When activists and human rights groups are targets of government hackers, where can they turn for help?
There's precious little technical support for civil society groups facing online threats, new research says
In Mexico, journalists, lawyers and activists have all been targets of suspected government spyware. Members of the Tibetan community — of particular interest to the Chinese government — have faced persistent phishing attacks for years. And in countries such as the United Arab Emirates and Bahrain, access to political criticism and LGBTQ content is frequently monitored and outright blocked.
When it comes to fending off a wide range of online threats — denial-of-service attacks, phishing, malware, trolling, harassment and more — there's precious little hands-on support available to "politically vulnerable organizations," according to a new report from University of California, Berkeley researcher Sean Brooks.
"There are a couple of well-resourced groups operating in this space, but it's limited," Brooks said.
There can't be many more than 40 people globally who provide technical support to civil society organizations reeling from a hack or targeted attack, he said, and most are stretched thin, helping many individuals and groups at once.
That needs to change, Brooks says.
As the internet becomes more central to how civil society groups work, NGOs, independent journalists, activists, dissidents and human rights advocates will only become bigger targets of online threats.
Good security should be understood contextually and therefore differently based on the organization's needs and threat models.- Cybersecurity researcher Yuan Stevens
"The internet has provided those global communities with a way of connecting with one another, to become more effective in fulfilling their missions … lifting up the lives of many individuals who would otherwise be disproportionately harmed by rising authoritarianism," said Brooks. "And therefore these groups will continue to be targeted."
Mostly advocacy and analysis
In developing regions, civil society groups often advocate for causes that might seem uncontroversial in the West — the recognition of basic human rights, for example, or protests against government corruption.
But such campaigns can put them in the crosshairs of governments, criminals, hate groups or hacktivists who seek to intimidate or prevent such messages from getting out.
What's worse is if a human rights organizer in India, or a political blogger in Egypt, finds themselves infected with spyware, or perhaps knows that their phone may be under surveillance, they may not have the time, financial resources, technical knowledge or support to deal with such threats, as an organization in North America or Europe would — especially not long term.
Brooks looked at more than 100 organizations — most in North America and Europe — that have tried to help.
More than half were NGOs themselves, predominantly small groups of less than 30 members; the remaining were a mix of academic groups, private companies, charitable foundations and government agencies.
Most focused on advocacy work and analysis of law and policy, while one-third provided funding, security training, the development of technological tools — or a combination of the three.
- Welcome to the neighbourhood. Have you read the terms of service?
- They thought they were downloading Skype. Instead they got spyware
But part of the problem with such arm's-length work is that training, tools or practices that might make sense in a Western context doesn't always work in other regions.
In some countries, it can be difficult to obtain a burner SIM card. Encryption might be seen as something subversive — a sign you have something to hide. And keeping your operating system up to date might be impractical when internet access is expensive or limited to only a few hours a day.
"Good security should be understood contextually — and therefore differently — based on the organization's needs and threat models," said Yuan Stevens, a cybersecurity researcher, hacker and board member of the Canadian non-profit Open Privacy.
Stevens believes it's only a matter of time before more organizations have an in-house programmer or engineer on staff who understands the local landscape — the same way they might have legal counsel or someone handling HR.
But until that happens, an increase in groups offering direct technical assistance could help.
Long-term security
The report found that only nine of those 100+ organizations offered direct technical assistance, such as protection from denial-of-service attacks, or analysis of phishing attempts and spyware.
But even that was often limited to emergency situations — something Brooks sees as a stop-gap toward building long-term partnerships with at-risk groups, and helping build up their own in-house cybersecurity.
This is an area where both philanthropic organizations and private-sector companies could help, he said, through funding and grants for cybersecurity personnel and resources, as well as long-term partnerships focused on knowledge transfer and direct technical support.
One challenge is convincing these organizations that good security is worth the investment in the first place; that it can help support their core mission and isn't separate from it.
"Ten years ago, we were having the exact same conversation about private-sector cybersecurity as we're having about civil-society cybersecurity right now," Brooks said.
He points to an example in Tibet, where a long-term partnership between the Tibet Action Institute and the University of Toronto's Citizen Lab spawned a localized educational campaign that successfully discouraged Tibetans from passing information around via attachments — a popular vector for targeted malware.
As a result, phishing attacks that relied on attachments dropped.
"A giant government security apparatus up against a 10-person NGO — the asymmetry is just so dramatic that I think it really opens up a lot of questions about what can be done," said Brooks.
But he says it's not all doom and gloom.
"I think there are some very inspiring stories within this whole ecosystem of individuals and groups really making a difference … not necessarily levelling the playing field, but raising the cost for those adversaries.
"And that's I think a huge accomplishment."