The European Broadcasting Union reported that most broadcasters have failed to take appropriate measures to mitigate the risk of cyber-attacks, even though broadcasters have been increasingly barraged by cyber-attacks in recent times (Fachot, 2019). Mass media companies have often been targeted by states, non-state actors and organized crime because attacks offer wider visibility and are likely to attract even more threat actors (Poznansky & Perkoski, 2018). Mass media companies not only distribute but also produce content that caters to a diverse audience. What puts them even more at risk is that their infrastructure cannot be hidden from the outside world, because broadcasting work, from the gathering of data and information to editing and distribution, must be shared broadly between affiliates and global collaborators.
In 2020, Raywood reported that the media industry had suffered up to 17 billion credential stuffing attacks over the course of 2 years, among other cyber-attacks. Another study reported that of the 88 billion cyber-attacks recorded between January 2018 and December 2019, 20% were aimed at media companies (Zurkus, 2018). Even more worryingly, the media industry recorded a 630% and 208% year-over-year increase in cyber-attacks against broadcast television and video streaming platforms respectively. Reports also reveal a 7000% increase in attacks targeting published content (Zurkus, 2018). Interestingly, this spans media such as newspapers, books, and magazines.
A Case in Point
The most recent cyber-attack targeting a media company in Kenya was the attack on Citizen TV’s YouTube channel in late March 2022. The attackers changed the channel’s name to Ethereum (US) momentarily before the station’s efforts to restore normalcy bore fruit (Baraza, 2022). Prior to being detected, the attackers had used the platform to propagate information regarding the Ethereum cryptocurrency, which is an open source blockchain that integrates smart contract functionality (Baraza, 2022). While the giant media company was able to restore the account, some videos still bore the name Ethereum as the publisher of the material.
Such an attack on a media company caused some serious disruption of services. The company was not able to air the usual content that viewers have grown to love. One would also assume that such an attack smeared the reputation of the company, thereby raising trust issues about the credibility of the media company. Even more importantly, the company may have had data belonging to clients and affiliate news providers in the wider Royal Media Services group exposed. Such an attack exposes the media company to lawsuits, as it undermines its duty to protect user data as required of data controllers by the Data Protection Act of Kenya 2019. In addition, the attackers leveraged the large viewership base of Citizen TV to spread their message, leading to a nationwide case of misinformation.
This is just one of the reported cases of media companies under siege by cyber threat actors. Many have gone unreported. So where is the disconnect? This report looks into some of the challenges and potential solutions to the cyber threats faced by media companies.
Challenges facing the Media Company
Multiplicity of Systems
Media companies face the tough task of managing a multiplicity of systems. Broadcasters offer their services through many interconnected platforms (Fachot, 2019). Unfortunately, this offers a wider attack surface while also making it difficult to conduct penetration tests to identify the compromised systems (Carmony, 2020). Attackers can often pivot from one system to another, provided they manage to gain initial access. In addition, media companies have very little in terms of Industrial Automation and Control Systems (IACS) meant to handle cybersecurity issues. This is a major headache, especially for media companies that already have insufficient technical and logical controls against cyber-attacks.
Equipment and Personnel
Media companies in Kenya rely on connected media devices that have been found to offer a very minimal security threshold. In most cases, these solutions are off-the-shelf and not tailored to meet the security needs of the media companies. Taking the hacking case of Citizen TV as an example, the attack occurred on a third-party platform (YouTube), where they might have very little control over the security. In addition, in the case that involved the hacking of Al Jazeera personnel, it was found that their mobile devices provided the gateways for the attackers to gain information that could have compromised the media company as a whole (BBC, 2020).
Just like other industries, media companies also face the human-threat vulnerability. Research has it that the most effective attacks often use social engineering to manipulate people and trick them into divulging crucial information that can be used to compromise the company (Salahdine & Kaabouch, 2019). For the media industry, it might not even be that mundane. There are journalists and independent authors affiliated with the company, over whom the media companies might have very little control. These individuals might be politically influenced, APTs sponsored by rival states, or just malicious people seeking to influence public opinion or cause a state of distrust. So certainly, media companies face a much more serious threat from the human factor.
Password Sharing and Recycling
Password sharing and recycling have been reported as the most prevalent factors that contribute to credential stuffing attacks. This is especially common on video sites, where media companies often post their content for maximum reach. Guirakhoo reported that password sharing and recycling offer threat actors an easy attack vector, especially on streaming platforms. Further, attackers can register on these platforms easily and cheaply and leverage credential stuffing tools that target the reuse of passwords. This technique is regarded as a go-to for cybercriminals because media platforms don’t offer sufficient security controls such as two-factor authentication, and where such controls are in place, users fail to take advantage of them. Additionally, research revealed that some media platforms use the same credentials on other platforms that they manage. This was found to be true of the giant media company Amazon Prime Video, which used the same credentials for Amazon Prime. This implies that an attacker who manages to gain access to the first account can more easily pivot into the other account.
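The pattern described above can be spotted in login telemetry: one source tries many different accounts, almost all attempts fail, and the few that succeed are the accounts with reused passwords. The following is an added example, not taken from any of the cited reports; the event format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (source IP, username, outcome); not real data.
SAMPLE_EVENTS = [
    ("203.0.113.7", "amina", "fail"),
    ("203.0.113.7", "brian", "fail"),
    ("203.0.113.7", "otieno", "ok"),       # reused password: the one hit
    ("203.0.113.7", "chebet", "fail"),
    ("203.0.113.7", "david", "fail"),
    ("203.0.113.7", "esther", "fail"),
    ("198.51.100.20", "wanjiru", "fail"),  # ordinary user mistyping
    ("198.51.100.20", "wanjiru", "fail"),
    ("198.51.100.20", "wanjiru", "ok"),
    ("192.0.2.50", "newsdesk", "fail"),    # repeated guesses at one account:
    ("192.0.2.50", "newsdesk", "fail"),    # a different pattern, not flagged here
    ("192.0.2.50", "newsdesk", "fail"),
]


def detect_stuffing(events, min_accounts=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts with a high failure rate.

    Returns {ip: {"accounts_tried", "fail_ratio", "accounts_to_reset"}}.
    Thresholds are illustrative assumptions, to be tuned on real traffic.
    """
    tried = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    successes = defaultdict(list)
    for ip, user, outcome in events:
        tried[ip].add(user)
        attempts[ip] += 1
        if outcome == "fail":
            failures[ip] += 1
        elif user not in successes[ip]:
            successes[ip].append(user)

    report = {}
    for ip, users in tried.items():
        ratio = failures[ip] / attempts[ip]
        if len(users) >= min_accounts and ratio >= min_fail_ratio:
            report[ip] = {
                "accounts_tried": len(users),
                "fail_ratio": round(ratio, 2),
                # Logins that succeeded from a flagged source are the
                # accounts most likely taken over through a reused password.
                "accounts_to_reset": list(successes[ip]),
            }
    return report


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```

The `accounts_to_reset` list is the actionable output: those accounts get a forced password reset and a prompt to enrol in two-factor authentication.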
Distributed Denial-of-Service (DDoS) Attacks
These are malicious attempts to disrupt the normal traffic of a targeted network, server or service by flooding it with internet traffic, leveraging several compromised computer systems known as zombies or botnets (Cloudflare, n.d.). By the nature of their trade, mass media companies cannot afford to suffer DDoS attacks, which interestingly are one of their biggest headaches. Such attacks are often propagated by competitors and state actors with different motivations.
Mass media companies are particularly prone to fake news, or the vulnerability of truth as a report from Serianu (2017) calls it. This is to be expected owing to the nature of their trade, and is all the more critical because of it. The report asserts that 2017 saw a serious surge in fake news regarding rogue politicians, disinformation, misinformation, and outrageous claims on the leading mass media platforms. Some of the content distributed through these channels included videos of post-election violence and news on politicians who defected from their respective political parties. The attackers seek to exploit the fact that the public have little knowledge or are not well poised to discern true information from false information in the news they watch daily.
The issue of fake news is even more deep-cutting as research reveals. People have sought to weaponize it by weaving riveting agendas, manipulating emotions, influencing public opinion, and making money from an unsuspecting reader (Serianu, 2017).
Broadcast companies in Kenya need to borrow a leaf from other media companies with global reach with regard to cybersecurity mitigation measures. In recent times, the broadcast industry has been edging towards cloud services to streamline workflows, improve editing and storage capacity, gain cyber resilience through backups, and support business continuity (Fachot, 2019).
Looking to the Standards and Regulations
Media companies could make use of the standards that focus on solutions for protection against a broad range of vulnerabilities. The ISO/IEC 27000 family in particular offers best practices for IT service management. More specifically, the ISO/IEC JTC 1 section 27 outlines the IT security techniques to be followed by businesses such as media companies. In addition, the IEC 62443 series established by the IEC TC 65 deals with industrial process measurement, control and automation and investigates vulnerabilities relating to Industrial Automation and Control Systems (IACS). These two standards have been tried and tested to offer the best guidelines for the broadcasting sector, as reported by the US National Association of Broadcasters guide to broadcast cyber security.
Collaboration is quickly becoming an attractive approach that also allows service providers to respond to the evolving threat environment more effectively by sharing intelligence on common signatures. These standards also recommend a design and architecture that draws well-defined boundaries between production networks and general office networks. Coupled with cyber security layers, access controls within media companies can go a long way in mitigating insider threats.
The actions to mitigate have broadly revolved around pursuing certification under these security standards in order to implement best practice with regard to securing mass media infrastructure.
On a local level, the Computer Misuse and Cybercrimes Act 2018 offers overarching guidelines that can be leveraged by media companies to protect themselves from cyber-attacks. Article 13 of the Act emphasizes audits and reporting on the state of critical infrastructure within organizations. Article 21 also provides for controls against cyber espionage, which has been a major problem for media companies around the globe. This section can be invoked to bind third-party authors or employees of the media companies to maintain strict control over intellectual property or works they undertake in the mass media companies. Regarding disinformation, Articles 22 and 23 outline the offenses regarding the spreading of fake news, which as seen earlier is a major problem for mass media companies. Such laws help prevent mass media channels from being used to incite public unrest or to deliberately manipulate public opinion with malicious intent.
As seen in the earlier section, laws are indeed in place that can be used by local mass media companies. However, the buck stops with the governance structure of the media companies. Do the internal laws align with the national laws on cybersecurity? Top governance needs to budget for cybersecurity equipment to protect the critical infrastructure. In addition, they need people with adequate skills to manage these physical and logical controls. Regular training to improve staff capacity and minimize the potential for insider threats is also a task to be undertaken by top management (Punchihewa, 2017). It is worth noting that training and increasing the number of technical personnel alone might not be enough. It is proposed that there is a need to turn to technology at some point, such as the use of encryption and sandboxing to protect data from intrusions and total loss (Punchihewa, 2017). Encryption ensures that even if attackers get access to information from the media company, they are not able to make sense of it. Sandboxing, on the other hand, is a good defense mechanism against attacks propagated through email. It offers an isolated environment where any suspicious files or mails received can be tested and monitored without being exposed to the core network (Punchihewa, 2017).
Content Protection Mechanisms
Content is the most valuable asset for mass media companies. Therefore, to ensure business continuity, these companies need to put in place digital rights management (DRM) measures. Globally, the IEC TC 100 offers standards on how companies can go about content protection (Fachot, 2019). These guidelines have to do with interoperability solutions to facilitate distribution of content according to the provisions of the Digital Living Network Alliance (DLNA). In addition, the IEC 62698 prescribes a standardized set of rules that offers insight into how multimedia content can be shared legally across various platforms such as Internet protocol TV, among other recent technologies.
An emerging technology, blockchain has demonstrated its capabilities as a tool to validate and protect multimedia content from piracy and tampering by unauthorized parties (Qureshi et al., 2020). Blockchain has made it possible to improve the traceability of information flowing through the mass media infrastructure by recording a signature for each information item resulting from a particular process, either compression or editing (Qureshi et al., 2020). With this capability, mass media companies will be able to detect faster if someone has tampered with their information. They can log each operation on the content as a transaction and register it on a blockchain that cannot be altered.
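The tamper-evidence idea above can be shown with a minimal hash chain, given here as an added example rather than code from the cited review. It is a single-writer ledger, not a distributed blockchain, and it uses a SHA-256 digest as the per-item "signature"; the asset name, operation names and function names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # back-link used by the first entry


def entry_hash(body):
    # Canonical JSON so identical fields always produce the same hash.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record(ledger, asset_id, operation, content):
    """Append one content operation (ingest, edit, compress, ...) to the ledger."""
    body = {
        "index": len(ledger),
        "asset": asset_id,
        "operation": operation,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "prev": ledger[-1]["hash"] if ledger else GENESIS,
    }
    entry = dict(body, hash=entry_hash(body))
    ledger.append(entry)
    return entry


def first_broken_entry(ledger):
    """Return the index of the first inconsistent entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry["index"] != i or entry["prev"] != prev
                or entry_hash(body) != entry["hash"]):
            return i
        prev = entry["hash"]
    return -1


def content_matches_latest(ledger, asset_id, content):
    """Check a file against the most recent digest recorded for the asset."""
    digest = hashlib.sha256(content).hexdigest()
    for entry in reversed(ledger):
        if entry["asset"] == asset_id:
            return entry["content_sha256"] == digest
    return False


def demo():
    ledger = []  # constructed sample content below, not real media
    record(ledger, "clip-001", "ingest", b"raw footage")
    record(ledger, "clip-001", "edit", b"edited footage")
    record(ledger, "clip-001", "compress", b"compressed footage")
    intact = first_broken_entry(ledger)
    # Someone rewrites history to claim different edited content.
    ledger[1]["content_sha256"] = hashlib.sha256(b"swapped footage").hexdigest()
    return intact, first_broken_entry(ledger)


if __name__ == "__main__":
    print(demo())
```

A chain kept in one place can still be rewritten end to end by whoever controls it, so the latest entry hash has to be published somewhere the writer cannot alter, which is the role the blockchain plays in the text above.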
Media companies are increasingly being targeted by threat actors who are ever on the prowl for effective ways of defeating security measures and controls. The main challenges have been theft of intellectual property, damage to organizational reputation, loss of commercially sensitive information, and distributed denial-of-service (DDoS) attacks. These result from vulnerabilities such as multiplicity of content, fake news, password sharing across platforms, loopholes in equipment and personnel, and ineffective governance.
Mass media organizations need to educate employees and affiliates on maintaining good credential hygiene. Businesses need to deploy more robust authentication techniques and find the right blend of technology, policies, and technical know-how to help protect their clients from cyber risks while also maintaining a good user experience. These may include blockchain technology, encryption systems and content protection mechanisms. They must also put in place internal laws informed by international standards such as the ISO 27000 family and local laws such as the Computer Misuse and Cybercrimes Act of 2018. Ultimately, all these efforts need to be coordinated from the top-level management of these companies. This could be in terms of support, budgeting, implementation, enforcement, and audits.
Baraza, L. (2022). Citizen TV YouTube account hacked, name changed. https://metropoltv.co.ke/2022/03/29/citizen-tv-youtube-account-hacked-name-changed/
BBC. (2020). Al Jazeera journalists ‘hacked via NSO Group spyware’. https://www.bbc.com/news/technology-55396843
Carmony, M. (2020). Analyzing Cybersecurity Risks Within Critical Infrastructures: Threats and Challenges in the Oil and Gas Industry (Doctoral dissertation, Utica College).
Cloudflare. (n.d.). What is a DDoS Attack? https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
Computer Misuse and Cybercrimes Act. (2018). http://kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/ComputerMisuseandCybercrimesActNo5of2018.pdf
Fachot, M. (2019). Cyber security - a priority for broadcasters and media companies. https://etech.iec.ch/issue/2019-01/cyber-security-a-priority-for-broadcasters-and-media-companies
International Electrotechnical Commission. (2018). Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements. (IEC 62443). https://webstore.iec.ch/preview/info_iec62443-4-1%7Bed1.0%7Den.pdf
International Organization for Standardization (2018). Information Security Management (ISO/DIS Standard No. 27001). https://www.iso.org/isoiec-27001-information-security.html
ISO/IEC 100. (ISO/DIS Standard No. 27001). https://www.iso.org/isoiec-27001-information-security.html
Poznansky, M., & Perkoski, E. (2018). Rethinking secrecy in cyberspace: The politics of voluntary attribution. Journal of Global Security Studies, 3(4), 402-416.
Punchihewa, A. (2017). Cyber Security for Broadcast Media Organizations and Professionals. https://www.researchgate.net/publication/315887041_Cyber_Security_for_Broadcast_Media_Organisations_and_Professionals
Qureshi, A., & Megías Jiménez, D. (2020). Blockchain-based multimedia content protection: review and open challenges. Applied Sciences, 11(1), 1.
Salahdine, F., & Kaabouch, N. (2019). Social engineering attacks: A survey. Future Internet, 11(4), 89.
Serianu. (2017). Kenya Cybersecurity Report 2017. Demystifying Africa’s Cyber Security Poverty Line. https://serianu.com/downloads/KenyaCyberSecurityReport2017.pdf
Zurkus, K. (2018). How Can Media Companies Be More Confident in Their Cybersecurity Strategy and Policy? https://securityintelligence.com/how-can-media-companies-be-more-confident-in-their-cybersecurity-strategy-and-policy/