The Human Security Dan Kaminsky Fellowship is expanding its support by providing Dr. Gillian “Gus” Andrews with financial and data resources to find ways to translate threat intelligence best practices to the world of human rights and civil liberties. The goal is to start formalizing ways to track coordinated harassment, stalking, and disinformation campaigns against activists, journalists, human rights workers, and non-governmental (NGO) employees that put their lives and liberty at risk.
Andrews is a digital literacy expert with deep roots in both human rights advocacy communities and the cybersecurity world. She teaches graduate-level courses at Columbia University’s Teachers College on technology and culture; technology and literacy; anthropology; and education. Her research has led her down professional paths exploring user behaviors and perfecting design to create better user experiences for a number of organizations, including Linden Labs, the Open Internet Tools Project, Simply Secure, and Thoughtworks. Simultaneous with this work, she has also pursued relentless personal interests in both human rights activism and cybersecurity.
Last year, Andrews helped the DISARM Foundation build a minimal viable product for a threat intelligence framework to track disinformation campaigns in similar fashion as the MITRE ATT&CK framework. This led her to musing about how threat intelligence practices and disciplines could potentially be used to help protect the human rights community, which in turn spurred her proposal to Human Security for this year’s Dan Kaminsky Fellowship.
The fellowship’s goal is to research how the human rights community can create more formal means for sharing threat intelligence information. As a part of that, Andrews will also be examining the links between traditional cybersecurity threat actors and the threat actors harassing and attacking human rights workers.
The fellowship really has two components. One was supporting that community’s ability to gather, share, analyze and make use of digital threat information to a greater extent than they have been because they have a cert in their group, but it’s sort of low-level what actually gets shared there. There’s not that much stuff. That was half of the proposal. And the other part of the proposal was me looking to compare indicators of compromise between disinformation campaigns and traditional cyber threats and see whether it’s common actors, whether there’s common infrastructure, stuff like that.
Andrews is looking for links between bad actors online. She stated that a woman journalist can be doing her work, but she is being attacked by shadowy forces or large online communities, people sort of coordinating campaigns to be like, “You shouldn’t be doing your work, you should stay at home.” And making other horrible gendered attacks, sometimes much worse than that. A lot of this stuff has a sort of coordinated, inauthentic flavor to it. There’s a lot of activity that clearly somebody has bought a botnet, somebody is doing a big campaign like that. And so from the beginning, one of her senses of this work is that one of the ways she could really help out is what if they can start to identify the command and control or just any indicators of what’s going on with this and see if that is something that they can do to support these folks who are being attacked.
It is an interesting thing to describe, but the human rights community is literally a loose affiliation of NGOs and then people working independently. People sort of go in and out of working at Facebook, working at Google, and then they’ll come back and do work in the NGO space again. But, like so many things in the digital security space, and particularly the threat intel space, they’ve built up a lot of trust over the years. They have all met each other at conferences, and they’re like, “OK, this is a real person. We trust them.” For Andrews and for a lot of people in this community, doing digital threat intelligence represents a lot of upskilling. There is just not that much in the way of threat intelligence chops there, and everybody’s really interested in doing more of it.
Andrews started attending the Hackers on Planet Earth conferences, like some random kid who had done a little bit of activist stuff. But she started attending it and just going to every single talk. She would sit through all the talks. And there’s no breaks between talks, there are no breaks for lunch. HOPE is still to this day a conference for 18-year-olds. And you have to remind them, “Go to sleep, eat a meal, and take a shower.” It’s still that conference, despite the fact that Emmanuel is now well into his sixties. Yeah, HOPE is a very stroll-up-and-you’ll-just-learn-things conference. So that was how she learned a lot of stuff.
She started speaking at the Hackers on Planet Earth Conference. She actually weaseled her way onto Matt Blaze’s panel one year. And Matt and she have been friends since then. They’ve been through a lot together, actually. She was sort of doing this casually outside of her doctorate in education. And she had this sort of weird dissociated thing where she had to keep her hacking work and her educational work apart for a really long time, to the extent that when she graduated from Teachers College, she talked to Renee Hobbs, who’s like a leading light of media literacy. And she was looking at her resume being like, “I don’t see your home conference. There’s no clear place that you’ve been.” Because she hadn’t talked about the fact that she’d been going to the Hackers on Planet Earth Conference for 10 years at that point. This was all in parallel until she took this job at the Open Internet Tools Project at New America in 2013 and then was finally able to bring this stuff together.
The DISARM Foundation is working on creating a MITRE ATT&CK-like framework for understanding disinformation, basically. Andrews worked with the DISARM Foundation last summer, and over MITRE ATT&CK, which turns out to have been made by Adam Pennington, who she just knew as a random guy who was at HOPE. She had no idea who was developing it.