All right, next up here we have Megan DeBlois talking about blue teaming for human rights. Please give her a warm welcome.

All righty, can you guys hear me all right? So I am going to talk a little bit about blue teaming for human rights. My name is Megan DeBlois, I work for Internews, which is a non-profit. My team at Internews focuses on improving security for high-risk communities around the globe: journalists, activists, human rights defenders. I'm also doing a part-time master's over at Oxford. I am a San Diegan, so if you all have any questions about San Diego, please come and find me. I would love to talk to you if you need advice on food, tacos, whatever it might be. Because I know it is early, I wanted to include a puppy photo nice and early in the talk just to catch people's eyes, and yes, this is my puppy dog. So let's jump into it.

So the problem that we face in the human rights community, often people ask me sort of where do you start? What's why do human rights groups struggle so much when it comes to information security? First off, most human rights groups that we're talking about in this talk are not ones based here in the US. They're the ones that are based in places like Syria, places like Turkey, places like Venezuela. They're highly underfunded, much more so I would say than some of any of the organizations that we've ever worked with. What about IT staff? There are none. Most human rights organizations we work with have no IT staff. If they're lucky, maybe they have a part-time person they know that's a bit more technical that comes and helps them out every once in a while, when they have a technical problem with the website or they think they've actually downloaded malware. Staff dedicated to security? When people ask me this, I normally laugh. That's just a big joke. No one in the community has dedicated staff to security.

So what's on the flip side? What does our adversary look like? Well, a lot of our adversaries are state-level actors.
So they are highly capable. They've got APTs, advanced persistent threats that they have in their arsenal, although oftentimes they do not have to use them. But they also sometimes have additional capabilities like legal authority, to subpoena, to force companies to show them their data that is actually on their servers. Legal legislation that they've passed to actually force companies to keep data inside the jurisdiction of the country. All of these make it really difficult and make very capable adversaries. Obviously, if you're a nation state actor, you are well funded, although it's very easy to be better funded if you have no money. So relatively, whether or not you are a Russia or you are an organized country with less funding, more money means more capabilities. And they have teams. They actually have staff that are dedicated to strategizing on how to compromise different communities, including human rights groups.

And if you don't believe me, we can just check out the news. So even recently, Fancy Bear has made a reappearance. Bellingcat recently reported, I think in August this year, that they had a massive campaign against a lot of their ProtonMail accounts, against their particular journalists that were later determined to be Fancy Bear. We've got Pakistan. Pakistan last year, Amnesty International actually published a report about how Pakistan was found to not just surveil and use technology to surveil different communities and human rights defenders, but they were actually using offline sort of tactics and techniques as well. And then even more recently, we have the NSO Group that was found to have actually perpetrated or actually gone after more than 100 different human rights defenders. Citizen Lab released this report very recently. It was specifically talking about the WhatsApp vulnerability back in May. It was later found that over 100 different cases of human rights targeted attacks had actually occurred. And the list goes on, right?
Human Rights Watch published some interesting research about the Uyghur community in China and their surveillance technologies that are being implemented and deployed there. We have cases like Zambia and Uganda where different surveillance technologies are being used. And the list goes on.

So this is kind of what it feels like oftentimes in the human rights space. The odds are all stacked against us. It's definitely not an even playing field. We have a lot of challenges. So what can we do? To be honest, a lot of human rights organizations and defenders right now are just getting by. They do lack a lot of the knowledge. They do lack a lot of the skill and the know-how to do anything at all. But let's focus on what some that are doing actively and proactive mitigations, what those groups are doing. Oftentimes, these groups are really reliant on trust relationships. So again, you're looking to someone that's maybe more technical who you trust. You're looking for a recommendation by a trusted person, for another trusted person to give you support and to give you some sort of mitigation or help. So you can kind of easily see how this is quite constraining because it's kind of who you know. And when you're in your human rights organization in a far-off place with very few contacts, you're not a technical organization. You have even less technical infosec contacts. It can be very, very difficult. And we see sort of getting trapped in this bubble.

So we're going to talk a little bit about that's sort of the lay of the land in terms of human rights groups. I'm going to talk a little bit about some specific needs. You guys are at this talk, hopefully y'all are interested in how you can support human rights groups. And I'm going to lay out a little bit of what the needs are, some approaches, and then what you can actually do today to help support human rights organizations, journalists, activists all around the world.
So for this talk and for this particular audience, I put a lot of thought in what this group might be more able to do or able to contribute to in terms of bodies of knowledge and capacity building for these communities. So when we talk about needs, we really like to focus on information. Human rights groups around the world are really sort of blinded. They don't know what capabilities the threat actors have. They don't know how those capabilities are actually being used in the wild live. In addition to that, under-resourced groups means very little capacity. So there's not a lot of capacity internally to actually detect things. There's not a lot of capacity to implement mitigations.

