The World Economic Forum, in a January 2022 paper, argued that the humanitarian sector needed to make cyber and information risks a funding priority. One shocking statistic indicated that in the month following the death of George Floyd in the US in 2020, cyber-attacks against non-profit and advocacy groups increased by 26 per cent. This particularly revealing statistic reflects the increasing risk to humanitarian and non-profit groups from digital attacks.
The threats facing the humanitarian and development sector
For organisations working in fragile or conflict states, the risks from cyber-attacks are even more acute and consequential. A pattern of attacks suggests growing evidence of authoritarian governments seeking to undermine the ability of international organisations to respond to disasters or report on atrocities.
Such attacks have highlighted the need for change in how the humanitarian and development sector combats digital and information risks.
This includes the 2020 Nobelium incident, which attacked USAID’s email server and resulted in subsequent phishing attacks against an array of email lists, a large proportion of which were development or humanitarian-focused. Nobelium is a Russian-linked cyber group connected to the initial SolarWinds cyber-attack. Analysts subsequently attributed the motivation for attacking USAID to a strategy to gain intelligence on international and development actors. Another significant attack occurred in July 2019 against the UN, damaging dozens of its servers and losing significant personal information. A subsequent investigation by the New Humanitarian suggested that the incident was initially covered-up and the compromise of personal information not revealed.
Disinformation is becoming more sophisticated, and its consequences more damaging. In countries such as Guatemala and El Salvador, net centres and PR or communication companies have been used to develop or fund enhanced technological capabilities which generate narratives that isolate humanitarian organisations from beneficiaries via messaging across social media. Other risks include governments developing or planting false stories to confuse the narrative of what is occurring during a disaster or to drive more support or aid to their country. This technique has the potential to confuse civilians, displaced persons, or refugees who are desperately seeking information on potentially life-saving support or to prevent them from entering new countries or areas where support might be more available.
Equally concerning is the use of surveillance techniques by governments which seek to monitor individuals or organisations involved in gathering information within conflict zones. It is not hard to collect specific data about individuals, aid workers, or human rights defenders, which enable them to track their movements through social media or digital IDs. Digital surveillance enables governments to conduct disinformation attacks or cyber-attacks against individuals to isolate, marginalise, or impact their reputations. This risk is compounded if a government has laws granting them sovereignty over all data within their country and preventing it from being shared with other countries.
The growing use of technology
The resulting risk to humanitarian and development actors is perhaps more acute than almost all other sectors. After all, in many conflict or fragile countries, humanitarian staff gather information in treacherous conditions, sometimes at great personal risk. They may rely on WhatsApp or use Kobo and other data-gathering tools to collect highly sensitive data on beneficiaries, some of whom have potentially been tortured or witnessed grievous human rights abuses.
There is also a concerted effort across the humanitarian and development sector to invest in more technology when responding to humanitarian emergencies and to help drive innovation and efficiency in their organisations.The ever-increasing use of artificial intelligence, the shift to the cloud, and using blockchain are all potential opportunities here. However, the consequences of a cyber-attack against an aid organisation will become increasingly significant from a cost, reputation, and business continuity perspective.
How can the aid and development sector reduce risks?
Ultimately, humanitarian and development organisations require more money and funding to help build their cyber infrastructure. The financial sector, by comparison, benefits from hundreds of millions of pounds (or dollars) per year which it can spend to develop robust and competent infrastructure to help prevent and mitigate cyber and information attacks. This funding level is inevitably unavailable in most humanitarian or development counterparts.
Still, work can be done to help mitigate these risks. This can include allocating more resources to building cyber risk management capabilities, such as funding a security operations centre (SOC) team with skilled analysts and investigators, incident response teams, and embedding and enforcing strategic governance and policy development across the organisation, from operations and the C-Suite to human resources.
The evolution of the role of the Chief Information Security Officer is another crucial avenue to mitigate cyber risks. This position would be responsible for implementing a cyber roadmap, understanding the legal obligations for data protection when operating in different countries, influencing senior management and board members on the importance of cyber and information risks, implementing mitigation measures, and developing and leading incident response teams.
Across the sector, particularly for those responding in conflict countries, significant improvement can come from improving cyber hygiene through a cultural and educational shift in training and prioritisation. Most cyber incidents are due to human error, so improving the culture can help to mitigate the most common risks.
Upskilling humanitarian security professionals with cyber and information risk skills through organisation-paid training courses like Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP) will become increasingly important. Other initiatives, such as establishing humanitarian information-sharing groups specifically related to cyber and information risk and the potential to develop a cyber risk management framework specific to the humanitarian sector, might be longer-term but necessary goals.
The reality is that recent attacks and developments in technology mean that the humanitarian and development sector can no longer hide behind its impartiality and act as good global citizens to prevent or mitigate specific attacks against it. The ongoing events in Ukraine and elsewhere show a need to prioritise funding and learn to help ensure life-saving humanitarian operations can continue to take place while helping to protect and mitigate the risks to information, staff, and affected communities.
About the Author
James Blake is a security and risk management consultant. He has over 15 years experience in security risk management, conflict, and geopolitical risk, including helping organisations in the humanitarian and human rights sector combat cyber risks and prepare and respond to disasters. He is the founder of Next Generation Risk Management.
Image Credit: Christian Aid
In the wake of the devastating earthquakes in Türkiye and Syria, NGOs are playing a crucial role in supporting communities affected by the disaster. In this blog, NetHope's James Eaton-Lee explores the digital risks that NGOs responding in the context need to be aware of, and how they can manage these risks for reliable and safe connectivity and information sharing.
Pressure to get the job done and suppress emotions in the face of immense suffering can negatively impact aid workers' wellbeing and, consequently, their security. In this blog, Gemma Houldey explores the implications of burnout for security and how organisations can help staff feel safe to speak up.
It’s time to research how humanitarian non-governmental organisations define risk and how those definitions affect the work of security managers. Will one size fit anyone?