The field of cybersecurity technology is a different animal, however. It can bring the cloaks, daggers and pose ethical challenges for PR teams, vendors and journalists alike.
I thought about this while reading a NY Times story: When Spies Hack Journalism.
It’s about the growing phenomena of state-sponsored actors bringing stolen info to the media (think North Korea’s hack of Sony; or Russia’s sharing of Democrats’ emails).
Should such info be published? What are the journalistic and ethical considerations?
Of course there’s always an agenda behind the hacker’s motives, and bad things can happen when sensitive data gets out; editorial teams need to consider this vs. the public’s right to know.
Scott Shane writes: “The old rules say that if news organizations obtain material they deem both authentic and newsworthy, they should run it. But those conventions may set reporters up for spy agencies to manipulate… the hacked Democratic emails revealed true and important things… The problem was that Russian hackers chose not to deliver to American voters the same inside material from the Trump campaign. The tilt of the coverage was decided in Moscow. By counting on American reporters to follow their usual rules, the Kremlin hacked American journalism.”
The article further quotes Columbia Law professor David Pozen, who is an expert on news leaks: “Publishing leaks provided by foreign spies ‘legitimizes and incentivizes hacking,’ he said. ‘I think this makes the ethical calculus for journalists much more complex.’ Asked if he had any guidelines in mind, Mr. Pozen demurred. ‘I don’t think I have great answers,’ he said.
“If You Pitch this, Bad Shit will Happen”
In the above story, the journalists are portrayed as hapless pawns, caught in the crossfire of good vs. evil. But they have agendas too. Nothing grabs attention like a big scoop.
Sometimes media eagerness for info can place the ethical challenge on the doorstep of PR.
After all, we want to be a friendly resource. Cyber security PR often means swooping in when there’s a story about a hack and contacting reporters. We bring them spokespeople and inside info.
The murky world of hacking adds to the challenge. Tech providers can get uncomfortably close. They see what’s happening on the dark web. Many have research teams, monitor groups with nefarious motives, and recruit from the pool of former hackers. It’s not always easy to tell the good guys from the bad.
This kind of thing, you would think, should prompt more businesses to boost their digital security, perhaps by using something like Cobalt pentesting to locate vulnerabilities that could be exploited in potential hacks in order to resolve them.
I can recall two situations where we (i.e. the agency PR team) got into uncomfortable places and had to make tough decisions with potentially dire implications (I’ll leave names out for obvious reasons).
In one case, we were working with a client’s head of research, who uncovered — and encouraged us to share with the media — the identity of a key suspect in a major international hacking incident. No sooner was the reporter briefed than the proverbial shit hit the fan. The client’s head of PR called an urgent meeting to ask how this could happen. He was concerned that revealing his company as the source of this info would put employees’ lives at risk, not to mention the person they identified! (P.S., it turns out the reporter knew the name already, and in the final analysis, we learned the info was incorrect).
Another time, our client’s spokesperson was briefing a top-tier reporter about a much-publicized hack involving a major bank. The journalist was pushing for details about the mechanics of the attack. Our client said he was reluctant to share the info, because it could help hackers recreate the crime with other banks. The journalist seemed unconcerned, and in fact was even excited about getting and publishing such hot info. The client held firm. But you would think that publications have rules about sharing info that can be harmful.
Much has been written about PR and journalistic ethics. Cybersecurity is one area that could benefit from a closer look and clearer lines.