The difference between Humanitarian Data Security and Corporate Data Security is…
That sounds a bit over dramatic doesn’t it? This sounds like a line from a movie: “The Penalty for failure is Death!”, not operational reality. But when it comes to the personally identifying data of refugees, persecuted minorities, and others who are fleeing violence, the consequences of their data, innocently collected to qualify them for humanitarian assistance, falling into the wrong hands is potentially dire.
I spent 22 years in the Information Security field at just about all levels, from penetration testing, through to policy, training, and Research and Development. From corporates and consulting to the world of cyber-warfare between nation states. In parallel to that I have been involved in humanitarian action for the last 12 years, first as a volunteer and then as an occasionally paid consultant.
I’ve never seen such a mismatch between likely opponents; on one side are the Agencies and NGOs who have to balance spending on perceived support functions like technology with trying to deploy as much money to the field as possible for maximum reduction of suffering. On the other side, oppressive governments,their allies, and sophisticated non state actors who view those fleeing the violence as potential national security threats or, worse, potential targets. They may have budgets of millions to spend on gathering data.
An example: Homs, Syria. An Agency collects personally identifying data for e-voucher distribution. Names, photos, qualifying information is all collected. The system has the functionality to collect GPS location data as well. No harm in turning that on and collecting that data is there? Except the data is compromised and now the Assad regime now has a ready made list, with pictures of everyone who was living and active in the rebel held areas of Homs, with dates. They didn’t flee to government held areas, this likely makes them suspect at best, confirmed rebels targeted for elimination at worst. Can these people ever go home?
This sort of nightmare begs other questions, ethical, operational, legal: Does the Agency know where its data is? How confident is the Agency that its data is safe? How do the people whose data was collected know that the Agency took the right safeguards for the level of threat? Do the agencies have a good threat actor model; is their opponent a sophisticated Cyber Warfare actor like Russia, Syria or Iran or common criminals and extortionists? What rights do the beneficiaries have to know about how their data is used and what it is being collected for? Was this explained to them in language they understood? Did they correctly understand the consequences if this data were to leak? The list steadily gets longer the more one thinks about it.
The humanitarian community is only just starting to grapple with these questions. Initiatives like The Signal Code published by the Harvard Humanitarian Initiative are a good start, and some very nascent organisational work is taking place in organisations like NetHope, but at the moment there isn’t a coherent approach, and perhaps more immediately there isn’t the technical expertise extant in the humanitarian community to assess the systems that are extant or to assess the security of potential procurement. Even now, many might write off this as a hypothetical threat, but that would be a terrible mistake; it’s not hypothesis, it is history.
The mismatch in resources is stark. Time to even the odds a little.
Following our first bruising brush with the reality of humanitarian data system security, I think it’s now time to pull the humanitarian and computer security communities together in defence of the world’s most vulnerable people. Most Information Security Professionals profess to be dedicated to helping people stay safe, at this point in time, that privilege belongs primarily to those of us in the developed world whose service providers can afford to pay for the expensive testing and training needed to keep our data safe. Furthermore, even if our data leaks, the results are very rarely ever life threatening. It’s time we as information security professionals started to give back to those for whom the penalty for security failure is potentially death.
Want to get involved? Have the skills and the time to give? Contact me, let’s get set up here.
It is time to make things happen.