This blog expresses only my personal views, and not the one of any organization or institution I have worked or currently work for.
At his opening speech at ICCM Patrick Meier has listed a number of topics that have been and will be very important in the field of crisis mapping. One of them was security.
It is sure that security is and will be in the years to come one of the major topic to be addressed in this field, but yet, I feel there is the need of a more pragmatic approach to this topic than the one used so far.
In one of the sessions at ICCM, which was entirely focused on this subject, some very interesting issues came out, which will give me some more ground to explain why I think that almost 90% of the discussions on cyber-security tend to take a tangent in the direction an academic – philosophical approach rather that a practical solution to practical problems.
1. One of the major discussions on security gravitate around the design or protocols, standards and code of conducts to try to crystallized the problem in predefined codes and in this way find predefined solutions. While I understand the need for some sort of universal documentation that would allow us to look at the problem of security in a much clearer way, I think that starting with this as the first step is an upside down approach that will not really help that much.
What I have learned in my experience in working with repressive regime and in dealing with security issues in crisis mapping projects is that everything is entirely related to the background of the place where you are implementing your project. In this regard I fear that if we design protocols and procedures before and then try to “customize” them to the specific case, we will end up missing a lot of the local specificity that can make something that is very safe in a situation super dangerous in another.
2. A second discussion has been focusing on the tools and the responsibility on who design, build and sell/make available those tools to the public. I have already discussed this in one of my previous blog post, but I will reiterate here what I think is the main problem in focusing on the tools instead of the uses, and I will explain it with an example. A knife is a tool that we always have, in every household. We all know a knife can be used to kill, or hurt people, but we also know that this isn’t the only use you can make of it. Now, while when we buy a knife the vendor will not tell us to be careful because we can also kill someone with it, since he assumes we know it, the situation is different when it comes to cyber/ digital tools.
The main problem here is the level of collective knowledge that we have about the risks we run into when using a certain platform. When we buy a phone, the vendor will not tell us that our phone can always be recognized and traced, that there is a unique identification number and signal associated with it, and that there are several ways that someone can use to access all the information in our phone. The same happen when we open an email account.
While there are certain information/tools that we know are accessible/ hackable, the knowledge about risks associated with a lot of tools is still not that widespread. I truly believe that the conversation about who has the responsibility to spread this knowledge is indeed useless: the responsibility according to me is shared in bw the users and the consumers, and we should all work towards more knowledge spread more broadly. Ultimately it is not about which tool is better than the other, it is about knowing exactly what vulnerabilities associated with each tool are and how to make this knowledge as accessible as possible.
3. The third big discussion is about what to do when risks are too many, or knowledge too poor or when solutions have not been designed yet. In this regard I am a big fan of the “if you don’t know what you are doing, do not anything” principle, but I also truly believe that we cannot think that inaction is the best solution for all security issues we face when doing a crisis mapping project. If there are security concerns, they need to be addressed carefully and responsibly, but in urgent situations – like a crisis – there is no time for prolonged conversations on what to do. Action needs to be taken, and better be a good one. So, what do to?
My 2 cents on this are the following:
1. Stop talking about who should do what and focus on what need to be done now. If u are interested in the topic and realized it is important, do it yourself. I am much less interested in the attribution of responsibilities then the actual lowering of the negative outcomes. With this I am not saying that there are no responsibilities, but that I would prefer to act in advance on the issue then to wait for fact to happen and then call someone guilty.
2. Go local! I will never be enough tired to say that local population normally have a much better knowledge of the risks and the dangers. Talk to them: they may not realized how to use a tool, but they will be bale to tell you how local actors will take advantages or not of certain possibilities, if presented to them.
3. Focus on what u can do and mitigate, since if you cannot do anything, there is no point in wasting your time trying to find a solution to it. To do this, you should not focus just on the cause of certain threats, but on their consequences: you may not be able to make a government weaker, or less repressive, but you can look at the practical consequences of their repression and mitigate it.
4. Dissect your problems and your security concerns: when facing a security issue, dissect it into all different and possible phases, components and possible outcome and look at all of them as if their were single factors. You may not be able to solve entirely the problem, but you may be able to act on single components and in this way lower the overall impact of the security threats.
Now, I know this is easier to say than to do, and there is no “how to do” guide on this, but we have to start from something no?
In my next post I will make a practical example to explain those suggestions.