Who is this Handbook for?

This Handbook was written with a simple goal in mind: to help your parliament develop an understandable and implementable cybersecurity plan. As the world increasingly moves online, cybersecurity is not just a buzzword but a critical concept for the success of parliaments, and the security of information (both online and off) is a challenge that requires focus, investment and vigilance.

Your parliament will likely find itself – if it has not already – the target of a cybersecurity attack. This is not intended to be alarmist; it is reality even for parliaments that do not consider themselves to be particular targets.

In an average year, the Center for Strategic and International Studies, which maintains a running list of what they term “Significant Cyber Incidents”, catalogs hundreds of serious cyberattacks, many of which target dozens if not hundreds of organizations at once. In addition to such reported attacks, there are likely hundreds of other smaller attacks each year that go undetected or unreported, many aimed at governmental institutions, legislative bodies, and political organizations.

Cyberattacks like these have significant consequences. Whether their aim is to disrupt parliamentary operations, damage your reputation, or even steal information that can lead to psychological or physical harm to your members or staff, such threats need to be taken seriously.

The good thing is that you do not need to become a coder or a technologist to defend yourself and your parliament against common threats. However, you do need to be prepared to invest some effort, energy, and time in developing and implementing a strong parliamentary security plan. 

If you have never thought about cybersecurity for your parliament, have not had time to focus on it, or know some basics about the topic but think your parliament could enhance its cybersecurity, this Handbook is for you. Regardless of where you are coming from, this Handbook aims to give your parliament the essential information it needs to put a strong security plan in place - a plan that goes beyond simply putting words on paper and enables you to put best practices into action.

---

What is a security plan and why should my parliament have one?

A security plan is the set of written policies, procedures, and instructions your parliament has agreed upon to achieve the level of security you and your team think is appropriate to keep your people, partners, and information safe.

A well-crafted and updated organizational security plan can both keep you safe and make you more effective by providing the peace of mind needed to focus on your parliament’s important day-to-day work. Without thinking through a comprehensive plan, it is very easy to be blind to some types of threats, focusing too much on one risk or ignoring cybersecurity until there is a crisis.

When you start developing a security plan there are some important questions to ask yourself that form a process called a risk assessment. Answering these questions helps your parliament understand the unique threats that you face and allows you to step back and think comprehensively about what you need to protect and from whom you need to protect it. Trained assessors, aided with systems like Internews’ SAFETAG auditing framework, can help lead your parliament through such a process. If you can get access to that level of professional expertise it is well worth it, but even if you cannot undergo a full assessment, you should meet with stakeholders across parliament to thoughtfully consider these key questions:

You can start answering these questions by creating a catalog of all your parliament’s assets. Information such as messages, emails, contacts, documents, calendars, and locations are all possible assets. Phones, computers and other devices can be assets. And people, connections, and relationships might be assets too. Make a list of your assets and try to catalog them by their importance to the parliament, where you keep them (perhaps multiple digital or physical places), and what prevents others from accessing, damaging, or disrupting them. Keep in mind that not everything is equally important. If some of the parliament’s data is a matter of public record, or information you already publish, they are not secrets that you need to protect. 

“Adversary” is a term commonly used in organizational security. In simple terms, adversaries are the actors (individuals or groups) that are interested in targeting your parliament, disrupting your work, and gaining access to or destroying your information: the bad guys. Examples of potential adversaries could include financial scammers, adversarial governments, or ideologically or politically motivated hackers. It is important to make a list of your adversaries and think critically about who might want to negatively impact your parliament and staff. While it is easy to envision external actors (like a foreign government or a particular political group) as adversaries, also keep in mind that adversaries can be people that you know, such as disgruntled employees, former staff, and unsupportive family members or partners.

Different adversaries pose different threats and have different resources and capabilities to disrupt your operations and gain access to or destroy your information. For example, governments often have lots of money and powerful capabilities including shutting down the internet or using expensive surveillance technology; mobile networks and internet providers likely have access to call records and browsing histories; skilled hackers on public Wi-Fi networks have the capability to intercept poorly secured communications or financial transactions. You can even become your own adversary, for example, by accidentally deleting important files or sending private messages to the wrong person.

The motives of adversaries are likely to differ along with their capacity, interests, and strategies. Are they interested in discrediting your parliament? Perhaps they are intent on silencing your message or disrupting parliament's work? It is important to understand an adversary's motivation because doing so can help your parliament better assess the threats it might pose.

As you identify possible threats, you are likely to end up with a long list which can be overwhelming. You may feel any efforts would be pointless, or not know where to begin. To help empower your parliament to take productive next steps, it is helpful to analyze each threat based upon two factors: the likelihood that the threat will take place; and the impact if it does.

To measure the likelihood of a threat (perhaps “low, medium or high,” based on if a given event is unlikely to take place, could happen, or frequently happens), you can use information you know about your adversaries’ capacity and motivation, analysis of past security incidents, other similar parliaments’ experiences, and of course the presence of any existing mitigation strategies you have put in place.

To measure the impact of a threat, think about what your world would look like if the threat actually did occur. Ask questions like “How has the threat harmed us as a parliament and as people, physically and mentally?”, “How long-lasting is the effect?”, “Does this create other harmful situations?”, and “How does it hamper our ability to achieve our goals now and in the future?” As you answer these questions, consider if the threat is low, medium, or high impact.

Once you have categorized your threats by likelihood and impact, you can begin to make a more informed plan of action. By focusing on those threats that are most likely to happen AND that will have significant negative impacts, you will be channeling your limited resources in the most efficient and effective way possible. Your goal is always to mitigate as much risk as possible, but no one – not the most well-resourced government or company on earth – can ever fully eliminate risk. And that is OK: You can do a lot to protect yourself, your colleagues, and your parliament by taking care of the biggest threats.