Humanitarians (and Data) #NotATarget

HUMANITARIAN AID IS DIGITAL. AND WHEN DIGITAL ATTACKS ARE PERPETRATED AGAINST HUMANITARIAN AGENCIES, THE OUTCOMES HAVE REAL WORLD EFFECTS. NETHOPE IS CALLING FOR A CEASE TO ALL ATTACKS ON HUMANITARIANS, IN THE DIGITAL SPHERE OR OTHERWISE, AND FOR INVESTMENTS TO HELP NONPROFITS TO PROTECT THEMSELVES AND THE PEOPLE THEY WORK WITH IN THIS AGE OF DIGITAL HUMANITARIAN AID.

On January 18, the International Committee of the Red Cross (ICRC) determined that servers hosting the personal information of more than 515,000 people receiving services from the Red Cross and Red Crescent Movement were compromised in a sophisticated cyber security attack. ICRC is noted to have some of the best data policies, practices, and staff focused on this issue in the entire international aid sector, and they deserve great credit for their transparency and timely disclosure around this issue, the reporting of which they rightly see as part of their role in upholding the broader public interest and public trust.

But if ICRC, with their robust practices and world-class talent, can be attacked, any nonprofit can be attacked, and indeed we are seeing more of this around the world. Our industry colleagues among the NetHope partner companies are doing a thorough job of identifying proliferating cyber-threats against nonprofit organizations around the world. The data show that the frequency and severity of outcomes are increasing, that threat actors are widening their nets, and that state-sponsored actors are stepping up to attack organizations that are providing direct support to people around the world. These attacks on the aid and humanitarian communities are not limited to NGOs. In 2021, USAID's email service was compromised by a state-level actor with the intended downstream targets of 150 global NGOs.[1] Even in 2015, in the immediate aftermath of the major Nepal earthquake, the NetHope/Cisco first responder team detected state-sponsored malware on rescuers’ laptops within the first 72 hours after the disaster.

Humanitarian response to world geopolitical events, such as whatever may come from the current standoff between the US, the EU, and Russia over Ukraine, would typically have been protected under the Geneva Conventions, negotiated over the 19th and 20th centuries to ensure that aid organizations providing support to affected civilians could intervene to support victims of conflict. Today, however, as a result of these heightened tensions over Ukraine, the U.S. Cybersecurity and Infrastructure Security Agency has issued a related special cybersecurity advisory, which included encouraging “all organizations to take immediate steps to defend against potential cyber threats.[2] This includes implementing cybersecurity best practices, increasing vigilance, and preparing your organization for a rapid response.”[3]

The situation in Ukraine is worrying for nonprofits who would provide more humanitarian response to the region because they know that the nations involved have extremely sophisticated means of cyberattack. The nonprofits with programs in Ukraine are severely at risk as their data and operations become attractive in hostilities, and they are most often the least able to defend themselves or recover from an attack. NetHope Members are already asking: “How do we ensure that our data is not compromised to suit untrue narratives in conflicts? How do we extend our humanitarian assistance of vulnerable people to the digital world? How do we protect them digitally, like we do physically?”

Humanitarian aid is digital. The very physical needs that these agencies meet for vulnerable people are supported by digital systems and connectivity. It is not a ‘nice to have’; it is foundational to enabling these agencies to deliver their missions. Geopolitical instability, a lengthening pandemic and economic upheaval are creating increased demand for humanitarian assistance. As global humanitarian nonprofits become more digital,[4] they collect more timely and accurate information on these situations and on affected people. This is information that is essential for service delivery, but as is the case with data on citizens, voters and consumers elsewhere in the world, it has value to criminals and autocrats, particularly when it comes to exploiting or targeting marginalized, activist, or politically and economically vulnerable populations. To get this information, perpetrators cyberattack nonprofits who need more digital protection expertise to be safe.

When digital attacks are perpetrated against humanitarian agencies, the outcomes have real world effects. These effects include slower delivery of life saving aid and the physical targeting of at-risk groups – putting more people in harm’s way. Some are calling for a new “Digital Geneva Convention” that would prohibit direct attacks on humanitarian organizations that have the equivalent effect of attacking the very citizens, civilians and people they serve. In lieu of these protections being in force today, NetHope is calling for an end to all attacks on humanitarians, in the digital sphere or otherwise, and for investments to help nonprofits to protect themselves, and the people they work with, in this age of digital humanitarian aid.

Fortunately, the tools and means for protection of humanitarians, the aid they deliver, and those they deliver it to, are equal to the task. NetHope is actively working with our corporate partners in the IT industry and government agencies to extend protection efforts to support NetHope Member organizations and the broader NGO community.

Nonprofits cannot respond to this crisis in isolation. A digitally platformed, interconnected, and expert web of partners and funders is required to tackle what has already become a humanitarian emergency in its own right. NetHope stands in the center of that network and can make a meaningful difference as we prepare for a future where, absent strong intervention, cyber threats and insecurity will be rampant.

NetHope believes that humanitarians are #NotATarget, and likewise the data and systems they need to do their life saving work should also not be a target.

[1] https://www.devex.com/news/usaid-hack-is-wakeup-call-for-aid-industry-on-cybersecurity-100028

[2] https://www.cisa.gov/uscert/ncas/alerts/aa22-011a

[3] https://www.cisa.gov/sites/default/files/publications/CISA_Insights-Implement_Cybersecurity_Measures_Now_to_Protect_Against_Critical_Threats_508C.pdf

[4] The Evolution of the NetHope Effect and its Collective Impact. January 2022. https://nethope.org/2022/01/18/the-evolution-of-the-nethope-effect-and-its-collective-impact/