Understanding patterns of cyber conflict coverage in media

In February 2014, the cyber threat intelligence community was stirred by the discovery of ‘The Mask‘, a highly advanced hacking group thought to be backed by a national government. This group had been targeting a range of entities, including government agencies and energy companies. Kaspersky Lab, a Russian cyber security company, described their activity as the world’s most advanced APT (Advanced Persistent Threat) campaign. However, despite the sophistication of The Mask, which had been active since at least 2007, its media coverage was surprisingly limited, failing to make significant headlines.

Fast forward to 2018, when Kaspersky Lab reported on Olympic Destroyer, the cyber attack that disrupted the 2018 Olympics, paralyzing IT systems and causing widespread disruption. This incident garnered immediate and extensive media coverage, with over 2000 news stories published, showcasing a stark contrast in the media’s approach to reporting cyber operations.

These two cases highlight a critical and intriguing question: Why do some cyber operations receive extensive media attention while others do not? It is important because media reporting shapes how the public and policymakers perceive the cyber threat landscape. 

Yet, there has been a surprising lack of analytical research addressing why some cyber operations attract more media attention than others. Until now, our understanding has largely been shaped by anecdotal evidence rather than systematic analysis.

Our recently published academic article in the Journal of Peace Research begins to tackle this question by introducing a comprehensive collection of cyber operations reports derived from commercial threat intelligence providers, which are often the primary sources for journalists. Using multivariate regression, we identify the characteristics that correlate with the extent of media reporting on cyber operations. 

Four tests

First, we explored the intensity of effects produced by cyber operations. Historically, violent and shocking news stories have garnered more attention, encapsulated in the adage, ‘if it bleeds, it leads.’ We hypothesized that the more intense and threatening the effects of a cyber operation, the greater the media coverage it would receive. Our findings revealed that disruptive and destructive cyber operations generate more news stories than their espionage counterparts. However, while cyber effect operations receive more coverage than espionage, this result is not statistically significant.

Next, we examined the type of target involved in cyber operations. Previous assumptions paralleled the media coverage of cyber operations with terrorism, where attacks on more politically or symbolically significant targets garner more attention. However, our research indicates a different pattern. We found that operations targeting the military or financial sectors actually generate less media coverage.

The third aspect we considered is the perceived sophistication of cyber operations. The media often gravitate toward stories that are easily understandable and remarkable. In this context, we expected cyber operations employing zero-day exploits, an easily observable indicator of sophistication, to receive more coverage. Our research supports this expectation, showing a significant increase in media stories for cyber operations that use these advanced techniques.

Lastly, we investigated the origin of the threat. Previous studies in communications have highlighted a media tendency toward bias against those outside the audience’s primary demographic, often leading to an exaggerated portrayal of non-white individuals in terrorism-related news.

Extending this insight to the realm of cyber threats, we anticipated a similar pattern, with adversarial threats groups being overrepresented in media narratives. This presumption aligns with past research, which observed that operations attributed to Russia, China, Iran, and North Korea tend to receive more attention.

However, our research does not find a significant correlation between media coverage and cyber operations attributed to key adversaries of Western powers, such as Russia, China, Iran, and North Korea.

Double bias

Our findings reveal a ‘double bias’ in media reporting on cyber operations. This bias originates from the reporting practices of commercial threat intelligence firms, further skewed by media outlets’ preference for stories that resonate with their audiences. This layered selectivity results in a narrow and potentially distorted portrayal of cyber threats, influencing academic discourse and policy-making.

There is a fascinating trend to watch regarding the double bias. Traditionally, mostly Western cyber threat intelligence firms have publicly disclosed details on APTs. Kaspersky Lab, based in Russia, stands out as an exception. The company has also published on various Western covert cyber operations that haven’t been widely reported elsewhere. However, lately, Chinese cybersecurity companies have begun to publicly attribute cyber threat actors as well. If this trend continues, it will be intriguing to observe how the media reacts to these reports and how much they are taken as credible compared to reports from Western intelligence companies.