Information Security: Read All About It

Danny Bradbury asks: How well is security-related news covered in the press?
Not all mainstream reporting on security and privacy stories can be considered high quality; the tabloid press has sometimes embarrassed itself with erroneous reports
Neil O’Neil, The Logic Group
Popular culture has made hacking a sexy topic that still captures the imagination of journalists and readers alike
Michelle Schafer, Merritt Group
Aside from 2003–5, print advertising revenues have been falling consistently over the last decade, resulting in fewer staff to report on more stories

It is 7 AM on the East Coast. ‘Dissent’ sits down at her computer, and opens her email. A security expert contact has tipped her off about the possible source of a series of credit card breaches emanating from the Midwest. It’s a juicy story that needs investigation. As she listens to the steady huffing and trickling of the coffee percolator, she clicks her mail shut and prepares herself to go to work.

But Dissent’s day job has nothing to do with journalism. She’s a healthcare worker who wants to remain anonymous. She runs the Office of Inadequate Security blog in her spare time, snatching stories from the wires and posting them in between patient meetings. She lifts headlines from the trade and popular press, and harvests stories from the websites of privacy commissioners and law enforcement sites around the US. She’s a collator of data breach stories, rather than a reporter, and is driven by her concerns over privacy in healthcare information to run the non-profit blog. As such, she has a unique insight into the way that the media is reporting data breaches.

Dissent gets the occasional lead, but doesn’t have time for investigative reporting. She tends to hand such leads off to the mainstream press instead, in the hope that journalists can pursue an investigation. But how well are they doing?

“I think that coverage has become better, but it is still frustrating when mainstream media don’t ask the right questions”, she says. Even though she is not a technical expert herself, she regularly finds herself asking questions when reading news articles in the mainstream press, such as: What happened to the data? Was it encrypted?

Trade vs Mainstream

Michelle Schafer, security practice director at Reston, Virginia-based PR firm Merritt Group, sees distinct differences between the mainstream and trade press when it comes to reporting security stories. “I find that the business press tend to be a lot more careful on fact checking and take more time in building a good story – they want multiple resources, not just one vendor, and they want data to back it up”, she says.

"I think that coverage has become better, but it is still frustrating when mainstream media don’t ask the right questions"
“Dissent”, Office of Inadequate Security

Where investigative reporting is pursued, the quality mainstream press shines at gathering stories. The Operation Aurora attack on Google and over 30 other companies was covered over several months by the New York Times, leading to deep and nuanced coverage.

Perhaps it is no surprise that hacking stories such as this attract the most interest from journalists. Media research company Apollo Research recently analyzed over 76,000 security-related news articles in the US and Europe between October 2009 and March 2010. It found that hacking stories accounted for 27.3% of all security-focused articles, and the percentage of hacking stories spiked directly after the Operation Aurora story first hit. Popular culture has made hacking a sexy topic that still captures the imagination of journalists and readers alike.

These stories sometimes focus on hackers who infiltrate systems for purely financial motives, such as the widely covered sentencing of TJX hacker Albert Gonzalez. However, they also correlate closely with stories that have a geopolitical angle. The case of Gary McKinnon, the UK hacker who became the source of a tussle between the UK and the US over extradition rights, is one such example. Allegations of cyberespionage, in cases such as the Ghost Net and Shadow Net botnets, are another. The mainstream press has also covered stories such as the proposed hacking of utility networks by foreign state actors, and the theft of military secrets.

The Need for Technical Knowledge

But not all mainstream reporting on security and privacy stories is of such a high quality. The tabloid press has sometimes embarrassed itself with erroneous reporting. In March, the UK’s Daily Mail apologized for a feature item that incorrectly identified Facebook as the social network used by a pedophile to approach an investigator that it worked with, who had posed as a 14-year-old girl.

The error there lay not with the bylined author, but with journalists and editors at the Mail who edited the story, according to reports. The significance here is that the bylined author was actually an industry expert who sent copy to a journalist. Whereas journalists in other fields may be able to conduct their own investigative research, the signs are that in security, they have to get their information from researchers who carry out the investigative work. Of the top 12 experts quoted in news articles, only one – Howard Schmidt – was not from a vendor primarily selling security software or services.

