Informing humanitarians worldwide 24/7 — a service provided by UN OCHA

World

Civil society should be defended like other critical infrastructure

Humanitarian and other nonprofits deliver essential services to billions, so why are they not defended by governments?

By, Lance Pierce, CEO, NetHope

Essential services, whether provided by the private or public sector, are prioritized as critical for the minimum functioning of a society and economy. We invest in the resilience of these services, in both the physical and digital world, so that our society and economy also have this resilience and strength to withstand shocks and attacks. Today, humanitarian and development agencies provide many of the same essential critical services like health, water, elections, and even banking and financial services, to over a billion people worldwide. However, nonprofits are not recognized by governments and multilaterals as critical infrastructure in the same way as the transport, energy and aviation sectors, so they do not benefit from the same support and resourcing for their protection, including in cybersecurity.

As the early days of optimism about the unlimited possibility of the internet began to fade, the realization dawned that in addition to those potentially enormous benefits to humankind, it could also be a vector for the destabilization of communities and lives when misused - with defense being the inevitable cost of doing business in the 21st Century.

Yet in recent years it has become clear that cyber attacks cannot be deterred simply on the basis of technical safeguards such as firewalls and security software implemented by individuals and organizations alone: a collective response is required and is much more effective. Much like security and protection in the physical realm, no single entity, be it an organization or a government, is as able to withstand attacks nor understand the threat landscape as effectively as a group of like-minded entities working together. Cyber resilience is not a competitive marketplace; it is an adversarial endeavor which organizations can only truly win by engaging together as if a team sport.

Recognizing this group-benefit, public-private groups were increasingly established with direct government support allowing focus on the protection of foundational parts of modern society’s infrastructure from digital attacks that disrupt them. Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organization (ISAO) enable members to join communities of practice which voluntarily share cybersecurity information with each other and may join together to build their capacity and perhaps generate unique sectoral insights and approaches.

In the United States, new agencies sprung up to protect critical infrastructure with the recognition that successful attacks on the digitized foundations of society could disrupt daily life or shut down whole sections of the country. In the U.S., critical infrastructure is explicitly recognized in law, and typically includes energy companies and public utilities, hospitals and health care, aviation and transportation, and manufacturing - but not the humanitarian and/or nonprofit sector. This pattern repeats in Europe with many government interventions following a view of critical infrastructure or economic interest in which the global humanitarian and wider nonprofit sector was and is a consistently missing piece.

But while this recognition in the U.S. and Europe is part of the issue, it also occurs against a moving backdrop in which the risk of cyberattack is sharply increasing. The tools enabling these attacks have become so inexpensive to launch that smaller state and non-state actors are able and motivated to target businesses, nonprofits, humanitarians, and government in lower and middle income countries. In these countries and regions, humanitarian and development organizations sometimes deliver the most highly functioning health care delivery systems, the most effective local energy and water providers, and the most reliable money transfer platforms, the loss of which can be devastating to local people and communities.

One only has to recall the recent Covid19 pandemic to recognize the critical role global nonprofits played in delivery of health services and how many low income countries struggle to reach those vulnerable communities at the last mile. They provide a much needed layer of stability to communities and countries affected by unrest or natural disaster when governments have failed or are unable to respond. Yet increasingly they do this in environments in which cyber targeting of states and NGOs is a regular externality impacting their work - NetHope Members are reporting and responding to such attacks against them and the populations they work with in almost every recent humanitarian crisis.

It is time we recognized that the humanitarian sector is global critical infrastructure that provides vital support around the world; NetHope Member organizations alone serve 1.67 billion people and that number is growing. Attackers already recognize their pivotal role with nonprofits and think tanks being the second most targeted sector by nation-state-level digital aggressors - second only to government-to-government cyber aggression. The world economy and digital community is so intertwined that if any one country is disrupted or destabilized by cyber attack, it can have devastating ripple effects in the surrounding countries and region - and can produce unwarranted fear, uncertainty, and mistrust which can destabilize communities and interventions as part of Mal, Dis-, and Misinformation attacks. What starts as a victim of one can become a contagion of many.

Whilst most people will easily recognize that these agencies provide critical services to many people both domestically and worldwide, a failure to more formally recognize this critical role as a global society results in a lack of multilateral resource allocation and support for cybersecurity in humanitarian and development funding mechanisms. Without the same recognition as critical infrastructure, the international nonprofit sector will be enshrined as a second-class space in its ability to access much government and multilateral coalition support for cybersecurity - subsisting where other spaces thrive.

Inevitably inadequate support will result in this sector falling behind in its ability protect itself. This lack of resilience and cyber vulnerability will have real life consequences in a world with an increasing number of humanitarian crises - and in which communities may lose access to services of last resort, or be directly harmed via the targeting of vulnerable digital systems or malicious reuse of their data to amplify or enable repression.

Ultimately, humanitarian networks and the services they deliver are critical to people and thriving communities, and they foster peace and stability in some of the most turbulent parts of our world. Civil society and humanitarians must be recognized, defended, and supported as critical infrastructure for the good of society. We must protect them for the same reasons and with the same urgency as we do the other foundational facilities, for both reasons of international stability and the sanctity of human life.