Illustration of a character with a mouse clicker icon pointing to its foot

It’s sensitive

When Megan Jordan travels overseas, packing for her digital life can be tricky. She leaves her personal cellphone and computer at home, and carries only work devices stripped of sensitive data. And when she visits a hotel’s gym, she steers clear of anyone working out nearby because they could potentially download her data.

As the chief communication officer and senior vice president of global corporate affairs for ChromaDex, she remains vigilant in her cyber practices to help ensure the nutraceutical company’s brand and intellectual property aren’t compromised.

“If we can’t protect that research, it will stymie innovation,” said Jordan, who earned her bachelor’s in public relations in 1992. “So, I’ve become increasingly more passionate about our role as communications professionals in ensuring the controls that are there.”

Even with worldwide information security spending expected to exceed $124 billion by the end of 2019, the fact remains that digital security starts and ends with individual users like Jordan. Hackers most often target employees’ unsecured devices to create a portal into an organization’s network and ultimately the sensitive data that resides there.

The impacts of these hacks can not only be operationally debilitating, but also intensely personal. One landmark example, the 2014 cyberattack on Sony Pictures seeking to derail the release of its then-upcoming film The Interview, proved that exposing employees’ confidential files and emails can be just as destructive as deploying malware to destroy data. In another infamous case, Chinese hackers infiltrated The New York Times in response to their investigation into China’s prime minister Wen Jiabao, accessing the email accounts of reporters covering the probe and compromising information about their sources.

In a world rife with cyber threats that can jeopardize everything from a company’s brand to press freedoms and elections, USC Annenberg faculty and alumni are pioneering new ways to advance digital security awareness and leading-edge training that will empower individuals across the communication and media landscapes.

Protecting sources, clients, brands and yourself

Marc Ambinder, who was appointed expert-in-residence in digital security at USC Annenberg this Fall, is helping to spearhead these efforts. He sees secure communication as both a professional obligation and a necessity for anyone in the business of content creation, curation or marketing.

“Your documents, contracts, emails, notes, audio files, photos, videos, scripts, layouts, storyboards, and intellectual property are inherently vulnerable to attacks from competitors, from triggered audiences, from governments, from malicious hackers and nation-states,” he said.

While communications professionals pay attention to the presentation and to their audience, however, Ambinder points out that an acute need persists for a more active approach through practical, dynamic training about the production of information and its security.

As a national security journalist himself, Ambinder has done reporting on extremely sensitive topics including CIA contingency programs, Pakistan’s nuclear weapons program, and the Joint Special Operations Command. He has been teaching investigative journalism at USC Annenberg since 2017 and just created the school’s first course on national security reporting.

Now, he wants to leverage his expertise to create comprehensive, scalable and useful modules to train communication professionals of all types.

Ambinder has teamed up with the Freedom of the Press Foundation to launch a two-year, multi-part project that will comprehensively study what is preventing colleges and universities from offering critical digital security courses to students, and subsequently develop a semester-long curriculum that can be implemented to solve this problem.

“The next generation needs to be equipped with security knowledge, so they can properly learn the many nuances of digital security, and so they can evangelize best practices,” he said. “It’s our belief that teaching digital security at institutions like USC is the only way to properly scale the skill set.”

The idea ultimately is to do a risk assessment for protecting information, Ambinder said. That means first, students have to be aware of the threats that may exist: Who would want access to their information? The second step is to mitigate those potential problems or those breaches of their intellectual property. “It’s not just about journalism,” he added. “It’s a problem for anyone, because you have valuable intellectual property you want to protect.”

The third step is to make choices. It’s not feasible to employ every digital security tool in every situation; for example, a VPN (virtual private network) is useful but it also slows things down. Students have to be aware of the tradeoffs inherent in security decisions.

Ambinder asserts that although there are scholars who study digital security, and there are courses that students can take, no curriculum yet has adopted this risk-analysis approach. He has already begun piloting these strategies through an hour-long training session with students in USC Annenberg’s Media Center this Fall. He hopes to develop a teaching template that other schools across the country could use.

Senior Annaliese Tusken, Annenberg Media’s assistant director, participated in the training and found it an eye-opening experience to consider how susceptible she is to data breaches with her own work.

“I myself, and I know many other students, likely didn’t realize how easily our information can be compromised,” she said. “Digital security is such a complex subject and cybersecurity breaches can start very small. As students preparing ourselves to enter the workforce, it is vital that we understand the tools we need — like a password manager and two-step authentication — to protect ourselves, our sources and any other important information.”

Digital security on an international scale

As the chief strategy officer at the United States Agency for Global Media (USAGM), Shawn Powers is helping to incubate and distribute the digital security tools that help advance training efforts like those at USC Annenberg.

His interest in the field began during his doctoral studies at USC Annenberg, where he focused on the intersection of public diplomacy, technology and national security. After graduating in 2009 and joining the faculty at Georgia State University, however, he decided to take a more hands-on approach and joined the U.S. Department of State to head up the Advisory Commission on Public Diplomacy.  

