Cyber-Security and ICT4D: Notes from the Info Security Tech Salon

Cross-posted at the Tech Salon site: http://technologysalon.org/2013/04/why-information-security-matters.html

First off, please thank the Internets for creating this site, which can serve as a guide on when you should use the prexif cyber: http://willusingtheprefixcybermakemelooklikeanidiot.com

The tech salon on security and privacy was a predictably raucous debate on finding a sane balance between using 30-character passwords with symbols, numbers, and mixed-case letters that must be changed every month for your timesheet systems ... and taking basic security measures to protect super-private data. How and where do we build in information security in ICT4D? When is it unwarranted, and when is it irresponsible to not address it?

There are the obvious cases, ones with a clear adversary -- be it a repressive government or a group working aggressively against your goals. When you have this clarity, there is an awareness of the need for information and communication security, and

The problem is when there is no clear adversary - when no one actively hates your work. In ICT4D, we normally see this as a good thing, but it means that building in security becomes one more extra, annoying and costly piece of your overhead costs, defending against an unspecified threat - and it often gets dropped.

This is a false sense of security. Project databases often contain the names and addresses of beneficiaries, who also happen to be private citizens. They may also contain that information on children and their school performance, community members with an HIV positive status and whether they are LGBTQ or MSM, their income, their micro-savings balances, their micro-loan debt, or any other collection of very personal information. Perhaps your organization works with people operating at or beyond the reaches of the law. It takes one database breach, or even one piece of paper left out on a desk during an unexpected visit to seriously damage your community, your organizational reputation over how you handle informed consent, and even put your beneficiaries at risk of direct personal harm.

Locking a filing cabinet is easy to understand. Controlling who has or could easily get access to the key to that lock is only a little bit more difficult; but adding additional layers of the digital world, where the technology has moved far beyond our instinctual understandings of what is and isn't "safe", is complex - and it has to be approached holistically, but also realistically.

Balance and Context Matter. A Lot.

Balancing the cost and complication of security with the potential threats for an organizations staff and beneficiaries is very important. You may not need to go to all ends of super-best-practice-security for each and every project, database, or mobile app -- but you do need to think through the implications of what data you collect. This means pondering who you share it with, how you share it, who might be motivated to steal it, and what would happen if it were made public by accident or by intent. If you use third party solutions (Certainly no one uses Dropbox or Google Docs for sensitive data, right?), or have reporting requirements to a funder - what happens if that service is breached? What happens if the funder is subject to a FOIA?). Consider a "Golden Rule" type approach, where you consider the implications of the data you collect as if it were your own data that was collected and then made public -- would you be okay with how your organization collects, communicates, distributes, and stores its data if it was your phone number, health records, bank balance, or the like? What are the standards you expect institutions and corporations to meet when managing your sensitive information? Are you meeting those expectations when you handle the sensitive information of those you work to assist?

This basic line of questioning should be a first step for any program that is collecting data. Most organizations do not even have good information security policies and practices for their own staff and (in particular) field offices, let alone a core practice of reviewing each project for tailored information security choices.

Information and communication security is not an all or nothing approach. Security must be an ongoing practice, and it will take both implementers educating themselves on the real risks they and their beneficiaries are in, as well as donor support in a willingness (and expectation) to fund at least project-centric security measures. There are scale problems here; small NGOs which may already be struggling to fund and sustain technology components won't also have the ability to also add security expertise.

The good news is that there's a vibrant (if often contentious) community of passionate folks around who care deeply about supporting mission-driven organizations with information security, But there remains far fewer information security resources for development and humanitarian organizations than there needs to be, and they can be hard to weed through for updated, contextually relevant information -- this is a point where donors can help as well.

The salon ended with a strong call for further discussion and community-building between the security community and the ICT4D world. Here are a few great starting off points, and check back in the comments here to see where this goes!

  • Tactical Tech’s Security-in-a-Box is multi-language (11 ! ) resource with localized contextual examples. It is both approachable and comprehensive. (Note: Security-in-a-Box is undergoing an update, which will be released in late 2013/early 2014.) https://securityinabox.org/
  • EISF’s 2010 Report “The Information Management Challenge: a Briefing on Information Security for Humanitarian NGOs in the Field,” is a excellent holistic introduction to information security, particularly in the context of NGOs operating in the field: http://www.eisf.eu/resources/download.asp?d=2127
  • FrontlineSMS -- “User Guide on Data Integrity,” focused on mobile and data security: http://www.frontlinesms.com/user-resources/user-guide-data-integrity/
  • SMI’s 2009 “Cyber Security for International Aid Agencies: A Primer,” by Dmitri Vitaliev: http://securitymanagementinitiative.org/index.php?option=com_docman&tas…
  • Internews’ SpeakSafe Guide. Some excellent resources for Windows users in this guide that are not currently in other guides.
  • SAFETAG will provide a framework designed to help sufficiently tech savvy users perform and document meaningful digital security assessments for small, at-risk civil society organizations in the field. Internews hopes to publish the framework more broadly toward the end of the year. To get information about this project as it nears launch, email [email protected] .