While the transition of aid from the physical to the digital space has brought many benefits for the humanitarian community and the people it serves, the digitalization of essential services does not come without costs.
For example, the internet can be used as a weapon of war, whether through shutdowns or cyberattacks — as evidenced by recent internet outages in Yemen and hack of the International Committee of the Red Cross’ servers.
USAID hack is 'wakeup call' for aid industry on cybersecurity
A cyber attack targeting humanitarian and development organizations, by the same group behind the SolarWinds hack, sends organizations into emergency response mode.
These can be matters of life and death for vulnerable people worldwide.
Now, as tensions between Russia and Ukraine escalate, experts tell Devex that the humanitarian community must prepare for its digital systems to come under attack — or become yet another example of the risks of an increasingly digitalized humanitarian sector.
Some argue the humanitarian sector has not been particularly humanitarian in the way it has gone digital.
Investments in innovation have been responder- and donor-centric, instead of beginning by asking what is best for affected communities, said Nathaniel Raymond, a researcher focused on the human rights implications of ICT and a lecturer at Yale University’s Jackson Institute for Global Affairs.
“We have basically been spending all of our money on magic and on aspirations for what we want to have happen in technology,” he said. “As we become more reliant on technology, we become more vulnerable, and thus our beneficiaries become more vulnerable.”
Raymond called for the humanitarian community to invest more in two areas: updating international humanitarian law for the age of cyber information warfare, and developing contingency plans in case of internet shutdowns or cyberattacks.
“All of these situations require a very strong contextual sensitivity and a high technical literacy about what’s happening.”
— Dianna Langley, senior director of engagement, NetHope“We’re exactly in the world we made,” he said. “And we made this world not based on what we invested in, but based on what we didn’t invest in; not based on what we prioritized, but based on what we didn’t prioritize.”
Raymond has advocated for the creation of what has been called a digital humanitarian space, in which data is collected for humanitarian purposes with the same level of international protection as ambulances or aid workers.
He said the most recent quadrennial review of the Geneva Conventions in 2019 was a missed opportunity to make this a reality.
And now with the situation in Ukraine, which Raymond described as a “cyber informatics conflict that targets civilians,” the humanitarian community runs the risk of a data breach with dire consequences.
Humanitarian organizations are used to dealing with limited internet access, power outages, or slow internet speeds in many of the contexts where they work.
But the biggest risks and potential for harm lie in areas where governments or other actors block digital access entirely, said Ziad Al Achkar, a researcher focused on the intersection of digital technology, business, and humanitarian affairs.
From Yemen to Tigray to Sudan, when the lights go off, many people are at serious risk, unable to access food, send money, or reach out for help.
“We have to have redundancies,” he said. “Should the worst case scenario happen, we can use XYZ tools that can allow us to continue operations, deliver aid, and communicate with communities.”
The Pro read:
USAID’s chief digital development officer outlines his priorities
Christopher Burns, who assumed the role at the end of last year, speaks with Devex about his plans to "cultivate an ethos of responsible, inclusive, and democracy-affirming digital development."
While many humanitarian organizations can bypass government shutdowns, for example by setting up satellite connections, the people they serve cannot, Al Achkar said.
He said that in the same way groups working in natural disaster settings must build for constraints in those contexts, organizations in a broader range of geographies should be prepared to return to traditional means of data collection and service delivery.
As internet shutdowns continue, Al Achkar said humanitarian organizations must engage in high-level political conversations about how essential access to digital services are.
The nonprofit sector needs a set of strategies to handle emergency situations, whether internet shutdowns or cyberattacks, and the resources to put those plans in place.
Most nonprofits do have analog backup plans in case they have to take their work offline, said Dianna Langley, senior director of engagement at NetHope, which brings nonprofit organizations and tech company partners together for projects including connectivity and infrastructure.
“It’s just the speed and efficiency and impact level is greatly reduced,” she said. “So will they still get the job done? Absolutely they will. Will it be as fast, reach as many people, or be as efficient? Of course not.”
“We have basically been spending all of our money on magic and on aspirations for what we want to have happen in technology.”
— Nathaniel Raymond, lecturer and researcher on the human rights implications of ICT, Yale UniversityRecent news events highlight the growing number of risks of digitalized humanitarian aid.
“All of these situations require a very strong contextual sensitivity and a high technical literacy about what’s happening,” Langley explained. “Nonprofits are being outgunned.”
She said the sector needs more skilling and resourcing in order to not only maximize the opportunities but also minimize the risks of digitalized humanitarian aid.
Many humanitarian organizations are focused on the front end of technology: building it, deploying it, and closing out the project.
Opinion: Why civil society remains so vulnerable to cyber attacks
Despite increased awareness among civil society groups about cyber resilience, few have basic security policies and procedures.
“That’s only 20% of the problem,” said Rakesh Bharania, director of humanitarian impact data at Salesforce.org, during a panel Tuesday at the ICT4D conference. “Sustainability and supportability are key.”
Particularly when it comes to personal data, which is ripe for exploitation, it’s critical to pay attention to the back end — to maintain services and to keep that information secure and protected for the long term.
Bharania acknowledged some of this work is less appealing to donors, and called for humanitarian organizations to demand that donors increase support for digital infrastructure.
In a blog post Wednesday, he reiterated his concerns, in light of the unfolding crisis between Russia and Ukraine: “We would all hope that combatants and other digital threat actors would respect the role of humanitarians and not target these organizations and their data. But we must never assume that they will. We must prepare. Now.”
Last year, the United Nations Office for the Coordination of Humanitarian Affairs finalized data responsibility guidelines for the ethical, safe, and effective management of data.
It’s one example of how “the innovation narrative is increasingly becoming a protection narrative,” said Raymond of Yale.
The humanitarian community has taken steps in the right direction, but only because it had no choice, he added.
“They’re changes that have happened because reality has come and roosted in the henhouse of aspirational technology,” Raymond said.
He pointed to the ICRC hack as the latest example. But Raymond also applauded the way the organization came forward, saying that other organizations may not admit to such a breach. He warned that the sector lacks any kind of critical incident procedure, a set of actions to take in order to prevent and respond to an attack.
“And here’s the dirty secret,” Raymond said. “We are rewarded by silence. The perception is we’re going to get hit by donors if we go out and tell the truth.”
The humanitarian sector can’t abide by the do-no-harm principle if it doesn’t know the harm it is causing, he said.
“We are degrading the operational evidence we need to protect the people we have a duty to serve,” Raymond said. “Because we don’t want to tell the public and the donors that on a shoestring and no training we got knocked over by the most advanced cyber actors in the world and we had actual data they could use to do harm.”