Around the world, civil society organizations — including human rights organizations, Indigenous groups, journalists, and many others — are targeted online by powerful, well-resourced adversaries, including governments. Yet most civil society organizations lack the funding and expertise needed to defend themselves against cyberattacks, disinformation campaigns, digital surveillance, and other threats.
Digital Safety Technical Assistance at Scale, a report by Sean Brooks, Founding Director of the Center for Long-Term Cybersecurity’s Citizen Clinic program, explores the opportunities and challenges of expanding the digital safety technical assistance resources available to match the sector’s needs. The report draws in part upon lessons learned from the first two years of operating Citizen Clinic, a first-of-its-kind program that engages interdisciplinary teams of UC Berkeley students to provide digital safety services to politically targeted civil society organizations.
In the report, Brooks offers practical guidance on what will be needed to deliver cybersecurity assistance on a larger scale, and highlights examples of diverse technical assistance projects, as well as tactics from sectors outside the cybersecurity space. His findings build upon a prior report, Defending Politically Vulnerable Organizations Online, which provided an overview of cybersecurity threats to civil society organizations and explored the ecosystem of resources available to help improve their cybersecurity.
In the new report, Brooks assesses the strengths and limitations of diverse approaches to scaling up digital safety technical assistance, including volunteer networks, cybersecurity clinics, and community hubs. These technical assistance models all provide potential benefits, Brooks concludes, but all contribute differently to scaling digital security services for civil society organizations.
Among the key findings outlined in the report:
- The first step in improving the digital safety posture of a civil society organization is not “hardening” its digital systems, but helping it overcome a perceived lack of agency. Security assistance needs to move civil society organizations to a point where they can withstand a basic attack, in order to generate the necessary confidence to take greater ownership of managing digital risk.
- Efforts to scale cybersecurity technical assistance for civil society must accomplish three interdependent outcomes: quality of service, increased organizational capacity, and a stronger technical assistance ecosystem.
- Finding new pathways for onboarding less-experienced professionals into the space is critical to providing more helping hands.
- Volunteer networks of experts can greatly expand the scale of assistance, and may have untapped potential for improving the state of the ecosystem. However, volunteer efforts require oversight mechanisms not yet in existence, and must be monitored to ensure their quality and long-term impact.
- University-based clinics address many of the challenges of scale in a cost-effective way. Clinics can specialize and build deep ties with communities, experiment with new methodologies in a rigorous manner, and create a pipeline for skilled assistance providers. However, any single clinic is unlikely to deliver significant scale to technical assistance. (The Citizen Clinic Cybersecurity Education Center aims to help other organizations adopt the clinic model in their own contexts.)
- Community hubs — organizations designed to provide digital safety services to specific communities in need — are an understudied model for providing technical assistance to civil society. Such hubs can move swiftly to provide direct technical assistance with relatively few startup costs, and can manage both capacity-building projects and emergency response efforts. However, these hubs are sometimes expected to be “everything to everyone” in their communities, and the level of support expected of them can be difficult to maintain.
- Technology platforms and providers can provide assistance, and governments can compel certain security, safety, and privacy-enhancing design decisions. But policy and products designed to serve the social good must be responsive to the requirements articulated by an active, connected, and high-functioning set of digital safety experts who are deeply engaged with civil society on a regular basis.
“The future will require innovation and experimentation to develop models and communicate about the risks to policymakers, technology firms, funders, researchers, and senior leaders in civil society,” Brooks concludes. “Activating already existing expertise and helping organizations utilize existing channels for support are important elements, but we must also expand the number of professionals in the space. A more nuanced perspective on the digital safety challenges facing civil society organizations is essential not only for providing a high quality of service, but also for designing appropriate technical products and policies.”