Since joining the USAGM in 2018, he has helped lead the independent federal agency in overseeing all U.S. international broadcasting as well as five publicly funded news networks around the world, including Voice of America.

More specifically, he is concentrating on markets where freedom of the press doesn’t exist because economic conditions aren’t robust enough to sustain it. Among Powers’ primary tasks is promoting internet freedom and developing secure communications between journalists and their sources. One way to do that is to give journalists a way to talk with sources through encryption. A grant from his office made it possible to create the encryption protocols that back up Signal, a secure messaging app.

“Digital security is absolutely essential for journalists to remain effective and safe in the kinds of markets that we’re in, like Russia, China and Cuba,” he said. “But the technologies we’ve developed aren’t just for journalists, we’ve made them open and available for consumers around the world.”

He is also exploring the possible threats and opportunities inherent at the nexus of technology and media, including low-Earth-orbiting satellites owned and operated by the private sector, and 5G, which can provide a platform for distributing high-bandwidth content at low cost. Even podcasting, which is just beginning to catch on in developing markets, he said, could also open up new avenues because companies such as Spotify aren’t yet on governments’ radars to censor.

“I think digital literacy is crucial,” Powers said. “I’m not saying everyone needs to learn to code, but I do think that everyone needs to understand how technology works. Focusing on understanding how to protect your privacy and protect your rights is essential.”

Securing our elections

The USC Annenberg Center on Communication Leadership and Policy (CCLP) also recognizes that digital literacy coupled with security will be at the forefront as the 2020 election approaches. Experts anticipate that the United States will once again be the target of foreign and domestic cyberattacks that could compromise the country’s infrastructure, local and state governments, and news and information.

Seeking to empower elections officials nationwide to reinforce their defenses against digital attacks that may affect the integrity and outcome of elections, CCLP has launched a new program that will provide in-state training sessions in all 50 states.

CCLP’s effort began this summer with initial support from the Democracy Fund and collaboration with the National Governors Association to conduct workshops in six states.

“Each state had a unique focus,” said Adam Clayton Powell III, director of CCLP’s Washington, D.C., programs. “For example, in Minnesota, we explored the legislative and regulatory approaches that can be brought to bear on misinformation, disinformation and misrepresentation, including deepfake videos.”

Now, with additional grant support from Google, CCLP is expanding the program across the entire country, leveraging faculty expertise from six of USC’S schools to create and deploy leading-edge, bipartisan election-security curricula.

“Our goal is to help states be better prepared for foreseeable threats — regardless of source, origin, party or candidate targeted,” said University Professor Geoffrey Cowan, the project’s principal investigator.

Powell, the project’s managing director, will spearhead the curricula development by convening a series of working sessions in Washington, D.C., and Los Angeles, drawing on faculty experts from across the university, including some who have run presidential campaigns for candidates from both parties.

“We are creating an initiative that will demonstrate the important role that academic institutions may play in helping to protect the integrity of our elections,” Powell said. “Google’s generous support to develop and sustain this multi-disciplinary project is vital.”

Starting in January 2020, the project will launch in-state programming consisting of a day-long series of briefings and exercises. While the curricula will be designed for state and local election officials, campaign officials of all parties, academics, nongovernmental organizations, journalists and students, programming will be open to the public and media to ensure maximum transparency.

“For decades, USC Annenberg has been a leader in the field of communication technology,” Cowan said. “With this initiative, the school is continuing to demonstrate its commitment to a bright, diverse and democratic future.”

Data security myths with Marc Ambinder

1) Myth: I’m not in danger of being the victim of a digital attack.

Reality: You’ve already been the victim of a digital attack. You might think that a hack of passwords and emails is different from a cyberattack, but you’re not thinking like the bad folks think. Most people use the same passwords for many applications, and it’s relatively easy to purchase these stolen data sets off the dark web.

Solution: The solution is easy: Use two-factor authentication for every site and app that offers it and use a good password manager.

2) Myth: As long as I use an encrypted chat app, my sources are safe from exposure.

Reality: Any app that uses end-point encryption adds a layer of protection, and it should be the default method of communicating with sources or sensitive clients. It’s important to remember, though, these apps don’t protect the metadata; the “to” and “from” and “time” information, which, for a reporter, might reveal sensitive information.

Solution: Bottom line, encrypted apps are a starting point for security, but they must be used properly.

3) Myth: I can travel abroad with my own phone and laptop and not have to worry about my digital security.

Reality: This is a scary blind spot for many people, especially communicators. Even if you’re a junior-level employee at a firm that does big business, a growing number of countries will know before you present your passport to their customs and border officials that you are affiliated with that company.

Solution: If you must bring your own phone, wipe it clean (two times over) before leaving and re-install the bare minimum of apps directly — not from a cloud backup — and never plug your phone into a public charger. When you return home, wipe it clean again, and then restore it from the cloud. Invest in a cheap laptop for work travel.

This story was co-written by Emily Cavalcanti and Katharine Gammon.