EngageMedia and the Greater Internet Freedom South and Southeast Asia (GIF-SSEA) cohort co-hosted a session titled “Security Audit Co-learning” on day one of Digital Rights in the Asia Pacific 2024 (DRAPAC24) in Taipei, Taiwan. Held on 18 August 2024, the session featured panellists from SAFEnet, the Foundation for Media Alternatives, Internews, ICT Watch – Indonesia and Civil Society Cyber Shield.
In 2024, the GIF-SSEA cohort initiated security auditing activities to enhance digital security support for civil society organisations (CSOs) and at-risk groups. Following the completion of a pilot program, the session aimed to reflect on the experiences, discuss challenges and lessons learned, and identify gaps needed to sustain these activities. The goal was to engage in collective reflection while gathering inputs, resources, tips, and learning opportunities from the wider security practitioner community.
Facing Digital Threats: Why Audits Matter for CSOs
The discussion highlighted the range of risks faced by CSOs and at-risk groups across Southeast Asia. In the Philippines, groups face state surveillance, arbitrary detention, and physical risks such as extortion, with these threats exacerbated by repressive laws. Digital security audits have been introduced to help CSOs and at-risk groups identify and understand their risks and vulnerabilities, but grassroots organisations often lack the technical know-how to apply even critical safeguards.
Meanwhile in Indonesia, political events tend to trigger a rise in digital security incidents, especially for activists. Although many groups are aware of these risks, they often lack resources and standard procedures to properly safeguard themselves.
In Latin America, similar trends have been observed, particularly during times of political tension. While digital security audits are seen as critical, implementation remains challenging due to limited resources and competing priorities. There is a significant gap in organisations’ capacity to respond: staff members are stretched thin, which results in inconsistent security practices.
Comparing the experiences of Southeast Asia and Latin America, the common and recurring challenge is the imbalance between well-resourced adversaries and under-resourced civil society groups. Organisations, especially small ones, often struggle to prioritise digital security because of the additional workload it requires. Moreover, such organisations lack formal processes for dealing with security threats, making it harder for them to integrate security practices into their day-to-day work.
Breaking Barriers: Tackling Security Audit Challenges
The discussion also revealed several challenges encountered during security audits in different communities. One significant issue is adapting extensive audit methodologies, such as SAFETAG (the Security Auditing Framework and Evaluation Template for Advocacy Groups), to specific local contexts. In Indonesia and other Southeast Asian countries, most organisations rely on widely used platforms such as Google, which, despite being accessible and free, pose greater security risks. Offering more secure alternatives is difficult because of resource limitations and the technical expertise required to implement and maintain them.
Another challenge involves vulnerability testing, where scanning tools generate excessive output, making it difficult to distinguish real issues from false positives. Due to limited capacity, auditors often struggle to verify the findings they detect, and an unverified finding is of little use to the organisation that receives it.
Physical security is also a concern, with devices and servers often left exposed in offices. Additionally, there is a significant digital knowledge gap among participants, particularly in Indonesia, where expertise varies widely. Many continue to use less secure tools such as WhatsApp and Google Drive, complicating efforts to promote alternatives such as Signal and self-hosted platforms.
Tailoring digital security training to meet the diverse needs of different contexts further complicates the process. Each location has unique risks, requiring auditors to adjust their approach rather than relying on a standardized curriculum.
The discussion also highlighted challenges for non-technical security trainers in Southeast Asia, for whom methodologies such as SAFETAG can be overwhelming in their complexity. Effective audits, however, often focus on simple, practical actions rather than comprehensive assessments; smaller organisations benefit more from targeted audits than from complex technical reviews.
Participants also raised the issue of audits being treated as one-time events without follow-up support. Audits should lead to further action, such as training or incident response plans, and funders need to see them as the starting point of a longer process rather than a deliverable in themselves. While a SAFETAG auditor community exists, it is not very active. Programs such as INFUSE can be leveraged, as it provides mentorship in advanced skills such as forensics and website assessments, helping build the expertise needed for SAFETAG and similar methodologies.
Local Solutions: Customizing Security Audits for Success
The discussion then turned to opportunities to localise audit practices in light of these challenges. Key takeaways include the importance of tailoring security audits to the specific needs of each organisation, since activists face different risks in different regions. Reviewing existing policies is a simple yet impactful first step that helps smaller organisations recognise the need to integrate digital and physical security.
Collaboration with technical experts, such as IDCERT in Indonesia, has been crucial for refining methodologies like SAFETAG to fit local contexts. SAFEnet’s approach emphasises introducing fundamental concepts in training, although fully covering complex methodologies in short sessions remains challenging.
Opportunities for future audits include modular frameworks that adapt to varied circumstances, focusing on essential security measures, and building local partnerships for incident response. In Taiwan, for instance, a volunteer-based approach begins with conceptual training before moving to audits, focusing on accessible recommendations tailored to the organisation’s capacity.
Real-World Insights and Lessons from Security Practitioners
The Q&A session covered lessons and insights from real-world experience in conducting security audits and training. One speaker described the mistake of producing overly long, technical reports that went unread, and emphasised instead the value of concise, focused assessments. The discussion also highlighted the value of holistic risk assessments that address not just technical but also legal, administrative, and financial issues.
Another speaker described the need to involve a variety of trainers, blending long-term experience with certified technical experts, to sustain training efforts. The conversation also addressed the specific risks faced by women’s rights and LGBTQI organisations, emphasising the need for tailored, localised security interventions based on the unique threats each group faces.
An audience member noted the potential to draw on certified professionals who need service hours, but stressed that proper coordination is needed to make this resource effective. Another point raised was the importance of clear goals when commissioning audits, as many organisations request an audit when a simpler assessment or training would suffice. The term “audit” should not be misused or overused, since it can instil a false sense of security.
Lastly, there was a call for more context-specific tools and methodologies, especially for urgent situations such as protests or internet shutdowns, with a focus on bridging the gap between the real-time needs of activists and the tools being developed. The session concluded with a call for practical, harm-reduction solutions to further strengthen digital defences.