NGOs face an uphill battle against state-sponsored attacks

Cyber-attacks pose a serious threat to smaller organisations, especially NGOs, according to a new report from the Munk School of Global Affairs.


Research just published claims to show that NGOs (non-government organisations) and activist groups are losing the battle against state-sponsored cyber-attacks, many of which originate from China and other areas of the Far East.

The report, from the University of Toronto's Munk School of Global Affairs and entitled 'Targeted Digital Threats against Civil Society', analysed more than 800 suspicious emails, plus 2,800 malicious payloads and malware families.

It concluded that the nature of cyber-attacks against NGOs is the same as against Western government IT systems, but that the NGOs lack the resources to counter the problem.

These attacks on civil society, says the research, raise major issues for the sustainable promotion of rights and democracy worldwide.

After analysing attacks against ten civil society groups that enrolled as study subjects over a period of four years, researchers found that a series of sustained attacks were taking place against the groups, concluding that their frequency and severity were equal to the cyber-attacks being waged against government systems.

According to Professor Ron Deibert, director of the Citizen Lab and lead author of the report, it is well known that computer espionage is a problem facing Fortune 500 companies and government agencies.

"Less well known and researched, however, are the ways in which these same types of attacks affect smaller organisations promoting human rights, freedom of speech, and access to information. We set out to fill this gap in knowledge," he explained.

Researchers found that the technical sophistication of even the most successful attacks against civil society organisations (CSOs) tends to be low. Instead, the report notes that attackers put more significant time and effort into crafting legitimate-looking email messages or other "lures" designed to bait targets into opening attachments or clicking on links.

The content for these lures, says the report, is often derived from information gathered from previous breaches of individuals in their organisation or partners in their wider communities.

The constant use of socially-engineered attacks as bait erodes trust among those communities and creates disincentives around using the very communication technologies that are often seen as CSOs' greatest asset, it notes.

Solutions

According to the report, companies that build software or provide information security have an obligation to support CSOs at risk, and it recommends they explore a 'pro bono' model of help as well as creative licensing solutions for CSOs to avoid the use of insecure, outdated software.

According to Fran Howarth, a senior security analyst with Bloor Research, the work carried out by organisations such as Canada's Munk School of Global Affairs is of interest to many, especially those who do not agree with their views or have lax standards of civil rights and democracy.

"Anyone using electronic communications and resources such as social media can be a target of disruptive attacks, no matter what size of organisation they represent," she said, adding that the assertion that it is just major companies and governments that are attacked itself shows a lack of understanding. Howarth went on to say that clearly the major issue that needs addressing is security awareness.

"This report seems to conclude that the issue is someone else's problem. Whilst there is undoubtedly more that technology vendors can do to help CSOs, there are already resources such as the Charities Security Forum in the UK that would be a good place to start for such organisations," she explained.