This article considers the ways that journalists cover cybersecurity incidents and convey technical material to general audiences. It describes how journalists have provided increasingly detailed and technical descriptions of these breaches as readers have become more familiar with different computer technologies and security controls. It further argues that these technical details are helpful in media reports only when they do not detract from readers’ understanding of the impacts and severity of cybersecurity incidents. Finally, it concludes with some recommendations for effective cybersecurity communication.
Just over a decade ago, cybersecurity journalists were charged with covering one of the most interesting, sophisticated, and difficult-to-explain security compromises: the breach of the Dutch certificate authority DigiNotar. Understanding what happened and why it mattered required some comprehension of the technical underpinnings of the Web and the ways that browsers decide which websites to trust. Specifically, the DigiNotar incident required some familiarity with digital certificates and how they work, as well as the certificate authorities that issue them. But the first New York Times article about the incident did not lead with an explanation of any of those details; instead, it began: “Hackers passed themselves off as the Internet giant Google with the apparent goal of snooping on people using Google services in Iran, the company said.” DigiNotar, the company at the center of the incident, was not even mentioned by name until the fifth paragraph.
Not every cybersecurity incident requires as much technical background to understand as the DigiNotar compromise or poses the same sort of challenges for journalists trying to explain the intricacies of a complicated breach to a general audience. But even as journalistic investigations and discussions of cybersecurity incidents have gotten more detailed and technical over the course of the past decade, the framing of that 2011 New York Times article by Somini Sengupta remains a model for conveying the significance of security breaches to non-technical readers. In particular, the emphasis on describing the impacts of the breach on Iranian Internet users and the initial focus on Google highlighted for readers what the stakes of this breach were, even before they were confronted with any discussion of digital certificates. This approach is widely applicable to writing about sophisticated cybersecurity incidents for a general audience. The more complicated or confusing the technical mechanisms at the heart of a breach are, the more important it is to couch the explanation of those mechanisms in the context of an easily understandable description of the impacts and importance of the incident.
In other cases, where the technical components of a breach, such as phishing emails or guessed passwords, are more familiar to a general audience, or where the company at the center of a breach is already well known, these framing devices may not be needed. And it is certainly possible to go too far in the other direction and emphasize only the perpetrators or the geopolitical context for a cybersecurity incident without referencing the technical maneuvering involved at all. Striking the right balance of technical detail and broader framing for the context and impacts of an incident depends on both the intended audience and the complexity of a given incident.
After all, the technical details of cybersecurity breaches are immensely important for certain audiences—for forensic investigators and security teams at the breached companies, for instance, or for regulatory agencies and courts trying to determine whether those companies are in any way at fault for their security failures. For more casual readers of popular media accounts, however, the technical details of a cybersecurity incident may be relevant only insofar as they do not detract from those readers’ overall understanding of a particular breach’s significance. An article about the DigiNotar breach that begins with explaining that a Dutch certificate authority had been compromised (a description which, not incidentally, also happens to apply to the first sentence of this article) would presumably lose many more readers than one leading with Google services being used to spy on people in Iran. Indeed, part of writing about cybersecurity for general audiences is convincing them to care enough about a particular breach to be willing to spend some time understanding the technical components. The 2014 Heartbleed vulnerability was another example of a fairly technical security issue that had such high stakes for online privacy and security that popular coverage of it ended up educating many people on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Media reports on Heartbleed emphasized the potential for sensitive data sent to websites to be intercepted using the vulnerability. In many cases, these reports also explained in some detail how the OpenSSL software works and specific mechanisms for encrypting online traffic. Like DigiNotar, Heartbleed was an incident that could only really be understood with some detailed explanation of how a largely invisible part of the Internet works.
Journalists’ ability to describe complicated, technical incidents has been aided by the public’s growing comfort with cybersecurity vocabulary and tools like two-factor authentication, phishing, firewalls, encryption, and ransomware. Over the course of the past five or so years, editors have gone from asking me to define these terms to taking it largely for granted that readers will know what they refer to. Journalists, too, are getting better at digging into the technical components of breaches they cover as they become more familiar with the relevant terminology and build up more experience. The breaches themselves are also increasingly complex and interesting as criminals and state actors develop more sophisticated capabilities.
Taken together, these trends have meant that journalistic investigations of cybersecurity incidents have gotten more detailed and more technical without necessarily losing their general appeal and accessibility. For example, Dina Temple-Raston’s reporting for NPR in 2021 on the SolarWinds compromise integrated a detailed description of how the intruders in SolarWinds’ network infiltrated the company’s update servers into a broader discussion of the massive scope of the resulting cyber-espionage campaign. In Wired and their subsequent books, Kim Zetter’s reporting on the Stuxnet worm and Andy Greenberg’s reporting on the Russian NotPetya campaign similarly married specific technical detail with engaging socio-political context that made the technical material more accessible and interesting.
For reporters writing about cybersecurity incidents for non-technical audiences, there can be tremendous value in incorporating technical details as long as those details are situated within a broader framing that illustrates the immediate stakes of the incident. This allows for a focus on the concrete impacts of the incident and not just its execution. Additionally, avoiding metaphors for technical concepts whenever possible helps clarify the actual technical components of breaches for readers who may otherwise assign blame or make assumptions about the sophistication and complexity of cyberattacks based on the comparison. Comparing encryption to locking a safe, or port scanning to knocking on a door, or a digital certificate to an electronic driver’s license can gloss over important nuances of how these technologies operate, how much work is required to implement or circumvent them, and the role they play in specific security incidents. At the same time, there is tremendous value in contextualizing the scale and sophistication of these incidents, including by comparing them to previous security compromises.
This is not a golden age of cybersecurity by any stretch of the imagination, but it may be a little bit of a golden age of cybersecurity journalism, with more talented writers covering breaches and cyberattacks than ever before. Their ability to seek out and describe the technical operations underlying security breaches is a small silver lining to the sheer number of incidents that they have had to cover that have helped them develop this level of expertise and skill.
Josephine Wolff is an associate professor of cybersecurity policy at the Tufts Fletcher School of Law and Diplomacy and the author of You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (MIT Press, 2018). Her writing on cybersecurity has appeared in The New York Times, Slate, Wired, The Washington Post, The Atlantic, and Scientific American.
Should states and museums use digital technology as a replacement for restitution and repatriation of cultural artifacts such as the Parthenon Sculptures? Technological solutions that help them face up to…