How vulnerable are NGOs to cyberattacks?

Last month, tech giant Amazon put out a warning that "malicious state actors" had targeted NGOs working in Ukraine. It’s just one of several reports of what are feared to be Russian cyberattacks against humanitarian organizations in the region since Russia invaded its neighbor on Feb. 24. This follows a pattern from other conflict zones, where NGOs delivering humanitarian aid or supporting refugees have been targeted. Earlier this year, the International Committee of the Red Cross announced that it had been the victim of a major hack, which it said was likely to have come from a “state-like” group. Over the past two years, Olivia Williams, an information security specialist and former aid worker, has studied NGOs to find out how vulnerable they are to cyberattacks. Williams said she became interested in the subject when working as a videographer for NGOs operating in Nepal, Malawi, and Iraq, where she conducted interviews with the people supported by NGOs. But Williams said she started to worry about the security of the data on vulnerable people that she was collecting. While attaining her Ph.D. from American University in Washington, Williams studied 39 data protection and information security policies at 10 different NGOs, carried out an anonymous survey of 182 aid workers, and interviewed high-level experts. Devex asked her about the risks of cyberattacks on NGOs. This conversation has been edited for length and clarity. How likely are NGOs to come under cyberattack? There have been reports of hacking attempts against organizations working in Ukraine, for example. Organizations in Ukraine right now will have very vulnerable systems. Russian hackers will be trying to penetrate those organizations in various ways. We have seen it happen in other crises. We have seen it happen in Myanmar with the Rohingya. There’s an overarching belief among people in the field, working day to day, that they aren’t likely targets for threat actors. They are already dealing with some of the most difficult situations imaginable. They aren’t thinking about cybersecurity. But if you take a step back and see that some of the agendas of these threat actors can be satisfied by getting the information and using it as a weapon, then it starts to get really frightening quickly. In some communities, there are people of significant interest. If you’re tracking someone down who’s against your agenda and can influence the hearts and minds of a community, the easiest way is to get the data from the humanitarian agencies protecting them. And it’s not just attacks from state actors. Humanitarian organizations also collect a lot of financial information — credit card details and similar information — which could be used for fraud or identity theft. If cyberattacks do occur, how vulnerable are NGOs? My research found that the sector hasn’t really currently got the tools to deal with this. Most agencies have access to good policies. But if you’re doing your work in an emergency context where you just have to get the job done, it doesn’t matter if you’ve got the best policies. In a conflict situation, you can have a well-structured policy which is turned on its head in a few hours and becomes unmanageable and impractical. [NGOs] might not have the money to support the implementation of the security software. There might be good policies which don’t fit where there’s high turnover of staff. Local staff may not have the same ICT experience. You are enforcing a policy with people who don’t necessarily understand the context. You may be enforcing English-language policy with people for whom that’s not their first language. “Aid workers don’t want to report data breaches or near misses. … We need a culture of data transparency.” --— Olivia Williams, an information security specialist The humanitarian sector also uses a lot of audio and video files. They are collecting stories from beneficiaries. But I would say that for 99% of organizations doing AV [audiovisual] recording, it isn’t protected. So if people can get hold of that, they have not just data but people’s faces, images of the place they live, and the date, time, and location that the recording was taken. If that gets into the hands of someone with bad intentions, that’s a nightmare. And there’s a lack of confidence among aid workers about using technology. When I asked them about managing access permissions, a lot didn’t know what that was. When I asked about post-employment debriefs at the end of a project, many said they didn’t have debriefs at all, and others mostly said they had never been asked about data handling. It comes back to budget. It is very costly to have the right systems in place. So what can be done about this? What’s your advice for NGOs in Ukraine, for example? I don’t think there’s anything they can do about it right this second. There’s a lot of thought that goes into understanding what’s happening on the ground. It’s not easy to quickly implement a series of policies and procedures. You need to be learning right now about things that will be a problem in six months’ time. We need to start asking ourselves difficult questions right now. One of the things that I found in my studies was that aid workers don’t want to report data breaches or near misses. They were very nervous about talking to me. We need a culture of data transparency. The organizations in the Nordic countries are good with transparency, for example. They will hold their hands up. But there’s a huge difference in accountability from country to country and culture to culture. And that filters down into whether people feel able to speak out. We want to encourage a culture of making things public as quickly as possible. If you are hacked, then unless you have the money to respond and to manage it, you remain a sitting duck. When you are dealing with an ever-changing landscape of cyberattacks, funders need to be held to account on this stuff. They need to support openness and honesty. Funders should be saying that “for every grant, part of that money should be going to secure your system.” They should be asking about cybersecurity, and they should be doing it at the start of each funding cycle. They should be asking for reports. One of the recommendations is there needs to be some kind of entity that collects data on threats to the humanitarian sector — a bit like the University of Maryland, [College Park] terrorism database. We’re in the early stage of developing that. We will collect data anonymously. People can come to us privately and report data breaches and cyberattacks against them and their organizations. Culture can be changed, but it needs bravery and it needs conscious work. We could have more honest conversations about the expectations on organizations. You need a piece-by-piece culture shift. We need to chunk it down and make manageable steps.