2025 ConComms End of Year Report

Executive Summary

In 2025 our team delivered a comprehensive suite of digital‑security services to nonprofit partners across the United States. By combining hands‑on training, vulnerability assessments, full‑scale cybersecurity audits, policy‑framework development, on‑device forensic malware scanning, and secure intake‑software development, we helped these organizations raise their security posture, embed sustainable practices, and protect the communities they serve.

Key Outcomes

Metric – 2025 Result
Security‑Awareness Sessions & Phishing Simulations – 20 live trainings + phishing demos
Organizations Engaged – 7
Vulnerability Assessments Completed – 10
Full Cybersecurity Audits Delivered – 7
Digital‑Security Policies & Procedures Drafted – 5 customized frameworks
New Staff Trained in Device Scanning, Training & Ongoing Awareness – 2 new personnel trained
Device Scanning for Spyware and Malware – 2 organizations’ devices scanned, with detailed remediation reports completed
Software Development and Documentation for “first‑contact” Communication Bridge (CDR‑Link‑Metal) – Published Gitlab project, detailed documentation, and active maintenance
Overall Impact – Partner organizations reported a significant reduction in successful attacks and a major increase in documented remediation actions within three months of audit completion.

1. Security‑Awareness Training & Phishing Education

Scope – Delivered 20 tailored, organization‑specific live sessions or phishing simulations.

Approach

  • Contextualized Threat Modeling – Each session began with real‑world examples relevant to the nonprofit’s mission (e.g., donor‑data phishing).
  • Hands‑On Demo – Participants experienced a controlled attack, identified issues, and practiced safe reporting.
  • Habit‑Building Toolkit – Checklists, quick‑reference one‑pagers, and reusable playbooks.

2. Vulnerability Assessment Program

Engagement Model – 2–3 week intensive collaboration with key staff to embed a repeatable vulnerability‑management cycle.

Deliverables

  • Digital‑Security Checklist covering asset inventory, configuration baselines, and third‑party risk.
  • Final Audit Report (7‑12 pages) summarizing the security baseline and outlining actionable remediation steps.

Results

  • All seven partner NGOs now have documented remediation timelines.

3. Comprehensive Cybersecurity Audits

Engagement Model – 4–8 week deep dive with organizational leadership and IT/security staff.

Core Activities

  • Review of system configurations (email, cloud storage, endpoint protection).
  • Evaluation of access‑control policies, MFA adoption, and data‑loss‑prevention settings.
  • Interviews to map workflow‑specific risks (e.g., grant‑application portals).

Deliverables

  • Audit Report (12‑20 pages) presenting a holistic security snapshot and 15 critical recommendations (e.g., MFA rollout, encrypted backups).

Outcomes

  • Post‑audit, NGOs achieved MFA coverage for the majority of privileged accounts.
  • Identified and closed misconfigurations across the cohort.

4. Digital‑Security Policy & Procedure Development

Frameworks Leveraged – BSI, NIST SP 800‑53, ISO/IEC 27000 series.

Process

  1. Initial Compliance Review (3‑8 weeks) – Gap analysis against chosen frameworks.
  2. Stakeholder Workshops – Engaged executive officers, IT leads, and frontline staff to surface practical constraints.
  3. Draft Policy Suite – Included Acceptable‑Use, Travel, Incident‑Response, and Data‑Retention policies.
  4. Tool Demonstrations & Handouts – Provided ready‑to‑use templates and resource links.

Deliverables

  • Five fully‑documented policy packages (average 7 pages each).
  • Implementation roadmap with milestones, responsible owners, and success metrics.

Impact

  • All participating NGOs now possess a formalized security governance structure.

5. Capacity Building – Training New Personnel

Focus – Equip emerging staff with practical forensic device‑scanning, training, and awareness‑building skills.

Activities

  • “Security Ops Bootcamp” covering:
    • Use of open‑source scanning tools.
    • Interpreting scan results and prioritizing fixes.
    • Reporting procedures for suspected incidents.
  • Follow‑up mentorship (bi‑weekly check‑ins for two months).

Outcome

  • Two newly trained individuals now act as security champions.

