In the wake of the devastating earthquakes in Türkiye and Syria, NGOs are playing a crucial role in supporting communities affected by the disaster. In this blog, NetHope's James Eaton-Lee explores the digital risks that NGOs responding in the context need to be aware of, and how they can manage these risks for reliable and safe connectivity and information sharing.
NetHope is a member-driven Non-Governmental Organisation (NGO) comprising ~65 of the largest humanitarian, development, and conservation non-profits. We are a member of the Emergency Telecommunications Cluster, and some of our Emergency Preparedness and Response Team are in Türkiye now supporting responders to establish reliable and safe connectivity for those responding to the Gaziantep earthquake.
We know from experience that digital safety in humanitarian response is not guaranteed. NGOs are lagging behind the investment levels of private sector actors in digital – and risk is amplified because humanitarians work in complex environments requiring different approaches and tools to those often inherited from the private sector.
In our 20-year history in NetHope, we have seen a progressive increase in disruption to NGOs and their work during crises as a result of internet shutdowns, indirect impacts of ‘hybrid’ warfare, and the direct targeting of humanitarians – including in attacks attributed to state actors.
For the first time, as part of our NetHope Digital Protection Program, we have begun incorporating structured analysis and recommendations on digital safety in our crisis response briefings with Members. In this blog, we include some key takeaways for security professionals attempting to manage these risks in the context of the Gaziantep earthquake.
Threats and responses
Various forms of tension in the region, particularly the ongoing civil war in Syria, have produced a contested digital space in which targeting individuals and groups has been increasingly commonplace for several years.
Digital surveillance and intrusion have been relatively sophisticated in this region, with public analysis attributing a variety of attacks to various state-sponsored groups, many targeting opponents, dissidents, commentators, campaigners, advocates, marginalised groups, and others.
These include the targeting of social media, mobile devices, and other accounts belonging to individuals; the compromise of government websites and institutions; targeting of infrastructure (within and outside the region); targeting of media; misinformation campaigns; and other forms of digital espionage.
But even sophisticated actors typically begin with basic attacks such as phishing or password stealing to gain access to user accounts. Foundational Cybersecurity controls such as Multi-Factor Authentication (MFA) and the five controls of Cyber Essentials are imperative in increasing resilience. Your NGO must ensure it embeds these controls to prevent these attacks. Any IT team should be able to answer the question, ‘Do we consistently implement the five Cyber Essentials Controls in the systems we are using in this response, and is MFA turned on everywhere?’
In this region, some attacks attributed to state actors are highly sophisticated – using bespoke spyware and redistributing community-specific mobile apps with embedded surveillance functionality in order to target key communities and groups by subverting tools built to help them. In this sort of context, we strongly recommend NGOs avoid building new apps or technology without deep and specialist support to do so safely (and sustainably), and when working with at-risk communities, ensure they are consulted and kept informed regarding risks.
Working in this context, NGOs should expect that various actors – state or non-state – may target the digital systems they use in order to obtain intelligence, obtain data on segments of the population they work with, or simply to disrupt work. We recommend crisis teams maintain a ‘harms register’ of key populations, data, or networks likely to be targeted – and activities which may be higher profile – to enable focused risk assessment or mitigating steps.
It is likely that when distributing funds or cash – or payments are made at speed to many new individuals – payment systems, distributions, or disbursements may be targeted by financially motivated attackers seeking to redirect funds or payments. Where possible, NGOs should leverage payment systems they have vetted before the crisis, ensure staff are consistently reminded to remain vigilant when making payments, and seek assistance from support agencies (such as CALP) for best practices to prevent common types of fraud.
More broadly, parties to conflict may also spread mis, mal, or disinformation regarding the behaviour of actors in the space to erode trust or amplify tension. The failure by NGOs to build resilient tools or collect data respectfully and with long-term planning carries the potential to exacerbate this problem and may undermine longer-term work – especially if breached, imitated, or misunderstood. NGOs should work closely with their communications and advocacy teams to provide consistent information through multiple trusted channels, risk assess work, and join collective efforts to counter misinformation with other NGOs.
Building digital resilience
Begin asking the question ‘What can my organisation defend against?’ – alongside the questions above – routinely in your risk management practice. Consider the types of threats and actors you are (or aren’t) capable of resisting, such as criminal activity using off-the-shelf ‘kits’ for ransomware or financial fraud or more sophisticated actors utilising specialist tools and knowledge.
Beginning to make this ‘threat modelling’ part of the language you use can foster joined-up risk management approaches. This can enable you to gauge if data collection or sensitive work can be safe in a particular context, guide other deployment decisions, and begin aligning more broadly on budgetary or risk management questions.
Consider engaging broader sectoral groups, donors, or others to solicit input and signal the need for (or access) support – particularly based on the tensions identified in earlier recommendations. Some large donors now have programmes which can fund remedial work – but only if they can identify your need.
NetHope Members can collaborate safely and privately – or access no-charge support – via its Digital Protection Programme. Platforms such as the AccessNow Digital Helpdesk have offered responsive support for civil society for some time.
The tools and approaches for managing digital risk in humanitarian settings are relatively new and constantly evolving. At NetHope, we’re working on a Global Humanitarian Information Sharing and Analysis Center (ISAC) to synthesise and share information on digital humanitarian safety in a sustainable and safe way, both in crises and day-to-day operations.
If you want to be involved, have proven approaches that work and should be amplified to the sector, or need support, please get in touch.
About the Author
James is NetHope’s Chief Information Security Officer, and leads the Digital Protection Program – aiming to support responsible digital humanitarian, development, and conservation interventions. Prior to NetHope, James was Director of Privacy, Responsible Data and Risk at Simprints, a startup building biometric technology for the international development ecosystem, and Head of Information Security & Data Protection Officer at Oxfam GB / Oxfam International where he built the cybersecurity and privacy programme.
Image Credit: Abdulsalam Jarroud/The New Humanitarian
Pressure to get the job done and suppress emotions in the face of immense suffering can negatively impact aid workers' wellbeing and, consequently, their security. In this blog, Gemma Houldey explores the implications of burnout for security and how organisations can help staff feel safe to speak up.
It’s time to research how humanitarian non-governmental organisations define risk and how those definitions affect the work of security managers. Will one size fit anyone?
When Security Risk Management and Technology Collide: getting humanitarian notification systems right
At first blush, the notion underlying humanitarian notification systems (HNS)—also sometimes called ‘humanitarian deconfliction’ or ‘humanitarian notification systems for deconfliction’—might appear quite simple. Humanitarians operating in conflict settings seek to cultivate relationships with armed actors to enable humanitarian access, mitigate humanitarian insecurity, and promote civilian protection. When engaging with an armed actor exhibiting no evident intent to harm humanitarian actors, how complex could it be to devise an information-sharing platform (i.e., HNS) that can enhance the armed actor’s situational awareness by transmitting geolocations for static humanitarian sites (e.g., warehouses, offices, or even education and health facilities) and planned aid worker movements (e.g., road movements or flights)?