Most international staff I know who are working in the humanitarian field aren’t paying any attention to cybersecurity. Why is that? For starters, it’s an issue rooted in the security community which humanitarians have traditionally tried to maintain at arm’s length. But also humanitarians see themselves as the good guys; “we’re delivering food and water to needy people,” the argument goes, “who would want to launch a cyberattack against us?” While this argument has been undermined by the fact that even well-meaning humanitarians are targeted by armed actors using traditional weapons, there’s still a reluctance to pay attention to cybersecurity. And humanitarian actors are under pressure to keep their overheads low so that they can distribute most of their funds to people in need – not to beefing up their IT departments.
Inspired by my colleague Peter Singer’s new book, “Cybersecurity and Cyberwar: What Everyone Needs to Know,” I humbly suggest four reasons why humanitarians should pay attention to this field.
First, like everyone else, humanitarians are dependent on technology and on the Internet. Our systems are managed, our funds are recorded and our stories are told online. If our servers go down, we’re lost. Even though we work in many countries where internet access is unreliable, we depend on our computer systems. A few months ago, hacking of one retail store – Target – affected some 70 million people. I suspect that systems for tracking online donations for charitable donations are even less secure than for a big commercial enterprise than Target. And the risks may be much greater than those affected by the attack on Target. When life-saving aid isn’t delivered on time and to the right beneficiaries, people can die. This dependency makes us vulnerable.
Secondly, this vulnerability isn’t just a future threat. Armed actors and governments are already tracking our work online, sometimes tracking our words. They can use information collected from the internet to shut down operations or kick a group out of the country, as occurred in Darfur in March of 2009 when 13 international NGOs were asked to leave the country, a decision the government justified on the basis of documents it obtained through searching internet connections. The potential for even more deliberate and far-reaching attacks is clear. While international humanitarian agencies typically have security protocols which set out standards for compound security and provide training about what to do if kidnapped, there doesn’t seem to be a similarly robust approach to protecting computer systems (or if there is, it isn’t discussed by anyone except IT departments).
Thirdly, many humanitarians deal with sensitive personal data. Syrian refugees registering in Jordan, for example, have their biometric data – as well as their names and personal information – entered into a registration system. As UNHCR and others are well aware, that information could be a life or death issue if it falls into the wrong hands, say, a government-affiliated militia, if the Syrian refugee decides to return home. There is also personal information kept on staff which, if a criminal group wanted to get nasty, could be used to do lasting harm. Local and national humanitarian actors may be even more vulnerable if sensitive information falls into the wrong hands.
Fourthly, humanitarians should be grappling with the implications of responding to the victims of cyberattacks or cyberwar. Civilians are often targeted as a strategic priority in traditional combat – the same may be true for cyberattacks. Just as it’s easier for a militant group to attack an unarmed aid worker than a US soldier, it’s easier for a cybercriminal to hack into an NGO computer system than a military one. It may be that international humanitarian law would provide adequate guidance, for example in the prohibition against attacks on civilian institutions (although it is likely that cyberwarriors and cybercriminals haven’t read the Geneva Conventions). But if there is an attack; say, on the power grid which affects hospitals and schools, would humanitarians feel compelled to respond in the same way as if those institutions had been attacked by conventional weapons? What if something goes wrong with a cyberattack intended for a military target and civilians end up as the victims? Does it matter what the intention was? Moreover, as my colleague Peter Singer also points out, it can be harder to figure out who is launching a cyberattack than one carried out with traditional weapons, and thus harder to come up with accountability mechanisms. Would those responsible for launching cyberattacks fear being dragged into The Hague to face trial at the International Criminal Court? Do we need to rethink how international humanitarian law applies in a world where we’re all so dependent on computer systems? I’m glad that ICRC is looking into the implications of cybertechnologies on international humanitarian law but are these issues that potentially affect all humanitarians?
What can humanitarians learn from others who have taken cybersecurity more seriously? Actually, a good starting point (after all, I am a researcher) might be to collect information on the present state of affairs. A survey on humanitarian organizations’ cybersecurity policies could be very useful – just as Humanitarian Outcomes’ annual survey on physical attacks against humanitarian workers serves as a resource and a benchmark for humanitarian actors everywhere. Such a survey, without naming names, could perhaps encourage humanitarians to do more to take cybersecurity seriously, and could provide some basic information on such issues as: how many IT staff do humanitarian agencies have? What kind of training in cybersecurity is used in the humanitarian world? Could common training modules be made more widely available?
Another possibility is to learn from the corporate world, where sharing information on threats and strategies has been key to protect companies from cyberattacks. For starters, it might be useful for IT departments of major humanitarian actors to meet, share experiences and map out strategies. Moreover, maybe this is an area where pro bono corporate expertise might be welcome. Just like private law firms often offer free legal assistance to non-profits, perhaps corporate enterprises would be willing to share what they’ve learned (the hard way) with non-profits. While there are concrete measures that can be taken, perhaps the most important step is to recognize that cybersecurity is an issue for humanitarians.