Read on Twitter
Over the last year @CLTCBerkeley has looked at the range of cyberattacks targeting civil society organizations and the existing ecosystem of support those orgs receive to counter these attacks. We’ve published our report today: cltc.berkeley.edu/defendingpvos/ /1
We focused our report on “politically vulnerable organizations” – in other words, orgs whose work makes them the focus of targeted cyberattacks as a means to achieve political ends (as opposed to criminal or mischief) /2
Previous research shows us that nonprofits in general suffer from poor cybersecurity posture. This is hardly a surprise – any type of IT investment is expensive, and only 1 in 11 IT professionals have any background in security. /3
As a result, resource-constrained civil society organizations are unlikely to have anyone on staff with the skills necessary to protect networks and endpoints, or to encourage staff adoption of better security practices. /4
While there have been recent high-profile examples of activists and journalists targeted with 0days, the vast majority of attacks faced by civil society start with simple phishing attacks. /5
Interviews with over 30 threat researchers, activists, and #cybersecurity professionals pointed to most attacks on civil society being of low technical sophistication, but using highly sophisticated social engineering tactics. /6
Other attacks were as you might expect, taking advantage of out of date software, unsecured websites and services, etc. /7
The theme remained the same: tech is expensive, and CSOs will focus on mission-driven priorities in tech infrastructure spending before security. Fortunately, there’s a growing ecosystem of organizations supporting civil society cybersecurity. /8
We looked at the work of over 100 nonprofits, companies, government agencies, and academic institutions to see what kind of help is available for orgs under attack. Here’s what we found (chart time!): /9
Most of the orgs helping defend civil society are NGOs themselves – and subject to many similar resource constraints as those they are defending. /10 
The types of support provided are varied, and most orgs we reviewed provided more than one form of assistance. In general, the dominant methods were analysis and advocacy – direct technical assistance and publishing detailed data about attacks was rare. /11
The vast majority of the organizations providing cybersecurity support are in the North America or Europe, and the majority of the organizations they support are in the developing world. In many ways, this space looks very much like other areas of international development. /12
A few important takeaways about the state of direct technical assistance in cybersecurity: there are some organizations doing great work (such as @accessnow, @FrontLineHRD, and @opentechfund), but as NGOs, their ability to address the broad scope of the problem is limited. /13
The focus of existing technical assistance is most often on emergency assistance and attack recovery. This is critical work, but there’s little in the way of capacity building. (teach an org to phish, etc.) /14
Providing good cybersecurity assistance to civil society is challenging. Good support is tailored to context in order to find security controls appropriate to threats. Nonprofits are rarely able to adopt a robust, layered approach to security. Harm reduction is the goal. /15
(@evacide has a lot to say about this)
This is time-consuming, and there’s simply not enough people working in the space to address the problem at scale (if we assume the scale is “global civil society”). /16
We need new models to expand the existing community’s ability to share info, provide risk-informed security assistance, and to build the volume of professionals working to protect civil society. @CLTCberkeley has exciting news coming on this soon – so stay tuned. /end
• • •
Missing some Tweet in this thread? You can try to
force a refresh