6. In‑Depth Malware & Spyware Forensic Scanning Collaboration

Partner Organizations – Two nonprofit tech‑advocacy groups (Org A and Org B) that manage a large variety of staff laptops and phones.

Scope – Conducted full‑disk forensic static malware analyses to uncover persistent malware and spyware targeting activist communications.

Process and Outcomes – A 4–5 week engagement in which the ConComms team performed forensic scans of critical work and personal devices. We detected and remediated signs of malware and spyware, as well as default device settings that facilitated organizational data loss and exposure. At the completion of the forensic scans we delivered a scan report with empowering action steps to the designee, tailored to the organization’s needs and the maturity of its security posture, with actionable recommendations to concretely reduce risk.

7. GitHub Maintenance & Secure First‑Contact Solution Deployment (CDR‑Link‑Metal)

Objective – Harden the open‑source repository ecosystem supporting a secure “first‑contact” communication bridge (CDR‑Link‑Metal) that compartmentalizes messages and provides an efficient, uniform organizational response framework for first contacts over WhatsApp, Signal, and Twitter/X.

Key Activities

  1. Repository Hygiene
    • Conducted a comprehensive audit of all branches, tags, and pull‑request histories to eliminate dependence on big‑tech, surveillance‑based tools.
  2. Installation & Training on CDR‑Link‑Metal
    • Created platform‑agnostic installer scripts that provision isolated Docker containers with minimal privileges.
  3. Documentation & Community Building
    • Produced a step‑by‑step deployment guide covering prerequisites and the full deployment procedure.

8. Overall Impact & Lessons Learned

Area – Insight
Phishing Resilience – Active demos and interrogatory learning modules cement behavior change.
Vulnerability Management – Embedding a short, repeatable workflow drives sustainability.
Policy Adoption – Co‑creation with staff yields higher buy‑in.
Staff Empowerment – Targeted, hands‑on training accelerates internal capacity.
Malware & Spyware Defense – Deep device forensics combined with rapid remediation pays immediate dividends.
Secure Messaging Bridge – Robust supply‑chain security and clear documentation foster trust and adoption.

Key Takeaways for 2026

  1. Integrate Continuous Training – Quarterly learning modules keep awareness fresh.
  2. Expand Scope – Bring additional nonprofit sectors (e.g., environmental advocacy) into the program to amplify collective security hygiene.
  3. Invest in Supply‑Chain Hardening – Ongoing GitHub security automation prevents regression and builds community confidence.
  4. Maintain Threat‑Hunt Cadence – Regular malware‑scan cycles with partner organizations keep adversaries at bay.

Closing Note

Our 2025 effort demonstrates that focused, collaborative security initiatives can dramatically improve the resilience of mission‑driven nonprofits. By coupling education, rigorous assessments, policy scaffolding, deep malware forensics, and secure‑by‑design software practices, we’ve laid a foundation that these organizations can build upon for years to come.

Growth, Updates, Audits and Book features in 2022-2023

So much has happened over the past two years, it is hard to keep up! First, we are thrilled that our work was recently featured in the book “I Have Nothing to Hide” by Heidi Boghosian, published by Beacon Press. In Chapter 13, on the myth that the attorney‑client privilege is sacrosanct, she highlights our work in the section “Monitoring Lawyers Imperils Democracy” (pg. 135), where she writes: “The expectation of privacy between lawyer and client has been a cornerstone of the common law justice system for hundreds of years. Related entitlements are the right of an accused to a zealous legal defense and the right of an attorney to decide whom to represent. These rights are perhaps most precious to individuals who have been accused of crimes against the US or who hold viewpoints that the government does not favor. When lawyers know their communications may be monitored, the nature of their professional responsibility is impacted. Jonathan Stribling-Uss is devoting his legal practice to bringing secure communications to fellow practitioners. As necessary as digital proficiency is in the legal profession, many lawyers have barely made it past the analog age. “Our current system of Internet communication is not constitutional, especially regarding attorney–client communications,” he says… the concept of attorney–client privilege is a core American value and that when mass surveillance programs routinely violate that protection, it undermines one of the bedrock principles protecting our freedom…Lawyers’ failure to encrypt is largely due to governmental collusion with industry to confuse the issue and ensure that basic systems have been backdoored, he asserts. “Attorneys have not been given good information about this since the companies advertising are selling products that are actually broken.” He continues, “Clients have also not been educated about this. Clients control attorney–client privilege so they can demand that their lawyers use open-source encryption for their communication.”


