Saturday, March 22, 2008

Cyber Attacks against Tibetan NGOs

So let's say you work for an NGO that's managed to irritate a government. And I don't mean cause minor irritation, as most organizations do or have done, but serious irritation, where a government (or proxy) decides to use its resources to mess you up. Not the typical expulsions, detainments or arrests, but really sneaky stuff.

Read this article about what's happening with Tibetan NGOs. It's been my experience that most NGOs are woefully unprepared to deal with such a threat. While I've encountered a few IT staff members who are security savvy (and a smaller number of security practitioners who are IT proficient), this tends to be the exception within the humanitarian community.

IT and security folks rarely talk. As you both have the interests of your organization in common, jointly discussing this article might be a good way to begin a dialog.



Anonymous Paul C said...

Obviously it's Digital Security Week! I made a similar observation about IT and security staff coming together, and suggested the reason why we might be having problems.

Most UN or NGO staff make such terrible security officers because project staff are problem-solvers, sent in to a situation to fix something that’s not working properly. As Bruce Schneier's article pointed out, that's not a security mentality, which needs to focus on failure.

That's also the reason why neither IT nor security staff should be solely responsible for IT security - it takes both sides of the fail / fix equation to build resilient IT infrastructure. So let's get them talking...

4:01 AM  
Anonymous Anonymous said...

I agree with Paul that security and IT need to talk. Most security-conscious IT guys seem to concentrate on the 'sexy' threats like remote penetration and denial of service attacks. Unfortunately, most NGO IT infrastructure remains very vulnerable to lower-tech approaches like pretexting and social engineering.


2:45 AM  
