by John Edmiston (Cybermissions) with advice from Pete Holzmann (ICTA)
Differing approaches to missionary security go back at least as far as the New Testament. On one hand we have Paul, whose incredible boldness caused concern to others and who had to be rescued from rioting mobs on numerous occasions. Paul attaches long lists of names to his epistles, freely discloses his travel plans and is 'completely out in the open' as far as information security goes. He even goes to Jerusalem despite the warnings of close friends, prophets such as Agabus - and to the obvious discomfort of James and the brethren. For Paul security was simply not a major concern.
On the other hand we have the apostle John. His brother James is beheaded by Herod (Acts 12:1,2); next, his good friend Peter is arrested and put in jail, awaiting execution. At this point John is the only 'free' member of the three apostles who were closest with Jesus (Peter, James and John), and so John 'vanishes' from the record of Acts, and even from the greetings at the end of Paul's epistles - which is rather strange considering both men ministered in Ephesus! For forty-five years or so we hear nothing of John until his gospel, epistles and Revelation appear in the eighties and nineties AD. And when they do appear they are coded and cryptic, they do not have long lists of names and personal greetings nor do they give detailed travel plans. They say things such as: 3 John 1:13-14 MKJV I had many things to write, but I will not write to you with pen and ink, (14) but I trust I shall shortly see you, and we shall speak face to face. Peace be to you. The friends greet you. Greet the friends by name.
John seems to have been much more security conscious than Paul – and yet both were undeniably apostles and very great men of God who helped shape both the Scriptures and the Church. As one wit remarked when I pointed this out, 'Paul got more press, but John lived longer!'
Undoubtedly personality, theology and temperament had a lot to do with their approaches, but the type of persecution each faced was significantly different. Paul's early experiences of persecution were from bands of Jewish agitators who had limited ability to intercept his letters to the churches. There is no N.T. record of systematic, government-level persecution of Paul (who seems to have easily made friends with Roman officials).
For Paul, standing up to the agitators who were trying to silence both him and the gospel was the correct thing to do. Paul also had the context of being single (1 Cor 7:8) and thus did not have to consider protecting his family.
In contrast, John's experience of persecution was at a government level – first the insane Herod, and later the persecution of Diocletian where any misspoken phrase or loose scrap of paper could lead to someone being burned alive. For John, keeping the Church safe from inadvertent catastrophe was the priority. John was also probably married (1 Cor 9:5), and that would have been a contributing factor to his security-consciousness. Both approaches to security are found in missions work today – sometimes in the same organization, and this can result in some very significant tensions.
may be going a bit far, but I think the very different approaches that Paul and John had to information security largely prevented their networks from working together, even when in the same city (such as Ephesus). John's network leaders would simply have felt unsafe around Paul and his disciples. While they would have preached the same Christ, they would have had different leadership structures, different house churches and baptism policies (Paul baptized on the spot, but there is much evidence that in other areas there was a long testing period to weed out false disciples first) and different methods of operation. In time Paul's networks combined with Peter's and coalesced into the Western or Roman church, while John's network remained distinct and became the Orthodox Church.
Differing approaches to security may also have been part of the reason for the historic WEC/UFM split towards the end of the life of missionary pioneer C.T. Studd. Even today there are tensions both within and between agencies. Trust is broken easily and takes a long time to build. A head office wire transfer containing too much detail e.g. 'for Bibles' can alienate the field staff whom it impacts. And a single foolish mistake by an unwise youth on a short-term missions trip can result in that whole agency being 'blacklisted' by other agencies working in the same country.
In the rest of this article I will focus on 'information security' – that is, how we separate out the information we keep secure from that which we keep out in the open for all the world to see. And I will also ask the question: “How do we create a culture of caring about the consequences of communication?” Because, as the WW2 poster used to say, “Loose lips sink ships.”
What Is Information Security?
Information security, computer security and information assurance are closely related but different terms.
Information security is wider than computer security and deals with information as a whole and so may concern something written by hand or even oral communication. Information security will include the terms and language you use, as well as all the communication media – landlines, mobile phones, Skype, laptops, PCs and various hand-held devices.
Information security experts use terms such as confidentiality, integrity, authenticity, possession, utility and availability of information. I will boil all this down to the identification, separation and preservation of confidential information that could potentially compromise your ministry. Identification means you have policies that help people accurately identify what is confidential (finances and specifics such as names, places, and meeting venues) and what is not confidential (general publicly available information about your agency). Confidential information is any specific, real-time information (in contrast to general statements) that can form a basis for action by an enemy.
Separation means you wall the information off so that (supposedly) only those who should see it, do see it. A safe or an encrypted hard drive is a simple form of such separation, as is a locked file cabinet or an old briefcase used just for confidential papers. Preservation means that the information is kept intact and can be retrieved in an intelligible format. This includes such things as backups, decryption keys, virus-scanning to prevent data corruption, and checking of physical media to ensure that data is not scrambled.
What Missions Are Currently Doing In This Area
I did some research into this issue in the form of an online survey that was answered by 62 people (full survey analysis available upon request). In brief, the most security conscious were listed as being: a) Western missionaries, b) the IT staff and c) those in creative access ministries. Those who were least security conscious were listed as being: a) older missionaries, b) head office bureaucrats, c) those who preferred to 'just trust the Lord', d) those whose work computer was also their home computer, e) supporters back home, f) partner ministries that use inappropriate stories in publications and g) some national missionaries.
Many of the responses indicated a high level of emotion among many of the survey participants with some 'us vs. them' polarization occurring between the most security conscious and least security conscious groups due to their differing age, as well as their cultural and theological perspectives. People reported anger and confusion around the implementation of information security policies and people divided between 'we trust God and pray' and those who want absolutely every possible security contingency covered (which is not practicable).
The following question was asked about the kind of security policies that were in place: Do you have specific policies for security in regard to: (tick all that apply) (Statistics were only taken from completed responses)
Email - 71%
Viruses, malware, phishing, scams - 58%
Server network security - 50%
Web browsing - 47%
Laptop security - 42%
Use of Internet cafes - 37%
Hard-drive encryption - 26%
USB / Thumb drives - 26%
Other - please specify - 24%
I have no idea of what policies we may or may not have - 16%
We do not have any information security policies - 11%
I found it remarkable that over a quarter (27%) either had no information security policies or had no idea of what such security policies were. Email, viruses and server security seem to be the main concern of the security policies that did exist.
Covenanting To Keep Each Other Safe
Because of the Internet, links between missionaries in different agencies are now very extensive, and missionaries in an agency with good security practices may be compromised by a missionary in another agency with very poor security practices. Security is only as good as the weakest link, and the weakest link is often in the publicity department at mission HQ! The dramatic stories that are good for fund-raising are also the material that can cause serious problems on the field. We have to covenant to keep one another safe.
At a recent large missions gathering in Thailand, the story was told of people visiting a certain closed country on a short-term missions trip, who were expressly told not to hand out tracts. On the way home one woman felt it was her duty to start throwing tracts out the bus window. They were soon arrested and taken for interrogation by the secret police. Within twenty minutes they were crying on the floor and within thirty minutes they had divulged the names of the local pastors and Christian leaders.
We have to do better than that! We have to care deeply about those who may be affected by our actions, and that should give us a 'holy restraint' that stops us doing things like throwing tracts out bus windows in closed countries! That is why I advocate for organization-wide policies that are understood and signed off on by everyone from the board chairman to the bus driver on the short-term missions trip. Detailed information security policies need to be created by each mission organization to suit its own particular requirements. These policies should be contained in a single concise document that should be personally reviewed and signed off on by all staff in each organization, including the leadership.
Of course, everything must be held in balance. There are good missionaries who recognize their lack of understanding, and are trusting the Lord to provide needed protection. They would love to act on the basis of more understanding... yet one thing was stated quite strongly: the basis of our security is Christ, not policy. No policy can be allowed to determine what we will or will not do.
How do we then proceed, given that in many contexts some increase in information security is desirable? First, information security practices might need to be greatly simplified to make them more user friendly. As far as possible, information security should be 'automatic' and built into the software, email systems and server systems used by missionaries. While it is acknowledged that perfect information security is impossible, greater security can be achieved by the thoughtful development of simple yet effective information security processes. Some of these simplified information security practices could
BASIC SECURITY (All missionaries everywhere, even in free countries)
1. Using free firewall software such as ZoneAlarm, and free anti-virus software such as AVG or Avira antivirus and free spyware and root-kit detectors such as Spybot Search & Destroy and AdAware – and regularly updating them.
2. Use CCleaner to remove cookies, browser history and general compromising 'junk' from your computer
3. Give some consideration to using a non-Windows operating system such as Apple OSX, Ubuntu Linux, FreeBSD, or OpenSolaris. You can still run your Windows programs by using a 'virtual machine' such as VMWare and they will run quite quickly. These non-Windows operating systems are generally quite secure and are far less targeted by hackers and virus writers.
4. The use of encrypted PDF files (for example PDFCreator for free software that does this easily) to store confidential information - especially when sending attachments. Having to use simple passwords to open files reminds the reader that they are confidential. For further security the ability to print, or to copy, cut or paste can be turned off in a PDF file.
5. Use strong passwords – longer than 12 characters and involving uppercase letters, lower case letters, numbers and punctuation. The more scrambled up the better. For instance get a bible verse and take the numbers and jumble them up between the letters and add some punctuation on the end to get at least 12 characters - so John3:16 might become J3o:h1n6!?@> - a much stronger password.
6. Do not get the 'latest and greatest' - wait at least six months until the security issues have been found and patches fixed. For new releases of MS Windows or Microsoft Office, wait one year.
7. The use of the same free / low-cost 'seamless' encrypted email across all members of the organization (it is then as pain-free as sending a normal email).
8. The regular use of Google and other search engines to check what is 'out there' in cyberspace about the ministry - and even to ask people to remove confidential information from a website. It may also be wise to Google for any sensitive email addresses.
9. Training all staff and partners in the difference between what is 'confidential' and what can be shared freely, especially when fund-raising or in newsletters.
10. Merge with your context. For instance, using Linux in Africa or China is fine because it has a strong following in those places but in some other countries it may look 'geeky' and attract attention. Also, selecting unusual hardware or software means that a typical user is a) less likely to understand how it works; b) less likely to have a community of friends who can help them use their technology well; c) more likely to be identified as an "outlier" simply on the basis of the unusual tools they use. It's worth considering the selection of tools that fit in well with those in the neighborhood (whatever that may mean). This applies not only to OS but also to email practices.
11. Stay away from politics in all publications and communications both on-field and at HQ, as it is often a brochure with a strong political statement that alerts a government to commence surveillance of the organization.
12. Do not publish sensitive conversion statistics, particularly of Hindus or Muslims, as this will cause them to defend their religion - by finding and persecuting the converts in that area.
13. Do not keep any confidential information of any sort on servers connected to the Internet.
14. Use a high-quality shredder for all financial and confidential paperwork.
MODERATE SECURITY (Most missionaries in the 10/40 Window, occasional light surveillance)
15. 'Need to know' basis for information sharing. This includes yourself. Evaluate whether you really need to know a particular piece of information.
16. Be 'semi-paranoid' and make people earn your trust.
17. Do not use Skype. It has been compromised by most governments.
18. Do not use Internet cafes - not only a high virus infection risk but key-stroke loggers are common and can record everything you type and send it to those watching you.
19. Do secure web browsing using Sandboxie, Green Border or multiple proxy servers.
20. Do not use cellphones in some countries, particularly in police states, as mobile phones can not only be listened in on, but their microphones and cameras can be turned on remotely. Removing the battery is the only safe way to prevent this.
21. A forest is a great place for a sensitive conversation. It is very hard for others to listen undetected, even using wireless electronics (which do not work well in greenery).
22. The use of free software such as TrueCrypt as a way to create encrypted hard-drives or encrypted 'file containers' within hard-drives – and the use of these encrypted partitions for all highly confidential data. It just takes a little practice.
23. Generate as little confidential information as possible. Do not ask for specifics (such as full names, addresses, etc.) that might compromise people.
24. Keep a low profile, be useful, friendly and non-annoying. Take care with financial transactions so that no one is ever burned or gets a grudge against you (and thus has a motive to betray you).
25. Do not have large, obvious meetings. Do not have all the converts or church leaders in one place at one time (so they can all be arrested at once).
26. Train your memory so that records of appointments and other compromising information do not have to be kept on paper in sensitive situations.
27. Use a "split messages" policy. If you need to share a confidential message, break it apart and send via different paths. You might send one element (e.g. date or location) by email, then make a phone call or fax to send the rest.
28. Appoint someone in your team to be your 'security consultant' who updates computers regularly and who does the necessary nagging that is required to keep people secure.
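The 'split messages' idea in item 27 can be taken one step further than sending the date by one path and the place by another. The following is an added example, not part of the original article: it splits a message into shares so that every share is needed to rebuild it and any single intercepted share reveals nothing about the wording. The function names, the hex encoding and the 4-byte damage check are assumptions made for this illustration.

```python
import hashlib
import secrets

TAG_LEN = 4  # bytes of SHA-256 kept as a damage check (assumed length, not a MAC)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_message(message: str, paths: int = 2) -> list[str]:
    """Return one hex share per path; every share is needed to rebuild."""
    if paths < 2:
        raise ValueError("a split needs at least two paths")
    body = message.encode("utf-8")
    data = body + hashlib.sha256(body).digest()[:TAG_LEN]
    # All shares but the last are random bytes as long as the data.
    shares = [secrets.token_bytes(len(data)) for _ in range(paths - 1)]
    # The last share is the data XORed with every random share, so any
    # subset short of all shares is statistically independent of the message.
    last = data
    for share in shares:
        last = _xor(last, share)
    shares.append(last)
    return [s.hex() for s in shares]


def join_shares(shares: list[str]) -> str:
    """Recombine shares in any order; raise ValueError if one is missing or damaged."""
    raw = [bytes.fromhex(s) for s in shares]
    if len(raw) < 2 or len({len(r) for r in raw}) != 1 or len(raw[0]) < TAG_LEN:
        raise ValueError("need two or more shares of equal length")
    data = raw[0]
    for share in raw[1:]:
        data = _xor(data, share)
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    if not secrets.compare_digest(hashlib.sha256(body).digest()[:TAG_LEN], tag):
        raise ValueError("shares do not recombine: one is missing or damaged")
    return body.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample message, not taken from the article.
    parts = split_message("Thursday 19:00, east gate", paths=3)
    for path, part in zip(("email", "phone", "fax"), parts):
        print(f"{path}: {part}")
    print(join_shares(parts))
```

Each share is as long as the message plus the check bytes, so the length of the message is still visible to anyone who sees a share. The shares protect the message only if the paths are genuinely separate; two shares sent through the same mailbox are no better than one.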
HIGH SECURITY (Really tough places, extensive government-level surveillance)
29. There are no effective technical counter-measures that a missionary can take to counter determined government surveillance. The missionary must carefully evaluate whether God has called them to such a situation and the risk they may pose to themselves, their family and the national church. Western missionaries can unfortunately draw unwanted attention to those that they meet with in such countries.
30. A wise, consistent, respectful, God-honoring lifestyle is generally good security anywhere.
© Copyright, John Edmiston 2008