
The Persistent Problems Of Digital Resilience

Marek Tuszynski, Executive Director and co-founder of Tactical Tech. January 2025
In this article, I'll share some of the key lessons we've learned about navigating the complex world of digital security. I'll look at how to identify the right tools, services, resources, and organisations to protect your community, network, or organisation from cyber threats - and why this work is more important than ever. Consider this: almost everything we do online relies on the infrastructure and services of the 'big five' technology companies - Google, Apple, Facebook, Amazon, and Microsoft (GAFAM) - with Chinese counterparts such as TikTok and DeepSeek rapidly catching up. At the same time, the regulations and policies that govern these digital spaces and their gatekeepers can be overturned overnight by shifting political agendas with the stroke of a pen, while what civil society has at its disposal is no match for the sophistication of surveillance and hacking tools. It's a precarious environment and these are difficult times, and understanding how to protect against these risks is more important than ever.

Choosing tools wisely

We are often asked to recommend the use of specific tools such as virtual private networks (VPNs), secure messaging applications, and secure web browsing applications. However, we strongly advise against relying on tools alone when a more holistic approach is required. While tools can provide basic protection, they are not a silver bullet and will require significant changes to your organisation's processes and culture. And these are just the tools - any tool is only as good as the mastery of its use.

The limitations of fixing what we have

A common misconception is that addressing digital security is simply a matter of deploying new security tools or technologies. However, this approach often overlooks the underlying structural limitations that reduce an organisation's ability to address long-term systemic issues. In reality, many organisations lack the necessary resources, including long-term funding and strategic partnerships, to address these deeper challenges. This is because addressing complex security issues typically requires significant investment in people, processes, and infrastructure, which can be difficult to secure within existing funding programmes and budgets.

Everyone needs to be involved

Effective digital security requires a collaborative effort across your organisation, network, or movement. It's essential that everyone is involved in identifying potential threats and vulnerabilities, and in developing and adopting strategies to mitigate them. This means that no one person or team should be the sole point of contact for all security issues. This is particularly important if your organisation or network works across multiple projects, regions, or themes, each with its own specific contexts, activities, staff, audiences, etc.

Your weaknesses determine your strengths

Our experience also highlights the importance of understanding your organisation's strengths and weaknesses. Just as a chain is only as strong as its weakest link, our digital security efforts will only be effective if we understand how our own vulnerabilities can be exploited by attackers. Think of it like a person-overboard (MOB) drill on a boat. It's usually practised in nice summer conditions with a floating fender as a mock casualty - but it's very different when you're in a storm, someone goes overboard, hit by the swinging boom, and someone else in your crew has to radio for help but doesn't know how, and the engine just won't start. You may have been the most experienced skipper on the boat, but the situation got out of control in a split second because no one else was properly prepared, even if they knew some theory pretty well.

Risk assessment is critical but difficult to achieve

Risk assessment is an essential aspect of digital security. While it's tempting to focus on identifying risks rather than mitigating them, this approach often leads to a one-size-fits-all solution that may not address your organisation's specific vulnerabilities. A good risk assessment takes time, effort, and resources, but it's ultimately a living document that helps you understand your vulnerabilities and develop effective mitigation strategies. It's also vital that this assessment is developed with the attitude that things will definitely happen when you're least prepared for them, rather than if they happen at all.

Soft spots are not where you think they might be

We see a lot of focus on the, let's call them, frontline activities and needs - the tools used by investigative journalists, human rights defenders, environmental activists and so on. Rightly so, but there are many operations, communications and relationships with organisations and institutions that use problematic tools for their accounting, travel planning, auditing and funder reporting. These systems collect, store and process a lot of valuable information and assets that are often overlooked in security planning and risk assessments. In addition, at the end of the day it all comes down to people - and we live and work under a lot of pressure and stress, the technology we use is and will remain confusing, non-intuitive, frustrating and easy to make mistakes with.

It used to feel like a game of cat and mouse, now it could just be a game of trap

You might be an individual such as the Prime Minister of Spain, Pedro Sánchez, or Slaviša Milanov, an investigative journalist from Serbia; an organisation such as Human Rights Watch; or one of the tens of thousands of people whose phone numbers are believed to have been targeted by customers of NSO Group or Cellebrite DI Ltd, the companies that make tools such as Pegasus and Cellebrite. These are well-known and well-documented examples of sophisticated tools available to state-level agencies. They often go undetected, and you might only find out after the fact whether your phone was targeted at all. It is almost impossible to protect yourself from such tools, short of going completely dark, but who can? Now add some AI to the equation... and goodbye!

Conclusion

In summary, effective digital security is not just about tools and technologies; it requires a holistic approach that includes cultural change, collaborative efforts, ongoing risk assessments, and awareness of hidden vulnerabilities in operational processes. By addressing these issues, non-profits, networks and movements can build more resilient systems that are better equipped to deal with unexpected challenges and threats. This text will not conclude here without giving some suggestions and pointers on how to actually choose tools if you must, where to start and where to look for advice and help, which will come in the following sections.

