In the midst of a heated U.S. election season, non-profit advocacy organizations must be prepared to defend themselves against an array of online threats, including harassment, spear phishing, and disinformation campaigns. What can organizations do to be more resilient to potentially damaging attacks before and after the election?
On September 22nd, a virtual panel discussion presented by Citizen Clinic, part of UC Berkeley’s Center for Long-Term Cybersecurity (CLTC), tackled the question of how civil society organizations can build the capacity to remain secure online. Moderated by Steve Trush, a research fellow at CLTC and Interim Director of Citizen Clinic, the panel featured Sarah Aoun, a human rights technologist, and Chris Garaffa, Technology Director for Trans Lifeline, in a conversation focused on the importance of cybersecurity for civil society organizations, even those not involved in political campaigns.
The topic is closely aligned with the work of Citizen Clinic, the world’s first public-interest digital security clinic, which enables teams of UC Berkeley students to provide digital security assistance to civil society organizations. “We are building a new public-interest technology community where digital safety is part of the foundation of civil society,” Trush explained in his opening remarks. “We are empowering the organizations that we partner with to use technology to fulfill their missions, defend against digital threats, and build their capabilities. We also are serving as a model for other universities to replicate.”
The election season can be particularly intense for advocacy organizations whose missions are directly affected by changes in political leadership. “We were just in a state of panic the day after the 2016 election, but also it brings trolls and it brings harassers as they find out about us as well,” Garaffa said. “We saw a huge spike in 2016, and honestly, we’re getting ready for a repeat. It’s not going to be over in November, it’s not going to be over in January, it continues almost year round for us, because the impact of the elections really has a significant impact on our work.”
Aoun explained that, following the 2016 election, she worked with an organization that helped provide digital security workshops to help New York City and other cities become “sanctuary cities,” including by improving their password hygiene, raising awareness about phishing, and ensuring data was encrypted and stored securely. “There are not a lot of people that provide digital security support for nonprofits and for NGOs,” Aoun said. “There are a lot of people that work in cybersecurity in the corporate sector, but there are not a lot of people that do this work in civil society. I’ve definitely seen a change over the past few years.”
In the face of growing threats — from surveillance by law enforcement agencies to coordinated “doxing” campaigns, in which individuals’ personal information is made public — organizations need to maintain strong security practices, the panelists agreed. Garaffa recalled that Trans Lifeline was targeted through a sophisticated spear phishing campaign in which the sender of an email to an employee pretended to be the executive director. “Thankfully, due to the training we have done… we were able to identify it…. When we think about cyberattacks, we often think about China, Russia, or Iran, but the vast majority of our attacks come from the United States.”
The panelists stressed the importance of building organizational cultures that are focused on security — and taking incremental steps toward improving their digital security. “It’s never too late,” Garaffa said. “If you haven’t done anything, or you don’t have time or budget, you can take some very simple steps now. And it will help you every day you do something…. You don’t have to do it all overnight.”
“I often work with people who are quite overwhelmed at the prospect of securing themselves or their organization and they don’t really know where to start,” Aoun agreed. “Thankfully, at this point, there are so many, so many amazing resources out there [including Citizen Clinic’s Cybersecurity Education Center]. Thinking about your risk assessment or threat model is a great starting point.”
The panelists discussed the importance of strong password hygiene (including using a password manager), as well as two-factor authentication. “Shifting the culture at an organization is quite hard,” Aoun said. “But a good place to start often I find is an onboarding policy centered around security, so at least you’re establishing that baseline from the start…. Just the small things really make a difference.”
Watch the video of the panel above or on YouTube.