A Toronto-based organization focusing on information technology and communications research is calling on software and technology companies to assist human rights groups around the world that are being bombarded with cyber attacks.
Just like large corporations and government agencies, so called civil society organizations (CSOs) face a barrage of persistent and disruptive targeted computer attacks. However, CSOs have far fewer resources to repel and deal with these assaults that pose a risk to civil rights and democracy around the world, according to the Communities @ Risk report by the Citizen Lab, an interdisciplinary research laboratory based at the University of Toronto’s Munk School of Global Affairs.
“We have observed that CSOs are often stuck in least-common denominator models of organizational security because thet are unable to standardize software prducts and devices across their organizations,” the report said. “This lack of sofware adaptability makes it hard to create a security policy or consitent set of security guidelines within the organization.”
Over the course of four year, Citizen Lab researchers conducted a study involving 10 civil society groups. The researchers used malware analysis, field work and interviews to determine the technical, social and political nature of the digital threats the organizations faced.
They found that many tools and software used by CSOs are often conterfeit and expired, a practice that leads such organizations to avoid systems updates. Many use free versions of tools and packages that typically have lowe levels of secrity compared to their for-sale counterparts.
The U of T-based organization is urging technology companies to consider either lending developers and techniians to CSOs to help them develop better cyber security systems and policies or contribute resources to these organizations.
“As a first step, we encourage technolgy companies to consult staff and management to ascertain interest in pro bono programs, and begin thinking through the other benefits, but also reputational risks and how they might be migigated,”according to the Citizen Lab. “Many developers and technologists would likely find it rewarding and meaningful to contribute time and resources to CSOs with the support and approval
of their employers.”
Other key findings of the study were:
- CSOs face the same cyber threats as private and government sector organizations, but they CSOs have fewer resources to protect themselves
- The types of malware used against CSOs are typically low in technical sophistication but the use of social engineering methods is high
- Digital attacks against CSOs are persistent and attackers adapt their methods in order to maintain continued access to targets
- Targeted digital threats undermine a CSO’s core communications and missions. The threats range from minor nuisances, to resources drains and major risks to individual safety
- Digital threats “extend the reach” of state and other threat actors beyond borders and “into safe havens.”
Many organiozations receive emails emails that actually contained file attachments with malware that exploit flaws in programs such as Adobe’s PDF Reader and Microsoft Office. The malware enables attackers to access computers in the offices of the target CSOs and turn the machines into spying devices that steal files, record keystrokes and turn on computer Webcams and microphones.
“The tech sector has substantial resources that can be tapped,” according to the Citizen Lab. “As the sector professionalizes, as with law and medicine, it is time to examine pro bono models of support for digital security assistance to civil society.”