For much of her career, hacker Runa Sandvik has worked to protect journalists and newsrooms from powerful adversaries who want to keep wrongdoing and corruption out of the public eye. Journalists and activists are increasingly targeted by the wealthy and resourceful who seek to keep the truth hidden, from nation-state aligned hackers hacking into journalist's inboxes to governments deploying mobile spyware to snoop on their most vocal critics.
Few know the threats that journalists face better than Sandvik, a native Norwegian. She defended The New York Times newsroom from hackers and nation-state adversaries, trained reporters to cloak their online activity in anonymity at the Tor Project, and helped organizations like the Freedom of the Press Foundation to build tools that allow journalists, like us at TechCrunch, securely communicate with sources and receive sensitive source documents. Sandvik is also a renowned hacker and security researcher and, as of recently, a founder.
With her new startup, Granitt — with Sandvik as its principal — aims to help at-risk people, like journalists and activists but also politicians, lawyers, refugees and human rights defenders, from threats they face doing their work.
“At any point someone finds themselves in a category where there might be some repercussions for them doing whatever it is they're doing, that's something I would consider ‘at risk' and something that I can help with,” Sandvik told me when we spoke in New York City this week.
Sandvik told me about her work and her new bootstrapped startup, how leaders should prioritize their cybersecurity efforts, and, what piece of security advice she would give that every person should know.
Our chat, which has been lightly edited and condensed for clarity, follows.
ZW: You've been laying the groundwork for Granitt for the past decade. Tell me how you got here.
RS: If you look at a decade ago when I worked for the Tor Project and they got funding, we set out to teach reporters how to use the Tor Browser. And very quickly realized that it's not super impactful to just teach someone how to use the Tor Browser if they're not also familiar with good passwords, two-factor authentication and software updates — things to consider when they're traveling to conflict zones, for example. And we started building out a curriculum around what you should do to be safe online. I later consulted for the Freedom of the Press Foundation doing somewhat similar work, and also then working on SecureDrop. And my role at The New York Times was building on that type of work as well. And after the Times eliminated my role, I worked with ProPublica, Radio Free Europe, and the Ford Foundation to look at not just security for individuals but also how to help the business side of media organizations to support the newsroom.
Some of the work that I've done has sort of been workshops directly for the newsroom. I've had one-on-one chats with reporters about some project that they're about to take on. But I've also had a lot of conversations with the IT and security folks on the business side to help them understand what are the challenges that the newsroom is facing. How can I best solve them? What should they be aware of? And also, how do they go about getting up to speed, and how do they then later on educate staff in the newsroom? There's sort of been some “train the trainer” type of work as well, because 10 years ago Tor was around but the user experience was clunky. Now in 2022, we have a lot of really neat tools that are very user friendly for being safe online for doing research in safe ways.
One thing that I saw at the Times is that you had a team to do cybersecurity. You had someone focusing on physical security, you had human resources taking care of emotional safety, and you had legal taking care of any sort of legal challenges that might pop up. But if we look at what it's going to take for a journalist to be safe, it's really the combination of those four groups — and that means those four groups that need to come together and have a working group, talk to each other, understand what each person brings to the table, and what can actually be done holistically to better support staff.
Right, and we're starting to see that across newsrooms when it comes to targeted harassment and doxing, but supporting journalism is a team effort and it takes a village and everyone working from the same page. So, why the name Granitt?
The name is the Norwegian spelling of granite. It is really that simple. Over the years I've had close friends who have encouraged me to do something on my own, and have pointed out how the work that I do doesn't really exist anywhere else and that I'm in a good position to do it.
What kind of work will you be doing with your new startup and how do you plan to solve both the security aspect and getting different teams communicating and collaborating with the aim of supporting journalists?
It's still consultancy, so, I think training workshops and public speaking are still going to be a part of it. There's still going to be everyday security guidance for newsrooms, guidance around specific projects, so whether it's someone who's about to take on a sensitive project, travel, or someone wants to set up a tips channel, how do you create the process to support that internally? That's definitely still a part of what I do. But then also working more with different teams on the business side to ensure that those four groups of people can actually come together in a working group and better understand what the staff really need, and to understand what are the threats that they're facing, how do they actually work, and what do we need to figure out to better support them?
There's a lot of bridge building. I don't think it's a case that people don't care about this, I think that some are not necessarily aware of the challenges that certain people are facing. And also, in many ways, how easy it can be to spin up that kind of effort internally. If you're The New York Times, you'll have the resources. But if you're a smaller newsroom, you can still have a working group of dedicated reporters who can figure out how we can best support our staff with online threats and harassment, or what to do if someone gets phished. If you're a smaller newsroom, there's still a lot you can do, and something is better than nothing.
Was there an impetus for you starting this company? Was there a single event that made you think, ‘I have to do this,' or was it more akin to a gradual series of events over the course of years?
