Cybersecurity and Deterrence
The Media Must Prepare for Another Hack-and-Leak
The New York Post’s publication of a story about alleged emails belonging to Hunter Biden, supplied to the tabloid by President Trump’s lawyer Rudy Giuliani, has all the hallmarks of a Russian influence operation. Yet if the Post’s story is part of a propaganda campaign by Russia or other actors bent on corrupting American democracy, it is a very clumsy one: The original story was so specious that reporters refused to put their names on it, and even Fox News may have passed on it.
The Post story serves as a kind of warmup for the media, which may face a more newsworthy hack-and-leak scenario soon. Russian intelligence agents from the unit that successfully hacked and leaked the Democratic National Committee’s (DNC’s) emails in 2016 are again trying to break into email accounts of political parties and consultants, Microsoft said last month. In late September, Facebook announced that it had dismantled a propaganda campaign with connections to the same Russian actors. Meanwhile, Google says China and Iran are trying to access email accounts of campaign staffers working for both President Trump’s and Joe Biden’s campaigns via phishing attempts.
With all these indications that another hack-and-leak operation is likely, what would it take to make America more resilient against propaganda campaigns?
In an ideal world, candidates and other public figures—especially the main would-be beneficiaries, Trump and his supporters—would step up and denounce such operations, turning the adversary’s attempt to undermine democracy into a bipartisan affirmation of the integrity of civic discourse. And the Trump administration would marshal a whole-of-government effort to punish and deter Russia and other foreign governments from meddling. These actions would reduce the benefits and increase the costs of hack-and-leak operations.
Alas, we don’t live in an ideal world. There is no reason to think that the Trump administration and its allies on Capitol Hill would take such action in the face of a hack-and-leak operation, and plenty of reason to think that they wouldn’t—just consider how Trump himself and Republican legislators boosted the New York Post’s coverage of the Biden story. Instead, as the New York Post story has shown, the burden for achieving resilience will fall predominantly on social media platforms—where propaganda campaigns incubate and spread—and on the news organizations that bring such campaigns into the mainstream by reporting on them. In a recent report, we published recommendations for how news organizations can adapt to this challenge.
Social media platforms have come a long way since 2016, but there is still widespread dissatisfaction with the job they are doing. This dissatisfaction is responsible, in part, for the bipartisan scrutiny of Section 230 of the Communications Decency Act, which shields internet platforms from legal liability for content posted by their users.
Consider the social media platforms’ response to the New York Post story. Shortly after the story appeared, Twitter blocked the ability to share links to the Post’s reporting on its platform and temporarily suspended some accounts that shared the story. Facebook downranked the story in its algorithm to give fact-checkers time to assess it. After Sen. Ted Cruz moved to subpoena Twitter CEO Jack Dorsey, Twitter reversed course and announced it would “no longer remove hacked content unless it is directly shared by hackers or those acting in concert with them.” Instead, it would label tweets to provide context. The backtracking was “practically an invitation for Kremlin hackers to launder their dirty deeds through outlets such as the New York Post or Wikileaks,” Washington Post columnist Max Boot argued. Twitter’s quick reversal showed that even four years after the DNC email hack, social media companies are still improvising a response to the threat.
News organizations, however, have work to do as well. In 2016, reporters ran like crazy with the DNC emails, focusing on the content of those communications and what they revealed about Hillary Clinton’s paid speeches and, famously, John Podesta’s risotto, rather than the real news: that Russia stole those emails and leaked them in order to help Trump win.
Since Daniel Ellsberg’s 1971 leak of the Pentagon Papers, journalists have generally operated under a single rule: Once information is authenticated, if it is newsworthy, publish it. How it was obtained is of secondary concern to the information itself.
In this new era, journalists must abandon this principle in favor of updated norms. News organizations won’t—and shouldn’t—ignore stolen information if it is newsworthy. But they need to make the provenance of the material an essential part of the story, so that readers understand why and who hacked it. Otherwise, American journalists will be unwitting accomplices of foreign propaganda operations.
Reporting on information of murky provenance takes time, which can clash with the competitive instinct to publish as quickly as possible. To that end, news organizations should devote more resources to determine the origins of leaks when they appear. This is a necessity, not a luxury, for responsible reporting in this digital age. It could even lead to scoops about who is behind a leak and their motivations and tactics for carrying out the leak.
We are well aware of the budget pressures facing many organizations in the news industry. With that in mind, we recommend that cash-strapped organizations consider pooling resources to build shared capabilities as a cost-saving measure, as is starting to take place with fact-checking.
Newsrooms should also have a plan worked out in advance for how reporters will cover a hack-and-leak, and they should practice it at least once. Conscientious businesses and governments test their mettle by exercising how they respond to foreseeable incidents. If an organization was unprepared in such a scenario, reporters would highlight that failure. News organizations should hold themselves to the same standard.
What would a plan look like? As soon as a hack-and-leak emerges, senior editors—as the Washington Post’s Marty Baron urged his newsroom in recent guidance—would meet to review “the newsworthiness of the information, its authenticity and whether” reporters can determine the material’s provenance. “Our emphasis should be on making a sound and well-considered decision—not on speed,” Baron wrote. “We should resist the instinct to post a story simply because a competitor has done so. We should not tweet or retweet reports or comments on hacked or leaked material without first reporting them out.”
Responsible reporters must avoid the temptation of being the first to reveal the contents of hacked and leaked material or getting the most retweets or shares on social media. Instead, reporters should understand their job as explaining what is most significant about that material.
Again, the response to the New York Post story shows that there is still learning to be done. Jake Sherman of Politico had his account temporarily suspended after tweeting the link to the Post story to his 235,000 followers. He later wrote that he wished he “had given the story a closer read before tweeting it.” The New York Times’s Maggie Haberman quoted a passage from the Post story and tweeted it out to her 1.5 million followers without any of her own reporting or context. (The tweet was subsequently removed.)
To be sure, these missteps were aberrations in the credible fact-based mainstream media. Most outlets treated the story as disinformation. Right-wing media is focusing now on the political response to the story and Republican leaders’ fury over social media moves to limit the spread of the propaganda.
Right now—before the next major hack-and leak or more general disinformation campaign—is the time for all responsible newsrooms to install a speed bump built and overseen by newsroom leadership, with buy-in from across the organization. If they do only one thing, news organizations, wired to be first, need to fight the impulse to publish immediately. They can still aim to be first—but to be first responsibly.