A key question has emerged since we initiated the Network strategy development process: what does digital resilience mean for each Network member and for the Network as a whole?
This question first arose during one of the Network’s online meetings in May 2022, where members began to understand each other’s work by sharing their diverse perspectives on how can organizations trust their infrastructure. For some members, digital resilience meant transitioning away from closed-source commercial tools to self-hosted, secure, and open-source alternatives. For others, this transition from closed to open-source tools represented a political statement against the centralization of internet services by big tech companies, and it aimed to regain ownership of their organization’s data. On the other hand, for others, outsourcing hosting, even to trusted parties, resulted in a loss of control over their data, but it was less resource-intensive than managing their own infrastructure.
This discussion highlighted the diverse range of enriching expertise and approaches to achieving “resilient” infrastructures within the Network. It also underscored the need to establish a framework for defining a loose term like “digital resilience”.
Inspired by an exercise that The Engine Room has conducted to define digital resilience, which was revisited in 2023, we facilitated a follow-up discussion where members shared keywords triggered by the term “digital resilience.” It was revealing to see how the collective answers expanded the definition of “digital resilience” beyond the realm of infrastructure to include human practices and institutional policies.
A resilient infrastructure is one that uses open source and decentralized tools, gives ownership and control to organizations over their data. It consists of software and hardware that adopts security by design, along with plans for redundancy and rapid recovery in the event of a digital attack. Others view a resilient infrastructure as one that provides tools accessible across different contexts, languages, and for staff with varying levels of experience and internet constraints.
Infrastructure alone cannot be resilient if it is not accompanied by a culture that promotes privacy across institutional and staff practices. This culture starts with organizations using tools aligned with its values such as open-source software. Some members shared that transitioning to open-source tools was not as simple as pressing a button. It requires periodic reminders to staff about the reasons behind this transition, achieved through continuous awareness, feedback collection, and iterative training. This process of internal knowledge sharing with staff should extend to continuously documenting digital attacks and sharing methods to mitigate them. This is especially important among organizations that provide digital forensics support.
Promoting institutional practices and moving towards solid infrastructure needs policies. These policies prepare for the worst case scenario to be better able to react to digital attacks, but hope for the best – where no incidents occur. Members shared the development of policies addressing disaster recovery plans, security frameworks, standards, and the principle of “data minimization” when storing or collecting sensitive data.
While we seemed closer to answering the question of what ‘digital resilience’ means, we were faced with other multiple questions about how to start translating this term into practical activities. How can this Network, through the framework definition of digital resilience, meet the diverse needs of organizations while also identifying common priorities?
Based on this exercise and discussion, we developed an initial framework. Digital resilience involves having the capacity to:
- Anticipate and study attacks, risks, security compromises, pervasive technological developments and vulnerabilities impacting on the infrastructure and people;
- Respond in times of security crises and emergencies and to pervasive tech developments;
- Recover after incidents, mitigate and heal the impacts on both the infrastructure and – to the extent possible – people;
- Create alternative models to colonial tech developments and related issues;
- Adapt to changing contexts and new tech developments, prioritizing the well-being of persons and communities; and
- Benefit from and have control and ownership over technology developments.
Digital Resilience as a Collective Act:
Even after reaching this Framework, additional layers the Network’s framework of digital resilience kept emerging. In a panel that took place at the Forum on Internet Freedom in Africa (FiFAfrica22) in Lusaka, Zambia, members reflected on the collective approach of digital resilience, as opposed to an individual perspective developed in Global North contexts. For them, what unites organizations and people from the Global South is “sociability”. However, most tools and resources on digital security that are designed in the Global North are designed with an individualistic notion towards digital security, rather than a collective, community-minded one. Digital resilience should be a more holistic, community-minded expansion of “digital security”.
These definitions and reflections served as the basis for brainstorming what the Network could become and achieve from learning and sharing knowledge. In specific to anticipate, respond, recover, create, adapt to digital threats.
As resilience also implies the flexibility to address changing realities, we acknowledge that this framework is preliminary, and revisiting this question will remain relevant during the Network’s initial years of development.
Pingback: The Engine Room joins launch of Global Network for Social Justice and Digital Resilience | The Engine Room