CyberScoop’s Greg Otto on the evolution of cyber journalism, the importance of accountability, and his favorite story to date

2024 CyberScoop’s Greg Otto R3

By Bianca Gorospe  |   Posted on October 24, 2024

Share

If you’ve been paying attention to cyber news over the past decade, chances are you’ve read a piece written (or edited) by Greg Otto. Greg recently returned to CyberScoop as editor in chief and oversees all of the publication’s content. He and his team cover cybersecurity regulation, emerging vulnerabilities, and public sector threats. 

I recently sat down with Greg to chat about how cyber journalism has changed, what trends he and his team are interested in covering, and one of his favorite stories that he’s worked on during his career so far. 

Earlier this year, you returned to CyberScoop as EIC. How do you think the cyber journalism landscape has changed since you previously left in 2020?

Information is not taken at face value anymore –  whether it’s from companies, researchers, or I think writ large. The block of reporters that are covering cybersecurity are starting to ask the pertinent questions that really bring the context needed to how all of this sort of works together, whether that is from a government standpoint, a critical infrastructure standpoint, a criminal standpoint, an economic one, or how it fits into a corporation or organizational standpoint. 

From a technical standpoint too, I think that there’s been a maturation. I would say that really the coverage is starting to reflect truly what the industry is for better or for worse. That’s a good thing because as journalists, that’s all we’re really trying to do, which is to give everybody a look and a vision of what is happening, truthfully, honestly, and letting the audience decide how they want to use that information to enrich their lives moving forward.

Before you came back to CyberScoop, were there any internal goals that you set about how you’d like to do things differently this time around? 

One thing I’m trying to do is to hold people accountable. There’s a lot dedicated to the technology and the actions that happened before breaches, but then when things go bad, everybody just sort of goes, “Oh well, let’s clean that up and on we go.” And I didn’t really get a sense that anybody was learning anything from it. I’m starting to see that change a little bit, and I want to be able to help that change to say, “Well, okay, if the breaches still are happening and ransomware keeps ticking up, what are we doing wrong?” 

I mean that collectively, and it’s not necessarily just a people thing. There are some fundamental things that need to change, and I don’t think that enough is being done right now. Things are changing, it’s getting better, and I hope to better that conversation, but I still think there’s a lot of room for improvement in that regard. 

 I want to be useful to practitioners because, look, this stuff is hard and every IT system inside an organization is different. Not everybody is the federal government. Not everybody is a Fortune 500 company. There are a lot of small and medium businesses out there. They need cybersecurity too – they’re the ones that are dealing with ransomware as well. 

What trends are you/your team laser-focused on covering right now? 

I would say election security is a big one, but obviously the window on that will be closing within the next month, six weeks to eight weeks. AI security is a big thing, especially with the generative AI boom. We’re sort of looking at how cybercriminals are using AI, but also how AI companies are guarding their own infrastructure and their own models because the models are the basis of what we’re seeing with the growth of generative AI. And if some malicious actor were to be able to manipulate those models, that could be potentially more damaging than getting inside an infrastructure. 

Cybercrime in general, really the ransomware side of things – obviously I’m really interested in just the cybercrime underground and how it has really fragmented the sort of cyclical nature. We see a group cause havoc, law enforcement goes out, shuts them down, and steals their infrastructure. The group then scatters and then they spend three, four months retooling and they slap a different name on their ransomware and they’re back to it. That’s something that’s very, very interesting to me. Sort of how they communicate the underground forums and the private telegram channels, and the community building that goes on there, for lack of a better term. I mean the term community building gets thrown around as something that is generally positive and well, cyber criminals, it’s community gathering. Unfortunately, it’s for terrible purposes, but it’s still community gathering, so it’s interesting to cover that. And then I would say particularly we cover the nation-state stuff. We do have to cover that.

What is the most challenging part of your job? 

I would say the biggest challenge is that a lot of what we are covering gets deeply, deeply technical right off the bat. I don’t have a technical background. I have a journalism degree, so I understand how all of this works conceptually, but it takes years to get to a point where you have the ability to look at whether it’s technical malware reports or encryption stuff or even just the underlying technology in AI models, anything here, people go to school to get IT degrees. This stuff is complicated. So when you are thrown into covering this, it gets very specialized. And then there’s this other little specialization where you start to talk about industrial control systems and that where it’s like, okay, the cybersecurity part of it is difficult enough, but then you need to understand how technology is intertwined in electricity, in water plants, in cars, in railroads, you name it.

This stuff is so incredibly specialized that it’s incredibly difficult to be able to find the time to learn how to write about it the same way that the audience cares about it, but also keep up with just the breakneck pace of journalism. It took me years to understand a lot of this stuff and I’m still learning, and I think that that’s a good way to go about it. Understanding that you’re not going to understand all of the technical stuff right off the bat and making an earnest effort to get to a point where you’re not going to have a computer science degree, especially with some of the sources that we talk to. I’m talking to people at the NSA who are on the cutting edge of cybersecurity and technology overall. I’m never going to get to that level, but knowing enough to be dangerous enough to write about it where it’s, I know how to put this in layman’s terms.

Of all the stories you’ve written (or edited), which one is your favorite? Why? 

At CyberScoop, we cover cybercrime. The DOJ is always putting out, “We’ve indicted, we’ve arrested, we’ve extradited somebody…” and a lot of them are young men from Eastern European backgrounds. Their defense lawyer was always the same guy – this guy, Arcade Burke. And after a while, I finally turned to one of my reporters. I was like, “Why is this guy the Better Call Saul of cybercriminals? What’s happening here? I want a feature on him.” And it goes back to the personalities in the greater context of what’s going on in the cybersecurity community. 

While we all get bogged down in technical stuff, there are still people at the end of the keyboards or there are still people that are, what I call cyber-adjacent where they’re taking traditional skills, whether it’s lawyers, accountants, public relations, whatever. And they’re in this industry, so they’re adjacent. And it’s always been interesting to me to be like, “How did you end up here? What’s your deal?” Basically, we ended up doing a very, very big profile on him that was very, very interesting.

This took years because I wanted it to be a WIRED feature, basically. I was like, “Look, I know we’re a small publication that normally is federal government trade. Pretend you’re writing for Wired or New Yorker.” It turned out fantastic. I mean, it took, I want to say two years to put together because of our small team and the treatment that we wanted to give it. The pandemic slowed it down, he’s in court so he can’t always sit down with us, and he’s got clients to represent. It turned out fantastic. Stylistically and content-wise, it stood out.