A key part of any modern disaster or crisis response is that of the volunteer technical community (VTC). VTCs have emerged in the last few years to enable the collection, analysis, fusion and dissemination of maps, imagery, social media and other products. These products are in turn used by responding humanitarian organizations and governments on the ground to better inform their emergency response operations. VTCs are largely volunteer-driven, and rely upon the goodwill and energy of individuals collaborating and coordinating their crowdsourced efforts.
Because of the inherently critical nature of the work of these VTCs, attacks against individual volunteers or entire VTC communities has the possibility of degradation or disruption of critical emergency response activities during a crisis. Complicating the picture is the fact that most crowdsourced volunteers operate on an ad-hoc basis, often using their personal computers and technology, without any requirements or enforcement of good security practices.
Of course, it’s not reasonable to expect enterprise information security protections within a crowdsourced volunteer community – but neither should security be left entirely unaddressed.
In order to better mitigate the risks, I suggest VTCs adopt the basic principles and consider certain information security controls:
Basic security principles for VTCs…
- Assume you are a target. Organizers and leaders of volunteer technical communities should begin with the underlying assumption that their organization and volunteers will be subject to attack exactly when it is most inconvenient for their mission. With that assumption, they can start to consider policies and practices to mitigate that risk.
- “Do No Harm” All VTCs have the ethical duty to “do no harm” – that requires consideration of unintended consequences of their activities, and especially of the use or misuse of the information and data that they gather and analyze. Consider the misuse of the VTC’s technology in the context of other digital responders, emergency workers on the ground, and the victims of the crisis. “Do no harm” also compels VTCs to appropriately secure and manage the information and technical resources they use.
- Security postures may be dynamic. While an organization may adopt a basic security stance, certain types of crises may require additional security measures because of the types of possible threat actors (organized crime, government-sponsored attacks), the nature of the crisis (natural disaster vs conflict situation) , or the types of data that are to be handled (personally identifying information, healthcare records). The leadership of the VTC must be able to re-evaluate basic security assumptions and adjust posture as needed.
Security practices for VTCs…
- Vet your volunteers. Have a process for on-boarding/credentialing volunteers into the community – especially during times of crisis when spontaneous volunteers are more likely to emerge. This need not be a “background check” in the traditional sense, but even having two existing and trusted members vouch for a would-be new member may be sufficient.
- Know your data. What sort of data are you working with? Is some of that data particularly sensitive? What about the products from the VTC? Is it for the public, or does the product need to be kept confidentially for the use of specific organizations? Consider the development of an information classification and handling policy.
- Patch your systems and applications. All individual members of a VTC should have the responsibility for ensuring appropriate and current anti-virus, software patches, etc. are on their devices. VTCs should consider establishing minimum technical criteria based on security for participation (e.g. volunteers who still run Windows XP in 2017 may be excluded from working in the community due to inherent security risks). Consider requiring volunteers to demonstrate their current patch levels against established standards set by the VTC.
- Communicate and collaborate securely. VTCs should organize and collaborate using tools and applications that are currently supported (not end-of-life), and that include security and audit (e.g. support applications that use SSL/TLS or other best-practice encryption and avoid legacy applications that send traffic unencrypted across the Internet such as plain email, telnet, FTP or Internet Relay Chat [IRC]). Applications or tools that are homegrown (including hackathon apps), or not regularly updated, or otherwise unsupportable should be avoided.
- Consider the cloud. Because of the highly distributed nature of VTCs, it may be more advantageous to centrally store and manipulate data in a trusted location in the cloud, instead of having individuals manipulate and store data on their personal devices.
- Enforce good credential and password practices. Applications that support VTC operations should be configured to enforce strong password properties. Individual volunteers should not re-use passwords used for VTC activities on other sites or applications (professional or personal).
- Have an incident response process. All VTCs should establish at a bare minimum a basic incident response process that designates whom to alert in the case of a suspected security incident, and roles and responsibilities for dealing with that incident.
- Know how to manage and revoke access. Access to applications, tools and data should follow the principle of least access. Individuals should only be given the access necessary to perform their tasks. Administrative or privileged access should be conferred only on a trusted subset of individuals. Administrators should know how to revoke access to individuals when they leave or become inactive in the VTC . Periodically re-assess access to individuals to ensure that only current, trusted members of the community have access to the data, and that individuals who left the community or haven’t been active in it no longer have access.
- Use two-factor authentication on everything. Wherever possible, members in VTCs should use two-factor authentication for VTC applications as well as other common social media and applications (e.g. Facebook, gmail, etc…) Remember that users may use their personal email or social media accounts while supporting the mission of the VTC – two-factor authentication should be encouraged across the board.
- Educate your volunteers. Volunteers coming into a VTC should be educated about their information security responsibilities and expectations. All members of the VTC should know where to access any relevant security policies and procedures, as well as when and how to activate an incident response process. Specific training around social engineering, phishing awareness and other common attack methods are freely available online and should be used.
Remember that good security is never a one-time activity. VTCs should work on instilling a “culture of security” in the work that they do, so that security controls and processes are just incorporated into the day-to-day work of the community. Security management in VTCs should be seen as an ongoing, cyclical activity of identifying risks, mitigating hazards, responding to incidents, and then incorporating lessons learned into the organization so that the security posture of the VTC continues to evolve over time.
As the humanitarian and public safety community grow increasingly comfortable with the use of VTCs, it will become increasingly important for those VTCs to maintain the trust that their supported agencies and the public have instilled in them. Breaches of confidentiality, integrity or availability of VTC data and resources may have dire consequences – up to and including physical harm – of people on the ground who are already inherently vulnerable due to the overarching crisis or emergency they find themselves in.
VTCs may be limited in funding and highly distributed – both of which complicate the security challenge for these organizations. However, many things can be done to minimize risks at low/no cost to reduce the attack footprint that VTCs present. The time for VTCs to incorporate good security practices is before the next disaster or emergency strikes as it will obviously become much harder to introduce new policies and procedures during a time of crisis. By incorporating security into the day-to-day operations of the VTC, it further ensures that security doesn’t become an afterthought when the emergency eventually does strike. If volunteers are trained to follow secure processes beforehand (and trust that they can do their work while still maintaining security), they are much less likely to abandon them when faced with a stressful emergency situation.
How should the crowdsourced community tackle information security? Share your thoughts in the comments below!