I've always been aware that there aren't a lot of people that do what I do. There aren't a lot of people that focus on security for reporters. And over the years that has changed and there are more people doing this type of work, educating newsrooms and educating the business side at media organizations. I think that part of my reluctance to just start something on my own was I thought it would just be just this thing I do on the side, and I think I was just getting in the way of myself. Now it's an official thing with a name, a logo, and website. It's something that I'm more excited about and ready to invest in. For me, it's the thing that I've always done, but having a company plants the flag that this is something that's needed, important, and worth investing in.
Tell me more about the threats that you seek to counter and who you are trying to protect. What makes these kinds of individuals a higher risk or a greater target than the average citizens?
I've been shifting from talking about people as “high risk” and just talking about it as “at risk.” I've found that it's easier for some to understand or relate to. Just the recent overturning of Roe v. Wade is a good example. A lot of people suddenly became “at risk,” but not necessarily high risk. And while I have certainly focused my work on security for newsrooms and for reporters — that's still what I am very passionate about — the guidance that I give at the end of the day is good guidance for anyone who's trying to do whatever it is that they want to do, but in a safe way. At any point someone finds themselves in a category where there might be some repercussions for them doing whatever it is they're doing, that's something I would consider “at risk” and something that I can help with.
My goal is to help you work safely and help you do whatever it is that you're trying to do in a safe way. That means we have to talk about, and take into account, any sort of threat that you're aware of. We need to come up with a plan for you, it becomes very contextual driven, and it's about coming up with the right mitigations for you and the work that you're trying to do at that point in time. Whether the concern is NSO-style spyware, phishing, or traveling and you're worried about losing your laptop, we can talk about the risks, the challenges, what you can do and come up with something that actually works for you.
It sounds like a very collaborative process between you and your clients; a mix of technical, and education and teaching your clients what to do and what not to do by way of threat modeling and determining what risks you may face.
I could tell you that you should work on a laptop that runs Tails [a highly secured operating system] and a persistent volume and only ever use Tor. But if even the idea of moving to a different browser is something you're not comfortable with, that whole example is just going out the window. Yes, from a security perspective, it's a good option, but if it does not fit your workflow or lifestyle as an individual, it's not guidance that's likely to stick. In some cases, it really just comes down to figuring out what is actually going to work for you so that we can help you work more safely.
The threats out there vary wildly, depending on the kinds of activities of at-risk individuals, and every person's threat model is different, if not unique. How does that collaboration work for finding what works for them and what they need as part of the threat model?
I'm sure you've seen this post before. “Your threat model is not my threat model.” It's just fantastic and it's worth sharing again and again. In some cases, I'll communicate directly with a person that needs assistance, and in others it will be an individual and one or two other people, like an editor or the security person or lawyer at the company, and it's very specific to the individual. In other scenarios, it could be a conversation with the teams on the business side supporting the newsroom trying and figure out what guidance that we give to everyone. What would we consider our everyday security guidance that everyone should just know? And then you can build out both a baseline security level for the organization and find ways to then level up year after year, but you also then figure out exactly what are the challenges that you've had to date, what do the slightly more complex or sophisticated threats look like, and how do you go about addressing that? And to your question, security guidance and context-specific security guidance is really hard, if not impossible to scale. I think at some point, you do need to invest in having people talk to each other.
You and I both know that attacks are getting smarter and more complex with new capabilities. Is there a single cybersecurity issue that concerns you today more than anything else?
In May I gave a talk at Paranoia 2022 titled “How the Media Gets Hacked.” And instead of looking at how reporters get hacked — because we can talk about anything from your typical scam or phishing, to nation-state backed spyware and zero-click exploits — if you look at how media organizations get hacked, I give several examples in my talk. When The New York Times was hacked by China in 2012, that was phishing. Tribune Publishing in 2018 got ransomware, also because of phishing or outdated systems. Dagbladet [Norwegian newspaper] and Schibsted [Norwegian media giant] had some issues with someone who found credential dumps and decided to try them against their systems, no two-factor authentication was enforced, and they got access. And the last one, Amedia [Norwegian newspaper] again got ransomware, so again, phishing or outdated systems.
We know how to address all of these. So what is happening? It's interesting that what it really comes down to is: we know what best practices are, so why are they so hard to do? We need to have more of a conversation around that. Every single day, leadership at different organizations have to make choices around what to focus on, what to invest in, where to spend money, and what risks they choose to accept at that point in time. But if the end result is that organizations are compromised as a result of something as foundational as phishing and lacking two-factor, it really begs the question — are we actually prioritizing the right things?
And before we end. If you could give one key piece of security advice that every person should know. What would that be?
Turn on two-factor authentication!
Lead image credits: Jean-Philippe Ksiazek/AFP via Getty Images.