So a little bit more on what types of information that we really need in the human rights space. We need information about the adversary. There's only a few groups that actually do active threat research around targeted attacks for human rights defenders. It can often be very difficult to get that information, which is one of the reasons, but there's not a whole lot of money to be made in the human rights space doing threat research against those type of actors.

Surveillance technologies. Again, we only know what's reported, so a lot of human rights groups are dependent and reliant on journalists and people that are doing investigative reporting to get information about what types of surveillance technology are existing in the space and what's actually being implemented by governments.

More information around protections and mitigations is also a really crucial component. Things change so quickly. Vulnerabilities change so fast. Different techniques and improvements that we make in industry sometimes take a really long time to get to human rights groups and civil society groups who are oftentimes facing those same threat actors if you're looking at governments or you're looking at the same vulnerabilities. So sharing that information is also super valuable.
In terms of capacity, it's been widely recognized in the industry that we need more cybersecurity professionals in the space. We have lots of universities that are starting cybersecurity programs. We have companies that are dedicating more resources to building up their internal staff's capacity to implement cybersecurity solutions and improvements. Where does this leave the human rights groups? Oftentimes, they're left out in the cold. They don't have those type of resources or sort of support networks to push them forward into learning the most advanced or the most up-to-date techniques on how to solve these really tough challenges. Most organizations that I've worked with and that Internews has worked with have very little detection capabilities. Not being able to detect when something malicious is happening is a huge barrier for most of those communities. So improving the ability and capacity of organizations, both on the human resources side but also on the technology side on being able to detect things so that you can actually respond.

So those are, again, some of the specific needs. I'm going to take a quick sip of water. Some of the specific needs that I think this particular community can really help address.

Some general sort of guiding principles, though. Before you just jump into working with human rights groups, I thought it would be pretty important to talk about just so we have sort of a shared understanding of our approach. I have a lot of folks that come up to me and say, hey, I want to help out, what can I do? And then before I can even tell them sort of the needs they're going on and kind of going on about what these different communities should be doing without understanding the context. So it's really important to have a harm reduction approach. It's really important to understand the threat models of the communities that we're working with and design solutions based on that. Too often I also see a lot of Beyoncés.
I mean, we love to be divas, we love to be heroes, but at the same time, that's not what the community needs. We need more backup dancers. We don't need more Beyoncés. We need people to support human rights organizations to build their capacity and empower them to make the decisions on their own. If you're here today, but gone tomorrow, that doesn't sustain communities in different parts of the world where they're already under-resourced. It makes them more self, more dependent, less self-reliant.

And this is a screenshot of Brené Brown's empathy talk. If you haven't seen it, I definitely recommend it. But designing security solutions with empathy in mind, being a listener, not assuming, and asking why. Those are all super important and critical as we are working with human rights groups. Again, because their risk tolerance, their threat model, is going to be dramatically different than yours. Understanding why they're doing things the way they're doing them is a critical component before engaging with different groups. So again, we've got harm reduction. We've got be the support, not the Beyoncé, be the backup dancer, and designing empathy-driven security solutions.

So how does this scale? The vast majority of people on the planet's security is still too hard. If you look at the human rights community, it's not just hard, it's super consequential. So not having a licensed version of your Windows operating system can actually be super detrimental. That's like having your front door open. Those are very basic things, but are oftentimes done because of the under-resourced ecosystem that they're in. So how might we actually design systems, tools, and partnerships that support human rights groups? We're going to look at three proposed ways. One is hardening the systems that surround human rights defenders, maximizing adoption where we can, and making more partnerships with private sector and industry folks.
So when I say harden the systems that surround human rights defenders, oftentimes I use the analogy of threat information sharing. If you're able to get something to Google or to the Gmail team that says, hey, this is a Fancy Bear piece of infrastructure, dropping some indicators, they actually can prevent those emails from coming into the inbox in the first place. So hardening things that human rights defenders are often using, which are what a lot of us use. They use Gmail, they use Windows, they use WhatsApp. All of these things, hardening them makes it harder for the adversary to compromise.

