The Digital Security Ecosystem for Human Rights Defenders

While many organizations have documented cyberattacks against human rights defenders (HRDs), these threats are nonetheless significantly underreported. This is largely due to the challenging and often dangerous nature of their work. The Office of the United Nations High Commissioner for Human Rights defines an HRD not by a specific profession but by their actions and the context in which they operate. As outlined in the Declaration on Human Rights Defenders, they are individuals and groups dedicated to advancing human rights and eliminating human rights violations. This broad definition, which includes a wide range of work and advocacy, makes it incredibly difficult to identify and analyze all of the cyberattacks against them. Compounding the problem, HRDs may have limited knowledge on how to report an incident or a legitimate fear of reprisal if they do. This underreporting makes it very difficult to understand the full scope of digital threats HRDs face.

Yet, while digital threats are hard to track, the physical risks faced by human rights defenders are well-documented and extreme. In a 2023 survey by the Kvinna till Kvinna Foundation, three-fourths of the 458 women human rights defenders surveyed reported being threatened or harassed because of their work promoting women’s rights.¹ The foundation reported that almost one in four respondents had received death threats and 37 activists had survived attempted murders. A 2023 study by Front Line Defenders made clear the extreme risks faced by HRDs, documenting the deaths of 300 activists in 28 countries.²

Physical threats to HRDs have also moved into the digital world, including online abuse, surveillance, phishing attacks, malware infections, data breaches, and denial-of-service attacks. For example, Access Now’s Digital Security Helpline, which supports at-risk civil society members, received 3,709 requests for digital security help in 2023.³ Cybersecurity company Cloudflare blocked 108.9 billion cyber threats targeting organizations in human rights, journalism, and civil society—an average of nearly 325.2 million attacks per day over an 11-month period in 2024 and 2025.⁴ According to a 2024 report by the Center for News, Technology & Innovation, one in three journalists had been harassed or threatened in the past year. The report found that online abuse was a significant factor, with 78 percent of journalists who perceive themselves to be at “very high” risk reporting such abuse.⁵

This rest of this section identifies and discusses three key challenges human rights defenders face in protecting themselves from digital threats: (1) their prioritization of their primary mission over cybersecurity, (2) threat environments that differ dramatically depending on region and area of work, and (3) global cybersecurity support systems that are fragmented and uncoordinated.

Human rights defenders and small nonprofits often work with limited resources. While cybersecurity is becoming a priority across all sectors, these organizations face unique challenges due to small teams, budgets, and a focus on their core mission. A 2025 report by NetHope found that only 31 percent of nonprofits considered their cybersecurity budgets to be adequate. Additionally, only 17 percent of these organizations reported having a dedicated chief information security officer in 2025, further highlighting the significant staffing gaps.⁶

The consequences for organizations that lack the resources to invest in cybersecurity can be devastating, as illustrated by a Brazil-based media outlet focused on deforestation in the Amazon. The outlet consisted of just three staff members, each of whom wore multiple hats—as journalist, website manager, funding coordinator, and environmental advocate. In 2023, soon after the organization began referring to itself online as a feminist organization, the organization was hit with a protracted denial-of-service attack that took its website offline for a week. To restore access, the organization had to hire a tech firm at the cost of 5,000 Brazilian reals (about $900)—a significant portion of its annual operating expenses.⁷

The lack of investment also extends to crucial areas such as digital skills training. A 2018 report by Microsoft and NTEN found that 59 percent of nonprofits had not provided any cybersecurity training to their staff.⁸ This gap persists. A November 2024 report published by the Center for Long-Term Cybersecurity at the University of California at Berkeley found that 53 percent of San Francisco-based nonprofit organizations do not offer any type of cybersecurity awareness training.⁹ This is concerning, especially as the sector is rapidly adopting new technologies. (For example, as of 2025, 83 percent of organizations had acquired threat detection and response tools, up from about 70 percent in previous years.¹⁰) The president and CEO of a small nonprofit surveyed for this report noted that while cybersecurity had become essential for his organization’s work, choosing the right tools was difficult and resource-intensive. “For every application we use, there are at least three more we’ve heard of but can’t properly assess,” he said. “We have to think about cost, how long it will take to implement, whether we’ll need to train staff, and if the tool will still meet our needs six months from now. We’re often making decisions in the dark, unless we can get guidance from someone who really understands the threat landscape.”

The situation has become more uncertain following the Trump administration’s closure of the U.S. Agency for International Development (USAID) in July 2025. The shuttering of USAID resulted in the elimination of an estimated $150 million that directly funded journalism and media support, as well as funding for related digital rights and freedom of expression programs. This has had a devastating impact on crucial support systems, forcing digital security helplines and other services to shut down or reduce aid to at-risk groups. For example, Internews’s digital safety initiatives that were funded by the U.S. government were brought to a halt, leaving independent media organizations more exposed to digital threats.¹¹ In addition, the 988 Suicide & Crisis Lifeline’s specialized services for LGBTQ+ youth were terminated, removing a vital resource for a vulnerable population.¹²

As a result, many nonprofits in high-risk areas have been disproportionately affected, particularly on the cybersecurity front. According to a survey conducted by the Tech Global Institute, 71 percent of digital rights organizations in “global majority” countries had scaled back programming in the first three months of 2025 due to funding challenges.¹³ In sub-Saharan Africa, according to an Internews report, the loss of U.S. government funding has affected programs across the region, including the Adisi Cameroun initiative in Cameroon, which has lost 80 percent of its funding for open data, digital rights, and journalist training. In countries such as Ethiopia and Zimbabwe, the same report states that media partners have had to cut up to 80 percent of their staff and reduce operations, further impacting media operations.¹⁴ This loss of direct funding and specialized security support leaves these organizations even more exposed to digital threats.

