Cloudflare’s Five-Year Project to Protect Nonprofits Online

Credit to Author: Lily Hay Newman | Date: Wed, 12 Jun 2019 13:00:00 +0000

In May 2018, the Middle East-focused free speech and information access group Majal suffered a major cyberattack. Someone had managed to infiltrate a Majal Amazon Web Services account, access a content repository and backups, and wipe out six months of user data and posts across the organization's various message boards and social media platforms.

"The more time we took trying to figure out what was going on, the more damage the hackers were doing," says Bahrain-based Esra’a Al Shafei, Majal's founder and director. "I remember my heart was beating out of my chest, because this is my life’s work that was falling in front of me—a lot of years of investment, people risking their lives to produce this kind of content, people who had risked deportation, imprisonment for the kind of content that we host on our platform."

Majal eventually reconstructed the lost data from offline backups, but the incident underscored to Al Shafei how vulnerable the organization was online. Majal faced DDoS attacks, defacements, and malicious script injections for years but couldn't afford pricey digital defenses on its shoestring budget. So Al Shafei wrote to the internet infrastructure firm Cloudflare and its initiative called Project Galileo, which offers free defense tools and technical support to human rights groups, activists, journalists, and artistic organizations around the world.

"We used to think maybe we should just shut down, because we thought if we can’t protect our users, what’s the point?" Al Shafei says. "But things have been a lot more stable since we joined the program in August. And knowing that that capability is out there is very comforting—that when we get attacked someone will collaborate with us."

Project Galileo, launched five years ago in June 2014, has grown to support nearly 600 organizations. The service is often compared to Alphabet's Project Shield, first announced in October 2013, which also provides free DDoS protection and other defenses to vulnerable humanitarian and free speech groups. But multiple Project Galileo users, along with Cloudflare itself, note that organizations benefit from having choices about who to work with. Cloudflare's CEO Matthew Prince says that he wishes even more companies would offer similar services.

"In this time where so many tech companies are rightfully being criticized for being kind of myopic in their view, there’s plenty to criticize us for too, but Project Galileo is one of those things that we’re incredibly proud of," he says. "Especially when there are well-resourced, state-sponsored attacks making sure that there are multiple lines of defense that people have. And even though the attacks that we see sometimes are really big and hairy—and do occasionally cause issues for us—we definitely will continue to do this."

Prince says that Cloudflare's work with Project Galileo clients is a big part of what emboldened the company to eventually offer free, unmetered DDoS protection to all of its users. In recent statistics collected for Project Galileo's fifth anniversary, Cloudflare found that every organization that uses the services had dealt with digital attacks over the last month, and 60 percent experienced daily attacks. Some of this is par for the course on the internet these days, given the prevalence of sweeping, untargeted attacks that aim to find any weakness possible on any site. But Prince says that Project Galileo users are more likely than most to experience pernicious, targeted attacks.

Rather than project its own politics onto decisions about who should receive free services, Cloudflare works with an advisory board of organizations like Amnesty International and the Center for Democracy & Technology to vet coverage requests. A green light from any single partner—which started as a cast of 15 and is now up to 28—is enough for approval. And Project Galileo will cover both nonprofits and small commercial entities, just so long as they have a demonstrated need and are doing politically or artistically important work.

"We won’t let our commercial interests stand in the way of this, so we really do outsource it to the group of 28 organizations," Prince says. He adds that there is generally at least one request per day for an organization to join Project Galileo.

For many groups, the big value of Project Galileo is that it helps balance traffic spikes—both legitimate and malicious—and gives organizations access to analytics and system logging, so they can understand how people use their sites and track any suspicious activity more easily. For example, VOST Portugal, a communication organization in Portugal for natural disasters and other community crises, alerts Cloudflare when an incident occurs that may trigger a spike in legitimate traffic to its site.

"In April 2019 there was a huge fuel crisis in Portugal, so we set up the website and we had a form going around crowdsourcing information about where people could still get gas and where they couldn't," says Jorge Gomes, VOST Portugal's co-founder. "We got like 200 people on the site in the first 10 minutes. Two hours later we had 12,000 people on the site. In 24 hours it had 12 million page views."

But in addition to all the legitimate traffic the service needs to handle, Gomes says VOST Portugal also faces hackers—whether script-kiddies or more sinister attackers—trying to take down the site with DDoS attacks and other manipulations. Between the two types of strain, it would likely be impossible for VOST Portugal to stay live consistently without Project Galileo, Gomes says.

Reliability and international accessibility are also the main priority for equality activists at Women’s March Global. Its interim executive director, Uma Mishra-Newbery, says that ensuring the security of the group's site is also crucial to protecting the identities of people working on Women's March Global campaigns, or even just taking an interest in the organization's work. "We’re directly calling out really oppressive regimes—regimes and governments that are known to target women human-rights defenders, patrol social media sites, and silence activists based on their activity online—so the privacy aspect is incredibly important," she adds. "Without Project Galileo we wouldn't be able to have that assurance for the work that we are doing."

Through the program, organizations say that they get hundreds of dollars per month in free services from Cloudflare—services that they likely couldn't afford otherwise. And while some cloud providers like Amazon Web Services offer various voucher programs or other assistance to nonprofit and humanitarian organizations, many say that cloud costs alone are overwhelming, making cybersecurity a luxury most can't access without initiatives like Project Galileo.

"The hoops that Silicon Valley makes us jump through—it just pisses me off so much," Majal's Al Shafei says. "I know activists who are selling furniture to keep their sites up, people selling their cars. I sold my car! It’s not sustainable, because we don’t have enough allies in the field."
