Amy Zegart is the Co-Director of the Stanford Center for International Security and Cooperation. This year, she invited me to join the advisory council for the Stanford Cyber Policy Advisory Program; a multi-year working group think tank designed to develop cyber strategy, doctrine, and fundamental ideas for the U.S. government. She also helps run the Stanford Cyber Boot Camp series, a program that aims to educate various communities around the country about cybersecurity issues.
This week, she targeted journalists and invited me, and some other prominent network defenders, to have an off-the-record conversation regarding what we thought about how journalists approach the cybersecurity topic.
The room was filled with journalists from ABC, The Washington Post, Foreign Policy, NPR, The Wall Street Journal, CNN, and The New York Times. I have dealt with reporters before, usually in a friendly situation explaining some technical aspect of the latest security event, but I have never been outnumbered before by a factor of 20 to 1 in a situation where we might be exchanging some "off-the-record" criticism on both sides.
Amy had us in a circular, two-tiered conference room, where the network defenders sat on the bottom tier, surrounded by journalists both on the same tier and on the upper tier. Going in, it felt like we were gladiators walking into the arena with hungry lions and tigers roaming around looking to eat us on our tier, and the spectators on the higher tier, who definitely were rooting for the animals.
In truth, it was nothing like that all. It turned out to be a free exchange of information from both sides that helped to dismantle some pre-conceived and incorrect assumptions that both the network defenders and journalists had about the other side. Here is my big takeaway from the boot camp.
Journalists are professionals who know a lot of things about a gazillion different topics, cybersecurity being one of them. Network defenders are specialists with a deep knowledge about cybersecurity but probably only a cursory knowledge of other things. Most journalists are generalists without a lot of depth in any particular topic but who know how to pull a compelling story out of a specific topic by sifting through myriad known facts, assumptions and rumors. They rely on network defenders to get the facts straight and to help them find the right angle to make the story good without it turning into marketing.
Network defenders should assist in this regard as much as possible. The relationship does not have to be adversarial. We are on the same side in most cases. The reporters want to publish a good story – hopefully one that’s balanced and accurate. The network defenders want to make sure that journalists educate the general public correctly. Without our help, we lose the opportunity to help educate the masses. And that opportunity is greater than ever, with so many publications – even publications that traditionally do not cover technology topics in depth – running stories on cybersecurity.
I thought the Stanford Cyber Boot Camp series was a huge success. Even though I initially felt like I was walking into the lion’s den, with reporters lying in wait to eat me at the first opportunity, the experience turned out to be the complete opposite. Both sides walked away a bit smarter about how to deal with the other. I learned that journalists have a tough job to do even if they are really good at their craft. They mostly just want to publish a good story. I also learned that my relationship with journalists does not have to be adversarial. Network defenders can help reporters publish good stories, and at the same time, ensure that the public receives accurate stories to read about cybersecurity.