Humanitarian Organizations and Cyber Security Challenges
Not too long ago, humanitarian organizations working in crisis zones could only access telephone or fax, limiting their ability to communicate and supply data to their headquarters.
Digital Humanitarian Space
In recent years, the public and private sectors have been embracing a complete digital transformation. Humanitarian organizations have invested heavily in information management to improve their response to a crisis. Predictive and situational analyses can be done much faster now, and Disaster Risk Reduction benefits from quick and easy access to data within an organization’s digital infrastructure.
Vulnerability & Sensitive Data
Humanitarian organizations have been increasingly using and storing large quantities of data and communications within their digital infrastructure. This quick transformation of information and communication technology (ICT) in the humanitarian landscape has made it a new potential target for cyber attacks by criminals, terrorists and authoritarian regimes.
Cyber Attacks on Humanitarian Operations
In October 2014, UNICEF’s official Twitter page was hacked and the hackers sent out seven tweets. Luckily, UNICEF was able to delete the tweets quickly, and they publicly attributed the hack to the SEA.
In 2016 British surgeon Dr. David Nott, who had guided medical operations virtually in Syria, suspected that a hacker used information from his computer to attack the M10 hospital in Aleppo. Dr. Nott helped his Syrian colleagues during an operation, via Skype and WhatsApp, on just one occasion. Weeks after this, the Aleppo hospital was hit by a “bunker buster” bomb.
In June 2018, an Amnesty International staff member was targeted by mobile spyware produced by the NSO Group, a major player in the shadowy surveillance industry. Last week on 3rd July, 2021, Amnesty International published an investigation that reveals the extent to which the digital domain we inhabit has become the new frontier of human rights violations.
The list of attacks on humanitarian organizations and their members goes on, but one incident makes it very clear that the attackers who target international humanitarian organizations are highly sophisticated.
On January 29th, 2020, The New Humanitarian published an investigative piece that triggered warnings to all Intergovernmental Organizations. While conducting research on cybersecurity, the respected publisher came across a confidential UN report that revealed the largest ever known cyber attack that affected the global organization. Many UN servers, including systems at its human rights offices as well as its human resources department, were compromised and multiple administrator accounts breached.
Recent studies show that humanitarian organizations have a long way to go to ensure a sufficient level of technical security against cyber-attacks. Most staff are not aware of the nature of the threats faced by field operations or of basic data security practices, such as how to identify malware attacks.
“We live in a vulnerable digital world. Increasingly regular reports of cyberattacks on governments, private companies and individuals catalog successful and failed attempts by hackers to damage or hold hostage entire computer networks. There is still one sector that, to date, we have largely overlooked while exploring the importance of bolstering cybersecurity: our own.” writes Massimo Marelli, the Head of Data Protection at ICRC, in a blog series on a humanitarian cybersecurity strategy.
Most humanitarian organizations lack the expertise and technical skills to build a resilient digital infrastructure. The leadership of some of the world’s more important organizations are so focused on responding to crises that they overlook the need to conduct risk assessments before their data is the target of a breach. In most humanitarian organizations, there is often little to no funding for cybersecurity.
What Can Be Done?
While cybersecurity practices are very common in the private sector, their adoption is not widespread among humanitarian organizations. To build a sustainable resilient digital infrastructure, the following points should not be overlooked.
- Risk Assessment: Understanding the spectrum of potential data breaches is very critical to the security of a system. While building a new application or a system, a threat model should be created where each identified threat is matched with mitigation measures.
- Security Audit: Security audits should be conducted at regular intervals. An annual security audit by an external party not associated with the development team is recommended.
- Build Internal Capacity: Have at least one information security officer within the organization who can monitor the system and call in the external security provider when needed.
- Secure Security Funding: It is important to ensure the financing of security of any project, so make sure to include the security budget in the proposal to the donors. Make a comprehensive presentation to the donors on the potential threats and necessary mitigation measures.
- Contingency Plan: It is life saving if the organization has a contingency plan ready to go for when an incident or breach occurs. All staff within the organization must know who to contact once they detect a security compromise. The security officer or team must have an outlined plan on what to do with the affected infrastructure and what external organization can be contacted for assistance.
- Improve Communication with Partners: All the partner organizations must follow the same security protocols. Clear communication between partners can help flag any potential threat so that it can be resolved in a timely manner.
- Consistent Data Policy: A consistent and highly secure data protection policy must be adhered to at all stages of the project.
The creation of data continues to grow in every sector and data is now an important part of the world economy. The Humanitarian sector has been producing digital data for decades and will continue to do so. Those data and analysis tools provide humanitarian organizations with insights for advanced intervention methods to a crisis.
Possession of data is a greater responsibility than just a digital asset and mismanagement of that responsibility can be costly. Data breaches can result in expensive fixes, lawsuits, and, in the case of humanitarian organizations, real harm for affected populations.
The humanitarian sector needs to be very careful with its data collection and storage methods and start using more cybersecurity practices.
Data Friendly Space (DFS) is a nonprofit actively involved in the humanitarian sector, providing data solutions and cybersecurity to humanitarian organizations.
DFS recently conducted a full security audit of the DEEP platform. DFS has also been involved in creating a secured system around the digital infrastructure of the Internal Displacement Monitoring Center (IDMC).
Please write to us at firstname.lastname@example.org to learn more about our approach and methodology towards data and cyber security for DEEP and IDMC.
Written by: Rishi Jha — Communications & Partnerships — Data Friendly Space