Software licenses, again, that sounds so simple and so basic, but I cannot tell you the number of times I go into an organization and at least a third of the organization is using cracked Windows licenses. That's still such a basic thing that is out of reach because it costs money.

Free and open-source software. So this is why free and open-source software has such an important impact on the human rights community. Because they have very little money, very little resources, they're oftentimes forced to use free things. Free and open-source software that's been audited is better than running a cracked Windows operating system. So that ecosystem is something that we very much support as well through some of our work that we do.

Maximize security adoption. This, again, is some kind of talking about some of our work that we've done on how we can lower the barrier to adoption of security practices. This is one of my favorite personas that we worked with some of our Ukrainian colleagues to create and the quote is gold: "I forgot my password again." Passwords we all know are really difficult, really consequential if you're a human rights defender in Ukraine. If you can't use a password manager, it's really hard to have good account security.
So keeping usability in mind as you're creating tools, keeping usable processes and procedures again as you're engaging with human rights groups, making sure that you're designing things that aren't just the most secure thing, things that work within the workflows and work within the context that they're living in. Security by default is a game changer. WhatsApp is an example of that. And then designing for cases like human rights groups, designing for those extremes can actually better protect users everywhere. If you design something that is secure enough for someone like Oleksander, that will be secure enough for a lot more users as well.

Why partnerships with private sector are so important for human rights defenders? I think we've talked about that. Better funded, large entities with more access to information. Y'all have a lot of information that sometimes isn't necessarily shared broadly, but sharing that with human rights groups might have significant impact. Understanding those threats and tactics and techniques that are being used are really critical. More access to expertise. So again, a lot of folks in private sector have formal education in security. Most folks that I work with in the human rights space do not. That doesn't mean that they're not experts as well, but it means that there's a lot of co-learning and dialogue that can be happening to share experiences and share learning methodologies and approaches that might work.

So today, what can you all do? And I really hope that at least this sort of starts the conversation for those who are interested in working with human rights defenders. I think the number one thing if you want to start working with the human rights or civil society space is work with trusted intermediaries. We all know the quote, the road to hell is paved with good intentions.
I cannot tell you the number of horror stories I've heard of people reaching out to folks or communicating in an insecure way and that person ending up in jail or that person ending up at the police station getting interrogated. So working with people that are intermediaries tends to be the safest and best way that you can support a lot of these high-risk groups. Work with trusted organizations and individuals like Internews, like first responders. These people play critical nodes within this ecosystem. They have trust networks, but they also have the ability to safely communicate with you and build relationships. I think that's one that we're trying to work a lot with human rights groups as well. Go to conferences, build relationships with these communities, like rapid response groups, the civil society group, CiviCERT just started a community emergency response team, CiviCERT, and they need more support. So build those relationships and continue.

Teach our community to fish. I think that's one that's also often overlooked. It's really easy to come in and just do. It's a lot harder to pause and give people the tools to learn and do it themselves. That might necessarily be the case always, but look at it from a perspective of how am I contributing to a sustainable community of security for human rights groups? If I'm here today but gone tomorrow, will they still be able to be resilient? Will they still be able to implement the things that I've set up for them? Firewalls, intrusion detection systems, things like that. All of this gives communities much more agency and better able to make informed decisions for their own security needs, not just today, but for the future as well.

And be the backstop. I cannot stress this enough. Collaboration is definitely a two-way street. Be the backstop and know that you are supporting the human rights defender first. When they are asking you for help, that's when you come in, not the other way around.
So continue sharing your knowledge with others, be a mentor, and work with existing ecosystems of support. Again, if you don't know what those ecosystems are, that's why you're working with intermediaries. And again, know your role.

So I spent some time with some of my colleagues to put together some ideas we had, but for private sector platforms and companies providing licenses and services, CrowdStrike, Cloudflare, ThreatConnect, VirusTotal, all provide licenses to civil society for free. And that's super beneficial. Share your knowledge, host webinars. If you're interested in sharing some cool techniques and you would like to design some webinars with us, we would love to host you. Create online resources. There's a few that I might go to, especially for the reverse engineering space, that are really valuable for the community. And again, threat researchers. We're building up in-region experts right now, and if you're interested, be the backstop for them. Help them as they work through, help them as they get stuck when they're analyzing malware and phishing that is being targeted at high-risk communities. Share your process and continue to host learning sessions.

And let's connect. Please, please come talk to me afterward and I hope we can continue the conversation. Thank you.