Cybersecurity

Another concern is cyberattacks. Local governments have been on the receiving end of cyberattacks, especially ransomware, at alarming rates in the past few years. In a ransomware attack, hackers gain access to sensitive data and/or control of your software, then demand a ransom in return for a promise to restore your access or delete the stolen data, although you can't trust them to keep that promise. In other cases, governments have increasingly tight control over the internet and social media, enabling intense surveillance of citizens' activities. The sensitive data they collect on political opponents, or on the entire population, could be put to as-yet-unknown future uses.

What you can do about it

Even if there doesn't appear to be a threat on the horizon where you live, we recommend making a plan for what to do if the situation changes, which can happen literally overnight.

One way to protect your participatory platform from a ransomware attack is to avoid being a rich target in the first place. By minimizing the amount of private or sensitive data you collect from users, you limit the value (and potential damage) of a ransomware attack. If the only data you hold is participation content that is already public, you won't be a good target for ransom.

Instead of storing passwords, many operators of digital products now ask users to authenticate themselves through "magic links" sent via email or mobile phone notifications (which themselves rely on biometric authentication like a fingerprint or facial recognition). Two-factor authentication is also now common practice, and strong implementations of it rely on digital 'passkeys' rather than text message codes, which can be intercepted. Passkeys are supported by tech giants like Google, Apple, and Microsoft, and are easy for end users to use.
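To make the "magic link" approach concrete, here is an added example in Python (not code from the original page or from any particular platform) of issuing and redeeming a single-use, time-limited sign-in link. The platform hostname, the 15-minute lifetime and the in-memory store are assumptions for the example; a real deployment would keep the records in a database table.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store for this example; a real platform would use a
# database table. It is keyed by the SHA-256 digest of each token, so the
# table never contains a usable link even if an attacker copies it.
_pending_links: Dict[str, Dict[str, object]] = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: a link stops working after 15 minutes


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use sign-in token for `email` and return the URL to send.

    The raw token travels only inside the emailed URL; the store keeps its hash.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS random source
    _pending_links[_digest(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    # Hypothetical platform hostname, not taken from the page.
    return f"https://participate.example.org/login?token={token}"


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email the link was issued for, or None if the link is unknown,
    already used or expired.

    The record is removed the first time the token is presented, so a forwarded
    or replayed link fails even if the first use was the legitimate one.
    """
    now = time.time() if now is None else now
    record = _pending_links.pop(_digest(token), None)
    if record is None or now > float(record["expires"]):
        return None
    return str(record["email"])
```

Because only digests are stored and each token is used at most once, a leaked copy of the pending-links table gives an attacker nothing to log in with, which is the property that makes this approach lighter to protect than a password database.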

If you do collect and store sensitive data, such as users’ passwords, it should be sufficiently encrypted and protected so that even if hackers gain access to the database, they cannot use the information.
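As an added example (not from the page or from any specific platform), the following Python shows the standard way of meeting this requirement for passwords in particular: store a salted, deliberately slow hash (scrypt from the standard library here) rather than the password itself or a reversible encryption of it, so that a copied database yields nothing directly usable. The scrypt work factors are assumed values chosen for the example.

```python
import hashlib
import hmac
import secrets

# Work factors assumed for this example (not from the page). N=2**14 with r=8
# needs about 16 MiB of memory per guess, which is what makes offline brute
# force against a stolen table expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Return a self-describing record: scheme, parameters, random salt, derived key.

    Keeping the parameters in the record lets you raise the work factor later
    and re-hash each user's password on their next successful login.
    """
    salt = secrets.token_bytes(16)  # fresh per user, so equal passwords differ
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(key_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record: never authenticate on garbage
    return hmac.compare_digest(candidate, expected)
```

The point of the per-user salt and the slow function together is that an attacker holding the table must run the expensive derivation separately for every guess against every user, instead of decrypting everything with one recovered key.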

If you're paying for a SaaS platform, the provider will respond to any cyberattacks that occur. Many of the paid platforms explicitly promote cybersecurity as a reason to use their product. While this isn't an iron-clad guarantee, their tech team may have more resources to protect your platform than your own team does.

If you are hosting your own platform, automating frequent backups and setting up a content delivery network (CDN) like Cloudflare can help prevent or mitigate cyberattacks. With servers around the world, CDNs can quickly shift web traffic to help mitigate the impact of an attack (although you and your team will still need to address the attack itself, which may require changing the code).
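For the backup half of that advice, here is an added Python example (not from the page or from any platform's own tooling) of the routine a scheduled job would run: archive the data directory, record a SHA-256 manifest beside it, keep only the newest few archives, and refuse to restore an archive whose digest no longer matches the manifest. The directory names, retention count and sample content are constructed for the demo.

```python
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Optional


def _sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(data_dir: Path, backup_dir: Path, keep: int, stamp: int) -> Path:
    """Archive data_dir as backup_dir/backup-<stamp>.tar.gz, write a SHA-256
    manifest next to it and delete all but the `keep` (>= 1) newest archives.

    `stamp` is an increasing number (a Unix timestamp in a cron job, small
    integers in the demo below), zero-padded so sorting names orders backups.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"backup-{stamp:012d}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(data_dir, arcname=data_dir.name)
    archive.with_name(archive.name + ".sha256").write_text(
        f"{_sha256_file(archive)}  {archive.name}\n")
    # Retention: drop the oldest archives (and their manifests) beyond `keep`.
    for old in sorted(backup_dir.glob("backup-*.tar.gz"))[:-keep]:
        old.unlink()
        old.with_name(old.name + ".sha256").unlink(missing_ok=True)
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the archive's current digest matches the one recorded at backup time."""
    manifest = archive.with_name(archive.name + ".sha256")
    if not manifest.exists():
        return False
    return manifest.read_text().split()[0] == _sha256_file(archive)


def restore_backup(archive: Path, dest: Path) -> Optional[Path]:
    """Refuse to restore an archive that fails verification; otherwise extract it."""
    if not verify_backup(archive):
        return None
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # Python 3.12+: blocks paths escaping dest
        except TypeError:
            tar.extractall(dest)  # older Pythons lack the filter argument
    return dest


def demo() -> Dict[str, object]:
    """Constructed end-to-end run in a temporary directory: three backups with a
    retention of two, an integrity check, tamper detection and a restore."""
    root = Path(tempfile.mkdtemp())
    try:
        data = root / "platform-data"
        data.mkdir()
        (data / "proposals.json").write_text('[{"id": 1, "title": "More bike lanes"}]')
        backups = root / "backups"
        newest = None
        for stamp in (1, 2, 3):
            newest = make_backup(data, backups, keep=2, stamp=stamp)
        remaining = sorted(p.name for p in backups.glob("backup-*.tar.gz"))
        intact = all(verify_backup(backups / name) for name in remaining)
        # Flip the last byte of the older surviving archive to simulate corruption.
        victim = backups / remaining[0]
        raw = victim.read_bytes()
        victim.write_bytes(raw[:-1] + bytes([raw[-1] ^ 0xFF]))
        restored = restore_backup(newest, root / "restore")
        text = (restored / "platform-data" / "proposals.json").read_text()
        return {
            "remaining": remaining,
            "intact_before_tamper": intact,
            "tamper_detected": not verify_backup(victim),
            "tampered_restore_refused": restore_backup(victim, root / "restore2") is None,
            "restored_text": text,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run `demo()` to see the whole cycle. In production the archives and manifests belong on storage that the platform's own credentials cannot overwrite or delete, since a ransomware operator who gets into the server will look for reachable backups first; the manifest check is what tells you, before you restore, whether a copy is still the one you made.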

Digital participation platforms that collect important votes or determine budgetary allocations must also be secure from internal manipulation of outcomes. Some platforms achieve this using blockchain, which is essentially an open, decentralized ledger of transactions, to publicly record votes so that manipulation is more easily detectable by anyone involved.
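To show what "manipulation is more easily detectable" means in practice, here is an added example (not from the page or from any real voting platform) of the core idea behind such a ledger, in Python: every vote entry carries the hash of the previous entry, so altering, removing or reordering any entry breaks the chain. The receipt codes and choices are constructed sample data; voter anonymity, eligibility checks and the distributed consensus of a real blockchain are outside the example's scope.

```python
import hashlib
import json
from collections import Counter
from typing import Dict, List, Optional

Entry = Dict[str, object]
GENESIS_HASH = "0" * 64  # the "previous hash" of the very first entry


def _entry_hash(entry: Entry) -> str:
    # Fixed fields and canonical JSON, so every party holding a copy of the
    # ledger computes identical digests for identical entries.
    payload = {k: entry[k] for k in ("index", "prev_hash", "receipt", "choice")}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_vote(ledger: List[Entry], receipt: str, choice: str) -> Entry:
    """Add a vote. `receipt` is a pseudonymous code the voter can later look up
    (constructed here), not the voter's identity."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS_HASH
    entry: Entry = {"index": len(ledger), "prev_hash": prev_hash,
                    "receipt": receipt, "choice": choice}
    entry["hash"] = _entry_hash(entry)
    ledger.append(entry)
    return entry


def verify_ledger(ledger: List[Entry]) -> Optional[int]:
    """Return the index of the first entry that breaks the chain, or None if intact.

    Editing an entry changes its hash; deleting or reordering one changes the
    index and prev_hash its successor must carry, so any of these surfaces here.
    """
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(ledger):
        if (entry["index"] != i or entry["prev_hash"] != prev_hash
                or entry["hash"] != _entry_hash(entry)):
            return i
        prev_hash = str(entry["hash"])
    return None


def tally(ledger: List[Entry]) -> Dict[str, int]:
    """Count choices; anyone with a verified copy gets the same result."""
    return dict(Counter(str(e["choice"]) for e in ledger))


def published_head(ledger: List[Entry]) -> str:
    """Hash of the latest entry. Publishing it, or handing every participant a
    copy of the ledger, is what lets outsiders check the operator's copy."""
    return str(ledger[-1]["hash"]) if ledger else GENESIS_HASH
```

The chain check proves only that one copy is self-consistent: an operator who holds the sole copy could rebuild the whole chain with different votes and it would still verify. Detection therefore depends on the head hash being published, or on participants keeping their own copies to compare against, which is the "open, decentralized" part of the description above.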

Cybersecurity is a holistic concern. You should consider implementing best practices for cybersecurity across your institution, and keeping them up to date. If you rely on a large technology vendor like Microsoft, Google, or IBM, each provides specific cybersecurity resources and programs you can enroll in.

If you do find yourself on the receiving end of a serious cyberattack, several civil society groups and cybersecurity companies offer pro bono resources. These include digital 'hotlines', clinics, funding, and other forms of guided support. 

Regardless of who's maintaining the platform you're using, make sure it is actively maintained. Researchers discover new security risks in commonly used software every day, so the platform you're using must be regularly patched (updated) to address these discoveries. You can tell whether this is happening by checking when it was last updated: in the app store, in the platform's open code repository, or on its website, where the record of updates is often called a "changelog".
