LAS VEGAS—Hackers are known for using any available resource to get the money or data they want. Many times, that involves using media contacts to apply public pressure to the companies they are seeking to extort.
Hackers reach out to reporters to let them know about their latest conquests. That includes Robert McMillan from The Wall Street Journal and Lorenzo Franceschi-Bicchierai from TechCrunch, who spoke here at Black Hat about their experiences chatting with hackers. It’s not a friendly relationship; both reporters described the hackers as “liars” and “bad people” who they have to talk to when getting information that is in the public interest.
Franceschi-Bicchierai told the audience that hackers reach out to him via private messaging apps, and part of his job is separating truth from fiction. Since he’s communicating with criminals, he has to do his own research to make sure the claims are valid. McMillan said he’s had similar experiences when getting tips or information from criminal sources. He also noted that hackers’ comfort with divulging their crimes puts journalists in a precarious position. Does the reporter sit on the story to give the victim time to recover? If not, the journalist is at risk of being used by the criminal to extort the victim. If the reporter chooses to run the information, they’re at risk of not giving accurate information to customers who may have been affected by the incident. It requires a delicate balance.
‘No Surprise Journalism’
When a cybersecurity incident occurs, be it a hack, data breach, or even a ransomware infection, a lot of people find out—quickly. For the companies being victimized, these highly publicized notifications by media outlets may come a little too quickly.
Also on the Black Hat panel was Sadia Mirza, a partner at Troutman Pepper, who was tasked with giving the point of view of a corporate public relations representative responsible for providing information to shareholders and protecting the company’s image. Mirza lamented that journalists move “too fast” when reporting about cyber incidents. She explained that corporate incident response teams aren’t always able to produce instant answers about complex incidents that may require investigation or, in some cases, litigation.
The reporters on stage said their primary obligation is not to the companies affected, but to the consumers of the products the companies are selling, who may be affected by the cybersecurity incidents. McMillan explained that The Wall Street Journal employs a “no surprise journalism” policy, meaning that they always reach out to companies for a response before publishing news about a cyber incident (we do something similar here at PCMag). That means that the company is informed by the reporter ahead of time about a hack or other cyber incident, and the company is given time to formulate some kind of response.
McMillan noted that corporate responses are quite varied, and it usually depends on the corporate culture set by the CEO. Some companies are forthcoming when speaking to the public about incidents, and give regular updates about how many customers are affected, and next steps for securing accounts. Others, and McMillan referenced Uber’s past cyber incidents here, tend to stay silent for as long as possible in order to wait out attention from the public and spin the incident into something that doesn’t sound as dangerous or concerning.
Mirza responded, saying that slow corporate responses aren’t always indicative of obfuscation. Instead, people should want companies to take time to investigate an incident so they can make the most accurate statements about what occurred and present a firm path for customers to take to recover, if needed. “There are a lot of complexities that people just don’t appreciate,” she noted.
Franceschi-Bicchierai agreed, but said that consumers have a right to know when a company is involved in an incident that puts their data at risk. McMillan added that reporters “love complexity. That’s how [we] add value, by explaining the complex” to a general audience. He concluded the panel by requesting that companies offer more information when reporting about cyber incidents so that reporters don’t have to keep asking for more.