Chinese Hackers’ Attack on the New York Times Worked to Perfection

Innovation, the Internet, gadgets, and more.
Jan. 31 2013 6:12 PM

Hacking the Old Gray Lady

The Chinese attack against the New York Times worked to perfection.

The New York Times building
The New York Times building

Photo by Mario Tama/Getty Images

Journalists are on notice. If you investigate the Chinese government, Chinese hackers will come after you. That’s what you should conclude from the New York Times’ disclosure that it was hacked for four months by attackers it suspects were associated with the Chinese military. The likely motive, the Times says, was retaliation against the paper for its investigation into the wealth amassed by the family of Wen Jiabao, China’s prime minister. But this wasn’t the first time Chinese hackers attacked journalists. They infiltrated Bloomberg News last year, the Times reports. They’ve also gone after the Associated Press, the Wall Street Journal, and other Western news organizations.

Reporters who cover China might wish to take some comfort in the fact that the Times was on to the hackers. The paper had expected a response to its investigation, and AT&T, which had been monitoring the paper’s network, alerted the Times of a potential hack on the day that it published the Wen investigation. The paper suspects that hackers were looking for information about its sources, but computer security experts it consulted “found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded, or copied,” executive editor Jill Abramson said.

To me, though, these seem like small assurances. Knowing the hackers were coming didn’t really help the Times—attackers still managed to obtain the corporate passwords of every one of its employees and broke into the PCs of 53 of them. They also infiltrated the email accounts of a couple of reporters who cover China, including David Barboza, who conducted the investigation into Wen’s family. What’s more, security experts say the Times can’t really be sure that the hackers are gone from its network, nor that they didn’t find anything of value. The most important outcome here might be the chilling effect: Now that a Chinese attack on the New York Times is international news, any dissident or potential whistle-blower in China will be wary of talking to journalists at the paper—or, for that matter, all journalists.

In other words, the hack worked. Indeed, the attack on the New York Times points out why cyberattacks are such a spectacularly diabolical and effective weapon, especially when they’re aimed at journalists. Until now, when a government or criminal enterprise didn’t like something a reporter wrote, it had two options—it could shut down the outlet or kill the journalist. Hacking presents a third option, one that’s far more nuanced and effective.

First, it’s anonymous—as a technical matter, it’s almost impossible to know for sure who hacked the New York Times, and China can maintain plausible deniability. Hacking is secret and very rarely messy. The hacker can get what he wants—a reporter’s sources, information about how a news outlet works and whom to cozy up to, perhaps personal information that could be helpful for blackmail—without anyone ever finding out. Hacking crosses borders. In the past, a foreign paper like the New York Times would have been relatively more protected from Chinese governmental repercussions than a local paper. Not anymore. Now hackers can get you anywhere, and they can make life hell for everyone you work with.

Finally and most importantly, hacking is almost impossible to defend against. Journalists have to use computers and the Internet constantly to do their jobs. If you do that, you’re opening yourself up to attack. Sure, you can and should take precautions against hacking. The Times attack seems to have begun with a simple email-based phishing scam; if someone at the Times hadn’t clicked on a bad link, the attackers would never have gotten in. But Chinese hackers have used similar tactics to hit Google and the White House, too. In a large organization, someone is going to slip up, and it only takes one. This suggests that if they’re determined—which they are—hackers could get to pretty much any journalist they wish.

But it’s not just Chinese hackers that journalists have to worry about. The tools of hacking are decentralized and distributed, available to anyone who’s ever been the subject of a negative article. The Times has hinted that it was attacked by supporters of WikiLeaks in 2011, and in 1998, when it reported on hacker Kevin Mitnick, a group called H4acking for Girl13z defaced the paper’s website. In 2010, Gawker—which writes often and unsparingly about powerful online collectives at 4Chan, Anonymous, and Reddit—got epically hacked by those same groups. The hackers got 1.3 million usernames, email addresses, and password hashes belonging to Gawker readers. The hackers even logged on to Gawker’s private online chat room and spied on its editorial operations.

Journalists should take two lessons from such incidents. The first is obvious. Don’t be a security slacker. Don’t click on fishy links, use two-step verification for your important accounts, choose strong passwords that you don’t repeat at various sites, don’t stick mysterious USB drives into your machine, etc. All those steps are important, and they’re things that a lot of people—yes, journalists are people too—don’t take seriously enough.

But the second lesson is more important: Realize that you and your devices are vulnerable, and conduct your work with that in mind. Let your sources know it, too. This means storing your most delicate information on computers that aren’t connected to the Internet. It means taking important notes on paper, not your phone. But mostly it means this: If you’re working on anything controversial, know that you, your colleagues, and your sources can be surveilled. If that deters you from doing your job—well, that’s the whole point of hacking. That’s why we should all be very worried.

TODAY IN SLATE

Frame Game

Hard Knocks

I was hit by a teacher in an East Texas public school. It taught me nothing.

Republicans Like Scott Walker Are Building Campaigns Around Problems That Don’t Exist

Why Greenland’s “Dark Snow” Should Worry You

If You’re Outraged by the NFL, Follow This Satirical Blowhard on Twitter

The Best Way to Organize Your Fridge

The World

Iran and the U.S. Are Allies

They’re just not ready to admit it yet.

Sports Nut

Giving Up on Goodell

How the NFL lost the trust of its most loyal reporters.

Chief Justice John Roberts Says $1,000 Can’t Buy Influence in Congress. Looks Like He’s Wrong.

Farewell! Emily Bazelon on What She Will Miss About Slate.

  News & Politics
Politics
Sept. 16 2014 2:11 PM Spare the Rod What Charles Barkley gets wrong about corporal punishment and black culture.
  Business
Moneybox
Sept. 16 2014 2:35 PM Germany’s Nationwide Ban on Uber Lasted All of Two Weeks
  Life
The Eye
Sept. 16 2014 12:20 PM These Outdoor Cat Shelters Have More Style Than the Average Home
  Double X
The XX Factor
Sept. 15 2014 3:31 PM My Year As an Abortion Doula
  Slate Plus
Slate Plus Video
Sept. 16 2014 2:06 PM A Farewell From Emily Bazelon The former senior editor talks about her very first Slate pitch and says goodbye to the magazine.
  Arts
Brow Beat
Sept. 16 2014 1:27 PM The Veronica Mars Spinoff Is Just Amusing Enough to Keep Me Watching
  Technology
Future Tense
Sept. 16 2014 1:48 PM Why We Need a Federal Robotics Commission
  Health & Science
Science
Sept. 16 2014 1:39 PM The Case of the Missing Cerebellum How did a Chinese woman live 24 years missing part of her brain?
  Sports
Sports Nut
Sept. 15 2014 9:05 PM Giving Up on Goodell How the NFL lost the trust of its most loyal reporters.