A New International Advisory on the Growing Cyber Threat to Civil Society
- May 15, 2024
- Clayton Rice, K.C.
The Canadian Centre for Cyber Security has joined an international consortium of cybersecurity and law enforcement agencies in warning the public about the growing threat to civil society, a community deemed to be at high risk of state-sponsored cyber threats. That community includes nonprofit, advocacy, cultural, faith-based and academic organizations, think tanks, journalists, dissidents and diaspora organizations, as well as individuals involved in defending human rights and advancing democracy. The growing cyber threat is of particular concern to lawyers engaged in human rights advocacy.
1. Introduction
On May 14, 2024, the Canadian Centre for Cyber Security, a part of the Communications Security Establishment Canada, announced the publication of an advisory titled Mitigating cyber threats with limited resources: Guidance for civil society co-authored by nine other agencies. (here and here) The advisory emphasizes that civil society organizations and their employees are often targeted by state-sponsored threat actors who seek to undermine democratic values and interests. “Regularly conducted as a type of transnational repression (also referred to as digital transnational repression), state-sponsored actors compromise organizational or personal devices and networks to intimidate, silence, coerce, harass, or harm civil society organizations and individuals,” the advisory said. (here)
The other co-authors of the advisory are the U.S. Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security – Office of Intelligence and Analysis (DHS I&A), the U.S. Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the National Centre of Incident Readiness and Strategy for Cybersecurity (NISC) Japan, the Japan Computer Emergency Response Team Coordination Centre (JPCERT/CC), the National Police Agency (NPA) Japan, the National Cyber Security Centre – Finland (NCSC-FI) and the Estonian National Cyber Security Centre (NCSC-EE).
2. Civil Society at High Risk
According to industry reporting referred to in the advisory, state-sponsored targeting of civil society organizations and individuals, “comes predominately from the governments of Russia, China, Iran, and North Korea.” Industry reports characterize civil society organizations as high risk due to their high threat level and low defence capacity:
- Civil society organizations and their staff are at high threat of being targeted by malicious cyber actors. Based on industry reporting, these organizations and their staff are known targets as state-actors may seek to undermine democratic values.
- Civil society organizations often have low defense capacity. These organizations lack internal IT support and essential cyber hygiene to prevent the possibility of malicious activity (e.g., lifecycle management, patch management, multifactor authentication, password management). Individuals that fall under the civil society umbrella often rely on insecure channels for communication and need to manage public profiles to advance their work. Organizations with low defense capacity are ill-prepared for and vulnerable to common cyber threats, such as social engineering attempts.
I commented on social engineering tactics used by malicious cyber actors in my last post to On The Wire where I discussed the recent unsealing of an indictment by the U.S. Attorney’s Office, Southern District of New York, charging four Iranian nationals with conspiracy to commit computer intrusions, conspiracy to commit wire fraud and aggravated identity theft. (here) Social engineering is the use of deception to manipulate an individual into divulging confidential or personal information. Deception tactics are often used to obtain login credentials, credit card numbers, bank account information and social security numbers. The information can then be used to facilitate identity theft. Social engineering is an attractive tool for cyber thieves because it enables them to get around technical cybersecurity controls by targeting the person rather than the system. The new advisory goes on to warn that low defence capacity is exacerbated in most cases “by products and services designed in a manner that places the burden of reducing cyber threats on the customer or end user” who is required “to take specific, sometimes onerous, actions to improve their cyber posture.”
3. Industry Reports
The advisory cites reports by Microsoft, CrowdStrike, Cloudflare and the European Union Agency for Cybersecurity to highlight the frequency with which non-governmental organizations are targeted by state-sponsored cyber actors. Extracts from three of them follow.
According to the Microsoft Digital Defense Report 2023, “[r]ansomware operators are shifting heavily toward hands on keyboard attacks, using living-off-the-land techniques and remote encryption to conceal their tracks, and exfiltrating data to add pressure to their ransom demands.” (here) The report also found that, after a flurry of high-profile cyber attacks the previous year, state cyber actors have moved away from high-volume attacks and have now directed the bulk of their activity toward cyber espionage. The executive summary of the Microsoft report emphasized that, “[a]s nation-state threat actors continue to grow in sophistication, they have been increasingly used by governments to understand the plans of other nations, transnational bodies, and non-governmental organizations.” State actors, however, are not alone in the digital ecosystem, as cyber syndicates leverage ransomware-as-a-service and phishing-as-a-service as key threats to the private sector. One recent example of the increase in aggressive tactics is Volt Typhoon, a Chinese actor using living-off-the-land techniques, that I discussed in a previous post to On The Wire. (here)
Cloudflare, an internet infrastructure and website security company based in the United States, has reported that malicious cyber activity against civil society organizations is “generally increasing.” (here) In the Project Galileo 9th Anniversary report, Cloudflare focused on organizations at the centre of public debate due to their work and, specifically, organizations that support LGBTQ+ rights, civil society, reproductive rights and health groups, and organizations in Ukraine. One of the main findings was that, between July 1, 2022, and May 5, 2023, Cloudflare mitigated 20 billion attacks against organizations protected under Project Galileo. This was an average of nearly 67.7 million cyber attacks per day over the preceding 10 months. (here) Project Galileo provides cybersecurity protection to “at-risk sites” that are the targets of cyber attacks including human rights organizations, minority rights organizations, independent media outlets and democracy protection programs. (here)
In the ENISA Threat Landscape 2023 report, the European Union Agency for Cybersecurity found that, during the reporting period of July 2022 to June 2023, the cybersecurity landscape witnessed a significant increase in the variety and quantity of cyber attacks and their consequences. (here and here) DDoS and ransomware ranked the highest among the prime threats, with social engineering, data-related threats, information manipulation, supply chain and malware following. A large number of cyber events targeted organizations in the public administration (19%) and health (8%) sectors. Events targeting digital infrastructure (7%) and digital service providers (6%) formed two other important sectors. A “considerable number” of events targeted civil society rather than any particular sector. These events, labeled “targeted individuals”, amounted to 11% of the events observed.
4. Conclusion
The advisory “strongly encourage[d]” civil society organizations to implement best practices as defined by CISA’s Cross-Sector Cybersecurity Performance Goals that “provide a minimum set of practices and protections that are informed by the most common and impactful threats and behaviors.” (here) The recommendations specifically listed in the advisory include: (a) keep software updated on user devices and IT infrastructure; (b) implement phishing-resistant multifactor authentication; (c) audit accounts and disable unused and unnecessary accounts; (d) exercise due diligence when selecting vendors, including cloud service providers and managed service providers; and, (e) implement basic cybersecurity training. Both the advisory and the ENISA report recommended the development of an incident response and recovery plan. The ENISA report also emphasized the implementation of a “secure and redundant backup strategy” to maintain offline encrypted data that is regularly tested.
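Recommendations (b) and (c) are the two that a small organization can check with a script rather than a policy document. The following is an added example, not code from the advisory, CISA or any of the co-authoring agencies. It reads an identity-provider account export (the column names and the sample rows are constructed for illustration; a real export will differ), treats only FIDO2/WebAuthn and PIV smart-card factors as phishing-resistant, as CISA does, and flags accounts that are dormant or that rely on SMS, voice, TOTP or push factors. The 90-day dormancy threshold and the reference date are assumptions.

```python
"""Audit an account export against two of the advisory's recommendations:
(b) phishing-resistant MFA and (c) disabling unused accounts.
Added example; the records below are constructed, not from a real IdP."""
import csv
import io
from datetime import date, timedelta

# Factor types CISA treats as phishing-resistant: FIDO2/WebAuthn authenticators
# and PKI-based smart cards (PIV/CAC). SMS, voice, TOTP apps and push prompts
# are not, because a reverse-proxy phishing kit can relay the code or prompt.
PHISHING_RESISTANT = {"fido2", "webauthn", "piv", "smartcard"}

DORMANT_AFTER = timedelta(days=90)   # assumption: policy threshold for "unused"
AS_OF = date(2024, 5, 15)            # assumption: reference date for the audit

# Constructed sample export. Column names imitate a generic IdP CSV export and
# are an assumption; adapt them to the real export format.
SAMPLE_EXPORT = """\
user,type,last_login,mfa_factors
ana@example.org,user,2024-05-10,fido2
ben@example.org,user,2024-01-03,sms
cal@example.org,user,,totp
backup-sync@example.org,service,2023-11-20,
dee@example.org,user,2024-05-01,"sms;webauthn"
"""


def mfa_strength(factors):
    """Classify by the strongest enrolled factor: 'resistant', 'weak' or 'none'.

    A user who has both SMS and a security key counts as resistant only if
    the weaker factor is later removed, but enrolment is the first step, so
    the strongest factor decides here.
    """
    enrolled = {f.strip().lower() for f in factors.split(";") if f.strip()}
    if enrolled & PHISHING_RESISTANT:
        return "resistant"
    if enrolled:
        return "weak"
    return "none"


def audit_accounts(export_csv, today):
    """Return {user: [finding, ...]} for accounts violating (b) or (c)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        problems = []
        if row["last_login"]:
            idle = today - date.fromisoformat(row["last_login"])
            if idle > DORMANT_AFTER:
                problems.append(f"dormant: no login for {idle.days} days")
        else:
            # Provisioned but never used: a forgotten account is exactly what
            # recommendation (c) is about, so it is flagged, not skipped.
            problems.append("dormant: never logged in")
        if row["type"] == "user":
            # Service accounts usually cannot enrol interactive MFA; they are
            # judged on dormancy only, and should be disabled if unneeded.
            strength = mfa_strength(row["mfa_factors"])
            if strength == "none":
                problems.append("no MFA enrolled")
            elif strength == "weak":
                problems.append("MFA not phishing-resistant")
        if problems:
            findings[row["user"]] = problems
    return findings


if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_EXPORT, AS_OF).items():
        print(user)
        for p in problems:
            print("  -", p)
```

Run against the sample, the script flags ben (dormant and SMS-only), cal (never logged in, TOTP-only) and the backup-sync service account (dormant), and passes ana and dee, whose strongest factor is a FIDO2/WebAuthn key. The useful output of such an audit is the list of accounts to disable or re-enrol, reviewed at a fixed cadence, rather than a one-time report.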