Advertisement

SKIP ADVERTISEMENT

This Former Hacker Now Helps The Times Stay Safe Online

Runa Sandvik believes information security can fit into reporters’ lives seamlessly and conveniently.

Runa Sandvik, senior director of information security at The New York Times.Credit...Gabriella Angotti-Jones/The New York Times

Times Insider delivers behind-the-scenes insights into how news, features and opinion come together at The New York Times.

Runa Sandvik has slowly persuaded everyone in her life to download Signal, the encrypted messaging app often hailed as the gold standard for privacy: family, friends, co-workers — even Uber drivers.

She always personalizes her appeals: To her friends, she says, “It’s free!” To reporters, she points out that it will protect their sources. Whoever her subjects happen to be, Ms. Sandvik wants to help them fit information security into their lives without having to think about it.

“I have personally always said that my job is to help you do your job securely,” Ms. Sandvik said, “so that you don’t have to think about all of this stuff. It’s just done. It’s taken care of. It’s safe by default.”

Ms. Sandvik, on the other hand, is the senior director of information security for The New York Times. She spends a lot of time thinking about all of this stuff.

She has written about encryption tools and a dark web email service for Forbes. The URL of her personal website is encrypted.cc. She once threw a CryptoParty with Edward Snowden in Hawaii.

And today, she is known for spearheading security improvements at The Times, including two-factor authentication for reporters, which requires an additional verification method after entering a password; a confidential page for tips from sources; secure communication methods; protection for Times subscriber accounts; and more.

It all started in Norway, when Ms. Sandvik got her first computer at age 15. She became obsessed with the endless puzzles and challenges within: how the computer worked, how it didn’t work, and especially how to break its functions and make it do things it wasn’t supposed to do. The interest for me at that point, early on, was just to soak up as much info as I could, just learn how things work, learn how things fall apart,” she said. This led her to the hacker space.

It wasn’t until she started work for the Tor Project, a nonprofit digital privacy group that often trains journalists, that she changed the way she thought about what computers could do for people.

She recalled beginning to ask herself, “What are ways that I can take what I know about information security, and about hacking — the ways you would go after a reporter, for example — and use that to support and defend and empower the people, as opposed to just figuring out how to break stuff?”

Since coming to The Times in March 2016, she has continued to ask herself that question and to weave her background into the way the newsroom functions. “One of the first things I noticed about Runa when I started working with her was how much she cares for what she does and for the mission of The Times,” said Bill McKinley, her boss and the executive director of information security at The Times. When they meet with reporters for new projects, he said, “she lights up.”

And what she does is increasingly crucial.

Cyberattacks — and cyberattacks against journalists, specifically — are on the rise, Ms. Sandvik said.

“If you had asked me a year ago, I probably would’ve said no, the only difference is that we’re paying more attention now,” she said. “In the past year, that has certainly changed. I think that we are seeing not necessarily new types of attacks, but a type of persistence and an escalation that we haven’t seen before.”

Those attacks can include trolling, threats and harassment, as well as persistent and innovative phishing emails that can look as if they come from other colleagues within the newsroom or even friends outside of work. And once a hacker gets a journalist’s user names and passwords, “there’s nothing that you can do to get that data back,” she said.

A project Ms. Sandvik worked on that readers may recognize is The Times’s tips line, a page that allows people to send confidential tips to Times journalists. When the F.B.I. raided Michael D. Cohen’s office, for example, it was a tip to The Times’s investigations desk, via encrypted email, that allowed us to break the story first. More recently, a story emerged from a tip from Deloitte employees about their petition to management to stop working with the Immigration and Customs Enforcement agency.

The Times still gets more than 50 tips a day. “It’s changed how the newsroom works,” said Gabriel Dance, the deputy investigations editor. And even for less flashy projects, like tweaks in communication methods for journalists, Ms. Sandvik’s work doesn’t go unnoticed.

“She’s had to help us think really creatively about how to stay secure while also staying flexible to working in a newsroom,” he said. “It’s the coaching she gives to investigative reporters on how best to protect themselves and protect their sources.”

Around the newsroom, she’s also known for her stealthy fake phishing emails (modeled to appear to come from colleagues but, upon closer examination, actually sent from an external email address), often requesting employees’ information and aiming to see who falls for it. For the small number who open attachments or enter their user names and passwords, Ms. Sandvik and her team reach out to them for follow-up training.

Outside The Times, she is well regarded in the information security community, Mr. McKinley said. She frequently attends conferences, speaks at events and hosts CryptoParties, or events that aim to educate people about digital security in an accessible way (two weeks ago, she co-hosted a Times-sponsored CryptoParty). Her friends see her as a tough stalwart of a male-dominated industry.

“Sometimes men get the idea that they can bully this tiny Norwegian woman, and that they can push her around,” said Eva Galperin, a friend of Ms. Sandvik’s who also works in information security, as the director of cybersecurity for the Electronic Frontier Foundation. “And she will not move.”

The two often trade war stories and tips on instituting new security features in the workplace. One of her favorite stories about Ms. Sandvik took place during Def Con, a convention for hackers and security experts, when Ms. Sandvik and her husband presented their research on how to hack and disable a sniper rifle. “It was the very first time I had ever seen coverage of a man and a woman doing security research together, and the woman got all the credit and the man was a footnote,” Ms. Galperin laughed. “I can tell you, that almost never happens.”

As for Ms. Sandvik, she knows her industry is dominated by men, but she said it had never really gotten in her way.

“It’s kind of interesting that security is in her title,” Mr. Dance said, “because she is like a security blanket. She makes us feel more comfortable that no matter what file or source or situation we find ourselves in, we can go to Runa.”

Keep up with Times Insider stories on Twitter, via the Reader Center: @ReaderCenter.

Melina Delkic is a senior staff editor. More about Melina Delkic

A version of this article appears in print on  , Section A, Page 2 of the New York edition with the headline: Once a Hacker, Now a Security Buff. Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT