Project Galileo presents: Protecting Human Rights Defenders Online

And thank you all for being here today. I am very excited for this panel and for being at this event.

I've been at Cloudflare now for seven years. And I remember taking on this project very early on and being at one of the things I also am incredibly proud about.

So I love the stories about it. And I am so excited to be with this amazing panel of folks that we work with.

So I want to introduce them because we have a great group.

So I want to start with with Jen Brody, who is the deputy director of policy and advocacy for technology and democracy at Freedom House.

Jen has done some amazing things.

She's been at Access Now. She's been in the Senate.

She's done lots of digital policy related issues. And of course, Freedom House does the amazing Freedom on the Net report, which is an amazing just compilation of what's going on in the world, which we can talk a lot about today.

And next, I want to talk about I want to introduce Emily Skahill, who is at at formal title.

I can get it here is a cyber operations planner from the Joint Cyber Defense Collaborative at CISA.

And Emily, which we'll talk a little bit about, has been working on this amazing project, which is the the high risk, the high risk communities project.

And we will talk a lot about how those pieces fit together, how government and the private sector and civil society work together to help protect civil society in particular.

And then finally, we have Adrian OJ, who is the chief operations officer from the Cyber Peace Institute.

Adrian, we have we've had a partnership with Cyber Peace for a long time now.

And but we have we have some amazing components of the work that we do together.

Cyber Peace is an amazing organization that tried to really think about how do you take volunteer activity?

How do you think about threats in a larger human rights context against civil society?

And I will let him talk about that in a little bit. But I want to start out with a little bit about what is what do we mean when we talk about global threats against civil society and why do we care about it?

So I want to I'm going to turn to Jen first, because Freedom House really does look at these issues.

So can you talk a little bit about what do we mean when we talk about global threats against civil society, against human rights defenders?

What does that look like from Freedom House's perspective?

What do you follow? So I'll start. Freedom House publishes a report called Freedom on the Net.

It's a very incredibly comprehensive look at the state of Internet freedom in 72 countries around the world, ranking the state of Internet freedom across various indicators, including government censorship, surveillance, also just access to the Internet in various countries, throttling what have you.

What what worries me the most is the increase in self-censor censorship we're seeing around the world.

I recently returned from a Freedom on the Net regional review meeting in Tbilisi, Georgia, looking at the Eurasia region and just hearing from, you know, an exile journalist from Azerbaijan about how, you know, the state of freedom of expression is, you know, extremely dire where where she comes from.

She's now exiled. That's deeply concerning. Also, digital attacks we're seeing, which is why we're so grateful for Cloudflare and Project Galileo.

Freedom House has loved working with you all over the years. Then also, I'll just end that I'd love to talk more about this later, but the threat of commercial spyware that we're seeing around the world as well.

So it's like it doesn't matter if you're using signal and your messages are encrypted.

You know, they'll they'll hack you and access everything in your phone at the end of the day is really concerning.

Thanks, Jen. You should. It's incredibly comprehensive what's going on in individual countries.

We send it around when it comes out internally.

So Emily, turning over to you. You know, it's really been interesting over the past few years.

I think DHS and CISA in particular have really started looking at this issue.

I'm often in the lens of transnational repression. You describe what that means for folks.

What how do you think about it? How did you how did you think about that?

That piece in particular and what the threats look like from your perspective?

Yeah. So transnational repression is the term that we use to describe efforts of foreign governments to intimidate, surveil, harass and silence both individuals and organizations across country borders.

And the targets of transnational repression are very often civil society and all the communities that we've been talking about today.

And, you know, I think some of the threats that we're seeing are very targeted spear phishing attempts against organizations and individuals that are expressing viewpoints that are contradictory to certain governments.

So there are APTs that we're tracking, including, for example, one is Felvitch Lima.

Another is Westing Panda. These are all very prolific threat actors that target nonprofits, academics, journalists, human rights defenders through spear phishing, through spyware.

And, you know, I really do want to recognize Freedom House, Access Now, Citizen Lab are really leaders in this space on reporting on these types of threats.

And I think, you know, the government is trying to kind of now start to to take steps in that direction to really recognize these threats against civil society.

So, for example, we published a report on May 14th in partnership with some international partners to really start outlining some of these threats to civil society.

And while that's something that Freedom House and Access Now have done for years, this was really a significant step for CISA, which is traditionally thinking more about traditional critical infrastructure.

So I think as we continue to mature as an agency, we really do want to start looking more at these threats to civil society.

So I'm really interested to hear what that looks like from your angle.

How do you think about what kinds of assistance they need, but also how that then corresponds to the threats they see?

So I think I think both Emily and Jen have flagged that there is a remarkable amount of attacks for, again, civil society.

I think it's only recently really fully tracking exactly what it looks like.

I think it's been hard to track even for an entity like Freedom House.

So what does that look like from your angle?

You see the personal stories often. So very curious to hear what that looks like.

Well, thanks for having me first. Just a few words for those of you who don't know the Cyber Peace Institute, where CISA and NIST provides all of the guidance for those organizations and Freedom House to help them think about cybersecurity, where CloudStare and other tech companies provide tools for free or at a discount to equip those organizations.

Our humble contribution resides in the people space.

We try and bring talent to those organizations so that they can consume those guidelines and use the tools that are available to them.

So we've created a network of volunteers and helps those organizations defend themselves against cyber attacks.

What we see is that they're getting attacked for three main reasons for the data that they have, the sensitive data that they have.

You may have heard of the attack against the International Committee of the Red Cross.

They get attacked for the operations that they're leading.

So CloudStare blocks a lot of data attacks. And those are activists and governments that are unhappy about what civil society organizations are doing and try to prevent them from conducting those operations.

We see, unfortunately, a rise in disinformation campaigns that are also trying to affect the trust that people have in those civil society organizations, which affects their operations.

And last but not least, we see a rise in attacks that are financially motivated, which was not the case before.

And we attribute that to the rise in the ransomware attacks. The rise in particular in ransomware as a service allows a lot of small time criminal groups to attack pretty much anything they can.

And civil society has transformed digitally over the last decade to the point that they're getting increasingly connected.

Their attack surface has expanded and cyber criminals that are attacking pretty much anything and not necessarily focusing on going after non-profits.

And I'll tell you after stories of criminals that are and don't even realize they're attacking non -profits.

But when they do, they don't really care.

They still want the money. So financially motivated cyber attacks, unfortunately, are causing harm in civil society.

And because of the nature of ransomware attacks, when you don't pay the ransom, you don't get your fines back.

And so that worries me because I see such attacks that are literally wiping out the entire backups of organizations.

We just helped a non-profit in Paris, a journalist organization working for supporting the Jewish community that lost 16 years worth of their data.

So how do you recover from that? I actually want to follow up on that piece because I think, I mean, what does that mean for an organization like the one that you saw in Paris?

How did they recover from that? How did they think about, did they go out and talk to other organizations?

What does that look like on an individual level and how do you engage with them to help make sure that it doesn't happen to others?

We helped a non -profit that manages orphanages around the world that got ransomed.

So kids' pictures stolen, potentially sold to pedophiles and whatnot.

And they ended up negotiating with the cyber criminals. And when the cyber criminals realized it was a non -profit, their answer was, oh, sorry, we didn't know.

Which tells you that they attack pretty much anything they can. But when they were told that it's a non -profit, they said, oh, but we have a special price.

We'll make you a discount. Don't worry. So just like other companies have NGO discounts for their tech products, criminal groups had discounts too.

But it tells you that non-profits are now legitimate targets. So in the case of that non-profit, we pushed the criminals to the point of boredom and they gave back the keys and they were able to get their files back.

In the case of the non-profit in Paris, the criminals wouldn't be bothered to give back proof of decryption.

And so the advice from our volunteer to the non-profit, even though the ransom was low, was not to pay because you would probably not get your files back.

And so they just lost their data.

16 years worth of their data. Their IT provider had no backups.

And that's it. The history of that non-profit is erased. We helped a non -profit in California that got millions of dollars from USAID to help farmers in Afghanistan transform minefields into vineyards.

So it's a demining operation. They lost 1.2 million US dollars to a sea of fraud attack.

They had to take a loan, use their own house as a collateral.

It's been four years and they still haven't recovered from that loss.

So we've engaged many times with that non-profit and on purpose, I'm not mentioning their name now.

Because even though they've come forward and tried to talk about that story and tried to explain what happens when you're the victim of a cyber attack, and they were a victim of the Taliban in the past, so they know about victimization.

The sad story is that they've not been able to recover that loss and they don't want to talk anymore about this issue because they don't feel that it's helping their situation.

So the reality on the ground that we're seeing for those attacks are that they mean life or death in many cases for the organizations.

And sadly, even for the very beneficiaries that those organizations are trying to help, there's another non-profit, which is quite famous and I'm not going to mention their name, that was not attacked, but was managing a list of confidential informants in DRC.

And that database was unfortunately open on the Internet, on the website of the initiative with virtually no protection.

So I'm not trying to put the finger on that non-profit, but just highlight the fact that not only are these organizations attacked by governments, by Russia, by cyber criminals, by little cyber criminals even.

They struggle to find the resources to equip themselves, to protect themselves.

And so that makes for an asymmetry that, to the point of what the first panel was discussing about, for me, is creating an existential threat to the technologies that we've built.

What is the Internet if it's being used to prey upon those people?

Obviously, what you were talking about, Adrian, was this thing that is happening to a lot of different small businesses.

It's happening across the world. And in some ways, it's not discriminating against civil society.

But I think on the Freedom House side, that's a certain set of attacks that we have to just worry about from a cybersecurity standpoint.

So you have small, poorly resourced entities that are particularly vulnerable from a practical standpoint to even common attacks.

But it's not just the common attacks that civil society faces.

Jen, can I turn that over to you?

Because I think what we see is often civil society is itself a target for a lot of different reasons.

And I'd be really interested to hear how you think about that piece.

When are they a target? How do you distinguish between when they're a target of opportunity only, where any entity might be, and when they are really a target because somebody doesn't like the work that they're doing?

Yes. So human in closed and closing spaces around the world, human rights defenders who speak truth to justice and seek to hold government actors accountable are often targeted and silenced.

And I neglected to mention in my intro, Internet freedom as a freedom on the net last year has declined for the 13th year in a row.

And this year, the report comes out in October. We expect it to decline for the 14th year as well.

And as you said, Alyssa, these organizations are extremely vulnerable.

I was chatting with Freedom House's digital security team, and they were sharing with me that folks can't afford to pay for subscription services, so opt for the free version, which is vulnerable to attacks.

And oftentimes, they may be able to hire a one-off digital security consultant, and then they lose the institutional knowledge because this person leaves.

So, yeah, it's quite a vulnerable position to be in.

But, Emily, you've actually been doing work in this space, too, the high-risk communities effort.

I really would love for you to talk about how CISA got involved in this space, what it means, what you've done so far, because there's some amazing resources out there even for the civil society community.

It was really a response to the government's growing concern around digital transnational repression.

And within the Joint Cyber Defense Collaborative at CISA, our goal is really around stakeholder engagement.

So the goal of this effort was to unify stakeholders from across industry, academia, civil society, and the federal interagency to identify ways that we could take collective action to bolster the cybersecurity of what we called high-risk communities.

And when we talk about high -risk communities, we're primarily talking about civil society or other organizations and individuals that are more likely to be targeted by APTs because of their work to advance democracy.

And, you know, I think some of the challenges that we faced with the work initially were we didn't want to add additional noise to the space.

We really did want to be a force multiplier of all the really good work that stakeholders in this environment were already doing.

And, you know, I think at the same time, we were also looking at how this is a build trust with civil society, right, as kind of a government entity trying to kind of work in this space.

So through that year-and-a-half effort, we worked with stakeholders on developing that threat report that I mentioned, as well as developing a suite of resources that are on CISA's website right now.

So one of those is a series of cyber hygiene and operation security guides that are developed for individuals that have kind of a low technical background, kind of acknowledging that a lot of civil society organizations don't have those resources to invest in enterprise-level solutions.

A second is a toolbox of resources, including Project Galileo and including resources from our other industry partners and really trying to centralize those.

And then the third part was our Cyber Volunteer Resource Center, which is kind of our one-stop shop of information on cyber volunteer programs, including the Cyber Peace Institute, and really trying to help individuals find out information about their local cyber volunteer programs.

If you're a volunteer, how can you help support that organization? Or if you're an under-resourced organization, like a nonprofit that needs that hands-on keyboard support, how can you get support from your local cyber volunteer program?

And, you know, I think a lot of these deliverables weren't particularly novel.

I think what our intent really was was to use CISA's platform and to leverage the collective voice of our stakeholder community to really drive additional momentum, awareness behind the challenges that civil society faces.

And so I think beyond the deliverables, probably the most important outcome of the planning effort was the partnerships that we made along the way.

I think there's a famous saying that the plan is nothing, but planning is everything.

And I think that's really something that we discovered through this planning effort was really that process of building these partnerships so that we can continue this work moving forward is just really essential because the threats to civil society aren't going away, and we need these really ingrained partnerships to continue to combat threats to civil society.

I actually love that piece because I think certainly, you know, we're now celebrating 10 years.

I think when we first got into the space, not that I was even a cloud player, but when we first got into the space, there just weren't that many entities in it, and government was not in it at all.

And I think that we've seen sort of a massive shift in the last few years.

And I guess, you know, thinking about that collaboration piece, my hope is that we think about how to build all of those pieces together.

And I'm sure there's a Star Wars reference here that I should be making about how we all come together to fight something.

I don't know. But clearly, I don't know my Star Wars references well enough, so I will not even attempt it.

But I guess I'm curious, you know, what do you think has driven that shift?

How do we sustain it? How do we maintain it? What does it look like? And maybe I'll go back to you, Emily, on that one, and then we can kind of go down to everyone because I'm very curious about how we keep it going.

So the National Security Council has increasingly seen, I think, and mobilized around the threat of spyware, and really seeing it as a threat that's at the nexus of not only national security, but also human rights, too.

And so I think, you know, that kind of momentum around spyware combined with DHS's increasing focus on transnational repression is really starting to drive efforts like this as a high-risk communities protection initiative.

And I think it's been really interesting in the past year and a half to see the paradigm shift that is starting to take place even within CISA around how leadership thinks about nonprofits.

And Adrian always has the most eloquent way of describing nonprofits as critical infrastructure, and I think that's a message that we're trying to convey to our leadership.

And, you know, I think it will take time, especially for an organization like CISA that thinks about very, like, hard, critical infrastructure targets.

But it is a transition that's taking place, and it is a paradigm shift that I think we can continue to keep pushing.

We talk about elections sometimes, and we talk about the reality of different entities who are involved, and one of them is civil society, because they get involved in everything, right?

They're part of democracy.

They help put pressure when you need it from an advocacy standpoint when things aren't going well.

But I want to, you know, Jen, you do a lot on the advocacy side from the civil society perspective.

Spyware certainly is something that you have done a fair amount on.

How do you think about, one, civil society as critical infrastructure, but then also how you get involved in those efforts?

Describe the spyware effort, for example, and how that collaboration has gone forward.

Sure, yeah, thank you. The spyware space has been really inspiring to be a part of, and yeah, you took my talking point.

That we're seeing, I think, for the first time national security on one hand and human rights on the other being viewed as mutually reinforcing rather than mutually exclusive, which is super exciting.

Yeah, and then just speaking, you know, civil society has been critical in this work.

Access Now, Citizen Lab, Amnesty International with their research has been, you know, phenomenal.

And then the U.S. government internationally has really been a leader in seeking to combat the proliferation of commercial spyware technologies used in the facilitation of human rights abuses around the world.

You know, whether that's putting NSO Group on the Commerce Department's entity list.

There's been treasury sanctions, State Department visa bans.

Diplomatically, the State Department has led on a joint statement bringing together like-minded governments, expert controls and human rights initiative.

I can go on and on.

So yeah, it's been fantastic to see this positive momentum. And as Emily said, to really like a real recognition that national security at its core is about humans, right?

It's human security centered. Well, you know, Emily called you out, Adrian, on the point about civil society as critical infrastructure.

So, you know, actually one of the things I think that CyberPeace does incredibly well is really thinking about ecosystems and attacks on whether it's attacks on civil society.

So where did that statement come from? And how do you think about it? And what does it mean in the bigger picture as we think about the issues?

Look, the idea is simple.

Civil society exists where governments and the private sector don't. So they offer critical services to very vulnerable communities, but they're not considered critical infrastructure.

And so they don't really benefit from state support, even though Emily and César have been doing great work for the last year.

They're virtually the only government in the world that's been paying quite a bit of attention to protecting high-risk communities.

So hopefully you're inspiring all the governments.

We're doing our bit as well in Geneva and in the city of The Hague, which are seeing this as part of the value proposition as host cities and host nations to protect the nonprofits that they host.

But yeah, I think there's a fundamental shift in the public sector that needs to happen when it comes to critical infrastructure doctrine that is rooted in kinetic warfare.

And, you know, those doctrines are 10, 20, 30 years old, even though I think it was just updated here in the US.

It was sudden to see that nonprofits were not really part of it. So I think we need to recognize that through spyware, through digital technologies, criminals and state actors have ways to kill.

They have ways to affect human life that were not possible when those doctrines were created 10, 20 years ago.

So anyway, we're trying to create those ecosystems of support, bringing the public sector, whether it's at national level or at city level, together with local industry to protect local nonprofits, to try and make sure that there's ecosystems of trust that can be created.

It's very difficult to bring foreign partners in very sensitive areas when there's no trust, existing trust.

So trying to create those local ecosystems of trust first and foremost to protect the most vulnerable organizations there.

So we have we talked a little bit. I think actually the last panel talked a little bit about Internet shutdowns.

We think about sort of network restrictions.

And, you know, it's a really interesting discussion about freedom of expression and what actually what do we actually think about on it?

So I'm curious how you think those larger actually I'm going to turn this one to you, Jen.

You know, Freedom House obviously tracks things like Internet shutdowns.

I think there's a you know, Access Now has done a really comprehensive list of Internet shutdowns over time.

How do you see those as fitting into this ecosystem? And if you're thinking about protecting human rights defenders and just vulnerable populations, where does this sort of cut off of access or restriction of access, where does that fit?

Right. So I think that's, yeah, extremely critical to keep in mind.

Like journalists can't operate without the Internet, you know, and disseminate their information.

Yeah. And people people can't organize. And if I could just add one thing on this point, I think oftentimes in D.C.

circles, we forget that about a third of the world is not is not connected online.

That's changing.

You know, there's a large push for digital public infrastructure. There's a lot of, you know, amazing benefits that will come from this.

There's also serious risks that that we need to consider.

And I know right. International development banks play a large role in pushing for digital public infrastructure programs and DPI.

And I and I would love to see when when these projects are under consideration, also taking a human human rights lens.

So, for example, if an authoritarian government, I don't know, like El Salvador that uses Pegasus spyware to spy on dissidents, journalists, what have you, if they're if they're seeking to build a national database that, you know, international development banks can help them think through data protection measures.

With whom are you planning to share this data like data retention, data minimization?

So I think, yeah, I just wanted to add that.

How do you figure out how you solve that challenge? And maybe I'm not sure who's best equipped on this one, but how do you figure out how you think about in that example that you just gave?

You know, they're they're consolidated.

Often the efforts can be about consolidation of power and consolidation of access, not not not sort of expanding it out.

How should they measure that?

How do you look at that even from a Freedom House perspective? Yeah, I think it comes back again to the last panel rule of law.

Like if we're talking about the growing trend towards data localization, there's legitimate reasons to localize sensitive data, health care data.

What what matters is, is rule of law expected are, you know, these countries seeking to comply with international human rights law.

I think that's an important place to start. And it's tough because it's so gray, right?

It's not it's not a black versus white binary. Thinking about, you know, what what what kinds of attacks are appropriate?

Certainly in the Ukraine context, for example, I think one of the things that we saw sort of early on is it certainly early on.

But even now are attacks on on access, right? So attacks on communications, infrastructure attacks on satellites.

How do you all think about that?

How do you how do you think about that concept of building norms, in addition to sort of doing the core work of helping individual people, changing the changing the overall perspective about what is appropriate, and what is sort of making sure that things that are going to cut off a lot of people are not okay under long term international law?

What what we're doing at the Institute is trying to provide those that are going to be in a position to create those norms with evidence of what is happening and what is not happening.

So it is not my role to say what the norms should be.

It's not part of my remit. But it is part of my remit to surface information about how people are getting preyed upon how people are getting attacked, because of bad norms, because of lack of norms, because of poor accountability.

So in the case of Ukraine, for instance, we've created a platform, pretty much when the invasion started, to document every single cyber attack that has happened on all sides of the conflict, right?

To keep, to keep it available, right, so that it's not forgotten, and to derive information products for policymakers, so that they can discuss norms.

Of course, the Institute comes up with its own advocacy work that we promote at the Open Ended Working Group at the United Nations and their Paris Peace Forum and other multilateral processes, but we engage also bilaterally with decision makers in the private sector.

And in the public sector, to tell them, look, this is what is currently happening in Ukraine, is what is what's happening during the pandemic.

In the healthcare sector, those are the things that are not working, those are the things that are working, and let's work together to protect those that, you know, tend to be forgotten.

And I'm going to turn back to you, because I think that idea of trying to protect the people who aren't protected, and maybe changing the longer term narrative in the process is really something that I think CISA has done some thinking on.

So I'm curious how you think about that, how you think about the high risk communities protection effort contributing to exactly those pieces, and how maybe raising the standards, raising the improvements for cyber protection across the board can help.

And, you know, just very curious to, and I know CISA works primarily domestically, but still, I think it has a longer term impact.

Yeah, yeah, no, I think that's a great question.

I think over the past year, so GCDC has a number of priorities, and one of our priorities for 2024 is raising the cyber baseline.

And I think it's really come out of conversations with a lot of stakeholders and insights from efforts like the high risk communities protection effort around the need for us to work with these communities, whether it's, you know, small water utilities or nonprofits, that have like a very low level of cyber kind of capability and resourcing, and really bringing them up a level.

And understanding how that has a national security impact.

And again, I think that goes back to the paradigm shift that is kind of going on within CISA, whereas we've traditionally been focused on the more well resourced owners and operators.

But really understanding that we need to bring the entire cyber community up to this higher baseline is a paradigm shift that's occurring within CISA.

And, you know, I think it's, it's something that's going to take a while and will require continued partnership with organizations like Cyber Peace, with organizations like Freedom House, because cybersecurity is really a team sport.

And that's something that we've really learned through this effort.

Yeah. And I can just add, it's been wonderful to see CISA engage in strategic dialogues with like UK governments and many other governments.

And Freedom House looks forward to engaging.

It does seem like these are potentially efforts that can help a little bit, at least.

So taking away some of the mechanisms for, for attack, right, is really the concept long term.

That doesn't mean it will happen overall. But I mean, how do you see these efforts fitting into that broader, that broader piece?

So can, can we improve the cybersecurity components, you know, slowly in collaboration?

Do you think that will help? I mean, what's your, what's your sense?

Yes, I think, I think CISA's efforts will certainly help and are most welcome.

I also, you know, think the role of governments and organizations like the Freedom Online Coalition are extremely critical.

Freedom House sits on the advisory network of the Freedom Online Coalition, which is a coalition of democratic governments.

The US was the chair last year. This year, it's Netherlands.

Next year, it's Estonia, I believe. And they've, you know, done a lot of excellent work, for example, putting out a joint statement condemning Iran's Internet shutdown.

They also released guidance. I believe it was titled like principles for government surveillance.

So yeah, I think I see room for governments to engage there as well.

Thinking about how these pieces fit together, do you have long term thoughts on sort of what it will look like?

So, you know, CISA, you know, you really are, I think some of the first sort of, you're getting into a world that really, governments really haven't been in.

Do you think that will expand to other governments?

I mean, do you think, what is the long term potential? What would you want of efforts coming out like that?

We had lots of dealings with the US and the US is the first nation when it comes to cybersecurity, maybe, you know, with Israel, but we do look up to a lot of the things that the US is doing.

So I do think that when the US is taking steps in a direction, everyone else looks at that.

Some, you know, China, Russia may be going the opposite directions, but certainly, the Western world will be inspired.

So I'm very excited to see the repercussions of the initiative that Emily, you've been leading.

Now, I always come back to this, it's critical that we have guidance, it's critical that we have more tools available.

But if there's no one in the nonprofits, if there's no one in civil society to install those tools, configure those tools, read those guidance, we can create better tools, more tools, more guidance.

We're not solving the issue. The average salary of a cybersecurity professional in the US is twice the average salary of an employee of an NGO.

The talent acquisition and talent retention of cybersecurity professionals in the nonprofit sector is not hard, it's impossible.

