Cybersecurity investigative journalist Kim Zetter on breaking news on Substack and why she hates the “blitz approach to PR”

Editor’s note: This post is the latest in Security Outliers, a series of interviews with people who are tackling big security problems while questioning the status quo.

Kim Zetter is one of the most dogged journalists in the business and probably the most well-sourced for cybersecurity coverage. I remember meeting her at Def Con in 2000 when the event still felt like an underground party for security geeks, whose antics drew legal threats from software vendors and unwanted attention from the FBI. Over the years, we covered the cybersecurity landscape — the threats, the attackers and the ethical hackers — as it matured into the $200 billion industry it is today. Through it all, Kim was the one to watch, whether it was her ground-breaking coverage of election security, even years before election security was hot, her book “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon,” or her recent live chat with cybersecurity expert Alex Stamos and Chris Krebs, ex-director of the Cybersecurity and Infrastructure Security Agency (CISA).   

Earlier this year, Kim launched a Substack publication where she publishes her investigative pieces, in addition to freelancing for The New York Times, The Washington Post, Politico, The Intercept and other news outlets. She and I chatted recently about her work, the state of cybersecurity and her pet peeves about working with PR professionals. Here is an edited version of our conversation.

I’m curious to hear about your Substack called “Zero Day.” Can you talk about why you decided to move to Substack?

I kept getting encouraged by people who were doing things on their own that I should try it, especially during the pandemic when freelance budgets dried up. I was uncertain what the reception would be because people tend to roll their eyes at journalists doing substacks. But people have been extremely positive and there’s been tons of support from the very beginning. I launched it on a Friday and two days later my father died. I had planned to launch hard and publish once a week and build up from there. But that plan got derailed and I found it hard to focus on writing for a bit after that. So I didn’t publish as often as I wanted.

Each time I publish a new story I get a slew of new sign ups -- many of them in industry, government and academia -- but not all of them are paid subscriptions, which is normal for Substack. I've had a lot of boosts. Substack has featured Zero Day a couple of times on its Suggestions page and people in the infosec community have been promoting it on Twitter. So there’s been steady growth. Substack tracks the traffic on each piece, and the readership has consistently been four to five times the number of subscribers, which means the stories are getting widely shared. I put them on LinkedIn and that brings in readers too. I’m just really happy and grateful that people want to read it and support the work. I decided not to go with a traditional newsletter format, which are more like columns. I just write a single story each time I publish.

Your specialization in the past has been election security and nation-state hacking, especially impacting critical infrastructure. What are you focused on now?

A lot of the same stuff. Zero Day is focused on spies and surveillance and the cross between cybersecurity and national security. I keep those in mind when I pick stories to do for that publication. I’ve done a couple of election security articles but SolarWinds was the first topic I covered (on Substack). I've done Colonial Pipeline stuff, and surveillance as well. When there's urgent news, if I feel there's something missing in the coverage elsewhere, or I've spoken to a source and they provide new information that isn’t published somewhere else, then I cover it — not like a beat reporter, but one-offs. 

You work with a number of different outlets. How do you manage freelancing and posting on Substack? 

I haven't put as much energy into freelancing since the launch because I wanted to focus on Zero Day for a bit. I’m still freelancing though, and am always looking for good stories to write for other publications. Sometimes I’m able to publish a story in both Zero Day and another outlet. There was a story I was going to do after an explosion at a nuclear facility in Iran -- the same facility in Natanz that I had covered in my book about Stuxnet. I was going to do a Substack article on that, but then The Intercept contacted me and wanted that story. They let me publish it on Substack simultaneously. I promoted the Intercept version on my Twitter feed, but then also sent it out in Substack.

What do you think of this new model?

It's not going to replace traditional journalism but it gives journalists a new choice and they haven't had a choice in a long time. Media industry has gone through a lot of depressing changes over the years and the freedom of journalists to do in-depth stories has narrowed. It gets harder and harder. Journalist salaries aren't great to begin with, and then many newsrooms have had layoffs or shut down entirely. Substack gives journalists a parachute. A lot of journalists are doing good work on Substack and I think they feel relieved to have a little more control over their time. Depending on the news outlet, journalism can sometimes mean you’re working or on-call 24 hours, 7 days a week. Having your own publication gives you more control over when you write and what you focus on.

