Identifying online threats: An NGO's experience

The German NGO Future Challenges and its partner “betterplace lab” are currently implementing a three-year digital human rights project in Uganda called the Digital Human Rights Lab. With guidance from DW Akademie trainer Daniel Moßbrucker, Future Challenges applied threat modeling to strengthen its security system.

Linda Walter is one of Future Challenges’ co-founders and the project lead for its Ugandan project. She explained the process of threat modeling and what her organization learned.

DW Akademie: What kind of organization is Future Challenges?

Linda Walter: Future Challenges is actually itself in a transformation process. But if you asked me to put it in a sentence: we are transforming human rights work.
The idea is to empower human rights organizations on the ground dealing with any kind of transformation. Right now, digitization is one of the biggest challenges they face. So we try to ensure that local human rights organizations can make the best out of digitization and also be aware of risks — and this is where the digital security aspect comes in.

What were your main worries and concerns about digital security and security in general?

For us, it's mainly digital security but you cannot think of one without the other. I guess our main worries and concerns arose from another project of ours dealing with verification of user generated content. We've been thinking about how to ensure that videos documenting human rights issues actually show what they said they'd show concerning things like time, location or people being shown in the video.

This project was actually our first connection to digital security. We've been working with several digital security advisers and we also had a programmer on board who's been an expert on digital security. While working on this project we realized that we were somehow lacking a concept on digital security on the side of our organization as a whole.

What did you know about threat modeling before you started this project?

Well, we'd heard of threat modeling, but we hadn't applied it. Numerous people within Future Challenges didn't take security seriously or didn't know what was of real importance. Somehow we never underwent threat modeling as an organization, we only applied some security measures for the already mentioned video verification project. I think we were lacking a lot of information.

What other threats did you become aware of after doing threat modeling?

While we did the threat modeling with DW Akademie trainer Daniel Moßbrucker, I think I really understood that, first of all, we have to think of who is actually threatening us. We never did this in detail - it was rather an abstract enemy. We realized that you have to think from the angle of adversaries.

And another thing I wasn't aware of is that the main threat to digital security is actually the people in your organization. If one of my colleagues was using their private computer or replied to a phishing email all our efforts as an organization could be in vain.

We were also taught to think of our daily work to set up a security concept that really suits us as an organization. We had to go through our daily routine and identify what this means for the threat modeling. That also really helped me.

How did you restructure your security system?

It's mainly two people in our organization who are taking care of this: The tech lead on one side and me on the other side.

We tried to somehow split the work and realize what needs to be done by whom. And obviously, I couldn't set up a new form of file sharing — that was his job. But I'd have to make sure that people were actually sticking to the rules that we gave ourselves. And I figured that the first part, the tech part, was rather easy. The second part is really challenging. And we're still struggling with that.

I think what we still need to work on is a hands-on routine or maintenance plan for digital security to remind ourselves of the rules we set for ourselves every two months or so.

What advice would you give to other organizations who are considering updating or changing their security?

I'd advise them to do a proper threat modeling with an expert. That was really helpful. It also made us feel much better prepared than before, since we felt that we were not properly upholding the things we were preaching to others. We're working with groups who are fighting for LGBT+ rights in countries where being LGBT+ is penalized. And we might endanger these groups if we do not stick to the security rules we gave ourselves after the threat modeling. So I do suggest that everyone who feels that this is crucial for their work should undergo a proper threat modeling — and that they do this on a regular basis.

DW Akademie’s Threat Modelling Guide will be released in October 2020. The guide helps organizations to identify potential threats and provides solutions to counter them.