How we choose tools

At Tactical Tech, we advocate for a rethinking of technology - from short-term convenience to long-term - with trust at its core. Proprietary software (black boxes) demands blind trust, leaving users in the dark about data and security. In contrast, open source software (open boxes) promotes higher levels of transparency, empowering users and giving them control over their digital environments.
The tools we use and promote are guided by eight key principles:
  • Open Source: Transparent and non-proprietary. This does not mean that you can take open source at face value: it is better that the code is open source and has a good open licence, but that does not automatically make it perfect code. Also, check the claims that tool vendors often make: it may be that the client application is open source but the server operations are not - for us, that's not an open source project. You can read more about this in the 2022 report, BASICS Report on Open Source Digital Security Tool Ecosystem.
  • Trusted: Audited and reliable. Note that audits cost a lot of money and not every developer can afford them; there are tools out there that people trust that have not been audited.
  • Mature: Stable, actively supported by users and developers. This is a good indicator - look at how often the tool is updated, how the development team responds to problems, whether the ownership has changed, etc.
  • User-Friendly: Accessible to a wide audience. There are a lot of amazing tools out there that require command line and terminal skills to run. If you can use them, do so, but the rest of us are stuck with tools that have accessible graphical user interfaces (GUIs), and they need to be friendly.
  • Multi-Language: Localisation support. This probably goes without saying.
  • Multi-Platform: Compatible with Mac, Windows, Linux, and Android. Of course, we want everyone to be on Linux - but let's be realistic.
  • Well-Documented: Easy to understand and use. Documentation is paramount, we rely on it and write our own - so should you.
  • Transparent about data practices: Is it clear what happens to data, and what data is accessed, collected, and stored? Are there third-party trackers? Does the tool require access to services it doesn't need? What is their data retention policy? Is it end-to-end encrypted?

What tools we use

This is not to say that you should use any of these tools - it is your choice - but it might be a good start to see the differences, set your own priorities and find what works for you.
Content collaboration and development:
Operating Systems: We prefer Linux in various flavours
Internet Browsers:
Text, Video, Audio Editing:
Encrypted Email, Calendar, and Contacts:
Password managers:
Instant Messenger:
Secure File Storage:
Connecting Securely to the Internet - VPNs:
Social Media and Video Sharing:
Email Newsletters:
Online forms and surveys:
Communication and Virtual Meetings:
Web Analytics:
AI:

Resources to check out in alphabetical order (ours is at the bottom)

Some are more up to date than others - this is not an exhaustive list - but a good place to start - we do not endorse any of these, including our own - it is up to you to decide what would work for you - the list below should speed up the process.
Access Now’s Digital Security Helpline works with individuals and organizations around the world to keep them safe online. If you’re at risk, we can help you improve your digital security practices to keep out of harm’s way. If you’re already under attack, we provide rapid-response emergency assistance.
Security Planner (initially developed by Citizen Lab) - a self-assessment tool for individuals to cut down on data collection and protect your sensitive personal information, health data, and geolocation.
DDP is an international programme that contributes to strengthening the resilience of Human Rights Defenders by increasing their digital security through a holistic and sustainable approach.
Aims to improve the security of Rights-based organisations, initiatives, foundations and activist collectives. Having a holistic approach for us means mitigating and responding to digital, physical and emotional risks.
A resource for people teaching digital security to their friends and neighbours
Ethical Alternatives & Resources - Ethical.net is a collaborative platform for curating, building and discovering ethical alternatives for tech products.
Totem - Digital Security training for activists and journalists - an online platform that helps journalists and activists use digital security and privacy tools and tactics more effectively in their work.
Security in a Box - a toolkit developed together with us - currently led by Frontline Defenders.

Global Investigative Journalism Network’s ‘Journalist Security Assessment Tool’ and training

The Journalist Security Assessment Tool (JSAT) was developed for the use of GIJN partners and journalists around the world. Upon completion, the assessment tool will display a series of recommendations.

Global Support Link

Help Desk - provides free resources to people and organizations who are part of the Powered by the People (PxP) global network. In addition to the online resources, members of the Help Desk can answer questions and provide advice on digital and physical security via chat, messaging or email channels.
Guardian Project creates easy-to-use secure apps, open-source software libraries, and customized solutions that can be used around the world by any person looking to protect their communications and personal data from unjust intrusion, interception and monitoring.

Internews Digital Safety Initiative / Safetag

Safetag - is a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to smaller non-profit organizations based or operating in the developing world.

Level-Up

LevelUp is a living project intended to provide support to, and enable creation of resources and sharing of knowledge within, a growing network of individuals providing needed digital safety training and education to users of technology worldwide.

Open Briefing

The Protocol - The Holistic Security Protocol for Human Rights Defenders (the Defender’s Protocol) helps us advance our physical safety, digital security, and well-being and resilience. By following the Protocol, we enhance our individual and collective security, and can reduce the burden of attacks, harassment, and censorship on us and our communities.

Rapid Response Network & CiviCERT

The Digital First Aid Kit - is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others.

Reporters without Borders (RSF)

Safety Guide For Journalists - a handbook for reporters in high-risk environments (pdf)

Tactical Tech’s many projects

Holistic Security is a strategy manual to help human rights defenders maintain their well-being in action. The holistic approach integrates self-care, well-being, digital security, and information security into traditional security management practices.
Holistic Security Trainers manual is a companion to the Strategy Manual for HRDs, drawing out key learnings from the holistic security project from a facilitator's perspective and bringing together best practices from the fields of digital security, physical security and psycho-social well-being.
Gender Tech Resources (note: last updated in 2019) is a resource that introduces a holistic, feminist perspective to privacy and digital security trainings, informed by years of working with women and trans activists around the world.
XYZ - is a space for practical tools to navigate digital security and privacy from a gender perspective, learn from each other's activism, inspire one another and co-create.
Safety First! - a guide and a related workshop curriculum to help you stay digitally, physically and psychologically safe and aware of potential risks at all times by adopting some basic good practices and tools to keep your human sources, yourself and your evidence protected.
Digital Enquirer Kit - the Digital Enquirer Kit is an e-learning course about media literacy, verification, and how to navigate the internet safely.
Data Detox Kit - a set of simple guides about Artificial Intelligence, digital privacy, security, well-being, misinformation, health data, and tech and the environment.
All the images by author from the series “Cemetery Surfaces” 2025