This article appeared in The Cyber Issue in Winter 2016.
Journalists get a unique look into cyber issues. At the forefront of the biggest stories and scandals, the media is essential in shaping the public’s understanding and awareness of the latest developments. The Journal of International Affairs talked to Kim Zetter, an award-winning journalist who recently covered cyber for Wired, about what it is like on the inside, how she communicates with sources in the digital age, and what are the next major crises and breaking news stories.
How did you get your start in journalism?
I started my career doing editorial work actually. I was living in Israel with my boyfriend at the time, doing work for a private magazine and some freelance work for a newspaper in the United States. When I got back, I moved to San Francisco. There weren’t too many opportunities for journalists on the West Coast at that time apart from technology-focused publications. I ran into a friend from college on the street who worked at PCWorld. She referred me for their features editor position.
Were you always interested in technology and cyber issues?
Not at all. I wasn’t actually interested in technology because I’m not a gadget person, per se. But I figured that I could do the PCWorld features position for six months; features wouldn’t be as gadget oriented, and it could be interesting.
When was this? How did you transition into covering cyber issues?
This was in 1999. A few months after I got there, a colleague returned from DEF CON. I thought the whole event sounded bizarre—a conference for hackers is in itself just a bizarre idea.
But the technology, or rather what it could do, was fascinating. For instance, that year the group Cult of the Dead Cow came out with a backdoor Trojan called Back Orifice for the Windows operating system. They presented the following year too, when I went for the first time.
What was it like being at DEF CON in 2000?
I loved it. The culture and the community were so varied. The people were incredibly smart, like no other people I’d ever met before. And the social, political, and policy issues surrounding technology were fascinating.
Still, I remember being one of the only women there. Today there are so many women at DEF CON. My first year, I was one of two female journalists—Elinor Mills from CNET was the only other woman in the press room. In the room where the Cult of the Dead Cow was presenting there were 1,000 people, and maybe a dozen or two were women.
How should journalists and policy experts better educate themselves about technology and cyber issues?
All my training was on the job. No one formally trained me—I just observed what people were saying. I kept interviewing smart people. It’s similar to how any journalist gets to know a new beat. You learn what the salient topics are, who to talk to, and who to ignore. You get to learn how stuff works.
By and large, people were very patient with me. If you show genuine integrity and an interest in getting stuff right, they want to help you.
The most important thing when it comes to getting smart on cyber is to know what to read and who to get your information from. There’s a lot of bad reporting, misinformation, and deceptive information out there. Companies and governments both put out a lot of deceptive information.
Is it fair to say that getting reliable information is a big issue in this field?
Oh yes. A lot of new reporters in this space don’t know who to go to. It’s a big problem in policy and law too, not just journalism.
A lot of people think that just because they know the policy process or the law that they don’t need to understand the technology. That’s how we got insufficient laws or ones that are too widespread.
For example, when it comes to surveillance technology, the lawmakers are the only ones who get briefed, but they don’t have a clear understanding of the broad range of possibilities that applies to that technology. They can’t make a proper determination about the constitutionality of an activity without an independent and knowledgeable assessment. All they have to go on is what the intelligence community says the program does.
What are some of the difficulties that you face in covering national security stories?
Any time you report on a national security or classified program it is particularly hard to make sure that you have the right information. Traditionally, for reliable journalism you need two or three sources to publish. That isn’t necessarily a hard and fast rule anymore, especially for online sources, but that’s the way it was done traditionally.
With classified topics, that’s very difficult to do because of the risk sources take to talk. They have a lot to lose—they could lose their clearance, face prosecution, etc. And with the various types of surveillance methods and sources available today, even the old-school method of talking to a source in person has become dangerous.
How do you meet with sources securely?
You can use encryption, but if your computer has been compromised, that is not going to protect you. Encryption is only for data in transit. Also, if your sources aren’t as careful as you are, all your work will be for naught.
You can still meet a source in person, but you have to be careful. You have to leave all your electronics behind. You can’t use your credit card to pay for your cab. You have to be careful about surveillance at the site where you meet your source. And it’s not just governments—private companies have access to methods of surveillance now too.
Why is it so important to pay attention to the “little things” in the technology field?
I’ve always felt that it’s vitally important. Still, editors have chastised me for getting down in the weeds. There’s a lot of coverage that doesn’t get down into the details, and I think that is part of why I have a good following of readers.
It’s a disservice to the readers and the public not to stop and give further attention to these issues. Back when Juniper released information about a backdoor into their router technology, the mainstream media covered it for a few weeks, but then it petered out by Christmas. But the information security community did not stay silent—they really went out and dug into the technology. One guy in Europe and his global team were able to advance this issue with a deeper dive. My job was then to pull it together and put it into context.
A lot of my work is about listening to the people in the information security community. What is important to them is important to me. A lot of that goes back to knowing who to follow.
How can we improve cyber reporting in the media?
Readers have to want it. When you see good reporting, share it. That’s what editors are looking at and how they are judging their reporters.
I’ve heard so many times that “readers won’t read it—it’s too long.” But my readers will read it. There are lots of people catering to the grandma who’s worried about viruses on her computer. I put in ten-plus years to this topic and my reporting should show it.
The bottom line is that readers need to show appreciation—if the editorial staff can see that there’s a market for more in-depth reporting, they’ll support it.
How has reporting on cyber and technology issues changed since you started?
The thing that really stands out is the number of reporters who care about security. It just wasn’t on anyone’s radar back then.
We did a privacy cover at PCWorld in 1999. Privacy at that time didn’t even touch on government surveillance though. That didn’t show up until post 9/11, and even then it didn’t really get a lot attention until 2005 when the New York Times broke the story about warrantless wiretapping. Still, a lot of the media largely ignored it until Snowden’s revelations.
What do you think will be the “big stories” in tech-related reporting?
First, I’d say it’s the issue of “going dark.” The encryption battle will get more fierce as people try to use tools to protect their identification and the government continues to try to combat those tools.
The second is nation-state attacks. I think we’ll see an increase in those kind of attacks. After Stuxnet, we predicted a rise in attacks that caused physical damage, but we’ve only really seen one—the Ukrainian power grid attack. I think soon we will see it. Critical infrastructure is horribly vulnerable to targeted and opportunistic attacks.
The last is something we haven’t seen yet but we’ve been getting warnings about. Hacking used to be about extracting or stealing data. Recently, we’ve seen a movement toward the deletion of data, as in the Sony and Saudi Aramco attacks. But what we haven’t seen yet, and what’s potentially the most frightening, is an attack that alters data. We’ll have a huge issue when we can’t trust the integrity of data, particularly in industries where data integrity is everything, like banking or weapons systems. There is a lot of potential for these kind of attacks—we just haven’t seen it yet.