Editor’s Note: The Council’s legal team regularly receives questions regarding the data security of foundation operations and donor and grantee information. Lara Kalwinski, Senior Counsel, connected with Lucy Bernholz to find the right expert to break down these issues for us. Meet Josh Levy, a fellow at Stanford’s Digital Civil Society Lab, where he’s building a Digital Security Exchange to coordinate the digital security community and help it be more responsive to the needs of high-risk communities and civil society organizations.
It’s a year after a plethora of high-profile digital attacks — at Open Society Foundations, the Democratic National Committee, and in Egypt, Qatar, Nepal, and beyond — and this type of attack continues to pose a strong threat.
Smaller community organizations’ data infrastructures are especially vulnerable right now. They’re struggling to secure their existing technologies and help their staff transition to new ones free from harassment, doxxing, and the like. And while there are efforts underway to increase their digital security literacy, one shift could aid those efforts exponentially: switching their focus from individual behaviors (such as suggestions to use this or that messaging app or encryption protocols) to an institutional approach.
Large-scale digital security protection means persuading leadership to spend time, resources, and social capital on infrastructural fixes. As John Scott-Railton recently wrote for Citizen Lab, “despite facing substantial threats, [civil society groups] don’t operate in managed environments or compute on managed endpoints. Security decisions are, to a great extent, left to individuals.” Among other things, leaders must work with the digital security community to develop, implement, and stick with BYOD (Bring Your Own Device) policies, account security guidelines, and strategies for combating online harassment.
It’s relatively easy to insist on technological fixes across an organization, but the hardest part of digital security isn’t securing digital data or downloading the right applications — it’s changing human behavior and ingrained habits. Given the reality that staffers’ personal devices, social media, and email are intertwined with “official” use, it’s not practical to solve the problem by just asserting strict security practices. Instead, we need to build digital literacy across organizations — from the front desk to the executive director — and to partner with experts to develop plans that help staff and the communities they serve change their habits for good.
Taking such a holistic approach will require a renewed commitment from foundations and individual funders to go further than one-off webinars and workshops. They should develop funding mechanisms that support long-term engagement, and that includes support to train technologists on navigating organizational hierarchies and politics.
Here’s what some organizations are doing (and struggling with):
- Frontline organizations like Center for Media Justice, 18 Million Rising, and Color Of Change are taking digital security trainings seriously — but they need help hiring internal staff and external support.
- Organizations like the Electronic Frontier Foundation, Access Now, Tactical Tech, Freedom of the Press Foundation, RoadMap, and others that provide security trainings need help addressing increased requests and the need for longer-term engagements with frontline groups.
- Independent trainers and capacity builders are currently overworked, under-capacity, and under-resourced.
- I’m leading a project called the Digital Security Exchange that’s coordinating a network of capacity builders, establishing frontline groups as community intermediaries, and working to build trust across communities. The idea is to create a kind of marketplace that makes discovering needs and allocating resources a bit more efficient.
As you can see, these types of efforts come with growing pains — but it’s a start, and I’d suggest that your organization make its efforts and struggles known as well. Once needs are made more apparent and we have a better understanding of what kind of resources are needed and missing, we can do a better job of building processes and infrastructure that support the hard work of tackling the digital security equation’s human side.