WASHINGTON - This week, the Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (UK-NCSC) held the Strategic Dialogue on Cybersecurity of Civil Society Under Threat of Transnational Repression. The Strategic Dialogue was formally announced during the second Summit for Democracy in March of this year. During the Strategic Dialogue, eight countries convened to discuss ways to advance the cybersecurity of civil society and to align priorities for future work to support the cyber resilience of high-risk communities (HRCs). In addition to the U.S. and U.K., participating countries included Australia, Canada, Estonia, Japan, New Zealand, and Norway. Prior to the inaugural dialogue, all countries in the partnership participated in staff level meetings to share insights that were incorporated into today’s discussion.
The rise of digital authoritarianism threatens the democratic values that lie at the heart of our way of life. It presents a grave threat to the security of our nations. Our common adversaries have created a heightened threat environment that requires more of us to work together than ever before. Democracies must respond together to advance efforts to thwart adversaries’ attempts to target civil society and other high-risk communities with malicious cyber activity.
During the meeting participants affirmed their commitment to take action to support the cybersecurity of civil society and recognized that each participating country can do more to partner with civil society to advance the cybersecurity of this high-risk community. Participants highlighted existing initiatives focused on this work, discussed each country’s understanding of the communities at heightened risk of advanced persistent threat (APT) targeting, and identified opportunities for further collaboration and alignment of efforts across HRC protection work.
Current Work to Further Civil Society Cybersecurity. Participants shared information about current initiatives each country is engaged in to build trust between government and civil society and to further the cybersecurity of HRCs. Throughout the dialogue countries raised the diverse array of communities and organizations which fall under the broad term of civil society and the importance of developing materials that are accessible by individuals and organizations of all sizes, budgets, and levels of technical experience.
CISA highlighted its High-Risk Community Protection (HRCP) initiative. Established in 2023, CISA’s HRCP initiative serves as the enduring home for the agency’s work to identify and partner with high-risk communities to understand the threats they face, identify the resources which can bolster their defense, and close gaps in support. Throughout 2023 the Joint Cyber Defense Collaborative (JCDC) has partnered with civil society organizations, tech companies, and interagency partners to assess existing APT threats to civil society and to commit to produce 10 deliverables that support civil society cyber defense.
“Malicious cyber actors routinely target not only a wide range of U.S. and allied governments, businesses, and critical infrastructure, but also civil society organizations who are often the most vulnerable and least well-resourced to protect themselves,” said CISA Director Jen Easterly. “Such attacks threaten to undermine the democratic values we collectively cherish. I couldn’t be prouder to partner with the United Kingdom and other like-minded nations to identify and implement measurable actions to help defend civil society organizations around the globe.”
The UK’s NCSC takes a whole of society approach to cyber defense and views civil society as one of three sectors of focus for their work. Through the NCSC’s Defending Democracy work, the NCSC is seeking to partner with high-risk public and elected officials to advance understanding of the sophisticated threats targeting individuals across personal and enterprise devices.
“Protecting civil society from cyber threats is vital so it can continue its important work upholding our democratic values in the UK and around the world. The NCSC with CISA and international partners have reaffirmed our commitment to support at-risk communities to bolster their cyber security in the face of a heightened threat of transnational repression,” said Lindy Cameron, Chief Executive of the NCSC. “This strategic dialogue is the latest step we are taking to defend our democracy and improve our collective cyber resilience against online harms.”
Norway similarly highlighted work they have led to engage with and advance the cybersecurity hygiene of political parties, elected officials, and nonprofits. Through these efforts Norway has partnered with high-risk civil society organizations to enhance adoption of key security controls, such as multi-factor authentication.
Estonia, Canada, New Zealand, and Australia each highlighted the importance of making cybersecurity awareness campaigns and training materials accessible to high-risk communities including by translating materials into multiple languages which reflect the diversity of each country.
Each country acknowledges that there is more work that must be done to enhance government’s support for civil society cyber defense. The partnership is eager to expand upon this work, learning from one another and from impacted civil society organizations.
Additional High-Risk Communities of Concern. Participants recognized both the diversity of communities who comprise civil society and the reality that there are additional communities who are at heightened risk of targeting by APT actors whom government needs to do more to support including:
- Civil society including non-governmental organizations, think tanks, faith-based organizations, journalists, activists, and dissidents
- Public and elected officials
- Indigenous communities
- Diaspora and linguistically diverse communities
- Universities and academia
- Legal professionals
The communities at heightened risk may shift over time so the Dialogue will be balanced between discussion of what we are doing today to support civil society and alignment on prioritization of work for the coming year.
Improving the Cybersecurity Baseline for All. In addition to the work we must do directly with impacted communities, Japan highlighted the criticality of raising the baseline of what all individuals and organizations can expect regarding the security of the products and services they use through implementation of a secure by design and default approach. Ensuring that devices are secure by design and default will have outsized impact for individuals and small organizations who may not otherwise have access to the resources and expertise required to implement a defense-in-depth approach to security.
Commitment to Ongoing Work and Opportunities for Alignment. To continue to push forward this critical work, CISA and participating countries will continue to work together on the following:
- Engagement with civil society and HRCs
- Continued collaboration to understand the threat landscape facing HRCs.
- Collaboration across countries to prioritize work in 2024 to advance the cybersecurity of civil society and other high-risk communities highlighted during the Strategic Dialogue.
The next Strategic Dialogue is scheduled for May 2024. Details and information on how to attend will be forthcoming.
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.