Happily, in the past years we have found many clients and organizations who are thrilled to have expert advice on how to secure their communications while fighting for secure attorney‑client communications and against surveillance.

Three of them who were able to share their experience with us were Annunciation House, the Foundation for Middle East Peace, and The Highlander Center. 

As Ali Boyd, Human Rights Attorney, Annunciation House Board Member (https://annunciationhouse.org/) put it: 

“Jonathan is an expert in digital security practices and a highly skilled facilitator and trainer. Most importantly, he shares our values as an organization and understood the nuances of our work as an NGO at the US-Mexico border. He provided comprehensive answers to our questions, important context, and concrete tools for our organization to utilize moving forward. We highly recommend Jonathan and Constitutional Communications!” 

Or as Kristin McCarthy, Director of Operations at the Foundation for Middle East Peace (https://fmep.org/), says:


“Working with Constitutional Communications was a pleasure and a massive value-add for our small foundation. Over a short period, Jonathan was able to audit our current digital security risks, educate our key staff on what those risks are and how we can address them, and provide training on how to make recommended changes. We walked away with a new policy and procedures document that will continue to provide value to our organization even as the digital threat landscape evolves.”


Finally, Maria Rincon of the Highlander Research and Education Center (https://highlandercenter.org/) thought that the audit and trainings were:


“Extremely humbling and eye-opening to realize how little I actually knew about both the threats that exist and the ways to protect yourself, your co-workers, and your organization. This training has done an excellent job of preparing us with the resources and tools to begin to implement our learnings across the organization.”


We are continuing to build our practice, and have new Roadmap Digital Security Cohorts in the works. We also have many other groups that we are working with to go deeper into security audits and education. We look forward to filling everyone in about those new partnerships in the coming months. 

Growing our Impact from 2020 to 2021

We begin 2021 with expanded advocacy and excellent partnership. Along with Peter Micek, Access Now’s General Counsel, and The ACLU of NY (NYCLU), ConComms staff wrote a powerful article entitled “Encryption is vital for attorney-client privilege in the digital era, and lawyers should fight for it” that highlights the cybersecurity risks faced by clients, attorneys, and especially incarcerated people.

This article builds on the recent report entitled “Legal Cybersecurity in the Digital Age” published by The ACLU of NY and written by our Director, Jonathan.

The report received significant coverage in the Legal and Business press.

We also received excellent feedback from organizations such as Momentum Community, which we supported through many months of deep work on digital security processes:

“Working with ConComms was incredibly helpful for our organization to level-up our digital security knowledge and practices. We received not only immediate hands-on support but also broader context about the importance of digital security for activists in this time.”

– Davida G., Momentum Community

We also received some excellent testimonials from our Fall 2020 election digital security cohort with Roadmap Consulting:

“There are so many cool tidbits I didn’t think I would come across. The training helped as a reminder to take your organizational and personal security very seriously.”

– Javier H. G., United We Dream

“This course is an extraordinary opportunity to learn about many aspects of digital security, get concrete recommendations about secure apps, platforms and strong choices, and learn how to bring these best practices to your organization.”

– Cicily D., Black Organizing for Leadership & Dignity

“I love learning new aspects of digital security. To be able to bring this experience into my work and even personal life is really rewarding.”

– Ohio Organizing Collaborative

“Covered everything you would want to know”

– Alan N. / Voces de la Frontera (Wisconsin)

“Good training”

– Sarra, Black Lives Matter Phoenix Metro

Roadmap Consulting and ConComms partner for 2020 Digital Security Cohort

Constitutional Communications had over 20 organizations enroll in our spring six‑week digital security cohort with Roadmap Consulting. While the difficult news surrounding the Coronavirus outbreak overshadowed our work, participants found that having a consistent training every week was helpful and supportive. Many organizations were forced to rapidly move most operations to fully digital platforms. In response we were able to shift some of our curriculum to respond to the critical moment and address the importance of digital security in a virtual ecosystem in which “Zoombombing” has become a household word.

