Journalists working in Eastern Europe and Russia face the double digital security threats of targeted surveillance and hacking attacks by cybercriminals.
Eastern Europe has long been home to some of the most advanced cybercriminals in the world. On top of the threats of falling prey to ransomware or phishing attacks, reporters and activists in former Soviet bloc states are being increasingly targeted by Russian-backed information warfare and cyberoperations.
#mediadev talks to Mykhailo Koltsov, an expert in cybersecurity for journalists and the cofounder of StopFake.org, about digital safety in Eastern Europe and what journalists can do to protect themselves.
#mediadev: Which countries in Eastern Europe are the most vulnerable in terms of digital security?
Mykhailo Koltsov: No country can claim it isn't vulnerable but I think Russia faces the greatest risks. The state, security services and industry are enmeshed and they've dismantled protections of journalists' rights. They can access journalists' equipment without fearing legal repercussions and new anti-terrorism legislation [passed in June 2016] has made things worse. Under the so-called "Yarovaya law", punishment has increased for those expressing "extremist" opinions [and the law is increasingly being brought against social media users critical of Russia's involvement in Ukraine, for example]. This is quashing people's freedom to express opinions on the Internet.
In Ukraine, on the other hand, digital security risks are growing because of a general failure to implement security strategies. The biggest risks in 2016, for instance, were hacker attacks on energy infrastructure and the theft of confidential or personal data. Communication channels that people thought were safe were compromised. In 2016, for example, there were concerns over the security of the messaging app Telegram, which is used by Russian activists like Oleg Kozlovsky and Georgy Alburov. Another problem is the spread of ransomware [malicious software that encrypts data and demands payment to decrypt it]. Paradoxically, social engineering attacks, such as email phishing for stealing personal logins and other data, are the most widespread kind of attack.
How has the situation changed in the past few years?
In the past, attacks were much broader in scope in that viruses and malware spread in many different ways and the victims were usually random. These days, attacks tend to be more finely tuned and target a specific person or organization. One problem still needing attention is that editorial offices don't have any kind of systematic digital security strategy to protect their journalists. Basically, journalists are left up to their own devices as far as digital security strategy goes and their technical know-how or skills aren't always up to date.
Surprisingly, what we've experienced in the last three years is that it isn't necessary to attack journalists' email or social media accounts to put them out of business. Setting up an alternative source for spreading fake news can have the same effect because the proliferation of fake news discredits journalism as a profession, and journalists cease to be perceived as sources of reliable information.
How are these digital threats affecting journalists' work?
More than anything, these threats are discrediting journalism itself. If you're a journalist but can't protect your sources, or your personal data is being leaked to the public, you can't do a proper job. You can hardly be a journalist these days if ransomware has encrypted data on your laptop, your phone calls are being tapped and your email and communication channels have been discredited. This essentially restricts the right to freedom of expression. Journalism as a whole depends on journalists enjoying a certain level of trust among their readers, but after an attack, readers may be less likely to trust them. Digital threats also destroy journalists' work because such threats interfere with their professional and personal spheres.
Although most journalists know it's important to protect themselves from digital threats, most haven't internalized this yet – simply because they don't think it will happen to them. In Ukraine, though, those doing the most to protect themselves are investigative journalists who regularly report on corruption.
Are there specific threats associated with social media platforms?
Social media is much more vulnerable because [it's an external platform that you can't always control]. One peculiarity of the post-Soviet space is the popularity of the Russian platform VK, which is relatively easy for intelligence services to monitor. But we have to remember that social media is also a revenue source for media outlets and so an attack on social media doesn't just threaten an outlet's reputation but also its revenue stream.
What are the key takeaways for journalists?
The main point is that a journalist's digital identity can be exposed to threats, regardless of their current activities. That's why protection needs to be varied and up to date. Some basic principles still apply, such as the length of a password and two-step verification, but technology is developing fast, and journalists need to keep on top of it. Today, for example, the instant messaging app Telegram is considered to be a secure communication channel but that might change tomorrow.
It's best to have various forms of protection, especially for your electronic devices – your notebook, tablet or smartphone. For the first level of security, you need to combine hard disk encryption with a cryptographically secure password and biometric protection. For the second level, you need to protect your digital identity, that is, your email and social media accounts. For this you should use a cryptographically secure password that you change at least every six months, together with two-step verification. The code for the two-step verification should be generated by a special smartphone app and not via a text message [that is sent by the provider of the service you are logging into]. Then you need to consider how to protect your communication channels, such as by using a messenger service with end-to-end encryption to protect confidential information. As for communicating with sources, the best way to do this is to use services such as XabarDocs, which allows the anonymous uploading of files.
Which risks are unavoidable?
Every system has a number of limitations that can be exploited by hackers. Journalists can't become too paranoid because they also have to be publicly accessible but they do need to protect themselves. Still, no password is completely secure. You can't always protect it if you're under surveillance, and if you have to give up your password under the threat of torture or death, then having a secure password isn't much help either. Journalists are also restricted by how their devices, or the platforms they use to communicate, function. For example, infrastructure weaknesses of a mobile or Internet provider can serve as a tool for an attack. Your task, then, is to limit – as much as possible – what you could lose through an attack.
Are encryption and anonymity ideal solutions or are they also risky?
No, encryption and anonymity aren't universal remedies. You need a certain degree of technical skill to use and update them, and to keep yourself technically up to date, but they can also negatively affect the performance of your devices. For example, encrypting your hard drive can slow it down and if there's a software error, it's virtually impossible to recover your data. The Tor browser provides a clear example of the dangers of relying on technology. Tor was originally considered safe for anonymous browsing until it was revealed that the FBI hacked it to convict pedophiles.
If you work with digital technology, it's important to get training as well as advice from experts because technology can offer the illusion of protection without necessarily delivering it.
Media development organizations are also involved in digital security. Where should they start?
Above all, they need to develop a systematic approach to safety guidelines and procedures, and then integrate them into an outlet's infrastructure and staff training programs. Digital security courses and system reviews should take place on a regular basis. It's also important for the top managerial level to implement a risk assessment system for digital threats because those at the top need to know potential consequences of various types of digital attacks. This way, people at all levels gain an understanding of why digital protection is so important and this makes it easier to implement digital security strategies.
Mykhailo Koltsov lectures on cybersecurity at Ukraine's National University of Kyiv-Mohyla Academy and also works as a trainer for DW Akademie at the Ukrainian Media E-School. He is a cofounder of StopFake.org, a highly regarded fact-checking site.
The original interview was conducted in Russian by Olena Ponomarenko and Heinrich Maser. It has been lightly edited for brevity and clarity. (kh/hw)