When Josh Levy woke up on the morning of Nov. 9, 2016, he knew that change was afoot, both political and social change. And he was worried about what that might mean for the security and privacy of the human rights activists and advocates he worked with through Access Now. He knew he wanted to do something, but he wasn’t exactly sure what.
He had been helping to connect people in the activist community with security experts on an ad hoc basis, but he thought there might be a way to formalize that process and make it more efficient.
“I’d been involved in promoting the work of digital security and found myself hustling to connect people. In the aftermath of the election, there were all those suggestions about use Signal, use Tor, and they were so out of context,” said Levy.
“There wasn’t any literacy in the community about how to threat model an organization and there was a lot of anxiety. I realized early on that it wasn’t enough to connect an organization to a provider. It was about, how do I even know what’s vulnerable? It became an idea of let’s develop a system helps facilitate entry into digital security.”
From those seeds nearly 18 months ago, grew the roots of what has become the Digital Security Exchange, a new organization that Levy describes as a modern version of the telephone switchboard concept. The idea is simple: An organization that has a need for security help gets in touch with the DSX, which then connects the organization to one of the DSX’s approved providers. DSX focuses on helping civil society organizations, including those that deal with issues such as immigration and gender equity, and also works with journalists and news organizations.
“There wasn’t any literacy in the community about how to threat model an organization."
Both the organizations requesting assistance and the providers in the DSX network go through an assessment and vetting process. Levy, the founder and director of the exchange, said providers--both individuals and organizations--need to have an existing member of the network vouch for them or have a couple of outside references.
“I personally get a lot of emails from people asking how they can help. So it shows you that there’s a lot of pent up supply of people who want to know what they can do,” said cryptographer and author Bruce Schneier, who is on the advisory committee for DSX.
“Their problem is, where do they go and how do they help? The return on investment for this is awesome and it’s powered by desire and expertise.”
Most of the organizations that DSX works with tend to have between 10 and 30 people on staff, and of the providers in the exchange, Levy said about a third are individual contributors and the rest are organizations.
The aid and advice that the providers in the Digital Security Exchange network give to organizations in need starts with an initial security and strategic assessment to get a sense of what’s needed and who can help.
"It's not a fair fight, especially when your adversary is Russia."
“You have to see what you’re dealing with. Do we need to go deeper and see what the other needs might be?” Levy said.
By nature and design, DSX is built to work with organizations rather than individual activists, journalists, or others in need.
“We’re better set up to work with intermediaries rather than the front line people. It’s just trended more and more in the direction of front-loading a strategic assessment of an organization,” he said. “I expected we’d be acting much more as the switchboard, facilitation connections, and getting out of the way. But organizations want more from us than that, and one of our guiding principles is building human trust.”
"It's about how to jump-start their security and get their work done in a secure way," said Jamie Tomasello, a member of the DSX advisory committee. "You hear generic advice and when like-minded organizations aren't talking with each other they may not realize that advice isn't appropriate for them. The consideratons could vary wildly based on the organization.
The DSX, Schneier said, can help level the playing field for groups that don't have the money, resources, or expertise to protect themselves.
"It's not a fair fight, especially when your adversary is Russia," Schneier said.