JCDC Working and Collaborating to Build Cyber Defense for Civil Society and High-Risk Communities


By Clayton Romans, Associate Director of Joint Cyber Defense Collaborative

Last fall, the Cybersecurity and Infrastructure Security Agency (CISA) and United Kingdom’s National Cyber Security Centre (UK-NCSC) held the first international convening of the Strategic Dialogue on Cybersecurity of Civil Society Under Threat of Transnational Repression. With the convening eight countries, we discussed options to advance the cybersecurity of civil society and calibrate our agencies’ support to the communities at highest risk. The second meeting is planned for May 2024.    

Recently, CISA participated in the third Summit for Democracy in Seoul, South Korea, as part of our continuing commitment to counter cybersecurity threats against civil society. In alignment with this summit and our strategic dialogue work, CISA is providing a suite of resources on our new High-Risk Communities webpage today to help civil society organizations with bolstering their cyber defense and resilience.   

These resources are the product of a year-long effort spearheaded by the Joint Cyber Defense Collaborative in partnership with industry and civil society. Informed by the unique expertise and experiences of our civil society and industry partners, these resources directly respond to the unique threat profile and operational realities of high-risk organizations that are targeted by sophisticated threat actors.  

As leaders of high-risk organizations know all too well, operating a robust cybersecurity program can be costly. And many sources of funding do not account for the cost of hiring and retaining information security professionals or implementing effective cybersecurity solutions. At the same time, civil society organizations and their affiliates are at heightened risk of becoming targets of Advanced Persistent Threats – and cybersecurity incidents that lead to disruptions in their work can have dire ramifications for the vulnerable communities they serve.  

Here are some of the resources that CISA released today as part of its cyber defense plan to support civil society organizations:   

  1. Launch a Webpage for High-Risk Communities.  

CISA’s High-Risk Communities webpage serves as a one-stop-shop for cybersecurity guidance and free or discounted tools and resources that are tailored to meet the needs of high-risk organizations that want to improve their cybersecurity baseline while operating with limited resources.   

  1. Release Project Upskill: CISA’s Tailored Cybersecurity Guidance for High-Risk Communities. 

Research from the CyberPeace Institute shows that less than 15-percent of non-governmental civil society organizations have cybersecurity experts on their staff and 33-percent do not have dedicated IT or security resources available to secure their individual employees, let alone the enterprise. That means employees at high-risk organizations serve as the first line of defense against malicious cyber actors that seek to disrupt operations or conduct reconnaissance.  

Project Upskill is designed to arm individuals employed by or supporting high-risk organizations with simple steps to meaningfully improve their cyber hygiene. We crafted it to be accessible to a non-technical audience so that all individuals across civil society are empowered to support their own cyber defense.  

The steps outlined in this new resource are not a “silver bullet” against cyber intrusions however, they can make it more difficult and costly for malign cyber actors to target individuals and the organization.   

  1. Highlight Free Tools & Services for Mission-Based Organizations.  

Collectively, a wide array of free or discounted tools and services are available to high-risk communities. For example, certain organizations can apply to receive free cybersecurity protection under Cloudflare’s Project Galileo. Individuals who enroll in Google’s Advanced Protection Program (free to the public) benefit from additional account safeguards, including enhanced protection against phishing attempts and harmful downloads. Organizations seeking guidance on how to harden their enterprise will benefit from visiting the Global Cyber Alliance’s Cybersecurity Toolkit for Mission-Based Organizations, and high-risk individuals and organizations can turn to Access Now’s Digital Security Helpline for support with incident response if they believe they have been compromised.   

All of these resources, and more, are located on CISA’s High-Risk Communities webpage.     

  1. Help Prospective Volunteers Connect with their Local Cyber Volunteer Clinic. 

Across the United States, academic institutions, non-profits, and municipalities are setting up cybersecurity clinics and volunteer corps to provide free, hands-on support for incident response and resilience building.   

High-risk organizations often qualify for support from these volunteer clinics. Therefore, CISA is building a webpage that will have information about the cyber volunteer programs across the country. Our intent is to help build capacity by providing a centralized place for prospective volunteers to learn about prerequisites and application processes for joining their local cyber volunteer program, and help qualifying organizations learn how to obtain assistance.   

At the third Summit for Democracy, Secretary of State Antony Blinken stated, “As authoritarian and repressive regimes deploy technologies to undermine democracy and human rights, we need to ensure that technology sustains and supports democratic values and norms.” We believe that the work initiated through this partnership across civil society, technology companies, the US government, and international partner governments we are contributing to a rights respecting digital world.”  


CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services referenced or linked to on this page. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.