For much of her career, hacker Runa Sandvik has worked to protect journalists and newsrooms from powerful adversaries who want to keep wrongdoing and corruption out of the public eye. Journalists and activists are increasingly targeted by the wealthy and resourceful who seek to keep the truth hidden, from nation-state aligned hackers breaking into journalists' inboxes to governments deploying mobile spyware to eavesdrop on their most vocal critics.
Few know the threats that journalists face better than Sandvik, a native Norwegian. She defended The New York Times newsroom from hackers and nation-state adversaries, trained reporters to cloak their online activity in anonymity at the Tor Project, and helped organizations like the Freedom of the Press Foundation build tools that allow journalists, like us at TechCrunch, to securely communicate with sources and receive sensitive source documents. Sandvik is also a renowned hacker and security researcher and, as of recently, a founder.
Her new startup, Granitt — with Sandvik as its principal — aims to protect at-risk people, like journalists and activists but also politicians, lawyers, refugees and human rights defenders, from the threats they face doing their work.
“At any point someone finds themselves in a category where there might be some repercussions for them doing whatever it is they’re doing, that’s something I would consider ‘at risk’ and something that I can help with,” Sandvik told me when we spoke in New York City this week.
Sandvik told me about her work and her new bootstrapped startup, how leaders should prioritize their cybersecurity efforts, and what piece of security advice she would give that every person should know.
Our chat, which has been lightly edited and condensed for clarity, follows.
ZW: You’ve been laying the groundwork for Granitt for the past decade. Tell me how you got here.
RS: If you look at a decade ago when I worked for the Tor Project and they got funding, we set out to teach reporters how to use the Tor Browser. And very quickly realized that it’s not super impactful to just teach someone how to use the Tor Browser if they’re not also familiar with good passwords, two-factor authentication and software updates — things to consider when they’re traveling to conflict zones, for example. And we started building out a curriculum around what you should do to be safe online. I later consulted for the Freedom of the Press Foundation doing somewhat similar work, and also then working on SecureDrop. And my role at The New York Times was building on that type of work as well. And after the Times eliminated my role, I worked with ProPublica, Radio Free Europe, and the Ford Foundation to look at not just security for individuals but also how to help the business side of media organizations support the newsroom.
Some of the work that I’ve done has kind of been workshops directly for the newsroom. I’ve had one-on-one chats with reporters about some project that they’re about to take on. But I’ve also had a lot of conversations with the IT and security folks on the business side to help them understand what the challenges are that the newsroom is facing. How can I best solve them? What should they focus on? And also, how do they go about getting up to speed, and how do they then later on educate staff in the newsroom? There’s kind of been some “train the trainer” type of work as well, because 10 years ago Tor was around but the user experience was clunky. Now in 2022, we have a lot of really neat tools that are very user friendly for being safe online and for doing research in safe ways.
One thing that I saw at the Times is that you had a team to do cybersecurity. You had someone focusing on physical security, you had human resources taking care of emotional safety, and you had legal taking care of any kind of legal challenges that might pop up. But if we look at what it’s going to take for a journalist to be safe, it’s really the combination of those four groups — and that means those four groups need to come together and have a working group, talk to each other, understand what each person brings to the table, and what can actually be done holistically to better support staff.
ZW: Right, and we’re starting to see that across newsrooms when it comes to targeted harassment and doxing, but supporting journalism is a team effort and it takes a village and everyone working from the same page. So, why the name Granitt?
RS: The name is the Norwegian spelling of granite. It’s really that simple. Over the years I’ve had close friends who’ve encouraged me to do something on my own, and have pointed out how the work that I do doesn’t really exist anywhere else and that I’m in a good position to do it.
ZW: What kind of work will you be doing with your new startup and how do you plan to solve both the security aspect and getting different teams talking and collaborating with the goal of supporting journalists?
RS: It’s still consultancy, so I think training workshops and public speaking are still going to be a part of it. There’s still going to be everyday security guidance for newsrooms, guidance around specific projects, so whether it’s someone who’s about to take on a sensitive project, travel, or someone wants to set up a tips channel, how do you create the process to support that internally? That’s definitely still a part of what I do. But then also working more with different teams on the business side to make sure that these four groups of people can actually come together in a working group and better understand what the staff actually need, and to understand what the threats are that they’re facing, how they actually work, and what we need to figure out to better support them.
There’s a lot of bridge building. I don’t think it’s a case that people don’t care about this, I think that some are not necessarily aware of the challenges that certain people are facing. And also, in many ways, how easy it can be to spin up that kind of effort internally. If you’re The New York Times, you’ll have the resources. But if you’re a smaller newsroom, you can still have a working group of dedicated reporters who can figure out how we can best support our staff with online threats and harassment, or what to do if someone gets phished. If you’re a smaller newsroom, there’s still a lot you can do, and something is better than nothing.
ZW: Was there an impetus for you starting this company? Was there a single event that made you think, ‘I have to do this,’ or was it more akin to a slow series of events over the course of years?
