Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/Los_Angeles' for 'PST/-8.0/no DST' instead in /home/emercy5/public_html/languages/en.php on line 39
Emercy's Missionary Resources.org
The comprehensive resource center for missionaries.
(10-14) Globe International offers new series for church groups looking for missions curriculum                         (10-14) Jailed evangelists in Ethiopia win appeal but fail to obtain freedom                         (06-28) Soldiers Arrest Honduran President in apparent coup.                         (06-16) Waste pickers in Colombia now recognized as entrepreneurs...                         

Paul vs. John Information Security Then & Now

by John Edmiston (Cybermissions) with advice from Pete Holzmann (ICTA)

Differing approaches to missionary security go back as least as far as the New Testament. On one hand we
have Paul, whose incredible boldness caused concern to others and who had to be rescued from rioting mobs
on numerous occasions. Paul attaches long lists of names to his epistles, freely discloses his travel plans and is
'completely out in the open' as far as information security goes. He even goes to Jerusalem despite the
warnings of close friends, prophets such as Agabus - and to the obvious discomfort of James and the brethren.
For Paul security was simply not a major concern.

On the other hand we have the apostle John. His brother James is beheaded by Herod (Acts 12:1,2); next, his
good friend Peter is arrested and put in jail, awaiting execution. At this point John is the only 'free' member of
the three apostles who were closest with Jesus (Peter, James and John), and so John 'vanishes' from the record
of Acts, and even from the greetings at the end of Paul's epistles - which is rather strange considering both men
ministered in Ephesus! For forty-five years or so we hear nothing of John until his gospel, epistles and
Revelation appear in the eighties and nineties AD. And when they do appear they are coded and cryptic, they
do not have long lists of names and personal greetings nor do they give detailed travel plans. They say things
such as: 3 John 1:13-14 MKJV I had many things to write, but I will not write to you with pen and ink, (14) but
I trust I shall shortly see you, and we shall speak face to face. Peace be to you. The friends greet you. Greet the
friends by name.

John seems to have been much more security conscious than Paul – and yet both were undeniably apostles and
very great men of God who helped shaped both the Scriptures and the Church. As one wit remarked when I
pointed this out, ‘Paul got more press, but John lived longer!'

Undoubtedly personality, theology and temperament had a lot to do with their approaches, but the type of
persecution each faced was significantly different. Paul's early experiences of persecution were from bands of
Jewish agitators who had limited ability to intercept his letters to the churches. There is no N.T. record of
systematic, government-level persecution of Paul (who seems to have easily made friends with Roman
officials).

For Paul, standing up to the agitators who were trying to silence both him and the gospel was the correct thing
to do. Paul also had the context of being single ( 1 Cor 7:8) and thus did not have to consider protecting his
family.

In contrast, John 's experience of persecution was at a government level – first the insane Herod, and later the
persecution of Diocletian where any misspoken phrase or loose scrap of paper could lead to someone being
burned alive. For John, keeping the Church safe from inadvertent catastrophe was the priority. John was also
probably married (1 Cor 9:5), and that would have been a contributing factor to his security-consciousness.
Both approaches to security are found in missions work today –sometimes in the same organization, and this
can result in some very significant tensions.

This may be going a bit far, but I think the very different approaches that Paul and John had to information
security largely prevented their networks from working together, even when in the same city (such as
Ephesus). John's network leaders would simply have felt unsafe around Paul and his disciples. While they
would have preached the same Christ, they would have had different leadership structures, different house
churches and baptism policies (Paul baptized on the spot, but there is much evidence that in other areas there
was a long testing period to weed out false disciples first) and different methods of operation. In time Paul's
networks combined with Peter's and coalesced into the Western or Roman church, while John's network
remained distinct and became the Orthodox Church of today.

Differing approaches to security may also have been part of the reason for the historic WEC/UFM split
towards the end of the life of missionary pioneer C.T. Studd. Even today there are tensions both within and
between agencies. Trust is broken easily and takes a long time to build. A head office wire transfer containing
too much detail e.g. 'for Bibles' can alienate the field staff whom it impacts. And a single foolish mistake by an
unwise youth on a short-term missions trip can result in that whole agency being 'blacklisted' by other
agencies working in the same country.

In the rest of this article I will focus on 'information security' – that is, how we separate out the information we
keep secure from that which we keep out in the open for all the world to see. And I will also ask the question:
“How do we create a culture of caring about the consequences of communication?” Because, as the WW2
poster used to say, “Loose lips sink ships.'

What Is Information Security?

Information security, computer security and information assurance are closely related but different terms.
Information security is wider than computer security and deals with information as a whole and so may
concern something written by hand or even oral communication. Information security will include the terms
and language you use, as well as all the communication media – landlines, mobile phones, Skype, laptops, PCs
and various hand-held devices.