Some testimonials from participants in ConComms & Roadmap’s Weathering the Storm Spring 2020 Digital Security Cohort:

“My knowledge of digital security has expanded and will serve a life-long purpose in both my professional and personal life as an ever-changing entity.”

– Kris T., Girls for Gender Equity -NYC

“Well worth the time and money. We gained valuable information and tools that every non-profit should use to protect the integrity and security of their work.”

– Tyger C., Grassroots Policy Project

“Digital security tailored to the values and concerns of our movements! We got knowledge and tools we can start putting to use right away. Great program!”

– Orson M., Grassroots International

“Even when you are the IT professional on staff, there are always new concepts to learn.”

– Terenee P., Shriver Center on Poverty Law

Constitutional Communications partners with The American Bar Association Rule of Law Initiative to train on Ethics and CyberSecurity

Constitutional Communications cybersecurity educators began 2019 by partnering with the American Bar Association’s Rule Of Law Initiative to assess organizational security threats and train lawyers and staff on cybersecurity and legal ethics.

Over the past couple of months, Constitutional Communications initially supported a cybersecurity risk assessment of the team and organizational programs. Our risk assessment then culminated in a responsive training for key staff in the Rule Of Law Initiative to bring the team up to speed on improved encryption implementations and secure access and credential practices that uphold current international law, ethics and human rights standards.

NY Law Journal On State Bar Association ConComms Panel

ConComms director, Jonathan Stribling-Uss, recently presented on a panel discussion as part of the NY State Bar Association 2018 Annual Meeting. Here is the report on the event from the New York Law Journal:

From Public Wi-Fi to Encrypted Emails, Panel Probes Security of Lawyer Communications:

What happens when a lawyer connects a laptop containing sensitive client information to a public Wi-Fi network or prints out documents from a hotel printer?

Those scenarios could put lawyers—and their clients—at an increased risk for data leaks and hacking, said panelists at a Tuesday discussion at the New York State Bar Association’s annual conference (http://www.nysba.org/am2018/) in Manhattan.

One takeaway from the discussion, which was centered around data security in an attorney’s day-to-day-practice and related ethical obligations, is the importance of using an encrypted communication device in transmitting client information.

Encryption is often “client dictated,” not law firm-driven, said panelist James Bernard, a partner at Stroock & Stroock & Lavan who also serves as general counsel to his firm. Many clients, particularly financial services companies that are concerned about unauthorized access to personally identifiable information in their customer base, will use encrypted email, sometimes exclusively, in communications with law firms, Bernard said.

Some corporate counsel or firms even have internal reviews to make sure legal staff are sending encrypted email.

“They get dinged if they don’t send out encrypted emails,” Bernard said.

The moderator of the discussion, Michael Ross, whose firm represents other lawyers in ethics and disciplinary matters, said some engagement letters can even set out standards of encryption lawyers promise to provide.

If lawyers are not using encrypted technology, they could be exposing client confidential information, said panelist Jonathan Stribling-Uss, a lawyer, digital security consultant and director of Constitutional Communications, a nonprofit that specializes in information security.

In the situation of a lawyer using a public Wi-Fi network and sending email “that does not have end-to-end encryption,” that communication could be read by someone also on that network and the connection itself could be changed to allow for some sort of malicious attack, Stribling-Uss said.

“That’s totally possible with any public Wi-Fi connection,” added Stribling-Uss, who also noted that printers can store documents for years and also be hacked.

Another panelist, Karen Peters, a former presiding justice of the Appellate Division, Third Department, said an attorney’s ethical obligations vary depending on the firm.

“Are you talking about a large law firm with hundreds of lawyers that has an international presence? Then I would think their obligation to ensure confidentiality of client data is a much higher obligation,” said Peters, noting that such a firm’s clients have information that hackers are looking to acquire, unlike a small firm in Plattsburgh, New York, handling family law or Surrogate’s Court work.

For Peters, who retired in December, the issue of cybersecurity is one that her former colleagues on the bench must now face.

“The question I would think for any judge who has this situation in front of him or her is, ‘What was reasonable under the circumstances,’ and those change depending upon the kind of business you’re in,” she said, citing Rule 1.6 of the New York Rules of Professional Conduct.

Still, a firm of any size can be targeted.