RS: I’ve always been aware that there aren’t a lot of people that do what I do. There aren’t a lot of people that focus on security for reporters. And over time that has changed and there are more people doing this kind of work, educating newsrooms and educating the business side at media organizations. I think that part of my reluctance to just start something on my own was I thought it would just be this thing I do on the side, and I think I was just getting in the way of myself. Now it’s an official thing with a name, a logo, and a website. It’s something that I’m more excited about and ready to invest in. For me, it’s the thing that I’ve always done, but having a company plants the flag that this is something that’s needed, important, and worth investing in.
ZW: Tell me more about the threats that you seek to counter and who you are trying to protect. What makes these types of people a higher risk or a greater target than the average citizen?
RS: I’ve been shifting from talking about people as “high risk” to just talking about it as “at risk.” I’ve found that it’s easier for some to understand or relate to. Just the recent overturning of Roe v. Wade is a good example. A lot of people suddenly became “at risk,” but not necessarily high risk. And while I’ve really focused my work on security for newsrooms and for reporters — that’s still what I’m very passionate about — the guidance that I give at the end of the day is good guidance for anyone who’s trying to do whatever it is that they want to do, but in a safe way. At any point someone finds themselves in a category where there might be some repercussions for them doing whatever it is they’re doing, that’s something I would consider “at risk” and something that I can help with.
My goal is to help you work safely and help you do whatever it is that you’re trying to do in a safe way. That means we have to talk about, and take into account, any kind of threat that you’re aware of. We need to come up with a plan for you, it becomes very contextually driven, and it’s about coming up with the right mitigations for you and the work that you’re trying to do at that point in time. Whether the concern is NSO-style spyware, phishing, or traveling and you’re worried about losing your laptop, we can talk about the risks, the challenges, what you can do and come up with something that actually works for you.
ZW: It sounds like a very collaborative process between you and your clients; a mix of technical work, and education and teaching your clients what to do and what not to do by way of threat modeling and identifying what risks you may face.
RS: I could tell you that you should work on a laptop that runs Tails [a highly secured operating system] and a persistent volume and only ever use Tor. But if even the thought of moving to a different browser is something you’re not comfortable with, that whole example is just going out the window. Yes, from a security perspective, it’s a good option, but if it doesn’t fit your workflow or lifestyle as a person, it’s not guidance that’s likely to stick. In some cases, it really just comes down to figuring out what is actually going to work for you so that we can help you work more safely.
ZW: The threats out there vary wildly, depending on the kinds of activities of at-risk individuals, and every person’s threat model is different, if not unique. How does that collaboration work for finding what works for them and what they need as part of the threat model?
RS: I’m sure you’ve seen this post before. “Your threat model is not my threat model.” It’s just fantastic and it’s worth sharing over and over. In some cases, I’ll communicate directly with a person that needs support, and in others it will be an individual and one or two other people, like an editor or the security person or lawyer at the company, and it’s very specific to the individual. In other scenarios, it could be a conversation with the teams on the business side supporting the newsroom, trying to figure out what guidance we give to everyone. What would we consider our everyday security guidance that everyone should just know? And then you can build out both a baseline security level for the organization and find ways to then level up year after year, but you also then figure out exactly what the challenges are that you’ve had to date, what the slightly more complex or sophisticated threats look like, and how you go about addressing that. And to your question, security guidance and context-specific security guidance is really hard, if not impossible, to scale. I think at some point, you do have to invest in having people talk to each other.
ZW: You and I both know that attacks are getting smarter and more complex with new capabilities. Is there a single cybersecurity issue that concerns you today more than anything else?
RS: In May I gave a talk at Paranoia 2022 titled “How the Media Gets Hacked.” And instead of looking at how reporters get hacked — because we can talk about anything from your typical scam or phishing, to nation-state backed spyware and zero-click exploits — if you look at how media organizations get hacked, I give a few examples in my talk. When The New York Times was hacked by China in 2012, that was phishing. Tribune Publishing in 2018 got ransomware, also because of phishing or outdated systems. Dagbladet [Norwegian newspaper] and Schibsted [Norwegian media giant] had some issues with someone who found credential dumps and decided to try them against their systems, no two-factor authentication was enforced, and they got access. And the last one, Amedia [Norwegian newspaper] again got ransomware, so again, phishing or outdated systems.
We know how to deal with all of these. So what is happening? It’s interesting that what it really comes down to is: we know what best practices are, so why are they so hard to do? We need to have more of a conversation around that. Every single day, leadership at different organizations have to make choices around what to focus on, what to invest in, where to spend money, and what risks they choose to accept at that point in time. But if the end result is that organizations are compromised because of something as foundational as phishing and lacking two-factor, it really begs the question — are we actually prioritizing the right things?
ZW: And before we end, if you could give one key piece of security advice that every person should know, what would that be?
RS: Turn on two-factor authentication!
Lead image credit: Jean-Philippe Ksiazek/AFP via Getty Images.