Cybersecurity for think tanks part five: how to create safer spaces for sensitive conversations online


Many think tanks are in the business of ‘off the record’ meetings and confidential policy advice. After all, this is one of the central offers we make to policymakers: we create safe spaces to think through and discuss an idea before it goes out into the open.

Some of us also work on particularly sensitive topics such as defence policy, peace negotiations or cybersecurity. We might engage in sensitive diplomacy, articulate evidence that is unpopular with our own government, or do research on authoritarian regimes where our speakers and participants may fear retribution for speaking out.

In face-to-face events, therefore, we have rules and norms to ensure confidentiality, e.g. the famous Chatham House Rule that restricts the attribution of statements to speakers. These work great in analogue settings.

But is there a way to ensure at least some level of confidentiality – and therefore security – of information at a time when, due to the COVID-19 lockdowns, many think tanks have had to move their operations online?

Choose the right tools for your purposes and security needs

As threat models differ from one organisation to the next, there is no one-size-fits-all approach. The think tanks we spoke with tend to use different tools for different purposes and needs.

Therefore, first you need to define these purposes and needs. For example, if confidentiality is your core value, and more important than public outreach and media visibility, then certain options are off the table. If you are a highly event-driven think tank with lots of conferences and webinars, functionality may be more important than top-notch security.

As general advice, we found:

1. For sensitive one-to-one meetings with external parties

If you want to do sensitive, one-on-one political consulting with external partners your best options are open-source tools that use strong end-to-end encryption and cannot be easily strong-armed by governments.

Good indicators are whether a company publishes transparency reports about lawful access requests and how quickly it responds to reports of published vulnerabilities.

The downside of these tools is that they rarely scale to a large audience, are often somewhat less intuitive to use, and are not as widely adopted. Smartphone messengers like Signal or Threema are a top choice.

2. Sensitive video conferencing within the organisation

If you want video conferencing for internal communication, including sensitive issues such as budgeting or recruitment, you need a compromise between tools that integrate well into digital work environments and those that offer a reasonable degree of security.

Self-hosting a platform like Jitsi or Big Blue Button may be a preferred option for security and data control, but might struggle in terms of reliability and quality, especially if your Internet connection is not great and you don’t have resources for dedicated servers.

Commercial systems like Microsoft Teams/Office 365 or Cisco Webex offer high quality, reasonable security and an excellent integration into other digital collaboration tools like internal chat, project management and more. These tools can be found in early-digitised government agencies too.

If you go for them, make sure you sign up for the business version, which tends to come with better encryption and data protection standards. If you are located in Europe, pick a provider that allows you to sign a data processing agreement under the General Data Protection Regulation. Depending on your resources, you could also run both a commercial and an open-source system, keeping one as a backup.

3. Public events

For larger public events, like conferences or webinars, Zoom is still a reasonable choice. It offers most relevant functionalities like webinar and meeting modes, screen-sharing and break-out sessions. The easy onboarding process and high user adoption are also attractive.

Video-conferencing is a dynamic market with lots of competitors. Microsoft and Google have also upped their game. So be flexible, as market trends and user adoption might change. Also consider that not all tools are commercially available everywhere. If you work on or in countries such as Belarus and Sudan, you or your partners might not be able to use Zoom due to US sanctions and export restrictions.

If you are using Zoom, send all employees a ‘first aid kit’ to improve security

If you are already using Zoom, as a quick fix you can develop something like a security ‘first aid kit’. This is essentially a list of best practices for setting up Zoom calls securely and avoiding ‘Zoombombing’:

  • Educate your team when to use what tool. Zoom may be good for public meetings, but for internal or small meetings with external participants, it may be preferable to use Microsoft Teams (if you have it) or your secure back-up alternative.
  • Never share the link for participating in Zoom webinars publicly, neither on Facebook nor on your website, because this invites intruders. Send the link directly to participants after registration with a note not to pass it on.
  • Do not make the webinar or meeting public. Use a password by default. Consider sending the password in a separate email from the one with the participation link.
  • Always run the webinar/meeting as a team of two. One team member acts as the conference guide, the other as a behind-the-scenes moderator and community manager: managing the waiting room and collecting comments and questions from the chat. The moderator can also remove anyone who disrupts the meeting. This way you keep a better overview and support each other.
  • Use the waiting room for your Zoom event, so you (or someone from your team) can check each person that wants to enter and let them into the room one-by-one.
  • Restrict rights of interaction at events, including functions like microphone, video, chat and screen sharing.
  • Lock the webinar/meeting after it has started so that no one else can join via the link.
  • If you do find uninvited guests in your meeting, address it head-on and announce that you are removing the intruder from the meeting.
  • Last resort: end the meeting!

Some last words

These are some of the ideas, tricks and techniques used by the think tanks we spoke to while collaborating on this topic. Keep in mind that there is no one-size-fits-all solution and that you may need to adapt what you read here to your particular situation. A few additional resources shared by think tanks include:

A comparison of online collaboration tools.

Please let us know what you and your organisation have done to boost IT security while working remotely. We are interested in further tips, comments or even first-hand testimonials from your organisation.