Timothy O’Sullivan, executive director of the New York State Lawyers’ Fund for Client Protection, which reimburses client money that is misused in the practice of law, said a common scheme is an email solicitation to lawyers that asks them to deposit a check in escrow and then disburse the money.

“Turns out that check was bogus,” but it’s not caught right away, said O’Sullivan in describing the scam.

Peters raised another hypothetical for any firm: An executive assistant, in their spare time, uses an office computer for online shopping, social media and other internet surfing. Is it best for the law firm to be rigid with staff on how they use the equipment in the office?

Stribling-Uss said that firms should be strict, confirming that personal use of equipment by staff can expose law firms to hacking. Stribling-Uss, however, said that firms don’t have to pay a fortune. “The best types of encryption are actually free,” he said. “You’re being fleeced by these security companies,” he added, pointing out encryption apps such as Signal and WhatsApp.

Meanwhile, notices at the end of law firm emails stating that any information included in them is intended only for the person to whom it is addressed, with unauthorized access being strictly prohibited, are “mostly just catnip” for hackers, Stribling-Uss said.

Another takeaway from the discussion is just “to be smart and start thinking about these issues more often,” said Bernard, noting that various ethics opinions on this subject are situational.

“You definitely need to be thinking about this all along a graded scale, if you will, in terms of how important the matter is and what it is you’re transmitting,” Bernard said.

A New York Times reporter on the panel, William Rashbaum, reminded the audience, “When somebody provides us with documents that are confidential, they are newsworthy because they are confidential.”

Reposted from:

https://www.law.com/newyorklawjournal/sites/newyorklawjournal/2018/01/23/from-public-wi-fi-to-encrypted-emails-panel-probes-security-of-lawyer-communications/

2017 Annual Report

Constitutional Communications 2017 Annual Report:

We are happy to say we made significant gains in 2017. We achieved the most exciting impact around our training series. We completed two Roadmap Consulting six‑week cohorts for movement digital security staff from thirty-two organizations, with digital security trainer Iliea Burgos. We also finished a series of trainings with Harlo Holmes of Freedom of the Press Foundation for nearly a dozen member organizations of the Center for Media Justice. We led a digital security series with Social Movement Technologies and wrote a section of the nationally distributed digital security planning material for Roadmap’s “Weathering the Storms: Toolkit”. We also worked with Roadmap on intensive digital security webinars with PICO, Family Values at Work, National Day Labor Organizing Network (NDLON), and MASA.

“Every session was relevant and well facilitated. Especially the clear action steps, the great context and the specific examples of digital security’s importance. It was great and very much worth my time.”

– Mike Thorp, New Era Colorado, Roadmap/ConComms Cohort.

In our work to support attorney ethics we had our legal ethics trainings distributed nationally by The National Academy of Continuing Legal Education and conducted three ethics and rights trainings for attorneys at the NY County Bar Association (NYCLA). We also completed a six‑month organizational digital security planning and implementation process with Palestine Legal. In total, our cybersecurity trainings this year reached more than one thousand people, including over one hundred attorneys.

“Constitutional Communications helped Palestine Legal tremendously. They are extremely knowledgeable about mass surveillance and recommended concrete steps we could take to protect our digital information and communications from different threat actors. They understand why this is particularly important for organizations that support and defend Palestinian human rights.”

– Angela Rashid-Campion, Manager, Development and Operations PalestineLegal.org

For a printable PDF of this report:

Annual report concomms 2017(final)

NYCLA panel: technology always outruns the law

NYCLA Committee on Law and Technology presents “Technology Always Outruns The Law”, a CLE training for attorneys featuring Jonathan Stribling-Uss (Constitutional Communications), Peter Micek (Access Now), Sarah McKune (Citizen Lab), Pery Krinsky (Pery Krinsky, PLLC) and Joseph J. Bambara (UCNY).

https://www.nycla.org/NYCLA/Events/Event_Display.aspx?EventKey=CLE113017

ABA Journal Cites ConComms Cybersecurity Expert

Experts advise new tactics to fight data breaches


Marcus Christian. Photo by David Fonda.

