Choosing Strategy over Tactics

Providing Digital Security Guidance to Vulnerable Groups in Changing Environments

There is a great deal of uncertainty and fear right now in the US. With the recent election there are many vulnerable civil society organizations and advocacy groups who are looking to protect themselves from a range of unknown threats. These groups are ready to take action but have no concrete threats they can directly respond to. For digital security trainers and advisers like myself this current context can be both good and bad.

There are many individuals in the digital security space who are providing general digital security guidance right now to take advantage of this new-found agency. This can be valuable, if the right advice is taken. The effort that the members of these groups go through to adopt the individual security practices and tools recommended now can be wasted effort if these do not respond the future threats that they actually face. And, taking action on inappropriate advice now can lead these newly activated groups to digital security exhaustion.

Digital security trainers and advisers should leverage this newfound energy to teach strategy over tactics. In times of change we need to be mindful that while tactics are easier to teach, unfocused tactics can be ineffective, if not disastrous for organizations who think they provide blanket protection against new and changing threats.

It is important for those who may be targeted in the future to know that digital risks will continue to change, should be reconsidered, and will need to be addressed. Let them know that you, among others, can guide them to develop effective tactics to address new and changing risks. This comforts those who are scared and uncertain, provides them concrete guidance on what to do when their threat landscape changes, and does not provide static tactical advice that may not protect them from the most important threats they will face in the coming days.

Organizational Change

For many groups there is an opportunity to leverage recent events to kick off organizational security awareness and capacity building programs. These processes take time, but strategical building organization wide security capacity is one of the only ways to ensure that your organization is ready to respond to the threat landscape as it changes. There are many ways to go about this, but resources and expert guidance are crucial factors in moving these processes forward. This is resources intensive work. Many organizations cannot afford the financial or human costs of this when the needs first appear. Helping an organization start to develop strategy and internal agency for a long-term digital security process can leverage the agency that currently exists without providing “rapid response” that may be ineffective.

Rapid Response

There are, of course, also groups currently facing short-term challenges that stem from recent events (harassment, DOS, cyber-attacks, etc.) and for those individuals knowing where to go to seek rapid response support is vital. Many digital security trainers and advisers do not know where they can recommend groups seek out support. Collection and dissemination of these resources among a wider community will continue to be beneficial as this situation evolves.

Examples include:

Awareness Raising

I have focused on making sure that individuals are aware that as the situation evolves there is a community of individuals who will be able to guide them to the appropriate tools and techniques for responding to their changing threat landscape. At this moment of uncertainty I feel it is more appropriate for me to make sure that individuals know who they can go to for support and guidance when threats become more concrete than to provide them guidance that is generally good, but not built for their goals and threats.

This does not mean shutting down conversations with the uninformed but newly excited with “it depends on your threat model.” This is the time to start having our intro to risk management conversations with those around us. This is the time to start practicing how to train an individual to use a secure channel over an insecure channel. This is the time to start teaching digital security strategy.

I know that every group we talk to is looking for the “use Signal and use Tor” solution to this changing environment. But, by using this time of uncertainty to start their journey and inform them of where they can go when they are in need it will do more to prepare them for whatever comes