Similarities between local election defenders and human rights groups who are improving their security .
This past week I have officially selected my dissertation topic and have been heads down reviewing and reading what experts are saying about information security and risk management for the upcoming U.S. elections. As I was listening, reading, and reflecting, I could not help but relate the challenges and problems many local municipalities have in the U.S. with some of the very same or similar problems we face in the human rights space.
Lack of human capacity remains a large barrier for many in both the election security world and human rights spaces to achieve much needed security. Now, that is absolutely not to say there are not AMAZING practitioners who are top of their class and of the highest caliber working in these spaces. This is simply to say there are not enough of them! The risks are many and there are just not enough of these specialists to go around - something both local municipalities working on elections and human rights defenders have in common.
Other things they have in common, well you probably guessed it already, but sometimes our adversaries overlap. Nation states, by far not the only threat actor out there, is one that is highly capable and targets both the U.S. elections, but also civil society groups.[1][2][3]
At the end of a panel at DEFCON’s Voting Village last year, a quote from Noah Praetz really resonated with me. Noah and Barb Byrum essentially called for, “building a brigade of digital defenders”, something we have also been working toward for some time in the human rights context.
But what exactly does this mean … “building a brigade of digital defenders”? I think too often we get stuck on the hyper technical pentesting pathway into information security, when this is really, albeit a very important component, only one piece of the puzzle. Not only does focusing on the pentester and security auditor slice of the pie distract or reallocate our precious resources from other important areas of security, such actual implementation and adoption of better security, but it gives us a sense we are securing something when in fact we’re only halfway there (or perhaps even less). Identifying our baseline is necessary, but not sufficient, for security resilience.
So what exactly are the other pieces of the pie?
We have a wide array of important areas in security, but I’ve boiled things down into three critical groupings:
- Pentesting / Security Audits → Identify our baseline and find our vulnerabilities
- Implementation and Defense → Prioritize and make the security changes and design mitigations
- Threat Information Sharing → Communicate information that helps others protect themselves, what’s working well, and how we might improve
These three buckets are key to more resilient systems and are being implemented by many different industries across the globe today. Each category should be looking at the tooling and technologies, yes, but also the processes and practices utilized by different stakeholders and users in the system. Humans are at the center of the system, it’s why we are doing security in the first place. Reminding ourselves of this is important as we design processes and tech around the needs of people and attempt to solve the real problems they face. The third similarity between human rights groups and election defenders are the stakes. The stakes are extremely high for both and the consequences of bad security can be lasting and life altering.
All of this is to say and point out, we certainly have a lot to learn from one another and there are a lot places to build up your information security expertise. As we build our “ brigade of digital defenders”, we need to remember to build out this expertise in all of these categories. Perhaps we may even benefit from collaborating, sharing, and building on each other’s work and experiences, now, and in the future.
References
[1] https://www.amnesty.org/en/latest/news/2018/05/pakistan-campaign-of-hacking-spyware-and-surveillance-targets-human-rights-defenders
[2] https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/
[3] https://threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/