Digital threats targeting human rights defenders are specific to the context in which they work, including the region and political landscape. This means there is no universal threat model that can serve all human rights defenders worldwide. Instead, security strategies must be uniquely tailored depending on the threats or perceived threats by the user, which makes providing protection and advice a challenge.

For example, an environmental activist in Brazil faces threats from a mix of actors, including paramilitary groups, corporate interests tied to environmental exploitation, and state-based actors who are opposed to the activists’ goals. A 2003 Global Witness analysis identifies the Amazon, where environmental and land rights activists are often targeted with violence and assassination attempts due to their work, as one of the most dangerous places in the world for activists.¹⁵ This is a different threat model from that faced by an activist in China, where the primary adversary is a highly technical state operation. The technical environments of these countries make the cyberattacks look different. For example, China maintains a closed internet system designed with state surveillance built in at the infrastructure level. As a result, activists there face constant challenges with tracking and surveillance and have limited access to tools such as virtual private networks. Freedom House cites the widespread use of surveillance networks and censorship to monitor and suppress criticism against the state as a rationale for maintaining China’s “not free” rating.¹⁶

The disparity in threat models creates a challenge for security professionals and organizations aiming to protect activists globally. One security strategy may be effective against physical threats in one region but could be inadequate in another. This forces organizations to develop and maintain multiple, specialized security protocols, which can be costly and can lead to security gaps. This approach can leave activists in certain regions exposed to threats that their security plan is not designed to handle.

Compounding these external threats is the inherent insecurity of the technology available to many human rights defenders. Due to limited resources, these groups often rely on consumer-grade or low-cost software that lacks robust security protections. Even when more secure tools exist, they might be unaffordable, as large software companies charge premium prices for enterprise versions with better protections. Even their discounted pricing schemes for nonprofits often leave crucial security features out of reach.

Furthermore, the principle of “secure by design”¹⁷—which mandates that security be a core component of a product from its inception—is rarely applied to tools accessible to the nonprofit sector. For example, many constituent relationship management systems and case management tools used by nonprofits lack the necessary security controls to protect sensitive data. This risk was highlighted by the 2020 Blackbaud ransomware attack, which compromised millions of donor records due to the failure to implement basic secure-by-design features such as multi-factor authentication.¹⁸ The inability of HRDs to acquire state-of-the-art cybersecurity protections—because of affordability or any other reason—leaves HRDs in a dangerous predicament in which the tools they rely on can actually increase their risk, resulting in sensitive information being stored on servers vulnerable to targeting or surveillance by an adversary.

The ecosystem surrounding the digital security of human rights defenders is an uncoordinated and complex landscape. This ecosystem is composed of a variety of actors—both those providing support and those posing threats—whose actions are often isolated from one another. While many of the efforts of specific support actors are effective, the lack of coordination prevents the formation of a unified safety net, leaving HRDs with significant protection gaps. There are three main actors that play large roles in providing cybersecurity support to HRDs: (1) civil society organizations, (2) private sector companies, and (3) governments.

The Role of Civil Society Organizations

Within the broader landscape of civil society, a subset of organizations provides essential digital security training, threat awareness, and advocacy on human rights issues worldwide. For example, Access Now operates a 24/7 Digital Security Helpline that has responded to thousands of incidents, offering direct emergency support to human rights defenders under attack. Organizations such as Global Cyber Alliance, CyberPeace Institute, and Common Good Cyber also provide crucial incident response services and resources to protect vulnerable groups.

However, beyond these well-known organizations, a less visible but highly critical ecosystem of specialized protection and rights groups provides direct, on-the-ground support to HRDs. This includes groups with a global footprint such as Open Briefing as well as region-specific groups like Digital Security Lab Ukraine and CyHub Armenia. These actors, along with prominent research and advocacy groups like Citizen Lab and Amnesty Tech, focus on the high-risk, direct work of defending activists, investigating cyberattacks, and providing targeted support.

