Organizations working to protect human rights and civil liberties around the world are now being targeted, and bombarded, with persistent and disruptive digital attacks — similar to the attacks reportedly hitting industry and government. But unlike industry and government, the civil society organizations have far fewer resources to deal with the problem.

A report released last month by Citizen Lab, entitled Communities @ Risk: Targeted Digital Threats Against Civil Society, explores the often overlooked digital risk environment for NGOs and other groups. The study draws on four years of research with Tibet Action and nine other cooperating civil society groups, eight of which are China- or Tibet-focused, while the other two are large international human rights organizations.

“The report represents a major systematic effort to identify the type of digital attacks vexing human rights and other civil society organizations,” explained Prof. Ron Deibert, director of the Citizen Lab, an interdisciplinary research center based at the University of Toronto’s Munk School of Global Affairs.

“It is well known that computer espionage is a problem facing Fortune 500 companies and government agencies," he said. "Less well known and researched, however, are the ways in which these same type of attacks affect smaller organizations promoting human rights, freedom of speech, and access to information. We set out to fill this gap in knowledge.”

The report found that digital attacks against civil society organizations are persistent, adapting to their targets in order to maintain access over time and across various platforms. The attacks aren’t always carried out by lone hackers, but often are targeted digital threats by states and governments that seek to increase their control over information and its release. The increasing attacks, says the report, raise major issues about online rights and freedoms worldwide.

There are many ways the attacks are orchestrated. Email attachments can download viruses onto an organization’s computers that can corrupt the system for days. And sometimes hackers physically visit organizations and hack into their systems directly, compromising confidential and important data.

The report worked with the Tibet Action group. In an Associated Press interview, Tibet Action's director Lhadon Tethong said she was approached by a hacker impersonating a well-known China scholar, who requested to proof-read a list of Tibetans who had set themselves on fire in protest against the government in Beijing. Tethong was suspicious because the request didn’t come from the scholar’s official address. But attacks like this often succeed.

hackersanon.jpg

The organizations participating in the study shared emails and attachments suspected of containing malicious software, network traffic and other data with Citizen Lab researchers, who undertook confidential and detailed analyses of the material. The researchers also paid site visits to the participating groups and interviewed them about their perceptions and impacts of the digital attacks on their operations.

As the AP reported, “All 10 groups were compromised at some point during the study, many of them through emails carrying booby-trapped attachments.” As the report states, “Information Communication Technologies (ICTs) are central to the activities of the groups, and help them balance an historic asymmetry between them and powerful, well-resourced state interests.”

Often, questions of cyber threats are lost in the bigger debates surrounding the security of Fortune 500 companies and other large corporations or organizations. Members of the Tibetan community shared with the researchers different accounts of Chinese authorities confronting Tibetans with organizations' call records and chat transcripts during interrogations. Research on Ethiopia revealed similar issues.

In an op-ed published on OpenCanada, Citizen Lab's Deibert asked an important question: “What do we mean when we say 'cyber security?'" Deibert explained that “the tension between these points of view is not unique to cyber security, but reflects a deeper tension at the heart of global politics today: between a slowly emerging sense of global responsibility and citizenship on the one hand, and the old Westphalian nation-state system on the other.”

planetbluecoat.jpg

As IT World Canada reported, the study found that many tools and software used by civil society organizations are often counterfeit and expired, which leads organizations to miss making vital systems updates. Many use free versions of tools and packages that typically have low levels of security compared to their for-sale counterparts.

The report argues that solving the problem will require major efforts among several stakeholders, from the foundations that fund civil society to the private sector to governments. It calls for a concerted effort to protect these organizations; for example, companies that build software or provide information security could be obliged to support at-risk non-profit groups through a “pro bono” model of assistance, as well as with creative licensing solutions to avoid the use of insecure, outdated software.

Finally, the report says governments that support the right to privacy and freedom of expression should take steps to raise the profile of targeted digital threats against civil society in their domestic policy and diplomacy, “treating the matter as of equal priority to their defense of the private sector.”

Follow the author @ParoP.

surveillance-cyber-crime-918x1024.jpg