This is the third part in a four-part series about journalism and cybersecurity. See part one, part two and part four.
If you’re a small, independent news publisher, the idea that the biggest internet company in the world is ready to step in and protect you from Distributed Denial of Service (DDoS) attacks – for free – may seem like an impossible dream.
But the team at Project Shield wants you to wake up — and sign up — before that dream turns into a nightmare when you’re attacked.
Project Shield is a free service created by Jigsaw, a company within Alphabet, Google's parent company. Jigsaw serves as “an incubator that uses tech to address global security challenges in defense of free expression,” said Dan Keyserling, head of communication for Jigsaw.
“The mission of Google is to organize the world’s information,” said Keyserling. “Jigsaw shares those values and part of making that information accessible is making sure news stays online and someone can’t take down a news site for a few dollars.”
“All around the world, digital attacks are a crude form of censorship,” Keyserling said, adding that attacks range from “frighteningly coordinated attacks at the high end” to “nuisance-level attacks, which can cost as little as US$5 at the low end.”
The biggest advantage of choosing Project Shield to protect your site is that it’s hard to imagine a DDoS attack that could overwhelm Google’s massive infrastructure – and it’s free.
If you think of DDoS protection like a bouncer that keeps unruly thugs out of your night club, then using Project Shield is like having an army of soldiers outfitted with tanks, cannons and weapon-sniffing attack dogs to keep the peace for you.
Let us repeat that one more time: you can get Google’s internet backbone to protect your website for free. (Note: you must apply for this service and meet their requirements to qualify.)
To sign up for Project Shield, you’ll need to fill out an application and go through their verification process. With few exceptions, if you run a news site you’re likely to be approved within 24 to 48 hours.
“Project Shield is free to news organizations, NGOs, human rights organizations and groups that do election monitoring,” said Justine Rivero, a program manager at Jigsaw who works on the Project Shield team.
Project Shield leverages Google’s massive infrastructure to thwart attacks, and the team at Jigsaw has developed sophisticated data-identification tools to filter out the botnets used to launch DDoS attacks while still letting your legitimate news audience into your site.
Setting up Project Shield is a relatively simple process that involves changing the DNS on your domain so that all the traffic to your website goes through Google’s system before it gets to your front page. (You’ll find detailed instructions for how to apply and set up Project Shield on the Jigsaw website.)
“We have a fair number of non-technical users,” Rivero explained, noting that in addition to the relatively small team that runs Project Shield, there is a growing community of Project Shield users who help each other (you have to apply, and be approved, to join the community because they don’t want the Bad Guys sneaking in and spying on you).
“Once you’ve set up your domain name, all the traffic to our website goes through Project Shield before reaching your web server,” Rivero said. “Project Shield determines if it’s legitimate traffic, and if it’s not, we don’t let it pass on to your server, or we serve them a cached version of your site.”
Note: Project Shield does not actually host your website. You’ll still need to pay your web service for hosting, but the service can help protect you from spikes in fees if you get attacked.
For very high-risk sites, or those that are hit with especially powerful attacks, the Project Shield team offers a second level of service with custom DDoS protection.
“If you’re concerned that diverting your traffic to Google could slow your site down, you may be pleasantly surprised to learn that the way Project Shield uses caching to shield sites from attacks actually helps some sites perform faster, especially small to medium-sized sites,” Rivero said.
Project Shield’s caching process involves storing a copy of your pages on Google’s servers, and in some cases this process can cause conflicts. However, turning off your own caching system or changing to a different service usually solves any conflicts. The team at Jigsaw is also working on a new feature that will enable users to clear the cache themselves when they use Project Shield. (This was one of the most frequently requested features at the time of this interview in June 2017.)
It also helps to be proactive. The best way to protect yourself against a DDoS attack is to sign up for Project Shield before someone tries to take your site down, but the team at Jigsaw will try to help you even if you’re in the midst of an attack when you sign up.
“It’s not uncommon for people to contact us in the midst of an attack,” Keyserling said. “It’s never too late.”
Janine Warner is the founder and executive director of SembraMedia, an organization dedicated to improving the quality of news content available in Spanish. She is an expert at helping digital media entrepreneurs implement sustainable business practices and generate new sources of revenue online. Learn more about her work as an ICFJ Knight Fellow here.
Main image CC-licensed by Google Images via Pxhere.