"The US has introduced breach notification laws that make it easier for journalists to find out when incidents have occurred"
Neil O’Neil, The Logic Group

While you may not find many journalists wielding a copy of Nessus and conducting port scans, where this technical expertise does exist in-house, it tends to come from technically adept individuals who have crossed over into journalism. Accomplished ZDNet blogger Dancho Danchev is an independent security consultant, while Kevin Poulsen, senior editor at Wired News, was already widely known as a hacker before he made the jump.

In the mainstream press, that technical knowledge may be even less prevalent. Brian Krebs, a technically adept journalist who worked at the Washington Post and cracked numerous breach stories, was also instrumental in bringing down rogue ISP McColo in late 2008. He has since left, joining the ranks of the bloggers who compete with the mainstream press for reader attention. “The Post made a mistake in losing him”, says Dissent.

A Race to the Bottom?

As with many news subjects, competition among journalists leads to a race to break the story. “Most of the reporters I work with tend to want to be ‘first’ to tell the story – there’s sort of a race going on about who can break the story first, especially if it is a major breach or vulnerability”, Schafer explains. This has doubtlessly been exacerbated by the move to online coverage, especially among bloggers who can post news very quickly.

“The trades can do it a lot faster, mainly because they have the right connections on who they want to speak with and they understand the technologies well too”, Schafer adds. But research suggests that those contacts are not particularly varied. Is this a race to the bottom?

“Graham Cluley comes up a lot”, says Richard Lavern, research director at Apollo Research. Lavern is referring to the specialist at Sophos, who has become something of a ‘rock star’ in the security sector. According to the Apollo report, Cluley was the most-quoted expert. Ten companies accounted for 40% of all security news coverage, the report said. Many journalists seem to have a few security specialists on their speed dial that they can approach for a good quote without too much effort, and don’t appear to be looking very far for news stories, leading to an echo chamber effect.

More Stories and Fewer Staff

It is no wonder that the news media shows some sign of strain. It is suffering from the worst economic crisis since the 1930s, exacerbated by the disruption of printed content by the internet. According to the Newspaper Association of America, print advertising revenue dropped by an unprecedented 28.6% last year, and 17.7% the year before that. In fact, aside from a modest three-year blip from 2003–5, print advertising revenues have been falling consistently over the last decade.

"There’s sort of a race going on about who can break the story first, especially if it is a major breach or vulnerability"
Michelle Schafer, Merritt Group

Unfortunately, the growth in online advertising that was staunching the bloodbath in print advertising has reversed. Online ad revenues for newspapers grew by a healthy 31.4% in 2006. Last year, a glut of inventory, combined with an unhealthy economy, stripped nearly an eighth of the value out of that market. The result: budget cuts, and fewer staff.

The remaining staff have to cover more, rather than fewer, data breach stories. According to the Open Security Foundation, which collects statistics about data breaches, the number of breaches dropped by a third last year compared with 2008. But overall, the number of breaches reported on average from 2006–9 was still 91% higher than the number of breaches reported from 2001–5. Which raises the question: why?

“The US has introduced breach notification laws that make it easier for journalists to find out when incidents have occurred”, points out Neil O’Neil, principal digital forensics investigator at IT consulting firm The Logic Group. Over 46 states have now enacted legislation requiring organizations to tell customers residing in the state when their information has been put at risk, making what amounts to a national data breach notification rule. “However, the UK still doesn’t have these laws”, he points out. Europe has a data breach notification rule, but it applies only to telecommunication service providers, and not to broader business.

This regulatory factor means that the smaller newspaper staff that now exists in the US must report on far more stories than in the first half of the last decade, when there were more staff reporting on fewer items.

As the news industry continues to fight disruption and cope with new economic models, policy makers will be watching. Senators may not read the trade press or the specialist security blogs, but they will monitor the major outlets. “Congressional leaders who read about a data breach in the New York Times will begin asking questions”, says Dissent. As she prepares to send off her latest lead to investigative contacts, that gives her – and the rest of us – some comfort.
