First Module: Introduction to Public Interest Cybersecurity
The purpose of this module is to provide a conceptual framework for small civil society organizations to address threats of harmful information including disinformation and online abuse such as harassment. These attacks spread hate and sway popular opinion using botnets, armies of trolls, and divisive fabricated content. They can target organizations, especially those engaged in political advocacy, with many tactics: activists and journalists are harassed, the reputations of advocacy organizations are tarnished, and public support for social causes is shifted. Complicating this picture, an organization’s ability to protect itself from harmful online information attacks can be impeded by the lack of a shared understanding of harm reduction across its own security, communications, human resources, and management functions.
- Understand the nature and the challenges of harmful information, such as misinformation and online abuse.
- Understand harms and risks of harmful information in order to prioritize controls.
- Learn major categories of improving defenses against harmful information from the perspective of a leader in a single organization.
- See Course Readings for “Harmful Information (Misinformation and Harassment)”
- Knowing the intent of an adversary is useful for anticipating how an incident might escalate in severity, persist over time, and evolve into future attacks.
- Factual accuracy can be leveraged in most information attacks since “kernels of truth” can provide the attack more credibility but complete falsehoods can still dangerously spread despite being easy to disprove to careful observers.
When might the organization not care about the accuracy or intent of the harmful information?
- Direct Targeting: Harmful information is sent directly to the organization and its members.
- Indirect Threats: Harmful information is spread about the organization to those outside of the organization.
- Ingestion: An individual or organization unwittingly incorporates and uses harmful information in its decision-making processes.
- Generation: The organization unwittingly creates or spreads harmful. information. Insiders may also harass or spread lies about fellow staff members or organization outsiders.
- Harm/violation occurred, usually to an individual.
- Information may or may not be false, attack may not even contain content.
- Different communities of action and approaches to mitigations.
- Both “trust and safety” problems that don’t fall into traditional digital security domain.
- Attacks and tactics can be similar or intertwined.
- Mitigations for harassment are an important subset of which actions mitigate the harms of larger misinformation problems.
Practical “Solutions” for Civil Society:
- Increase understanding / practices around holistic security
- Physical Security: Inadequate protection for our people, our devices, and workplaces allow online threats of physical violence to cause more psychological harm as the risk and perception of physical harm increases.
- Digital Security: The security of data and information systems are important as confidential information is often used in misinformation attacks and threats to the integrity and availability of our information can damage our credibility and hurt our ability to respond.
- Psychosocial Wellbeing: Misinformation and harassment can be damaging to our psychological well-being or mental health, yet the harms caused also confounds our ability to protect and respond to threats extending to both physical and digital domains.
- Integrate risk mitigation into existing systems and processes
- While some mitigations implemented by individuals may be adopted as organization-wide practices or policies, nearly all the protective measures can fit into processes that should already exist in most healthy, sustainable non-profit organizations. Alternatively, these existing practices, processes, and policies are generally “necessary but not sufficient” for protecting an organization from harmful information threats. For example, if an organization does not have practices for security incident response or policies to ensure inclusion and equity of its staff members, those will need to be created first.
- One example of integration into an existing Security program would be to match and nest additional mitigations within a previously selected framework. The NIST Cybersecurity Framework is a useful example given its functions parallel several activities in countering harmful information.
- Strengthen external relationships and collaboration
- Media outlets and tech platforms play an outsized role as vehicles for the spread and prevention of misinformation and online abuse while the governmental actors can have potential roles as both purveyors of harmful information and avenues to pursue legal action and criminal justice. Given limited formal systems to offer efficient incident resolution for human rights defense organizations, relationships with those entities ultimately will be only as strong as one’s personal relationships with their employees in influential operations, security, trust & safety, legal, and policy positions.
- These relationships can be personal, formal, backchannel, and collective.
- Identify Potential Threats
- Consider threats to individuals, groups, or the organization
- Consider direct targeting, indirect attacks, ingestion, and generation
2. Connect Threats to Potential Harms
- Identify the impact of potential threats to individuals, groups, and the organization
- Consider physical, reputational, financial harms
3. Create and Prioritize Threat Scenarios
- Describe threat scenarios in detail
- Evaluate and prioritize scenarios based on likelihood and impact
- Physical Security (‘Get out of Dodge’ plan)
- Digital Security (Lock down accounts)
- Mental Wellbeing (Preventing psychological harms)
- DOCUMENTATION PLAN
Have teams step through the Harmful Information Mitigation Framework using Case Study 1 or 2 in the Harmful Information Case Studies).
- What are the harms or risks you find most important to address? (top 3)
- Which mitigations would you prioritize for implementation? (top 3)