Cybersecurity at the fringe: Protecting the most vulnerable
By Ming En Liew
In the heat of war and aftermath of catastrophic disasters, humanitarian NGOs are often the first on the ground to serve the vulnerable. But in cyberspace, they are the vulnerable ones. Stéphane Duguin, CEO of CyberPeace Institute, explains how the Institute’s Humanitarian Cybersecurity Center hopes to be their shield.
The CyberPeace Builders programme brings together private sector volunteers to support the cybersecurity posture of humanitarian NGOs and equip them with the necessary skills. Image: CyberPeace Institute
“In cyberspace, as long as not everyone is secure, no one is,” says Stéphane Duguin, CEO of CyberPeace Institute, a nonprofit based in Switzerland. “That’s why we focus on activities to protect the most vulnerable.”
In particular, the CyberPeace Institute has focused its efforts on protecting humanitarian organisations, which he defines as those providing relief in crisis situations and ensuring that aid is delivered to those who most need it.
When the operations of such organisations are hindered, it’s not just the people within the organisation that are impacted. “It’s everyone that this organisation is servicing - millions of people who are dependent on humanitarian action,” Duguin says. And when these organisations are targeted, the human impact is dire, he adds. In certain cases, it can even lead to the loss of life.
Besides being the keepers to large amounts of finances and data that make them attractive targets to both criminal groups and state actors alike, humanitarian organisations often also lack proper cybersecurity protocols.
Duguin quoted a 2018 study conducted by NTEN (Nonprofit Technology Enterprise Network), which found that only one in 10 non-government organisations (NGOs) train their staff regularly on cybersecurity. Meanwhile, only about a quarter monitor their networks, and about 20 per cent have a cybersecurity plan in place.
The cyber challenges hindering humanitarian NGOs
Several challenges impede the ability of humanitarian organisations to protect themselves, according to Duguin. First, the nature of their work means that most of their budget is dedicated to operational projects and activities.
“People in these organisations who specialise in fundraising…are not used to this narrative that they also need to ask for cybersecurity capabilities,” Duguin explains.
Another key gap faced by the humanitarian sector is the complexity of their operations. Humanitarian NGOs are often home to a mix of staff, volunteers, and other individuals. Oftentimes, their supply chain is extremely complicated and involves cross-order operations.
“It’s very difficult for the organisation to map their organisational technical landscape and make the threat assessment of where their vulnerabilities are because it’s so diverse in terms of jurisdiction, infrastructure and staff,” he explains.
And much like many other organisations, such NGOs find it a challenge to hire and retain cyber talents amidst stiff competition from the private sector.
Cooperating to serve the vulnerable
“We built the [Humanitarian Cybersecurity Centre] as an answer to these issues,” says Duguin.
The centre does not only provide cybersecurity services for free to these organisations, but also makes it easier for organisations to implement cybersecurity protocol. “If the friction of the help is too high, then this won’t work,” he explains.
One such initiative to facilitate this was a volunteer programme called the CyberPeace Builders, where private sector entities provide more than 300 volunteers to service these humanitarian organisations. Having this support enables the organisations to build up their resilience, increase their cybersecurity maturity and be less prone to cyber attacks, Duguin says.
Other similar projects are in the pipeline, but scale and sustainability can only be achieved with the right partnerships, Duguin says. Cyber criminals and malicious actors know very well how to cooperate. For humanitarian organisations to defend themselves, they too will need to work together.
“We want to have a similar system where cooperation is going to be very agile and very fast so that we can cope with the threat,” he says. “The Humanitarian Cybersecurity Center is the platform to foster these corporations.”
“We welcome governments who would want to support this ambition, to increase the resilience of humanitarian actors to make sure that there's going to be a decrease in the impact of cyberattacks against them,” he adds.
Governments in particular play an important role in enforcing regulation to protect these organisations, he adds. “That's where governments have this overall responsibility…when it comes to enforcing norms of responsible behaviour and international humanitarian law, that all of these bodies of law would be operationalised to protect the humanitarian sector.”
The need for data
“There is no way that anyone can take any action if we don't have data,” Duguin says. “You cannot police what you cannot measure.”
This is why another service the centre is looking to launch is a study into the threat landscape, Duguin shares. This includes in-depth analysis of the reality of attacks against the humanitarian sector about what types of attacks are most prevalent, what are the methods of attacks commonly used in different types of crises, and measuring the human impact of such cyber attacks.
The centre is currently in the process of developing a secure information exchange among NGOs that have been targeted by cyber threat actors and making the best of threat intelligence. The hope is that this can help the centre proactively detect attacks against the sector, as opposed to simply relying on reactive cybersecurity.
Data is also important for the organisation to be able to scale the help they are able to provide to NGOs, Duguin says. Their objective is to reach 1,000 humanitarian organisations by 2025, up from the 300 organisations they are currently serving. But to do so, Duguin says that an evidence-led strategy will be key.
“A lot of discussions that we had with NGOs were surprising…in the sense that they had no idea about the type of threat they were really facing,” he explains. This lack of understanding then makes it difficult for them to design a cybersecurity strategy, as they do not know who wants to attack them and why.
“This is why we have our own independent analytical capabilities in the institute with the capacity for big data analysis,” he explains. For instance, the Institute has been measuring the human impact of cyberattacks throughout the Russia-Ukraine War.
When data on such cyber attacks are monitored and recorded, it gives institutions a better idea of the impact of such attacks as well as the intent and modus operandi of the attacks. This then informs organisations on how to put in place protective measures faster and more efficiently, Duguin says.
Organisations and agencies keen to support the work of the Humanitarian Cyber Centre can contact the CyberPeace Institute to find out about their volunteering opportunities.
Also read: A fresh take on privilege access management to safeguard against cybercrime