It's impossible, right? We're missing a half a million jobs here in the US.

Globally, 3.5 million jobs vacant next year, unsealed next year in cybersecurity. In APAC, they need to triple their cybersecurity workforce.

What do you think this means for nonprofits?

So for me, yes to more public, you know, efforts towards better guidance, simplifying the NIST framework, making cybersecurity more accessible, making cybersecurity cheaper, working with tech companies so they provide free indicators of compromise like we're doing together, protecting nonprofits with your product, Area 1.

But we need to solve the talent pipeline. If we're not cracking that, then, you know, there's no point in having more tools and more guidance.

And trying to think the long term, I mean, we have a cybersecurity problem, just cybersecurity professionals.

I think you're right. We have a dearth of cybersecurity professionals.

But you had some really creative thoughts in the high -risk communities protection program.

So can you describe a little bit about that and how you thought about it?

Yeah, absolutely. So I mean, I think, as Adrian mentioned, I think, you know, hands-on keyboard support is one of the vital elements of helping civil society organizations.

So one of the outcomes of the planning effort was a site on CISA that really centralizes resources or highlights the different local cyber volunteer programs across the country.

And the hope there is that we can really raise awareness about what these programs are, how you can get involved if you're a volunteer, how you can get support if you are an organization that needs those services.

And kind of the thought behind it, too, is that hopefully we can continue to build this resource.

Hopefully it can be living.

And hopefully one day it's, you know, this massive repository of local cyber volunteer programs.

And then on the other side, we do have our guidance for, like, non-technical individuals that are employed at nonprofits.

And our thought there is, you know, if there isn't an IT person in your organization, you know, at least this guidance is a way that you as a person can take steps to minimize the likelihood that an APT is going to personally target you.

And hopefully all the people in your organization are adopting that guidance.

That makes the organization a little bit stronger as well.

But, you know, none of these are silver bullets.

We know that there's still a lot of work to be done to protect civil society against digital security threats.

And then just one other thought, because Adrienne had mentioned it around, and I guess back to your question on, like, international progress in this area, too, is so CISA is also working with a lot of our international counterparts to really try and explain the work that we're doing and influence them to take similar steps.

And it's really interesting because there are some countries that are very advanced in this space and actually have programs, like, and I'm talking about the UK in particular here, they have programs that are specifically focused on civil society.

Other countries are asking us for a basic definition of what is civil society and trying to understand that group and the unique threat profile that they face.

And they're kind of in those early exploratory stages.

And so, yeah, I think there's a lot of opportunity for CISA to continue to grow in this work and then also to help kind of influence other cybersecurity agencies across the world as well in how we think about this work.

I just wanted to add that a lot of the people we talk to are indeed finance directors or people with a background that has nothing to do with IT.

And so having that guidance is precious to them.

But sometimes their issue is also that they're getting paid to do something else, and cybersecurity comes on top, and they only have eight to 10 to 12 hours a day.

And so it bears a conversation with donors, and we're here at the end that donates funds to many nonprofits, and there's plenty of donors in the US, USAID, and others.

How are they thinking about cybersecurity? Is it still considered an overhead, meaning that nonprofits that are spending on cybersecurity and hence not spending, you know, nine cents of a dollar on the ground are getting penalized for this?

But what happens when those nine dollars spent on the ground end up doing more harm than good because the database leaks of your war informants or because your patient health information is now in the open because the nonprofit was not able to secure it?

So the role of governance here, because nonprofits are unregulated, you know, they're not a regulated industry, it's difficult to have those regulatory discussions.

And perhaps it's premature too soon, but maybe five years, 10 years, 15 years in the future, like we've had with the private sector.

10 years ago, we were not so much talking about regulation, at least here in the US.

In Europe, a little bit more now, of course, a lot more.

But how are we thinking about regulating a little bit that space? It's sometimes I feel a hard word to use, but are we really protecting people when we're letting organizations handle their data the wrong way?

Of course, you did raise the idea that nonprofits would be critical infrastructure.

Be careful what you wish for, my friend.

There is a new cyber incident reporting requirement coming your way.

Can you describe it a little bit?

One of the things that makes me really proud about Project Galileo is that we started a project when we were tiny.

In 2014, we were not a big organization.

