Reporting on cyberattacks: the media’s urgent problem

Cyberwar will be the defining story of our generation, but right now we’re dangerously unequipped to report on it accurately.

@davelee


In years gone by, when reporting on war, journalists have sometimes needed to be inventive in getting the news out.

There is a duty not to compromise the operations of the military, particularly when lives are at risk.

Equally, there is a public that has the right to know what is being done in their country’s name. But as history shows, governments on both sides of a conflict mostly do whatever they can to share as little as possible. And what they do share is often propaganda.

For war reporters, it’s an annoyance, but not too much of a problem, because when it comes to old-fashioned boots on the ground war, there are numerous ways to circumvent this kind of comms evasion.

An all-time great, Brian Hanrahan (Image: BBC News)

Take the the age-old example of legendary BBC man Brian Hanrahan, for example.

While reporting on the Falklands War, Hanrahan faced a problem. The Argentinians had claimed they shot down British Harrier jets. Hanrahan knew this was untrue, but was told by the British navy — with whom he was embedded — that he absolutely must not say how many planes were involved in an operation.

And so, in perhaps the finest piece of broadcast news scripting ever, he decided to run with this:

“I’m not allowed to say how many planes joined the raid,” he said.
“But I counted them all out and I counted them all back.”

When it comes to cyberattacks, there are no planes to count in and out.

There are no sounds of gunshots to make it obvious something is happening.

There are no soldiers on the ground that can be observed and asked: “Who do you work for?”

And unlike a “real” war, our governments are at the moment under no obligation to tell us what they are doing in the cyber arena.

Which is why, years on, we still don’t know for sure if the US (with Israel’s help) was behind Stuxnet, a cyberattack that caused physical damage to Iran’s infrastructure.

We still don’t know if the UK was responsible for a serious hack on Belgacom, a Belgian telecoms firm, despite some putting forward what they see as damning evidence.

We don’t know who was behind an attack that damaged blast furnaces in Germany earlier this month. For heaven’s sake, we don’t even know who was attacked.

And why don’t we know any of this? Because neither journalists nor experts have any way to say for certain who is doing what and why.

Let’s take an active story. The hack on Sony Pictures raises many issues about the reporting of hack attacks, and the coverage so far carries worrying implications.

Experts are queueing up to dispute the FBI’s confident claim that it was North Korea — mainly because the evidence pointing the finger at Kim Jong-un is either a) flakey at best or b) top secret, and therefore not open to scrutiny, journalistic or otherwise.

The result of this political back-and-forth is far-reaching, and one that from here on in is being reported on without anyone having any real clue whether the basis of the story — that it was North Korea — is in any way accurate.

We simply don’t know who did it — and yet the atmosphere created by the coverage means the US is considering reclassifying North Korea as a terrorist state. That move would open the door significantly when it comes to what the US considers a “proportional response” to the attack on Sony.

In a first for a cyberattack, the US has, in the past couple of days, added new sanctions on three North Korean organisations and 10 officials, but has admitted, coyly, that there’s no evidence they had anything to do with the cyberattack.

There’s a solid motive that would suggest North Korea did it. But there is also a considerable motive for the US to say it was North Korea, namely the US’s need for a cyber bogeyman, which presents a justification for creeping surveillance of communications networks (at a time when the CIA is under very serious scrutiny).

And for Sony’s part, the more time spent looking at this as an act of war the less time will be spent considering just how bad — if ex-employee statements are to be believed — its security is, and whether it is liable.

At the very least, tensions in an already tense part of the world have been heightened, and we’re completely in the dark as to whether it is justified. We may even have caused it — it wasn’t until the media brought up The Interview that anyone mentioned North Korea. Not even the hackers.

So here’s the nutshell: Reporting on cyberattacks currently relies far too heavily on taking what our governments say as fact. That’s not new, but unlike in the past, when reporters could take steps over time to find out more, cyberattacks occur in a manner that is unverifiable, leaving its perpetrators unaccountable.

Even simpler, everyday cyberattack stories are fraught with difficulty for journalists.

There was a story I wrote last year that really stands out in my mind — for mostly the wrong reasons.

It wasn’t a scoop, by any means, and the details were sketchy. Boy, were they sketchy.

They’re still sketchy, come to think of it. So much so that the company involved has no doubt held back from kicking off about our coverage… because they themselves probably weren’t (aren’t) sure what the truth is.

The story involved Snapchat, and an apparent leak of images. Nude images, naturally.

My story, for the BBC website, ran here: Nude ‘Snapchat images’ put online by hackers.

Regular readers of the BBC will notice a common trick: the use of the good-old arse-covering quote marks. Some people are calling them Snapchat images, those quote marks say, and we’d like to report that. But we’re not 100% sure, so those quote marks keep us somewhat safe.

This manner of thinking extends itself into the first paragraph of my story. It reads:

Explicit images believed to have been sent through messaging service Snapchat were reportedly put online, with threats from hackers to upload more.

