A hack on the AP and its results tally could have chaos-inducing consequences.
Despite spending hundreds of millions of dollars on security upgrades, U.S. media organizations have failed to properly protect their newsrooms from cyberattacks on their websites, communications systems and even editing platforms — opening themselves up to the possibility of a chaos-creating hack around Election Day.
In just the past month, BuzzFeed has been vandalized, and both Newsweek and a leading cybersecurity blog were knocked offline after publishing articles that hackers apparently didn’t appreciate. Federal law enforcement is investigating multiple attacks on news organizations, and journalists moderating the presidential debates say they’ve even gotten briefings from the FBI on proper cyber hygiene, prompting them to go back to paper and pens for prep work.
“We do a lot of printing out,” said Michele Remillard, an executive producer at C-SPAN, the network home to the backup moderator for all the debates.
Journalists are seen as especially vulnerable soft targets for hackers. Their computers contain the kinds of notes, story ideas and high-powered contact lists coveted by foreign intelligence services. They also work in an environment that makes them ripe for attack, thanks to professional demands like the need for a constant online presence and inboxes that pop with emails from sources whom they don’t always know and which frequently contain the kinds of suspicious links and attachments that can expose their wider newsroom networks.
Senior U.S. officials, current and former lawmakers and cybersecurity pros told POLITICO the threat against the media is real — and they fret the consequences. Specifically, the security community is worried The Associated Press’ army of reporters could get hacked and the wire service — the newsroom that produces the results data on which the entire media world relies — inadvertently starts releasing manipulated election tallies or that cybercriminals penetrate CNN’s internal networks and change Wolf Blitzer’s teleprompter.
“It’s the art of possible is what really scares me,” said Tony Cole, chief technology officer of FireEye, a Silicon Valley-based cybersecurity firm that works with some of the country’s major television and newspaper companies. “Everything is hackable.”
“No site is safe,” added Tucker Carlson, editor-in-chief of The Daily Caller. “If the federal government can be hacked, and the intelligence agencies have been hacked, as they’ve been then, can any news site say we have better cybersecurity than the FBI or Google?”
The media have long been a spy’s best friend. Intelligence community sources say that foreign and U.S. agents use local newspapers to look for clues about their targets, and that strategy has only grown more sophisticated in an all-online era in which foreign intelligence is reportedly known to hover over a media company’s servers searching for any kind of heads-up on relevant stories inching closer to publication. Reporters on the campaign trail and back in their home bureaus said in interviews that they’ve become increasingly aware of their status as potential hacking victims. The spate of recent attacks — involving their sites and their competitors’ — are more than ample warning of what’s possible. Several journalists said they now use email and other communication with the expectation they’re being watched, and under the assumption that their messages can and will be hacked and shared publicly with the wider world.
“We’re a bigger target than the 7-Eleven down the street,” said Mark Leibovich, chief national correspondent for The New York Times Magazine. “Presumably, we have really good, smart IT people who know what they’re doing, who are taking all kinds of precautions, who are acutely in tune with what the risks are and what the threats are.”
There is perhaps no greater target in election journalism than the AP, the venerable wire service that will have more than 5,000 reporters, editors and researchers working across the country, tabulating results, calling races and feeding a much wider network of subscribers. Often other news outlets refer to the AP before making calls on races, and AP projections on the East Coast can have effects on West Coast voting, which closes hours later thanks to the time differences. Multiple sources in media, government and the security industry fretted about the effect if the AP were to get hit, and what that would do to their ability to get the news out.
The AP will deploy reporters across the country to send up vote tallies, usually by phone, the wire service explained to The Washington Post in May. It also has multiple checks and balances in place to monitor for errors. But as with many other news organizations contacted by POLITICO, AP spokesman Paul Colford said the wire service’s policy is to refrain from making public comments about its security measures.
“Given the extraordinary interest in the presidential election and thousands of other state and local contests, we would add that AP has been working diligently to ensure that vote counts will be gathered, vetted and delivered to our many customers on Nov. 8,” he said.
Federal and state officials stress that even a successful hack on a major news outlet around Election Day would not affect the final results, which typically take weeks to certify. The vote tallies, after all, will be available on official sites and in many instances on special social media feeds. And if a news site did get defaced with incorrect information, the results would be more like a modern-day version of the famous ‘Dewey Defeats Truman’ headline that President Harry Truman triumphantly held aloft the day after his 1948 reelection.
Still, there is a widespread recognition — from the White House down to the local precinct level — that a hack on the media could be damaging given the role it plays in getting election news out to satisfy the country’s insatiable information appetite. Misinformation circulated in the early hours of Nov. 8 about the race’s trajectory, for example, could factor into a voter’s decision to even show up during the election’s final hours, especially in Western states. There’s also concern that false media reports spread via a hacked news account could be a potential spark for violence in an already exceptionally charged atmosphere. On the flip side, there’s a recognition that the media can help build public confidence in the final results, especially following a campaign that’s been engulfed in its closing weeks by Russian-sponsored hacking of the Democratic National Committee, the hacking of Hillary Clinton’s campaign chairman’s personal emails, and Donald Trump’s unfounded charges of vote rigging.
“To the degree that foreign hackers could prevent the dissemination of good information around the election, that can be a problem,” said Rep. Adam Schiff, the top Democrat on the House Intelligence Committee. The California congressman said he frets that media outlets, like many other industries, face “massive costs” in protecting themselves against cyberattacks with “no end in sight” to the potential risks. Schiff added that he is especially concerned about smaller news organizations without major IT budgets or the backing of larger parent companies. “They’re much more vulnerable,” he said.
Cybersecurity experts say media spending to protect news organizations against cyberattack has grown substantially in the past three years, especially in the wake of North Korea’s attack on Sony Pictures in late 2014. The price tag for vulnerability audits and other techniques varies by the size of the newsroom and the surface area for potential attacks, but multiple sources said quarterly audits can easily cost $50,000 or more.
Cyber experts and media officials from newsrooms across the country said they’re prepped to deal with a range of threats to their sites, including the kinds of malware that can infect a computer network and give hackers an entry point to manipulate a home site. They’re also building backup capacity in the event of a DDoS attack, or distributed denial of service, that tries to overwhelm a website or server with fake traffic. News sites, they note, are already prepping for monster traffic around the election, which can surge as much as 30 times compared with other big events this cycle, such as a debate or primary.
At the staffing level, newsrooms have also been pushing for better cyber habits by hosting training seminars, requiring employees to take must-pass exams and requiring double-authentication before granting access to a newsroom’s internal filing system and social media accounts.
But cyber experts warn that all the preparatory work in the world can matter little for a news organization if it’s facing an attack from a more sophisticated actor.
“If all of a sudden your adversary becomes a nation-state, like Sony or the DNC with Russia, you see those kind of procedures aren’t worth a darn,” said Robert Anderson, a former senior FBI cyber official and a managing director at the Navigant consulting firm.
The press has indeed been a familiar target for hackers. In 2013, hackers hit the AP’s Twitter account and posted a false report about a bombing at the White House, sending the stock market into a five-minute spiral. In more recent incidents, a USA Today columnist wrote an article in February admitting he was hacked midair while using his commercial flight’s WiFi, and the New York Times reported in August that its Moscow bureau was targeted by what were believed to be Russian hackers.
Newsweek blamed hackers for a DDoS attack that took down its site last month soon after it published an article about Trump’s company allegedly violating the U.S. embargo against Cuba through secret business dealings in the 1990s. And BuzzFeed had several articles on its site altered earlier this month after it ran a story identifying a person allegedly involved in the hacking of tech CEOs and celebrities.
“I’m sure that lots of newsrooms are having this conversation right now, particularly as we get closer to the election and people have a lot more to lose when things don’t go their way,” said Brian Krebs, the cybersecurity blogger and former Washington Post reporter whose site went down last month after a major DDoS attack that he says was spawned by his reporting about the arrest of two Israeli hackers.
With the threat of hackings against the media reaching such a heightened pace, many election observers urged both reporters and the reading public to take a deep breath as the results start coming in.
“If Twitter is reporting that Jill Stein wins South Carolina, that should probably give you pause,” said David Becker, executive director of the Center for Election Innovation and Research.