The Panama Papers leak made global news in April, providing detailed financial and attorney-client information showing how the world’s rich and powerful hide their money through shell corporations. Not only did this leak hurt its clients—ending the prime minister of Iceland’s career, for instance—it also crippled the hacked law firm Mossack Fonseca.

While Mossack Fonseca was a headline-grabber, it experienced just one of many recent law firm hacks. Cravath Swaine & Moore has acknowledged it was hacked, and news reports listed “dozens” of other law firms that were targeted by a Russian hacker. Most of these firms denied important information was compromised.

But these attacks are costing lawyers credibility, argues Jonathan Stribling-Uss, director of Constitutional Communications, a cybersecurity firm based in New York City. With each breach, he says, “we’re losing trust in the profession.”

On account of increased and evolved attacks, attorneys and companies are rethinking cybersecurity. It is not sufficient to merely have anti-virus software. Plans for when a breach happens and software that can help ameliorate the damage are emerging cybersecurity trends.

Luke Dembosky, a partner at Debevoise & Plimpton in Washington, D.C., puts it succinctly, warning organizations to “start with the assumption that you will face one or more cyber breaches.”

There are three major cyberthreats to law firms, Dembosky says. These include ransomware, which locks users out of their computer or network until they pay a fee; ideologically motivated hacks, as with the Panama Papers; and hackers looking for insider trading information.

Jake Frazier, senior managing director at FTI Consulting, explains that “historically, the information security world has taken a fortress approach.” This approach is a reliance on anti-virus software, proxies and firewalls—all intended to keep malicious software out—but which provide poor protection once this perimeter security is compromised.

PLAN FOR ATTACKS

Evolving past the fortress mentality, attorneys and law firms are learning to plan for a breach. Marcus Christian, a partner at Mayer Brown in Washington, D.C., helps companies create such a plan.

Before the breach, an organization should have a team ready and a plan in place, he says. “Who’s going to be the quarterback?”

The team can be varied: digital forensics experts, crisis communication firms, and regulatory and legal teams can all play critical roles in the first 72 hours after a breach.

To help others create a plan, Christian and his colleague Stephen Lilley wrote Preparing for and Responding to a Computer Security Incident: Making the First 72 Hours Count (PDF), which can be obtained via Mayer Brown’s website.

Meanwhile, on the software side, two cybersecurity companies, enSilo and Terbium Labs, are also moving beyond the fortress approach.

Roy Katmor, a co-founder and CEO of enSilo, says the way we think about digital threats must evolve. “It’s not a virus anymore. … It’s like a chronic disease. With a chronic disease, you can control it.”

This mentality is reflected in the product: EnSilo maps a computer’s operating system to later find modifications in the form of malicious programs. According to Katmor, these intruding programs violate operating system instructions in order to remain stealthy and unobtrusive, making them hard to detect.

The enSilo product creates constant triage, Katmor says, which blocks the malicious software and allows the operating system to work uninterrupted.

LOOKING OUTSIDE

According to a Verizon Risk Team report, it takes months before a target is aware its data has been taken, also called exfiltration. The report says 92 percent of data breaches in 2015 were found by someone other than the target, often by law enforcement or a compromised client.

Tackling the detection problem, Baltimore-based Terbium Labs built Matchlight. This platform creates a unique fingerprint for sensitive data such as employee Social Security numbers, credit card numbers and source code. Once a fingerprint is created, an automated tool called a web spider crawls around the web looking for these fingerprints. When the spider finds a fingerprinted document, often on so-called dark web markets, the owner is immediately informed that a data breach occurred.

Matchlight “brings detection time from a couple of hundred days to a couple of minutes,” says Tyler Carbone, COO of Terbium Labs.

Still, even with the creation of new tools and improved preparedness, some precautions are tried and true. The Verizon report found in 2015 that 63 percent of confirmed data breaches involved weak, default or stolen passwords.

A lawyer himself, Frazier believes the legal field can get a handle on the issue. “Lawyers putting forth really good effort will always count for something,” Frazier says. “You never know what small risk control you put in place that might avert a disaster.”

This article originally appeared in the August 2016 issue of the ABA Journal with this headline: “Plugging Leaks: Experts advise new tactics to fight data breaches.”

http://www.abajournal.com/magazine/article/data_breaches_ensilo_terbium_labs