From the moment the Tibetan community came online we have faced persistent digital espionage. Over decades of being targeted, the community has grown capacities and resilience for defending against digital threats.

A key mission of Tibet Action institute is to defend against relentless cyber attacks and surveillance from China. Since its inception, the group has led campaigns for digital security awareness and training.²⁵ Efforts include digital security education campaigns focused on fundamental topics such as basic web browser security and how to prevent malware infection. These campaigns feature references to Tibetan culture such as the Detach from Attachments campaign that drew on Buddhist teachings to impart a similar message:²⁶

This type of behavior change can be an effective way to defend against targeted digital espionage. A study from the Citizen Lab found that in the early 2010s malicious file attachments were the most common threat Tibetan organizations received. The researchers found that simply not opening email attachments would have prevented over 95 percent of the threats the Tibetan groups in the study received.²⁷ These findings show that education is an essential foundation for increasing digital security defense. However, there is an inherent asymmetry between the digital defenses of Tibetan groups and the capabilities of the operators who target them.

State sponsored espionage operators have exponentially more resources to develop and conduct digital espionage than civil society has to defend themselves. As our review of digital espionage shows, threats evolve over time and are quick to adapt to changes in how the community uses technology and implements defenses. Changing the behaviour of a community is a slow and gradual process, while an adversary can evolve overnight. Therefore, while education and training are essential efforts that must continue, more was needed to sufficiently respond to the threat including a platform through which Tibetans themselves could enact their own cyberdefense instead of relying solely on outside support and through this platform elevate the skills of community members to provide this protection.

The Tibetan Computer Emergency Readiness Team or TibCERT²⁸ was started in November 2018 as a program of Tibet Action Institute as a way to combat the threats that Tibetans have faced and continue to face. TibCERT was a natural progression to the digital security work that Tibet Action Institute had been carrying out in the community for over a decade. It was about bringing all the stakeholders together and building a community wide response.

TibCERT follows the standard model for CERTS (Computer Emergency Response Teams) which are expert groups that handle computer security incidents. Countries have government run CERTS that operate on the national level tasked with protecting their country from digital threats. There are also sector level CERTS that facilitate threat intelligence sharing between companies in specific areas such as finance. TibCERT operates in this model to provide threat intelligence sharing, incident response, and technical support to Tibetan member organizations. TibCERT includes two main programs. TibCERT Recon focuses investigating threats facing Tibetans in exile and surveillance within Tibet, including this report. TibCERT Response facilitates knowledge sharing and collaborative threat mitigation among stakeholders. Forming a professionalized Computer Emergency Readiness Team for the Tibetan community represents a significant milestone in developing robust resilience to digital threats.

Lobsang Gyatso Sither, one of the founders of TibCERT, reflects on the motivations to start the group.

"There were a number of reasons why TibCERT was formed. It came from discussions internally and with partners at the Citizen Lab about how the Tibetan community in the diaspora has been targeted with spyware as a community and any solution that we develop must be community led.

At the same time, there was another reason which was about taking the online CERT space back for Tibet so that TibCERT is an entity responsible for protecting the digital space for both Tibetans inside Tibet and outside Tibet. Our goal is to build internal capacity and also standardize the structure of this community led initiative so that it can partner with global researchers on shared protocols."

To extend its reach, TibCERT has deployed Digital Security Ambassadors in major settlements in India, providing technical assistance and incident response to local communities. Additionally, TibCERT has initiated the TibCERT Response Hub Program, establishing hubs in Dharamshala, Mundgod, and Bylakuppe, where volunteers convene monthly to address community-specific challenges and implement solutions. In 2022, TibCERT expanded its reach by establishing two TibCERT Community Centers in South India, dedicated to addressing digital security challenges, particularly within monastic institutions.

Currently encompassing over 50 organizations and institutions, TibCERT seeks to broaden its reach within the diaspora community, offering incident response services for suspicious emails and assisting in the implementation of digital security policies. These efforts aim to foster a secure work environment and fortify the overall digital resilience of Tibetan individuals and organizations within the community and beyond.

The primary goal of this report is to empower Tibetans by fostering a sense of ownership and pride in confronting cyberattacks with unity and innovation. While the Tibetan community has made significant strides in coming together to address unprecedented digital threats and sustain the freedom movement in the digital age, it still requires substantial support and collaboration from global and security experts. The necessity of prioritizing digital security stems from decades of being targeted by government-sponsored espionage. However, Tibetans are not only ones facing such challenges - these threats extend to civil society globally.

Numerous investigations have revealed that the sponsors and operators of these operations often share common tactics, techniques, and procedures. This makes it crucial for civil society as a whole to adopt a similar approach, coordinating efforts to exchange knowledge and data about threats while sharing best practices for defense. Given the shared experiences of civil society groups worldwide in confronting information security challenges, a collective strategy may lead to more substantial results than tackling these threats in isolation.

Another goal of sharing the first hand experiences of Tibetans targeted by digital espionage and how our community responds to this challenge is informing and providing inspirations to other human rights groups who may just be becoming aware of digital espionage.

The Tibetan community must continue to work together to maintain resilience to digital espionage and the long reach of China. We also must stand in solidarity with civil society groups around the world that are facing transnational repression from authoritarian regimes. Together we can empower each other and form a more secure, free, and open Internet that enables movements to create positive social change.

This report in its entirety aims to put a face to these attacks and underscores how these attacks impact real people and at the same time, how community led initiatives are key towards building resilience.