Why the cybersecurity industry should treat civil society as critical infrastructure

Cybersecurity risks now affect everyone, but those risks aren’t the same everywhere. The Record spoke with Access Now’s Asia Policy Director and Senior International Counsel Raman Jit Singh Chima about how the human rights organization helps secure activists and journalists around the world. Chima, who also serves as the organization's global security lead, shared details about risks facing human rights defenders in the Asia-Pacific region—from spyware and social media monitoring to disrupting access to certain apps or the entire Internet. 

Protecting civil society from these threats must be a key part of cybersecurity policy discussions, Chima told The Record, much like we think about how we need to protect power grids and other utilities that keep society functioning.

“Understand that people who protect civil liberties, rights, and democracy are critical infrastructure and need to be talked about as such when you engage in cybersecurity conversations with national governments in this region,” he explained. 

Chima shared information Access Now has learned through the more than 10,000 reports the group received through its 24/7 global digital security helpline, including insights into the heightened digital security challenges for the people of Afghanistan associated with biometric and digital identity programs and reports of attacks on local telecommunications companies.

He also reminded The Record that the threats facing people who live and go online in the region aren’t part of some abstract discussion about the future of securing networks, but instead risks threatening how most people experience the Internet and digital rights today. 

“The majority of the world’s internet users are based here, between India, China, and Southeast Asia,” Chima noted. 

Read the full interview, lightly edited for clarity and length, below. 

Andrea Peterson: Tell us about Access Now and its role today.

Raman Jit Singh Chima: We are an international human rights organization just over a decade old, focusing on digital rights and in particular protecting and defending the rights of users at risk. We provide security assistance to vulnerable communities and human rights defenders globally, we track policy matters that impact human rights and technology policy issues globally and campaign publicly on particular subjects—user rights on privacy, data protection, free expression, and more. And we convene communities in terms of civil society organizations, business and human rights groups, tech firms, and others who want to talk about human rights in the digital age. I work on the Asia-Pacific region, which is fun, active, and very interesting. 

AP: One of the things you alluded to was the data security help you provide—which I know includes a literal help line. Can you tell me more about that work and what you’re seeing through it now?

RJSC: The help line is, in a sense, the first original purpose of Access Now. The organization was convened by technologists and activists who wanted to provide assistance to democratic mobilizers, particularly during Iran’s Green Revolution protests... There was a recognition very early on that the Internet could help enable all sorts of communications and efforts to stand up for democracy, but it also put people at risk—it made them susceptible to cyber intrusions, to surveillance and other mechanisms—and you needed to provide them assistance, not just in authoritarian countries, but in democracy and other areas where they are at risk. That also required supporting policy and democracy conversations based on providing this security assistance, as well as providing a firewall and protecting those who help with this security work. 

What that represents today is a 24/7 digital security help line that Access Now runs. It operates in shifts around the world where any human rights activist or journalist can write to or contact us and they will receive assistance within two hours with further reactive or proactive guidance to mitigate cyber harms or other threats they might be facing, including at times mixes of physical and digital risks. We operate on that globally and in doing so we are in a sense an incident response team for civil society. 

In fact, we helped convene the Civil Society Computer Emergency Response Team, or CiviCERT, which we organize with other NGOs and activists working in the space. More recently it’s also a member of FIRST, the Forum of Incident Response and Security Teams.

AP: And what specific threats are you seeing to activists, journalists, and everyday people in the region you focus on?

RJSC: Quite a few. Just recently we published a report covering what we’ve learned from 10,000 cases and our global takeaways. But I can share more about the Asia-Pacific region. 

Obviously what we see through the helpline is the just tip of the full ecosystem of what people are facing, because the people who come to us are the people who know we exist. There are quite a few people who might not know about us or not see resources available in their local language, so may not come to us—but we’ve seen an increased targeting of civil society actors by both state and non-state actors over the last few years, and a particular expansion in the Asia-Pacific region as well. 

We’ve seen with the pandemic that civil society and human rights defenders are depending on the Internet even more so for their activities and communications, and therefore coming under even more targeted threats, but with fewer resources than others might have in this ecosystem to protect themselves. 

And we’ve seen particular problematic situations with military coups, changes in governments, and authoritarian trends in many countries. There is often physical intimidation that almost immediately extends to digital means as well, by targeting surveillance or attempts to campaign against activists on social media, but also sophisticated digital attacks against them. We’ve seen spyware and targeted cyberattacks against civil society groups in the region. 

AP: Can you give me some specific examples?

RJSC: Sure, so you would have seen examples where there are concerns about APTs being used, for example, in Cambodia targeting civil society there. We’ve seen the Pegasus revelations and particularly very aggressive use of spyware against journalists, human rights defenders, or even constitutional office holders trying to protect democratic values.

These are incidents we’ve documented, several years into the past. In Malaysia, for example, during past elections we’ve seen DDoS attacks, phishing and other activities targeting opposition figures. And we’ve really seen an increase in concerns about the usage of such techniques across the wider region over the last one to two years. 

