Why the humanitarian sector needs to make cybersecurity a priority

In the not-too-distant past, international organizations (IOs) and non-governmental organizations (NGOs) working on humanitarian initiatives largely depended on landlines and fax machines to communicate and convey data back to their regional hubs or headquarters.

Now, like most businesses, NGOs and IOs have invested significant funds in information and communication technologies to enhance their crisis management capabilities. For example, better and faster decision-making is achieved through capturing and analyzing demographic data to identify vulnerable groups, online surveys have proven critical for water, sanitation, and hygiene teams in the delivery of population health services, and biometric-enabled digital vouchers have been instrumental in reducing errors and fraud in the payment of traders.

These changes make humanitarian aid faster and more efficient. Picking up these digital tools helps save lives. However, digital transformation has also made IOs and NGOs enticing targets for cyber attacks by criminals, terrorists, and authoritarian regimes. The reasons for this range from the purely financial – people in crisis make easy targets for scams and theft – to the political – digital is becoming another avenue to attack a regime's perceived enemies.

For example, in the United States, cyber-attacks against human rights and advocacy groups increased by 26% during the protests for racial justice that took place in the aftermath of the George Floyd killing. Throughout May and June 2020, the website security firm Cloudflare blocked 135,535,554,303 online requests to perform distributed denial of service (DDoS) attacks or break into websites and apps (that’s ten times more blocked requests per second than Google’s typical entire search volume over the same period).

The most targeted organizations by far were advocacy groups, who experienced a 1100-fold increase; many going from zero attacks to 20,000 requests per second on a single site. The anonymity of cyberspace makes it impossible to tell who the attackers were for sure, but the impact of these organizations included websites going down, issues with infrastructure and increased vulnerability to other cyberattacks.

Larger organizations have also experienced these new vulnerabilities. The United Nations was breached by hackers in early 2021, and persistent threats based on that breach are still ongoing. The data breach was said to have originated from employee credentials being sold on the dark web. The attackers used this entry point to move farther into the UN’s networks, conducting reconnaissance and initiating further attacks.

And even connections with some of the most well-funded and secure governments in the world can’t offer protection from cybercriminals. In May 2021, a hacker group called Nobelium infiltrated the email systems of the US State Department's Agency for International Development (USAID) and proceeded to send out an infected message to 3,000 accounts targeting 150 different organizations across 24 countries, with more than a quarter of them involved in international development, humanitarian, and human rights work.

IOs and NGOs are significantly underfunded when it comes to addressing growing cyber threats, all while they are increasingly being targeted. Some of these attacks are surely driven by the nature of these organizations’ work, but many other online attackers simply see them as low-hanging fruit in their bid to extract a ransom or fraudulently access funds. The lack of funding has makes it challenging for many organizations to recruit talented practitioners and implement much needed cybersecurity roadmaps. In light of the global economic impact of COVID, fundraising has become even more difficult.

This is why thinking about risk is vital to IOs and NGOs. Even if the funding pool will never match that of private sector cybersecurity defense, leaders in these organizations can take on some of the strategic lessons the private sector has learned. To implement and sustain resilient online systems, the points below should be considered. Many of these ideas do not add to an organization’s costs, they merely require planning and understanding of cyber risk issues at the leadership level.

· Risk assessment: understanding the various risk exposures is key to securing IT systems. When developing new systems or applications, a risk assessment should be performed to identify all threats and impacts, and match them with countermeasures, owners, and due dates.

· Capacity building: at a bare minimum, there should be a dedicated information security focal point within the organization, who is responsible for monitoring and responding to threats, and who can quickly engage external subject matter experts as required.

· Business continuity and incident response: an organization must have a business continuity plan in place that it can use in the event of a disruptive security incident. Personnel must also know what to do and who to contact when a security incident happens. The information security focal point or incident response team must have a documented plan to respond to a breach or compromise, and that includes what external parties to engage for reliable assistance.

· Independent security audits: security audits should be conducted at least annually and should be performed by an external party with no associations or entrenched interests in the organization.

· Data governance: a data governance policy ensures that the organization’s data is reliable, accurate, timely, and available to those with a legitimate need for it, and the authority to access it. Such a policy also makes certain that data is secure and protected based on its sensitivity.

· Better budgets: one more consideration, budgets, requires a mindset shift on the part of donors and organizational leadership. Donors must view cybersecurity as critical to aid operations, and detailed presentations should be made to funders that outline the financing needed for humanitarian organizations to get up to speed, build security teams, and develop cybersecurity response capabilities.

Finally, like many issues in cybersecurity, cooperation between defenders is key. Humanitarian organizations can benefit from closer working relationships with the private sector.

These organizations should ensure that their boards have some cybersecurity expertise at their disposal. Depending on the organization’s risk profile, that might mean bringing in a technology or cybersecurity expert from industry. At the very least, boards must consider cyber risk as a recurring topic on the board’s agenda. This will allow organizations to position cybersecurity as a pervasive risk, understand the legal implications of cyber risk, enhance the protection of valuable assets against cyber-attacks, and focus on supply chain risks, among others.

Corporations need to exercise corporate social responsibility in relation to digital trust. They must consider funding the important work of IOs and NGOs, and also reflect on how the technologies they develop and promote can have an adverse impact on humanitarian and social goals. They could provide direct financial assistance, or could make gifts in kind of cybersecurity tools and infrastructure, helping these organizations to build their capacity.

In one specific example of how technology can be implemented more responsibly, cloud providers should recognize how these organizations use their products. They need to work with them to develop customized offerings that allow IOs to take advantage of their privileges and immunities through a ‘sovereign cloud’ or a ‘digital embassy’. This can help organizations to better leverage the security capabilities of cloud, while ensuring that their systems and data also maintain their traditional protections against to undue court orders from oppressive nation states. In this way, technology, responsibly developed and implemented, can improve IO’s capabilities without compromising traditional protections.

Already, many private companies and other organizations have developed offerings to support IOs, NGOs and not-for-profit organizations. Replicating and scaling such programs through greater private sector investment would be instrumental in broadening support for NGOs and IOs.