For journalists, cyberspace is one of the ten most dangerous places in the world; it's as dangerous as countries like Egypt or Syria. #mediadev looks at some of the ways media development can deal with the threat.
Admittedly, digital security isn't usually a core focus of media development organizations, but it should be an important cross-sectoral topic, because threats within the digital space are too serious, and the goods digital security should protect too important, to ignore: namely, the rights to freedom of information and expression and the integrity of the users, their privacy and their personal data.
But faced with multiple layers of threats and issues, the question is where media development organizations should begin.
Several experts recommend anchoring the issue of digital security at the political level (Internet governance level) because of its overarching importance – and then implementing digital security in a graduated process at all levels of action.
1. Start at the top and agitate for digital security at a political level
"Multiple security issues are damaging user confidence and have emerged as an existential threat to the future of the Internet," recently warned Kathryn Brown, the president and CEO of the Internet Society, an international non-profit organization.
"We must act to reverse this trend," she said at the latest annual Internet Governance Forum held in December in Mexico, appealing to forum participants to push for an open, secure and accessible Net.
The Freedom Online Coalition, a partnership of 30 governments working to advance Internet freedom, has also recently launched a series of digital security policy recommendations under the title, "A human rights based approach to cybersecurity policy making". The coalition warns against framing privacy as antithetical to public safety and reminds policy makers that "cybersecurity must take into account individual security and human rights and that, as a consequence, cybersecurity policies should be human rights respecting by design."
2. Incorporate digital security in all levels of action
Leaving the political level to consider how to build capacity among partners looks like a bewildering task for media development organizations. It can be difficult to know what methods are best suited to tackle the issue in a digitally dynamic world, with cloud computing, mobile communication, artificial intelligence, social networks and the Internet of things.
When it comes to practically implementing digital security, Tactical Technology Collective, a Berlin-based non-profit, suggests it should be part of a holistic security approach.
By holistic security, they mean considering security as integrating physical security (physical threats to people, homes or buildings), psycho-social security (threats to psychological health) and digital security (threats to information, communication and equipment).
As such, an organization's existing or traditional security strategies should be extended to include digital aspects of security (if not yet implemented) and digital security must be considered at all levels of activity.
Digital security must also become an integral part of media and information literacy programs.
This requires media development organizations to analyze the initial situation and then design and include digital security measures at all of the following levels: within their own organization, partner organizations, projects and target groups. This includes handling data according to a dedicated "responsible data policy", as data breaches and identity theft also pose enormous security dangers.
3. Identify digital security risks with threat modeling
Threat modeling can help identify digital security dangers and which instruments to use at which level, for there is no universal method that works at all levels. For example, using encrypted communication may be indispensable to a specific user group; however, in other cases, the use of encryption can be dangerous (in that it triggers attention from state authorities).
A post on cyber threat modeling by ICTworks, a site for international development professionals using new technologies, has some good background on the development of threat modeling, which is derived from software development and focuses on possible attack scenarios.
"When software designers review the tools they build, threat models help them to ask the hard questions. What assets, i.e., sensitive information, does my technology handle? Who might want to attack it? What gaps or loopholes could attackers use? Putting these risk factors together, they are able to evaluate the likelihood of different threats and how they can respond to them."
Putting this information into the international development context, ICTworks recommends:
"The next time you plan or discuss an ICT4D (information and communication technologies for development) project, play through the worst possible scenario and decide ahead of time how to react. Ask yourself these questions:
1. Assets: Where do you store sensitive and valuable information?
2. Adversaries: Who might want to access and abuse this data?
3. Attacks: How could these adversaries get, steal or compromise the data?"
There are several tools out there that can help media development agencies put their scenarios into practice. For example, the media development agency Internews has developed a framework that security experts can use to evaluate threats within smaller organizations (which are often targeted by cybercrime).
Called SAFETAG (Security Auditing Framework and Evaluation Template for Advocacy Groups), the framework uses a method to find an organization's most important information and communication processes to uncover vulnerabilities.
4. Don't forget – lack of analysis poses a major digital security threat
The effectiveness of a digital strategy ultimately depends on whether media development organizations are willing and able to provide the necessary financial, human and technical resources to design and implement it.
And finally, it's vitally important to be aware that this is an ongoing process. With technology, and the threats to it, continually changing, digital security plans need to be constantly reassessed and updated.
Julius Endert (kh)