Can you see the magic word? “Reportedly.”

Later on in the same story:

According to Business Insider reporter James Cook, hackers had boasted of having access to 13 gigabytes’ (GB) worth of pictures that had been intercepted over a number of years.

There I go again — arse-covering. James Cook said it, not me. If it’s wrong, it’s his fault. (I’m joking, it’s mine — but you get my point.)

To sum up: Oh dear.


Why was my story like that?

Lazy journalism might be the first accusation, but that would be unfair. My day was spent chasing Snapchat (who eventually provided a brief response, but ignored requests for clarity), and grasping any information I could from expert sources.

The truth is — it was extremely difficult, perhaps even illegal, to stand it up fully.

By simply making efforts to verify that a breach had occurred — i.e looking at the material posted online — I would put myself at risk of breaking laws over accessing images of minors. Accessing child abuse images, in any circumstance, is illegal. No exceptions.

Flickr: Brent humanartistvending

My only option was to report the story this way, or face not reporting it at all, which would be a significant failing. Millions use Snapchat, if this kind of breach is going on it should be covered, regardless if the blame lies, as it most likely did, with a third-party app.

Similar situations presented themselves at numerous times and in various manifestations over the course of 2014, and will continue to do so in future.

After the Sony Pictures hack — which will go down as an awakening for corporate America — warnings sprang out from Sony that accessing the leaked files would be tantamount to obtaining documents illegally.

And with the leak of nude celebrity pictures, Jennifer Lawrence stated that anyone accessing the images was “perpetuating a sexual offence”.

Even this story, about a Russian site posting up feeds of unprotected webcams, had our own lawyers in a bit of a spin. Could we look at the site without breaking the law? We weren’t really sure. The story was brought on thanks to a warning from the UK’s data commissioner — so did that mean we just took their word for it? That felt wrong.

In the end I think we all did the same thing: We looked. Of course we did. We just didn’t make it obvious we had when it came to reporting it. And we certainly didn’t link to it, or encourage it.

Legally, morally and technically we’re in unprecedented territory, and it will get worse in 2015 without a hard look at how journalists should go about their work in this field.

The normal, well-established (if sometimes flouted) rules of journalistic behaviour simply do not apply when it comes to covering hacks and cyberattacks.


Who is this 4Chan person?
Flickr: Brian Klug

Then again, the media doesn’t exactly cover itself in glory when reporting cyberattacks.

That now infamous “who is this 4chan person?” moment from CNN has already become the benchmark for media cluelessness, in the same way that “the internet is a series of tubes” symbolised a political class that knew naff-all about technology.

(Ironically, the “series of tubes” part of that speech was about the only accurate thing Ted Stevens said. But I digress.)

We must do better in reporting cyberattacks. We must stop breathlessly typing up headlines containing “biggest”, “most dangerous” and “most sophsiticated” without proper justification.

If we do use those words, we must anticipate that the audience will demand more: what should people do? How can we be protected? Do we need to care?

In short: footing each article with “experts suggest changing your passwords” won’t be acceptable in 2015.

While the problems I’ve outlined here hinder our ability to report on cyberattacks, we can do a lot to make things clearer — namely using the wealth of expert opinion to at least begin to piece together a picture of what’s going on.

What’s certainly in our favour is the fact that many corporations and governments look to good outside consultants to offer help in times of crisis. We should use this relationship to our advantage - those consultants will often want to speak to us, because it will help them get work.

But, equally, we must start being more sceptical of “experts” with obvious motives. There is a business interest, of course, in a security software company spokesperson saying more security software is needed.

In the past year, I’ve been sent hundreds upon hundreds — no exaggeration — of emails from the same PR person representing just one security firm. Each time a new world-ending vulnerability for their client to comment on. We must filter out this opportunism.

Equally, we need to stop using broadbrushes that confuse our audience.

Hacktivism doesn’t deserve the same categorisation , or attention, as cyberwar. They’re almost completely different things. Scary groups that use YouTube clips and Twitter accounts to shout “TANGO DOWN!!” are not a significant cyberthreat.

It’s an easier narrative, sure, but to give these actions the same weight as powerful cyberattacks is misleading, and in many cases, inciting unnecessary fear.


My posts on Medium aren’t part of my work at the BBC.

But I’ll be using this post as a way, I hope, to kickstart discussions here about how we report on cyberattacks so as to hold those in power accountable, and — without wanting to sound like a manager here… — focus our efforts in a way that best serves our audience.

Journalists need support and guidance on how to stay on the right side of the law when investigating and reporting on cyberattacks.

The BBC’s editorial policy team are world-leaders on many things — but I’d argue it is currently unable to offer the kind of support the corporation’s journalists need in this area.

What can I do when it comes to reporting hacking? How far can I go? What can I look at?

Will my employer have my back?

All these questions need answering, at the BBC and elsewhere, as a matter of urgency.

@davelee