Panel on cyber security urges encryption to protect sources, but warns of vulnerabilities

Despite its potential vulnerabilities, reporters should use encrypted communication to protect their sources, an expert panel on cyber security urged at a March 13 event at the National Press Club sponsored by the Club’s Journalism Institute and the Professional Development Committee.

“It is incumbent on us [the press] to protect our sources from the beginning,” stressed panel moderator Rachel Oswald, vice chair of the Club’s Press Freedom Committee and a reporter for CQ Roll Call, as she opened the event by noting a recent spate of leaks to the press and Trump administration efforts to find the leakers.

As examples of encryption mechanisms available to reporters, the panel cited such open source software as Signal and WhatsApp for secure communication and Tor, a browser that conceals the user’s actions.

Emma Gaston-Alexander, vice dean of the Cybersecurity Graduate Program at the University of Maryland University College, called the act of whistle blowing a “heavy lift” for individuals who believe something is going on in their agency and want to communicate without leaving a record. She noted that agencies have teams of lawyers while whistle blowers have to defend themselves legally from their own pockets if necessary.

She explained that the legal responsibility for U.S. federal employees at the executive or White House level requires that “every type of communication is considered a record and must be preserved,” including every document, every email. If personal devices are occasionally used of necessity, she said, they must tie into the agency system in order to preserve the communication.

Dishad Othman, a digital security adviser at Internews Network, citing his experience in countries with autocratic governments, said that when reporters use encryption, governments can respond by attacking smartphones and other devices with malware that can read communication before encryption.

Othman also noted that agencies can discover whether encryption apps have been used.

Benjamin Dean, a technical exchange Fellow with the Center for Democracy and Technology, cautioned that "encryption is one small part of the whole picture,” adding that there is no panacea and that nothing is ever 100 percent secure.

Jack Gillum, investigative reporter for the Associated Press, described his approach to protecting communication with sources: He avoids the “e word,” saying “secure” instead of encryption. But when a conversation begins to be sensitive, he said, he also may move it to a coffee house or bar.

In response to a statement by an attendee at the event, Club member John Donnelly, that his takeaway from the session is, “We can’t really protect our sources,” Gillum acknowledged that nothing is completely secure. But he suggested some simple ways to protect sources. “Maybe we all [should] meet in person more,” he said, and use mail without a return address.

Another attendee, former Club President Jerry Zremski, commented that some of his best stories came from anonymous sources who approached him, but now he would need to seek them. In response, Gillum said that he publishes his contact points for encyrption software and his mailing address in his social media postings to encourage sources to contact him.

Oswald reminded the audience that the Institute will be offering hands-on courses for reporters on cyber security in the spring. Go here for descriptions and links to registration information.