And we've grown over time. So we've actually tried to think about new things that we can do, new partners that we can have, new ways that we can potentially have an effect.

So whether it's putting information out about Internet shutdowns, or whether it's expanding the tools that we have.

And I actually think our cyber peace partnership is really unusual.

And it's the only one we have so far on it, but it's really interesting.

So can you describe it a little bit?

Sure. And USAID was used as a vantage point to send phishing emails to other nonprofits.

And so that got us thinking. And a couple of months later, a different attack, a nonprofit in peace mediation in Geneva, that ended up sending me a phishing email.

And it turned out that the person who sent me the email was on maternity leave.

So I came back to the nonprofit, and other people came back to the nonprofit.

And we ended up understanding that, obviously, that account got breached, and their active directory got breached.

And we ended up helping them clean up the mess.

It made us think that phishing, as boring as phishing is, phishing is still the number one attack vector.

And even though there are plenty of tools available, and Area 1 is fantastic for that, it's a tool that has been built by Cloudflare, no one is really looking, or I guess, you know, you don't have the capacity to be looking at the campaigns that are going against nonprofits.

So one of the things that we're currently piloting together with Alyssa and Jocelyne, and our technical teams back home, is to offer this protection, anti-phishing protection, and look at the campaigns that the nonprofits that we're working with, are all getting so that we can alert the community and prevent them, sorry, alert them, you know, watch out, this campaign is building up, you have activities in that region, you may get phished in that way.

So, you know, be careful.

And obviously, in the process, we're able to block the malicious domains, share that with partners so that they can block them at the NS level.

So, you know, really interesting how, out of the Galenio projects, Area 1, if I'm not mistaken, is not part of...

It is now. Okay, fantastic. Well, it wasn't when we started the partnership.

It's just fantastic to see how the give-back attitude that Cloudflare has led us to think that you would be a good sparring partner for that idea, and then we were able to flesh it together.

Really good.

competencies, and what it comes down to, as you were alluding to, like, when the rubber hits the road, it needs to be funded.

If it's not funded, it's not going to happen, right?

That's critical, and in the same vein, building local capacity for this work, and I'm thinking about...

I used to work at Access Now, that does digital forensic research, and that there's only three or four actors in the world who do this, and I was talking to an activist from Venezuela, and he was like, we have no where to go, and there needs to be more local support for this work so it's sustainable and it's not one-off.

As I mentioned before, and if I could just quickly, another shout-out to the Freedom Online Coalition.

They put out great... It's titled Donor Principles in the Digital Age, and they call out specifically the importance of prioritizing digital security.

Emily? In Project Upscale, which was our series of cyber hygiene and offset guides, a lot of our recommendations are around changing default settings on, for example, changing your social media to more private mode or implementing MFA.

And CISA has a huge Secure by Design initiative, and so I think something that I'd like to personally see industry do is really start to think about high-risk communities and the design choices that they're making in technology.

I think that there are a lot of ways that we can instantly make high -risk communities more secure just by having default settings that are secure by default.

So that would be my main recommendation.

Adrien, last word. I mean, we talked about government, we talked about what civil society could do to make things better.

I'd like to start and close on what industry can do better and take the example of Cloudflare as one of the best examples out there.

I've heard the saying, I don't know how you say it in English, but I guess it goes, a principle is only a principle if it costs you money.

And Matthew at the beginning was saying how at the very beginning of Galileo, you were kicking off some of the organizations because they were consuming resources and you were not sure that they were… Galileo costs you money, but you continue to provide it for free and you've been continuing to provide it for free for the last 10 years.

That's impressive. And we need more tech companies to realize that civil society needs that kind of program and not software at a discount that was not built with their needs in mind that gives them the illusion of security.

No, we need more, I don't want to say corporate social responsibility because it's such a loaded term.

I think we need more value-driven companies that are realizing the critical role that civil society plays in their business model.

If we fail to protect civil society, the Internet will have proven to be a Death Star or whatever Star Wars analogy you want, and it will die.

And Cloudflare will close, and Microsoft will close, and we will all die.

No, just kidding. Let's have more companies step up like Cloudflare is doing to help us protect civil society.

Well, thank you all.

I'm going to turn it back over to Patrick again. I think I have gone over.

Thank you so much.