Global Trends in Digital Security: Civil Society and Media

"The decline in global freedom and rise of authoritarianism both allows for and benefits from the decline in digital freedom and rise of digital threats."
This Internews report explores the digital threats that civil society groups, journalists, and activists face and the impacts of these threats on their work and activities. These attacks are employed by both state and non-state actors, with some being associated with the rise in digital authoritarianism, as well as more traditional forms of cyberattacks. The threats outlined in the report include commercial spyware, the interception of communications, device seizures, distributed denial-of-service (DDoS) attacks, and online harassment and gender-based violence. In addition to a description and examples of the threats, the report discusses the impacts and provides tips on protection and mitigation strategies.
As explained in the report, "Worldwide, civil society and media organizations are increasingly operating in challenging environments due to shrinking civic spaces; rising authoritarianism, both political and digital; and conflict. Governments and other actors deploy digital tactics and tools to restrict civic space and hamper the work of activists, human rights groups, and journalists." These digital tactics and tools are increasingly deployed during war, elections, and other conflicts to restrict civic space at a time when civil society and the media are already operating under precarious circumstances. Examples cited in the report include the elections in Brazil and Mexico, the war in Ukraine, and the conflict between Armenia and Azerbaijan.
The report's methodology combines desk research and findings from a forensic analysis on digital attacks against civil society groups conducted by Threat Labs. Threat Labs are local organisations with expertise in cybersecurity that provide swift and trusted incident response and threat analysis services to civil society and media organisations with whom they work. Internews collaborated with: Conexo, based in the Latin America and Caribbean region; CyberHub-AM, based in Armenia; Digital Security Lab Ukraine, based in Ukraine; Jordan Open Source Association, based in Jordan; MariaLab, based in Brazil; SHARE Foundation, based in Serbia; and SocialTIC, based in Mexico. Individual threat landscape reports for five countries (Armenia, Brazil, Mexico, Serbia, and Ukraine) have also been published as part of this work (see Related Summaries below). The incidents used to inform this report were documented between September 2022 and June 2023. Additional data were collected using secondary sources such as news websites, press agencies, statements, and research by human rights and digital rights groups.
The types of threats outlined in this report include:
- The use of commercial spyware and targeted surveillance - Commercial spyware and its use by state actors pose a major threat to the work of civil society. Between September 2022 and August 2023, the Threat Labs who collaborated on this report responded to dozens of suspected and confirmed incidents of spyware attacks brought to them by civil society organisations, media organisations, journalists, and human rights defenders. Pegasus, developed by the Israeli company NSO Group, is the world's most infamous spyware.
- Phishing - This is the most common type of cyberattack. Phishing messages targeting email and messenger accounts generally contain malicious links that lead users to a web page that captures information, such as login details. Threat actors may target victims' professional communications, sources, and location data; they are also known to collect personal information, such as intimate photos and videos or information about the victim's relatives, to use in smear and harassment campaigns.
- Account compromise - Threat Labs responded to dozens of incidents pertaining to successful and unsuccessful attempts to compromise accounts, mainly email accounts and social media accounts including Facebook, Instagram, Telegram, Twitter, Viber, WhatsApp, and YouTube. Account hijacking can result in the loss of hacked accounts and unauthorised access to account data, including messages, location data, and documents. When users are unable to recover their accounts, their work is put on hold, partially or fully.
- Interception of communications and internet traffic - Civil society and media also face government deployment of interception technologies to monitor communications and internet traffic. In the past, internet traffic was generally unencrypted, allowing governments to censor specific content or target people based on what they were viewing or saying online. As of 2023, most internet traffic was encrypted; however, governments instead tried to control online behaviour by monitoring web traffic and either blocking connections to particular websites or monitoring behaviour on public websites.
- Online harassment and gender-based violence - Non-governmental organisations (NGOs), human rights defenders, journalists, and activists around the world regularly face forms of online harassment that range from doxing, hateful attacks, and smear campaigns to gender-based violence and death threats. Attacks often happen or peak at times of protests, elections, political turmoil, and other events where civil society's watchdog role is even more essential.
- Attacks against websites - State actors, hacker groups motivated by political agendas, and cybercriminals are known to target the websites of media groups and NGOs using cyberattacks like defacement, DDoS, hacking, and backdoor access.
- Platform censorship - Platforms' content moderation policies and practices also hinder civil society organisations' and media outlets' efforts to publish and disseminate content and information, reach audiences, and inform the public. Platform accountability falls short for various reasons, including the lack of diverse and adequately trained content moderators, bias, the increasing role of algorithmic content moderation using non-diverse training datasets, and the censorship demands of governments.
- The seizure of devices - In addition to the use of spyware and phishing tactics, the physical seizure and search of devices remains a serious threat that infringes on the privacy of activists, journalists, human rights defenders, and organisations.
In conclusion, the report states that to withstand these threats and mitigate their most serious impacts, civil society organisations and the media need support to implement security measures - and this requires knowledge, human resources, and financial resources. "In some cases, basic knowledge, such as how to protect accounts and avoid becoming a victim of phishing, can go a long way in preventing attacks. Oftentimes, however, affected organizations need in-house experts and investment in protection tools such as DDoS protection (for which there are several free options for NGOs), secure storage systems to protect their work, and modern devices that continue to receive security updates." In addition, resources should be dedicated to gaining an in-depth understanding of the threats facing civil society and the media, as this allows digital security practitioners to tailor their responses and better support the civil society and media organisations with whom they work.
Internews website on January 11 2024. Image credit: Skyler Sallick