AP: Another topic I always think about when I talk to Access Now is actual Internet access. What have you seen in terms of coordinated attempts to disrupt communications?

RJSC: In fact, one of the most important things we’ve noticed is that while technologies can put people at risk, denial of access to technologies when the Internet has become a key part of normal life can also have grave human rights implications—even more so than before. We helped convene the Keep It On Coalition that documents and advocates against Internet shutdowns—it has hundreds of members across the world who track Internet shutdowns, produce data regarding them, and advocate against them nationally and internationally.

We’ve seen an increase in intentional shutdowns over the past several years, and the Asia-Pacific region has the highest number of those shutdowns—particularly because India is the number-one perpetrator of Internet shutdowns and, in fact, leads in the number of shutdowns by a substantial margin. There have also been shutdowns ordered elsewhere in the region, such as in Pakistan, as well as some of the longer-term shutdowns in both India and Myanmar. 

Particular countries of note are India, Myanmar, Pakistan, occasionally Bangladesh and Sri Lanka in the past, but also more recently Indonesia. There are also trends of hyper-localized shutdowns being considered in Thailand, Hong Kong and elsewhere where they may not have been ordered, but authorities were actively considering using those powers or were advancing legal proposals to cement their ability to conduct Internet shutdowns. 

AP: We recently reported on how four suspected Chinese threat actors had infiltrated one of the largest telecom firms in Afghanistan. In this case, it involved a corporate mail server—but you could potentially get a lot of information about other security concerns related to telecom from that access. How do attacks on telecommunication structures themselves impact the ability to keep people secure?

RJSC: Definitely the telecommunications sector as well as key apps and services that are often in effect serving as the gateway or represent the Internet for some people in certain countries are coming under more targeted attacks, intrusions, and disruptions. There are different ways through which governments have been forcing shutdowns or trying to otherwise interfere with Internet access points in the Asia-Pacific region—some of it is de facto measures, like they’ve ordered shutdowns or installation of increased surveillance or monitoring technologies on telecommunications networks. 

For example, Myanmar and India have often proposed and advanced such measures and we are hearing more about them in other countries in the region as well, such as Cambodia, that have considered in the past the idea of having a single Internet gateway—the idea of routing traffic through one point where the government could more easily access and monitor it. 

We’ve also seen intrusion activities targeting telecommunications and other actors, or deployment of surveillance and spyware where they want to go above what they already make telecommunications firms do or when they don’t want to depend on executives who might push back on orders so they either directly hack devices or part of the network ecosystem to get access to data. 

Another thing we are, of course, seeing is countries putting pressure on telecommunication companies to assert political influence or political control measures. A good example of that is in Vietnam, where it was documented that Vietnam essentially throttled infrastructure and CDNs being used by Facebook and other companies in the country, and really the wider region, because the country wanted to pressure Facebook to comply with their political censorship and their interpretation of how their legal rules should be applied against Facebook conduct. 

You go from de facto activity and more strict legal mandates, to more surreptitious activity, to intentional disruption attributed to governments in this fairly wide region. 

AP: It also really shows a role that a lot of these private actors have in what many people consider their access to the Internet, as you alluded to earlier—it’s access to Facebook, it’s access to Twitter, depending on the particular community and how they have been able to access or not really access the full online experience do to economic factors or censorship…

RJSC: It really varies greatly based on which country. You’d see, for example, significant differences between India and Myanmar. In Myanmar, it’s definitely been the case that Facebook has been the Internet and represents the experience the vast majority of Burmese nationals encounter. 

Even today after a wide variety of disruptions and other activities, while more sophisticated users may use Twitter or other channels, for many Burmese people Facebook is still the place they prefer to turn to and use. In other countries there may be other preferences, or local apps people are using there. But definitely the role of companies to in a sense intermediate people’s experiences and be the key gateways… this region is definitely showing a lot of that. 

It’s also putting the companies under more scrutiny because many of them are international or based in the U.S. and operating in a region where they aren’t normal residents—so they are often under more regulatory pressure from these countries or may be more circumspect about what they may say or not say to them. 

You also have a situation where local companies are often more careful about what they may do because they may not come from political or legal cultures where it’s easy to challenge what the government does publicly or in court. It varies from country to country. You’ll see a lot of litigation in India and Pakistan for instance. But in India, you might see legal action from an Indian company, but not a Chinese app maker because they might not believe they would receive sympathy in court due to, say, the geopolitical relationship between China and India at present. 

AP: Experts I have spoken to say they haven’t seen much actual disruption of online access since the Taliban recaptured Afghanistan, but many digital security concerns among the Afghan people—especially among those who worry the digital evidence of their human rights work might make them targets. Can you talk about the resources you’ve released for people there and the other risks they are still facing? 

RJSC: One of the challenges in Afghanistan is that you can argue the digital rights community was underinvested in preceding years. Many people haven’t engaged as deeply in Afghanistan as they might have elsewhere in Southeast Asia, or even in places like Myanmar. So people had to really scramble to help with the incredible situation that happened in terms of the Taliban retaking the country, and you had people believing they are coming under significant risk. 