Information security experts use terms such as confidentiality, integrity, authenticity, possession, utility and
availability of information. I will boil all this down to the identification, separation and preservation of
confidential information that could potentially compromise your ministry. Identification means you have
policies that help people accurately identify what is confidential (finances and specifics such as names, places,
and meeting venues) and what is not confidential (general publicly available information about your agency).
Confidential information is any specific, real-time information (in contrast to general statements) that can form
a basis for action by an enemy.

Separation means you wall the information off so that (supposedly) only those who should see it, do
see it. A safe or an encrypted hard-drive is a simple form of such separation as is a locked file cabinet, or an old
briefcase used just for confidential papers. Preservation means that the information is kept intact and can be
retrieved in an intelligible format and includes things such as: backups, decryption keys, virus-scanning to
prevent data corruption and checking of physical media so that information is not scrambled.

What Missions Are Currently Doing In This Area

I did some research into this issue in the form of an online survey that was answered by 62 people (full survey
analysis available upon request). In brief, the most security conscious were listed as being: a) Western
missionaries, b) the IT staff and c)those in creative access ministries. Those who were least security conscious
were listed as being: a) older missionaries, b) head office bureaucrats, c)those who preferred to 'just trust the
Lord', d) those whose work computer was also their home computer, e) supporters back home, f) partner
ministries that use inappropriate stories in publications and g) some national missionaries.

Many of the responses indicated a high level of emotion among many of the survey participants with some 'us
vs. them' polarization occurring between the most security conscious and least security conscious groups due
to their differing age, as well as their cultural and theological perspectives. People reported anger and
confusion around the implementation of information security policies and people divided between 'we trust
God and pray' and those who want absolutely every possible security contingency covered (which is not
practicable).

The following question was asked about the kind of security policies that were in place: Do you have specific
policies for security in regard to: (tick all that apply) (Statistics were only taken from completed responses)

  • Email - 71%
  • Hard-drive encryption - 26%
  • Viruses, malware, phishing, scams etc. - 58%
  • USB (thumb) drives - 26%
  • Server / network security - 50%
  • Other - please specify - 24%
  • Web browsing - 47%
  • We do not have any information security policies - 11%
  • Laptop security - 42%
  • I have no idea of what policies we may or may not have - 16%
  • Use of Internet cafes - 37%

I found it remarkable that over a quarter (27%) either had no information security policies or had no idea of
what such security policies were. Email, viruses and server security seem to be the main concern of the
security policies that did exist.

Covenanting To Keep Each Other Safe

Because of the Internet, links between missionaries in different agencies are now very extensive, and
missionaries in an agency with good security practices may be compromised by a missionary in another
agency with very poor security practices. Security is only as good as the weakest link, and the weakest link is
often in the publicity department at mission HQ! The dramatic stories that are good for fund-raising are also
the material that can cause serious problems on the field. We have to covenant to keep one another safe.

At a recent large missions gathering in Thailand, the story was told of people visiting a certain closed country
on a short-term missions trip, who were expressly told not to hand out tracts. On the way home one woman felt
it was her duty to start throwing tracts out the bus window. They were soon arrested and taken for interrogation
by the secret police. Within twenty minutes they were crying on the floor and within thirty minutes they had
divulged the names of the local pastors and Christian leaders.

We have to do better than that! We have to care deeply about those who may be affected by our actions, and
that should give us a 'holy restraint' that stops us doing things like throwing tracts out bus windows in closed
countries! That is why I advocate for organization-wide policies that are understood and signed off on by
everyone from the board chairman to the bus driver on the short-term missions trip. Detailed information
security policies need to be created by each mission organization to suit its own particular requirements. These
policies should be contained in a single concise document that should be personally reviewed and signed off
on by all staff in each organization, including the leadership.

Of course, everything must be held in balance. There are good missionaries who recognize their lack of
understanding, and are trusting the Lord to provide needed protection. They would love to act on the basis of
more understanding... yet one thing was stated quite strongly: the basis of our security is Christ, not policy. No
policy can be allowed to determine what we will or will not do.

How do we then proceed, given that in many contexts some increase in information security is desirable? First,
information security practices might need to be greatly simplified to make them more user friendly. As far as
possible, information security should be 'automatic' and built into the software, email systems and server
systems used by missionaries. While it is acknowledged that perfect information security is impossible, greater
security can be achieved by the thoughtful development of simple yet effective information security processes.
Some of these simplified information security practices could include:

BASIC SECURITY (All missionaries everywhere, even in free countries)

