As voters, as journalists, as citizens, and as writers, as participants alive in what was once considered a secure democracy, we are today living in the US through what Masha Gessen (following Bálint Magyar) calls an “autocratic attempt”.
Let those words sink in for a moment: an autocratic attempt … ”The build up to actually wielding autocratic power.”
When a political figure who has gained power tries to use that power to probe the possibilities for establishing an autocratic state, that’s an autocratic attempt. The other stages in the process are an “autocratic breakthrough” and an “autocratic consolidation”. I hope we never get to either point. But I cannot say with confidence that we will not. Neither can Masha Gessen. (Read their book, Surviving Autocracy.)
In my previous article I recommended that the big national newsrooms create threat modelling teams to help organise coverage of the Trump government and the 2020 elections. My concern was that US democracy was being put at risk. Traditional campaign coverage is not capable of addressing that kind of threat.
But how would this work in practice?
I consulted two people who have worked with threat modelling in other danger zones, and I asked them to help me imagine its possible uses in a newsroom setting.
One is Joshua Geltzer, currently a visiting professor of law at Georgetown University. From 2015 to 2017 he was senior director for counterterrorism on the National Security Council staff, where he participated in what are called “table top” exercises that try to imagine how threats would play out. (This is often called “threat ideation.”) As a “customer” working on counter-terrorism for the executive branch, he used the products of threat modelling teams based in the intelligence agencies and law enforcement. He has also written about Donald Trump’s attacks on the 2020 election.
My other informant is Alex Stamos, former chief security officer at Facebook, and chief information security officer at Yahoo, which he described as “the most senior person at a company who is solely tasked with defending the company’s systems, software and other technical assets from attack”. Incorporating what I learned from Geltzer and Stamos – and from an off-the-record briefing about election threats put on by the Aspen Institute, which I attended recently – here is how I see it working.
The recommendation: the big national news providers – ABC, CBS, NBC, CNN, NPR, PBS, AP, Reuters, The New York Times, The Washington Post – should have threat modelling teams, just as they all have pollsters. These teams would try to identify the most serious threats to a free and fair election and to US democracy over the next three months, so that their newsrooms can take appropriate action.
What is threat modelling and how does it work?
“Threat modelling is the effort to articulate dangers in ways that allow us to prepare to prevent, mitigate, or respond to them,” said Geltzer. “It’s a way of identifying and describing threats that helps us to address them.” Its purpose is to assess vulnerabilities and anticipate attacks in a more systematic fashion than just being worried about them.
Stamos put it this way. “Threat modelling” is a formal process by which a team maps out the potential adversaries to a system and the capabilities of those adversaries, maps the attack surfaces of the system and the potential vulnerabilities in those attack surfaces, and then matches those two sets together to build a model of likely vulnerabilities and attacks.
What does it take to do threat modelling well?
Geltzer told me: “You need to have a deep sense of what you’re trying to protect in the first place.” (I will come back to this point later; it is critical.) You also need expertise in the kinds of dangers that are likely to arise. For Trump as a threat to US democracy, this might mean consulting people who have devoted serious study to “how democracies die”.
For other kinds of threats newsrooms often have in-house expertise, in the form of beat reporters who know their terrain intimately, like NBC’s Brandy Zadrozny and Ben Collins, who have been tracking QAnon and other misinformation rabbit holes.
You need to be able to step into the shoes of your adversary, and think like they do. You need the right temperament, says Geltzer, “to take seriously dangers without inflating them (which can happen when you start thinking hard about them!) and also without underestimating them,” which cognitive bias and organisational pressures can make us do.
What kinds of things do threat modellers do?
They identify weaknesses or likely points of attack, what Stamos called “attack surfaces”. For each plausible threat they try to divide the assessment of how consequential it would be from how likely it is to happen, and then carefully combine those two to determine its overall urgency. As Geltzer said, they study how attacks can be prevented, how the damage can be mitigated if they do happen, and what kind of response is required if an attack succeeds.
Threat modelling also flows into exercises that help an organisation prepare for threats and understand them better. At Facebook, Stamos helped run “red team” exercises. “A red team is a team, either internal to the company or hired from external consultants, that pretends to be an adversary and acts out their behaviour with as much fidelity as is possible,” he said. “At Facebook, our red team ran large exercises against the company twice a year. These would be composed based upon studying a real adversary – say, the Ministry of State Security of the People’s Republic of China.”
What is the product – or deliverable – of good threat modelling, and what does it help you do?
One answer: it helps you deploy scarce resources. As Stamos said to me, his security team had only so many people. They could only take on so many projects. Threat modelling can tell you how to spend your budget. The parallel to the newsroom is clear: you only have so many reporters. There is a limited number of investigations you can do before the election. With Trump in power there is always a flood of news. How do you decide what’s urgent?
Another answer: done well, threat modelling – and what’s called threat ideation – makes your staff more alive to dangers that their routines or assumptions might have obscured. It’s an awareness tool.
Beyond raising awareness, what specific uses would threat modelling have in a newsroom setting?
In a previous article, I described a published product that could emerge: A Threat Urgency Index. It would summarise and rank the biggest dangers (to the election and to US democracy) by combining assessments of how consequential, how likely, and how immediate each threat is.
The index would have a web address. It would be updated when there is new information, sort of like Five Thirty Eight’s Election Forecast. You could also subscribe to the index as a newsletter. Right now, for example, the attempt to whip up fears about mail-in voting might rank highly on that list. Or the call – echoing from Trump’s Twitter feed – for armed militias to “protect” the vote count in a disputed election.
Another use might be to run exercises that raise newsroom awareness around the possible manipulation of the news system as we get closer to the election. “The obvious one is hacked documents,” said Stamos. “Worked great in 2016. Why change horses?”
What problem is threat modelling supposed to solve?
As Steve Bannon famously said, Trump’s method for neutralising the news media is to “flood the zone with shit”. There’s always too many things to pay attention to. Threat modelling could help with that by separating things that sound scary from things that really are scary – and could happen.
That’s one answer. Another comes from Kyle Pope, the editor of Columbia Journalism Review, who recently wrote:
"The American people are living on the edge of death and economic despair. Those are the stakes of the 2020 election, one whose integrity is in jeopardy thanks to the hypocrisies of Silicon Valley and the influence of foreign (and domestic) actors, on top of voter suppression – by online disinformation campaigns and simpler means (including manipulating the post office). The press must look past the campaign coverage that was and embrace its role as a safeguard of democracy."
To be a safeguard of democracy you cannot just react to what explodes into the news from now until 20 January. You have to zoom forward in imagination, glimpse danger, and then work your way back to decisions made today and tomorrow. Threat modelling helps you move about in time.
If threat modelling is defensive, what is it that journalists should be trying to defend?
To me this is one reason to do it. In order to deploy a threat modelling, or threat “ideation” team you have to know what you are trying to protect against. You have to own that responsibility. Which is a lot different from reporting whatever comes down the pike.
Earlier in the campaign, I wrote a post about this problem: You cannot keep from getting swept up in Trump’s agenda without a firm grasp on your own. But what should that agenda be? I think it has to be some kind of defence of US democracy and its central ritual: free and fair elections that engender trust in the outcome, and thereby make the peaceful transfer of power possible.
Earlier in the modern era, journalists covering election campaigns had been able to assume the existence of a stable system, and therefore focus on the contest itself. That doesn’t work for 2020. For it is by no means guaranteed that we will have a free and fair vote. Journalists have to plant their flag on the sacred ground of legitimate elections, and help defend it against all threats. Threat modelling can assist with that project. And that is my argument for its adoption by the big national news providers.