Unfortunately, many of these efforts struggle to keep up with demand due to unreliable funding and a lack of scalable services. Many of these groups rely on short-term project grants that are often designated for set outcomes, such as training workshops or advocacy campaigns. This is compounded by a challenging funding model for human rights work, which has been compromised by cuts from major funders, including USAID. This funding model rarely covers the long-term, sustained costs of managing digital security infrastructure, staff salaries, or the development needed to build long-term solutions. As a result, these organizations are often in a constant state of fundraising and diverting resources from their mission to deal with costly cybersecurity needs, making it difficult for them to plan for the future. A 2024 study by the Institute for Voluntary Action Research found that 92 percent of the 1,241 charities surveyed identified better access to multiyear funding as a top priority.¹⁹

In addition, organizations that provide cybersecurity services to HRDs are frequently targeted themselves. For instance, in 2023, the International Press Institute (IPI) published a report on a series of coordinated denial-of-service attacks against more than 40 Hungarian media websites critical of Prime Minister Viktor Orbán’s government.²⁰ After publishing the report, IPI itself was targeted by a denial-of-service attack that lasted several weeks and was responsible for taking down its website for multiple days.²¹

The Role of Private Sector Companies

In the last 10 years, a number of private sector companies have launched initiatives offering pro bono protection against cyberattacks or discounted access to technology services. These efforts are driven by a desire to help vulnerable communities but also strategic goals such as improving public relations, enhancing brand reputation, and identifying future commercial opportunities.

However, the technology and products offered are often not designed for the unique threats faced by HRDs and focus on protecting business data, not safeguarding individuals from cybersecurity threats such as data exfiltration or surveillance. A typical corporate security model focuses on protecting business data and infrastructure from financial and operational threats, whereas the threat model for a human rights defender is about safeguarding an individual from state-sponsored surveillance and other sophisticated attacks. This distinction is critical because tools built for corporate needs often fail to protect against tactics most frequently deployed against individual HRDs.²²

Even when companies offer free services, organizations may be hesitant to use them if they are required to turn over sensitive personal information to gain access. This is because governments can legally compel technology companies to produce user data under local law, often citing law enforcement or national security concerns. Cloudflare highlighted this trade-off in its comment on a proposed Commerce Department “Know Your Customer” rule, arguing that such broad data collection would not stop malicious actors but would instead “meaningfully restrict access to necessary services for those who most need them.”²³

In some cases, businesses are actually compounding the threats faced by HRDs by selling sophisticated surveillance technology to governments. This has given rise to a largely unregulated surveillance-for-hire industry. Companies such as Israel’s NSO Group and Germany’s Finfisher have reportedly sold spyware to governments with an established track record of abuse against civil society organizations. For example, NSO Group exploited a WhatsApp vulnerability in 2019 to install spyware on the phones of HRDs via a simple missed call.²⁴ In 2023, a joint investigation reported that the Mexican military used NSO Group’s Pegasus software to spy on human rights defender Raymundo Ramos and his communication with journalists.²⁵ Operating with little oversight and often hiding behind national security policies, these firms make it nearly impossible for victims to seek accountability for the resulting human rights violations. In response to the growing use of commercial spyware, the Biden administration in 2023 issued an executive order prohibiting U.S. government agencies from using commercial spyware that has been misused to target activists and journalists.²⁶

The Role of Government

The role of governments in protecting HRDs online is filled with contradictions. On one hand, a number of democratic governments have established crucial support systems. For example, the Freedom Online Coalition brings together 42 countries to diplomatically oppose internet shutdowns and censorship. The Open Technology Fund continues to provide essential grants for privacy-enhancing communication tools like Signal and Tor, despite facing funding freezes and legal disputes from the Trump administration. Nations such as Canada, the Netherlands, and Norway consistently provide financial support for NGOs that offer emergency assistance and digital security training.²⁷

However, this support is often at odds with domestic politics and geopolitical priorities. For many HRDs, the government is not a potential partner but a primary threat actor. This is evident in the case of Rose Njeri, the Kenyan software developer who was arrested in May 2025 for creating a website to facilitate public opposition to a controversial finance bill. Her arrest, and a broader government crackdown that led to at least 60 deaths and over 2,000 arrests, illustrates the state’s role as a potential adversary.²⁸ In June 2025, a Citizen Lab report detailed a Russian government-linked social engineering campaign that bypassed two-factor authentication to target activists.²⁹

Even within the nations that support human rights online, internal contradictions are common: A government may fund privacy tools with one hand while expanding its own domestic surveillance powers with the other. For example, the United Kingdom is a member of the Freedom Online Coalition, but in 2016 it passed a law—the Investigatory Powers Act—that has been criticized by Amnesty International for legalizing bulk data collection.³⁰ In France, the government advocates for digital rights internationally but has repeatedly expanded its domestic surveillance laws with powers that Human Rights Watch warns could be used to target activists.³¹

The United States also exemplifies these competing priorities, showcasing the shifts that can happen within a democratic country with a change in administration. While the Cybersecurity and Infrastructure Security Agency launched the Joint Cyber Defense Collaborative, an initiative to defend high-risk communities, the effort has been undermined by the shifting political agenda of the Trump administration. And while the Biden administration elevated the issue of internet freedom and digital rights, in 2025 the Trump administration has scaled back the State Department’s annual human rights reports; reduced staff for the Bureau of Democracy, Human Rights, and Labor; and rolled back funding for the civil society space.³²

This kind of ambivalence is also evident at the international level. Without effective international cooperation and with conflicting policies among democratic nations and pressure from authoritarian countries, coordinated global support for these groups remains lacking. As a result, the response remains ad hoc, leaving groups to struggle with a complex and often contradictory set of priorities.