Hacker Runa Sandvik Went From Hijacking a Smart Rifle to Securing The NYT

There is a gap in newsrooms. On one side, journalists and editors go about their work, writing and publishing stories. On the other, a security team protects the company's networks and infrastructure. But today, there are more digital threats against journalists, their sources, and their employers than ever before. So the two sides need to meet in the middle in order to maintain the safety of all involved.

That's where Runa Sandvik at The New York Times, comes in.

"I end up being a bridge," Sandvik, who has the unique title of 'Director of Information Security for the Newsroom,' told Motherboard in a phone call.

Although Sandvik has been training journalists for years, this position at the Times was a whole new creation; she sits with reporters in the newsroom itself, able to assist with security issues.

"It's not a pure security role; it's not a pure support role, it's a jack-of-all trades type of role, because you end up wearing a whole load of hats," she said.

Indeed, Sandvik's own history has jumped between journalism, security, and development. As a child growing up in Norway she wanted to be a lawyer, but got her first computer when she was 15 years old.

"Things changed from there," Sandvik said. She would download anything and everything, opening files to see what would happen.

"I got it infected pretty frequently," she added. In 2009, she contributed to the Tor Project, the nonprofit behind the Tor anonymity network, before working for a penetration testing and code audit company, and joining the Tor Project full time.

Sandvik has produced her own security research too. In 2015, Sandvik and her husband hacked a so-called smart rifle, allowing them to change the weapon's target or remotely disable the gun.

Sandvik also worked as a journalist herself—she has written for Forbes—giving her a much better understanding of the unique demands of the newsroom.

"At the end of the day, you need to get the job done. You can't say my security tool failed, I couldn't deliver in time," she said.

The Times hired Sandvik just over a year ago, and since then the outlet has already undergone some significant changes.

Sandvik has helped the Times launch a new series of tip-lines, where potential sources can leak documents or information securely. The Times now has a public-facing Signal and WhatsApp number, as well as a SecureDrop instance.

At the moment, the Times is working on a system that will allow journalists to safely access that data in a more efficient fashion—the organization receives around 50 to 100 tips a day, Sandvik said.

"It's going to be an incredibly beneficial resource to the newsroom, we just need to get to a point where we're safely allowing reporters to actually work with that data," she added.

The Times now has two factor authentication across all of the company's Twitter accounts, and Sandvik has been advising journalists concerned about the recent restriction on traveling with laptops and other electronic devices from some countries to the US.

One of Sandvik's roles is to show journalists how cybersecurity applies to them. After the Snowden revelations, reporters may be a little overwhelmed with information.

"I call it the 'hook' when I train people," Sandvik said. "How can I frame the challenge for you, in a way that it will hit home for you. What is it that is going to make you care about this."

"I try to frame it as: I want to help you do this thing you're going to do, but securely."

Subscribe to pluspluspodcast, Motherboard's new show about the people and machines that are building our future.