Journalists are on notice. If you investigate the Chinese government, Chinese hackers will come after you. That’s what you should conclude from the New York Times’ disclosure that it was hacked for four months by attackers it suspects were associated with the Chinese military. The likely motive, the Times says, was retaliation against the paper for its investigation into the wealth amassed by the family of Wen Jiabao, China’s prime minister. But this wasn’t the first time Chinese hackers attacked journalists. They infiltrated Bloomberg News last year, the Times reports. They’ve also gone after the Associated Press, the Wall Street Journal, and other Western news organizations.
Reporters who cover China might wish to take some comfort in the fact that the Times was on to the hackers. The paper had expected a response to its investigation, and AT&T, which had been monitoring the paper’s network, alerted the Times of a potential hack on the day that it published the Wen investigation. The paper suspects that hackers were looking for information about its sources, but computer security experts it consulted “found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded, or copied,” executive editor Jill Abramson said.
To me, though, these seem like small assurances. Knowing the hackers were coming didn’t really help the Times—attackers still managed to obtain the corporate passwords of every one of its employees and broke into the PCs of 53 of them. They also infiltrated the email accounts of a couple of reporters who cover China, including David Barboza, who conducted the investigation into Wen’s family. What’s more, security experts say the Times can’t really be sure that the hackers are gone from its network, nor that they didn’t find anything of value. The most important outcome here might be the chilling effect: Now that a Chinese attack on the New York Times is international news, any dissident or potential whistle-blower in China will be wary of talking to journalists at the paper—or, for that matter, all journalists.
In other words, the hack worked. Indeed, the attack on the New York Times points out why cyberattacks are such a spectacularly diabolical and effective weapon, especially when they’re aimed at journalists. Until now, when a government or criminal enterprise didn’t like something a reporter wrote, it had two options—it could shut down the outlet or kill the journalist. Hacking presents a third option, one that’s far more nuanced and effective.
First, it’s anonymous—as a technical matter, it’s almost impossible to know for sure who hacked the New York Times, and China can maintain plausible deniability. Hacking is secret and very rarely messy. The hacker can get what he wants—a reporter’s sources, information about how a news outlet works and whom to cozy up to, perhaps personal information that could be helpful for blackmail—without anyone ever finding out. Hacking crosses borders. In the past, a foreign paper like the New York Times would have been relatively more protected from Chinese governmental repercussions than a local paper. Not anymore. Now hackers can get you anywhere, and they can make life hell for everyone you work with.
Finally and most importantly, hacking is almost impossible to defend against. Journalists have to use computers and the Internet constantly to do their jobs. If you do that, you’re opening yourself up to attack. Sure, you can and should take precautions against hacking. The Times attack seems to have begun with a simple email-based phishing scam; if someone at the Times hadn’t clicked on a bad link, the attackers would never have gotten in. But Chinese hackers have used similar tactics to hit Google and the White House, too. In a large organization, someone is going to slip up, and it only takes one. This suggests that if they’re determined—which they are—hackers could get to pretty much any journalist they wish.
But it’s not just Chinese hackers that journalists have to worry about. The tools of hacking are decentralized and distributed, available to anyone who’s ever been the subject of a negative article. The Times has hinted that it was attacked by supporters of WikiLeaks in 2011, and in 1998, when it reported on hacker Kevin Mitnick, a group called H4acking for Girl13z defaced the paper’s website. In 2010, Gawker—which writes often and unsparingly about powerful online collectives at 4Chan, Anonymous, and Reddit—got epically hacked by those same groups. The hackers got 1.3 million usernames, email addresses, and password hashes belonging to Gawker readers. The hackers even logged on to Gawker’s private online chat room and spied on its editorial operations.
Journalists should take two lessons from such incidents. The first is obvious. Don’t be a security slacker. Don’t click on fishy links, use two-step verification for your important accounts, choose strong passwords that you don’t repeat at various sites, don’t stick mysterious USB drives into your machine, etc. All those steps are important, and they’re things that a lot of people—yes, journalists are people too—don’t take seriously enough.
But the second lesson is more important: Realize that you and your devices are vulnerable, and conduct your work with that in mind. Let your sources know it, too. This means storing your most delicate information on computers that aren’t connected to the Internet. It means taking important notes on paper, not your phone. But mostly it means this: If you’re working on anything controversial, know that you, your colleagues, and your sources can be surveilled. If that deters you from doing your job—well, that’s the whole point of hacking. That’s why we should all be very worried.