We started seeing that in terms of people reaching out to us with exactly those concerns—saying they are a human rights activist, or we are a group that talks to activists, or a development group that does work on gender justice and other issues. And they are deeply worried that they are at risk, that pictures or even public reports of the great work they’ve done on things such as media freedom, gender justice, even development work will make them a target or be considered a collaborator by the Taliban or be used as an excuse to intimidate, harass, bring them to threats of physical harm or in some cases death.

They needed to see what people could do to take down content, what steps they could take to secure social media accounts... There may be people trying to flee the country through air or land corridors—how can they secure their accounts so they can make it through Taliban checkpoints? What can they do to secure their devices? What can they do if their devices are seized? 

We’ve seen that in political churn, starting with Hong Kong, then in Myanmar, and also in parts of India during crackdowns on democratic organizers, and in Afghanistan now: When those in charge see someone coming through a checkpoint, they seize their phone, unlock their phone and see who they are talking to, compromise accounts, or even clone and copy the device and SIM cards so they can track them just in case. 

Those are the sort of things our help line has seen and again, that’s just the tip of things—there are many more sophisticated attacks where we shared very topline advice and then that was shared through the community. We also did a public post at the end of August that we then translated into Dari and Pashto that included some basic resources and tips for everyday users and activists in Afghanistan on digital security. We supplemented that with more tailored advice and guidance to clients one-on-one and to circulate with trusted networks.

AP: Can you comment on the risks related to reported biometric databases in Afghanistan, including the Afghan Pay and Personnel system originally created with U.S backing as an attempt to combat fraud, but now some fear may be used to target people?

RJSC: Our concerns in this area came from Afghans and others on the ground in the country who came to us and said “we are worried about information collected about us because what was regarded earlier as legitimate activity, democratic protest, or working with the government, may now be considered collaboration—somehow un-Islamic activity in the Taliban’s eyes—and we will be made to suffer for it.”

Immediately because of that, and before it went public, we had an internal hypothesis that identity information existed in the country that could be used to target people. 

We originally thought it might be from humanitarian agencies or other places like that. But after the first few stories about U.S. government biometric devices being captured came out, we said what’s really concerning is what databases they may be connected to, then it became very clear that Afghanistan was used as a petri dish for very problematic digital identity and biometric experimentation over the last decade. 

Unfortunately, this was pushed by international actors and other governments, including NATO members and the U.S., as well as international aid and development agencies actors such as the World Bank and others who wanted identity and biometric databases to be used for security purposes at the Afghan Interior Ministry, and for repatriation programs where information collected about returning Afghans by other countries was shared with the local government, and is now assumed to be in control of the Taliban. 

There was also more generally the rapid digitization of identity programs in Afghanistan under pressure and with funding from the international community even when Afghan government actors raised concerns about it being potentially problematic in a country with deep ethnic tensions and often quick political churn and violence. 

Also in a South Asian context, people had seen how digital identity programs could be used to target minorities or people governments don’t like whether in India, Pakistan, or the wider region. They deployed it rapidly and at scale, and now you could say in a sense that Afghanistan is a lesson for how the global digital identity evangelist community has allowed an incredibly problematic and frankly appalling situation to come to bear. 

That’s why there was a joint statement from many organizations including ourselves that calls for governments to immediately take steps to mitigate these harms, but also to pause and reflect on what they’ve done and that this is why they should be cautious about pushing forward digital identity programs that can place people at risk without human rights safeguards. Also, frankly, not to digitize for the sake of digitization without taking into account cybersecurity, or even national security and local context considerations.

AP: What else should people keep in mind when considering the landscape of cybersecurity in the region?

RJSC: There are a lot of security developments across the region, but I think it’s really important for people to notice there’s rapid digitization and use of digital technologies and in turn communications by actors at all levels. You have a lot of users, sometimes using big global products in their local languages—which requires more engagement on how policies and measures are being applied in these local contexts and remedy mechanisms being available in their languages. 

There’s also a situation where there’s a fantastic group of people in the digital security and civil society communities who are trying to deal with a very problematic situation where there are significant capabilities being acquired by nation-states and other bad actors, but with far fewer resources than in the West and sometimes less attention and support. I think it goes to this larger issue of how cybersecurity in this region is even more so about the security of individuals and of civil society: You need to protect civil society like infrastructure.

In fact, understand that people who protect civil liberties, rights, and democracy are critical infrastructure and need to be talked about as such when you engage in cybersecurity conversations with national governments in this region.

Sometimes those governments might be taking steps publicly like creating new laws or units they say are about fighting cybercrime and protecting critical infrastructure and networks, but actually it’s being used to target people’s devices and attack encrypted communications. Not just in broad crude measures, but sometimes very sophisticated capabilities in terms of malware deployment, DDoS attacks, and other mechanisms. 

We need to take more concrete steps to know what sort of cybersecurity concerns individual users and the human rights defenders protecting them are facing today also because the future of the Internet is not just in the Asia-Pacific region—the present of the Internet is here. The majority of the world’s internet users are based here between India, China, and Southeast Asia.