Cybersecurity attacks on the civil society sector are on the rise. Microsoft’s “Digital Defense Report” in 2020 revealed that NGOs were the most targeted — at 32% — by nation-state’s cyber threat activities from July 2019 through June 2020, ahead of professional services providing consultancy and contract services, at 31%, government organizations, at 13%, international organizations, at 10%, and tech firms and higher education, both at 7%.
Increasingly, nonstate threat actors with capabilities that only powerful adversaries such as governments have hitherto preserved hit civil society groups with sophisticated attacks such as ransomware and phishing. Previously, these financially motivated cyberattacks were mainly targeted at public and private sector organizations.
In May 2021, the mass-mailing platform of the U.S. Agency for International Development was infiltrated by a sophisticated email-based attack operated by Nobelium. The cyber hacker group built an email phishing campaign targeting approximately 3,000 individual accounts across more than 150 organizations.
The digital protection rights organization Access Now notes that since the establishment of its Digital Security Helpline in 2013, account compromise, malware, censorship, denial of service and web-based attacks, harassment, and communications surveillance, have been the trending threats targeting civil society. Account compromise remains the top urgent incident reported each year. Against this evolving cybersecurity risk landscape, civil society groups found themselves in a more insecure and challenging situation.
As civil society groups increasingly rely on digital technology and the internet for their operations and service delivery, they are increasingly at risk of disruptions by various cybersecurity incidents. In this regard, maintaining organizational resilience means ensuring cyber resilience — the ability to prepare for, defend against, recover from, and adapt to adverse cyber incidents when they occur.
Despite increased awareness among civil society groups about cyber resilience, few have basic security policies and procedures. Our research with social services organizations in Macau confirms this global outlook. Most CSOs, NGOs, and nonprofits struggle to navigate their digital transformation securely and fend off basic technical online threats.
The targeting of the information they [CSOs and NGOs] manage could also result in increased vulnerabilities of their beneficiaries.
—It is even more difficult for them to analyze incidents and demand accountability for cyberattacks. Given limited resources available to these organizations for components beyond their mission-oriented needs, they mostly employ reactive, informal cybersecurity incident responses.
Civil society’s marginalization in the broader political space and cybersecurity ecosystems at the global and national levels adds to its vulnerable position within cybersecurity discourse, policy spaces, and practice.
First, the underrepresentation of cyber threats targeting civil society in commercial threat reporting that cybersecurity professionals often refer to has created a distorted picture of the general cyber threat landscape.
In several economies, the third sector where civil society groups belong is not considered a critical sector. Thus, it is not subjected to legal provisions in cybersecurity law. Our research on the cyber resilience of Asia-Pacific countries finds that only few recognize civil society stakeholders as target beneficiaries of the national computer security incident response teams. Most computer emergency response teams only provide emergency support to critical infrastructure operators.
Second, tech companies’ trust and safety teams have not offered adequate response and support to incident reports from civil society related to their services. Holding them accountable for managing online risks emerging from their product and services vulnerabilities and for providing prompt emergency assistance to civil society groups is crucial.
Third, civil society groups’ participation in cybersecurity policymaking rarely rises above the level of tokenistic participation. This has resulted in legal, normative, or regulatory mechanisms, which do not reflect the concerns of civil society: draconian cybersecurity laws restricting online freedoms; IT acts punishing internet intermediaries for third-party content deemed threatening public order and safety; and privacy-intrusive data collection and surveillance activities justified in the name of national security.
Today, a growing number of organizations and communities of practice provide cybersecurity assistance for civil society groups. Engaging with this ecosystem would benefit civil society groups with limited information technology expertise and incident management capacity. However, our findings reveal that many are unaware of this ecosystem despite its growth in reach and capacity to aid.
While important, external support and partnerships can only go so far. Strengthening baseline cybersecurity practices is crucial toward building civil society groups’ cyber resilience, particularly in managing a certain level of cybersecurity risks. To this end, donors and grantmakers providing financial support to these groups must include cybersecurity-specific resources and programs in their fundable areas.
For smaller organizations unable to procure security technologies, building a security culture through consciously embedding security into all organizational activities is vital. This includes enshrining cyber resilience practices into clear and simple written policies, undertaking targeted organization-wide cybersecurity capacity-building, and basic cyber hygiene training for general staff.
Early consultation with civil society groups and expanded opportunities for their participation across the full spectrum of policy process can help address the gaps between existing cybersecurity policy instruments and policy needs.
Civil society groups are in a strategic position to document the human and societal impact of cyber incidents and feed this information into policy processes. Multistakeholder policy dialogues such as the annual Asia-Pacific regional Internet Governance Forum facilitate this need for the exchange of information, knowledge, and good practices between participating stakeholder groups.
Furthermore, involving civil society groups whose work focuses on investigating cyberattacks against civil society in threat information sharing networks could benefit other actors in anticipating and mitigating cyberattacks — both the attacks that specifically target civil society groups and those using them as a proxy.
They can also offer valuable inputs into developing and delivering cybersecurity capacity-building programs that meet the specific needs and priorities of targeted communities.
At the multilateral level, cyber norms must clarify the applicability of international humanitarian law, or IHL, to cyber operations. To this day, two United Nations processes on advancing responsible states’ behavior in cyberspace have not yet successfully resolved how IHL applies in cyberspace.
Cyber norms also need to identify third-sector organizations as off-limits to cyberattacks. Not only could cyberattacks jeopardize the delivery of essential services by these organizations to the population, but the targeting of the information they manage could also result in increased vulnerabilities of their beneficiaries.