What makes this story about the Washington Post creating hysteria by claiming the Russians hacked a Vermont electric company so incredible is that the paper broke a cardinal rule of journalism in publishing it.
They didn’t get confirmation from the electric company that the story was true.
After the story broke on Friday, the Burlington Electric Company issued a statement:
“Last night, U.S. utilities were alerted by the Department of Homeland Security (DHS) of a malware code used in Grizzly Steppe, the name DHS has applied to a Russian campaign linked to recent hacks,” a spokesman for the Burlington Electric Department said. “We acted quickly to scan all computers in our system for the malware signature. We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems.”
The Vermont Public Service Commissioner Christopher Recchia told The Burlington Free Press, “The grid is not in danger.”
This is a far cry from the Post’s claim that Russians hacked the electric grid. In fact, it’s not even close.
The Post story was titled, “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, officials say.”
The story said, “A code associated with the Russian hacking operation dubbed Grizzly Steppe by the Obama administration has been detected within the system of a Vermont utility, according to U.S. officials.”
The Post published the story before being able to get comment from the two utility companies in Vermont. The Burlington Electric Department would end up putting out a statement showing the premise of The Washington Post story as being untrue.
For all the coverage the Post has given the “Fake News” issue, it’s ironic that they, themselves, would be guilty of it.
Politico cybersecurity reporter Eric Geller said about the Post story, “Pretty amazing how badly the Post appears to have mangled this one. You didn’t call the Vermont utility regulator before publishing?”
The Post has since updated the story. The headline changed to “Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say.” The updated story said the “code entered the Vermont utility’s computers,” but the utility spokesman’s statement stated the code was found on one laptop.
Note that they didn’t even get the correction right.
To make such a fundamental mistake like not confirming the story with the primary source—a mistake that a high school reporter wouldn’t make—is inexcusable and should result in the reporters, Juliet Eilperin and Adam Entous, being fired. They embarrassed their employer and damaged what little reputation for accuracy they had left.
What the Post decides to do with them will tell us a lot about how committed the paper is to quality journalism.