Substack gives journalists a parachute... Depending on the news outlet, journalism can sometimes mean you're working or on-call 24 hours, 7 days a week. Having your own publication gives you more control over when you write and what you focus on.

What are your thoughts on the state of cybersecurity? I know that’s a broad question, but given how long you’ve been covering the industry, what stands out for you about how things have evolved? 

My first job was at PC World as a features editor and I started doing security because one of my colleagues had just come back from Def Con shortly after I started and gave a presentation to staff and it was intriguing to me. That was 1999. I went to Wired News in 2003 (before it merged with Wired Magazine) and they didn’t have a staff security reporter, just freelancers, so I was hired to launch a daily beat on privacy and security. For a long time it's felt like nothing has changed; you write the same story over and over again, breaches keep happening for the same reasons, and they start to blend together. However, I’ve seen a real shift after the 2016 election. For example, election security efforts and more involvement from CISA changed the game with how elections are protected. There had been so much resistance from election officials toward security researchers who were finding vulnerabilities and (researchers) were shut out for such a long time. It took CISA tiptoeing their way into this to turn officials around and make them take election security more seriously. 

There’s also more security beat reporters today. When you and I were covering it i those early days, it was primarily relegated to tech publications, there wasn't such a thing as a cybersecurity beat at mainstream outlets. That changed in a lot of places after 2016. 

With regard to PR people, how do you like to work with them? 

I rarely get stories from PR people. Occasionally I'll get contacted about research a company is doing and I'm interested in that, but I don't like to write the same story 20 other journalists are writing. I don’t like embargoed stories. The blitz approach to publicity is just serving the company and doesn't serve the readers. From a journalist and reader perspective, you don't want 20 journalists publishing the same story. It’s not helpful or a good use of a reporter’s time. What I want from PR people are the unique stories and angles. 

I don’t like embargoed stories. The blitz approach to publicity is just serving the company and doesn't serve the readers. From a journalist and reader perspective, you don't want 20 journalists publishing the same story. It’s not helpful or a good use of a reporter’s time.

I also want them to understand what I cover. They think if you cover security you cover all of security, but I don't cover funding rounds and mergers -- that's business writing. I don't write about surveys or companies themselves, specifically. I write about issues and they might touch on a company, but I wouldn't specifically write about a company unless there’s something unique and outstanding about them. Where I’m helped the most by PR people, and there are a lot of good PR people out there, is getting answers to questions in a timely manner and to follow up questions. And I do value the “on background” and “off-the-record” discussions, within reason. I value the relationship where we can be informal with each other. Really good PR people understand the importance of relationships and not burning journalists. I’ve definitely been burned by PR people a few times, and I tend to not work with them again after that. The good ones know what I cover and cater the pitch to me specifically. And I tend not to like follow up emails after I get pitches -- especially when it’s for something I don't cover.

I do value the “on background” and “off-the-record” discussions, within reason. I value the relationship where we can be informal with each other. Really good PR people understand the importance of relationships and not burning journalists.

What do you see as the biggest threats from cyberattacks? What worries you the most?

I do think ransomware, obviously, is one of the biggest threats we're dealing with because it's effective, there doesn't seem to be an end to it, and the end game can be to shut down critical operations. People are just looking for a buck and going after the most vulnerable organizations, like hospitals and critical infrastructure, and there's potential for collateral damage, like what happened with NotPetya and Wannacry. Their aim wasn’t to go global and take down shipping and other industries around the world, but that was the effect of it because they used a worm to spread. 

How were Black Hat and Def Con for you this year? Did you attend any talks? 

I didn't go. I've done it for so many years and for so many years my summer was ruined as a result because I could never take a vacation in July or August. There’s the runup to the conference, doing interviews and writing advance stories about research being released at the show. Then there’s all the meetings with sources and attending talks, and I decided I would pass this year. I still watched talks and read coverage but didn’t do interviews or write any stories about it. 

One last question... I know you’ve tweeted reservations about “Ted Lasso.” Have you changed your mind?

[Laughs] I got a bit of blowback for that, but a lot of people also agreed. I haven't watched any more episodes besides the first three. People say it's not a great show, but it’s optimistic and positive. It’s just not pulling me in. It's a sweet show but I want more than that. Schitt’s Creek was sweet but it was also really funny and had brilliant writing and acting.