1. Using free firewall software such as ZoneAlaram, and free anti-virus software such as AVG or
Avira antivirus and free spyware and root-kit detectors such as Spybot Search & Destroy and
AdAware – and regularly updating them.
2. Use CCleaner to remove cookies, browser history and general compromising 'junk' from your
computer
3. Give some consideration to using a non-Windows operating system such as Apple OSX, Ubuntu
Linux, FreeBSD, or OpenSolaris. You can still run your Windows programs by using a 'virtual
machine' such as VMWare and they will run quite quickly. These non-Windows operating
systems are generally quite secure and are far less targeted by hackers and virus writers.
4. The use of encrypted PDF files (for example PDFCreator for free software that does this easily) to
store confidential information - especially when sending attachments. Having to use simple
passwords to open files reminds the reader that they are confidential. For further security the
ability to print, or to copy, cut or paste can be turned off in a PDF file.
5. Use strong passwords – longer than 12 characters and involving uppercase letters, lower case
letters, numbers and punctuation. The more scrambled up the better. For instance get a bible verse
and take the numbers and jumble them up between the letters and add some punctuation on the
end to get at least 12 characters - so John3:16 might become J3o:h1n6!?@> a much stronger
password.
6. Do not get the 'latest and greatest' - wait at least six months until the security issues have been
found and patches fixed. For new releases of MS Windows or Microsoft Office, wait one year.
7. The use of the same free / low-cost 'seamless' encrypted email across all members of the
organization (it is then as pain-free as sending a normal email).
8. The regular use of Google and other search engines to check what is 'out there' in cyberspace
about the ministry - and even to ask people to remove confidential information from a website. It
may also be wise to Google for any sensitive email addresses.
9. Training all staff and partners in the difference between what is 'confidential' and what can be
shared freely, especially when fund-raising or in newsletters.
10. Merge with your context. For instance, using Linux in Africa or China is fine because it has a
strong following in those places but in some other countries it may look 'geeky' and attract
attention. Also, selecting unusual hardware or software means that a typical user is a) less likely
to understand how it works; b) less likely to have a community of friends who can help them use
their technology well; c) more likely to be identified as an "outlier" simply on the basis of the
unusual tools they use. It's worth considering the selection of tools that fit in well with those in the
neighborhood (whatever that may mean). This applies not only to OS but also to email practices.
11. Stay away from politics in all publications and communications both on-field and at HQ, as it is
often a brochure with a strong political statement that alerts a government to commence
surveillance of the organization.
12. Do not publish sensitive conversion statistics, particularly of Hindus or Muslims, as this will
cause them to defend their religion - by finding and persecuting the converts in that area.
13. Do not keep any confidential information of any sort on servers connected to the Internet.
14. Use a high-quality shredder for all financial and confidential paperwork.

MODERATE SECURITY (Most missionaries in the 10/40 Window, occasional light surveillance)

15. “Need to know' basis for information sharing. This includes yourself. Evaluate whether you really need to
know a particular piece of information.
16. Be 'semi-paranoid' and make people earn your trust.
17. Do not use Skype. It has been compromised by most governments.
18. Do not use Internet cafes - not only a high virus infection risk but key-stroke loggers are common and can
record everything you type and send it to those watching you.
19. Do secure web browsing using Sandboxie, Megaproxy or multiple proxy servers.
20. Do not use cellphones in some countries, particularly in police states, as mobile phones can not only be
listened in on, but their microphones and cameras can be turned on remotely. Removing the battery is the only
safe way to prevent this.
21. A forest is a great place for a sensitive conversation. It is very hard for others to listen undetected, even
using wireless electronics (which do not work well in greenery).
22. The use of free software such as TrueCrypt as a way to create encrypted hard-drives or encrypted 'file
containers' within hard-drives – and the use of these encrypted partitions for all highly confidential data. It
just takes a little practice.
23. Generate as little confidential information as possible. Do not ask for specifics (such as full names
addresses, etc) that might compromise people.
24. Keep a low profile, be useful, friendly and non-annoying. Take care with financial transactions so that no
one is ever burned or gets a grudge against you (and thus has a motive to betray you).
25. Do not have large, obvious meetings. Do not have all the converts or church leaders in one place at one
time (so they can all be arrested at once).
26. Train your memory so that records of appointments and other compromising information does not have to
be kept on paper in sensitive situations.
27. Use a "split messages" policy. If you need to share a confidential message, break it apart and send via
different paths. You might send one element (e.g. date or location) by email, then make a phone call or fax to
send the rest.
28. Appoint someone in your team to be your 'security consultant' who updates computers regularly and who
does the necessary nagging that is required to keep people secure.

HIGH SECURITY (Really tough places, extensive government-level surveillance)

29. There are no effective technical counter-measures that a missionary can take to counter determined
government surveillance. The missionary must carefully evaluate whether God has called them to such a
situation and the risk they may pose to themselves, their family and the national church. Western
missionaries can unfortunately draw unwanted attention to those that they meet with in such countries.
30. A wise, consistent respectful, God-honoring lifestyle is generally good security anywhere.