Creating a Culture of Online Safety: Wikipedia’s Security team rises to new cyber challenges

Wikimedia
Nov 23

We sat down with the Wikimedia Foundation’s Director of Security, John Bennett, to discuss efforts to solidify Wikipedia’s security and the impact of a new $2.5 million investment from Craig Newmark Philanthropies.

Original image by Rasheedhrasheed, (CC BY-SA 4.0); with transformation by the Wikimedia Foundation.

The Wikimedia Foundation’s Security team is an often invisible force that works tirelessly to protect the information and software of Wikipedia and our other projects. The internet has changed a lot since Wikipedia was created in 2001, and that change has brought with it myriad new security challenges.

From our vast army of diverse volunteer editors who create and maintain the online encyclopedia and its companion projects, to the millions of people around the world who use them every day, our security experts protect our community’s privacy and ensure safe and secure access to invaluable educational resources, acting in real time to confront cyber attacks.

John Bennett, The Wikimedia Foundation. Image by Myleen Hollero, (CC BY-SA 3.0).

The Wikimedia Foundation’s Security team is committed to fostering a culture of security. This includes growing security functions to keep up with ever-evolving threats to the health of Wikipedia and the free knowledge movement at large.

It also includes equipping those who are closest to the challenges with appropriate knowledge and tools so they can make good security and privacy decisions for themselves.

The Wikimedia Foundation’s Director of Security John Bennett recently shared in the following Q&A how the Foundation is getting ahead of changing security vulnerabilities, as well as positioning itself at the cutting edge of championing privacy and security on our collaborative platforms.

The world has come to rely on Wikipedia’s knowledge. We are also living through a moment in history where we are seeing the greatest number of threats to free and open-source knowledge. As we have seen over the past few years, disinformation and bad actors online can pose huge threats to democracy and public health. Wikipedia volunteers work in real time to fact check and ensure the public has safe, reliable access to critical information.

Wikipedia’s continued success as a top-10 site with hundreds of millions of readers means that it will continue to be a target for vandals and hackers. We have to constantly evolve our security efforts to meet new challenges and the growing sophistication of hacking and malicious behavior.

Security and privacy are key elements in our work to be champions of free knowledge. Though fundamental, this behind-the-scenes work often goes unnoticed. You don’t recognize how important security systems are until they are broken. Investing in a culture of security now will allow Wikipedia to protect its record of the sum of human knowledge for generations to come.

This generous new funding is allowing Wikipedia and the Foundation to evolve with the times and get ahead of ongoing threats from hackers and malicious internet users. Over the next two years, we are boosting our security capabilities to an even more thorough level than where we’ve been before.

To take a step back, this investment from Craig is going to our Security team, which has the mission to serve and guide the Foundation and Wikimedia community by providing security services to inform risk and to cultivate a culture of security.

This donation is actually Craig’s second in support of our work. In 2019, Craig funded efforts to vigorously monitor and thwart risks to Wikimedia’s projects. That first investment allowed us to grow and mature a host of security capabilities and services. These include application security, risk management, incident response, and more. While threats to our operations happen nearly every day, we work proactively to prevent cyber attacks by following best practices, leveraging open source software to aid our security efforts, and by performing security reviews.

But to keep up with changing security threats, we need to do much more, and that’s what this new funding will help us to do — take our security to the next level. We’re very grateful to Craig for facilitating that. As the founder of craigslist, he has been a long-time supporter of the free knowledge movement and the work we do at Wikipedia, or as he calls it, “the place where facts go to live.”

We have developed a comprehensive three-year security strategy with three areas of focus:

First, cyber risk. Security risk is a tool that we use to assess potential loss and potential opportunity. It’s a framework for us to evaluate our priorities. We need to create a common language and understanding of risk within the Foundation and our communities. To that end, we will be rolling out a series of “roll your own” risk assessments for our staff and communities to learn about security and privacy best practices and equip them to make the best, informed decisions for themselves.

Second, security architecture. Through this pillar of work, we will deploy robust security services and capabilities for the Foundation and our community projects, including Wikipedia. There are two projects I am particularly excited about. The first is a new internal differential privacy service for those seeking to safely use and release data. This will enable our staff, volunteers, researchers, and others to consume and share data in a safe and privacy-respecting way. The second project is an effort to move application security practices and tooling closer to those people who are creating code, which will enhance our current security practice and add velocity.

Third, capabilities management. Our main goal with this area of our work is to get better at what we do. It is essentially an ongoing internal audit of our security work, with the ultimate goal of improving security efficacy and creating solutions for Foundation staff and community members. We will evaluate the effectiveness of all of our security and privacy services, as well as establish standards and practices to modify or end services if needed.

Understanding and having an appreciation for security and privacy is in everyone’s best interest. What I mean is that by creating an understanding of risks, threats, and vulnerabilities, we are teaching others how to appreciate and how to apply an appropriate lens to various security and privacy situations.

In a large online community like ours, we want people to be comfortable with their security and privacy practices and in asking questions. In the spirit of Wikimedia, our team conducts this work with a human-first approach. We know we are going to have vulnerabilities and threats to our platforms and technology stack — that’s inevitable; but one of our greatest strengths to mitigate these challenges is our community. Empowering them and others to help understand and promote security and privacy is key to creating the culture of security we are seeking.

Wikipedia at its core is a bold idea that anyone can access and contribute to the world’s knowledge. Our platforms were built on the notion that security and privacy sustain freedom of expression. Security doesn’t mean policing the community of volunteer contributors that make Wikipedia work, but rather empowering all of our users and staff with security practices and resources that will protect and expand our reach. By making Wikipedia sustainable and safe from cyberthreats, we are setting an example for other online platforms that a culture of security can and should be a collaborative effort.

I am super grateful to be part of this work and for the amazing group of people I get to collaborate with on a daily basis. Maryum Styles, Hal Triedman, James Fishback, Samuel Guebo, Sam Reed, Scott Bassett, Manfredi Martorana, David Sharpe, and Jennifer Cross make up a small but super powerful team. I am a huge believer in this team and what it can do and can’t wait to see what’s next!
