A coalition of organizations are coming together to launch a central resource to support the information security needs of humanitarian organizations. Photo by: Lex Photography / Pexels
High-profile incidents, from hackers mimicking the U.S. Agency for International Development’s email marketing account to a cyberattack targeting the International Committee of the Red Cross servers, have served as wakeup calls for the aid industry.
Still, most NGOs are unprepared to face the growing threat of cyberattacks.
Last week, NetHope, a consortium of nonprofit organizations focused on technology for good, USAID, and Okta, a technology company that offers identity verification products, announced a partnership to tackle the challenge — the coalition of organizations are coming together to launch an Information Sharing and Analysis Center, a model that many organizations use to share cyberthreats within their sectors.
The ISAC aims to provide a central resource to support the information security needs of humanitarian organizations, offering training and advice on cybersecurity and threat response, identifying risks and suggesting fixes, and providing tools and technology to react to threats.
While protecting the sensitive data they collect can be a matter of life or death, many aid organizations are unable to prioritize information security, as they respond to increasing humanitarian emergencies.
“The bad guys get to innovate too, and the bad guys have been innovating, so while we’ve been trying to figure out how to get the ball rolling, the threat continues to change and evolve”
— Rakesh Bharania, president, Tarian Innovation“How do we know when we’ve actually been breached by an intruder?” said Lance Pierce, CEO of NetHope, at the virtual event announcing the new partnership. “Well, the answer is that breaches are discovered by information security and digital protection professionals who regularly come together in an ISAC to share relevant information, to analyze potential anomalies that could signal a breach has taken place, and to take collective action in shared strategies that isolate and contain the threat, and ensure continuity of operations and human safety.”
Across many sectors, ISACs have helped organizations to deliver their services in a secure manner by identifying shared threats, developing joint responses, and dealing with their collective cyber-risks.
Pierce said NetHope has consulted with ISACs across other industries as they stand up this new effort.
NGOs face a number of challenges in cybersecurity maturity, said Stéphane Duguin, CEO of the CyberPeace Institute, a Switzerland based NGO focused on reducing the harms from cyberattacks, which has also agreed to join the partnership.
For example, they often struggle to attract and retrain cybersecurity talent, and report to donors who by and large do not understand the importance of investing in cybersecurity, he said.
One out of 10 NGOs train staff on cybersecurity, one in four NGOs are monitoring the network, and one in five have a cybersecurity crisis plan, Duguin said.
Cybersecurity is a key focus of USAID’s digital strategy, providing one example of how donors and implementers alike are seeing the growing need for digital protection.
“There is less and less distinction between digital work and humanitarian work,” Stanley Byers, cybersecurity team lead at USAID, said at the event.
These digital technologies come with exciting opportunities as well as dangerous, even deadly, consequences.
“We need to build an acknowledgement and response to those threats and risks into everything we do. And to all the different ways that we think about it,” Byers said.
The private sector can play an important role in helping NGOs counteract these threats, said Erin Baudo Felter, vice president of social impact and sustainability at Okta.
“We have to listen first. We need to ask civil society organizations what they are facing, what the impact is that they're trying to deliver, and what they need. And we need to do that before we try to sell them anything,” she said.
Companies can support NGOs with their people, their tech and tools, and their dollars, including through corporate philanthropy that can often take greater risks than more traditional donors, Baudo Felter said.
There is growing urgency for public private partnerships to address humanitarian cybersecurity with a new and increasing threat coming from nation-states.
“Nations using state-of-the-art technology are increasingly targeting the humanitarian sector to identify the individuals they’re serving and where they're located,” NetHope’s Pierce said. “They want to know the locations of service that these organizations are providing and the names, and the location, and in some cases the homes of the staff who are providing those services.”
This ISAC is an example of the kind of collective action humanitarian organizations need to take, because their digital security is in crisis, experts told Devex.
“Humanitarian organizations are in this terrible situation where they have high risk but low capacity,” said Rakesh Bharania, president of Tarian Innovation, which focuses on the thoughtful application of technology for humanitarian assistance and disaster relief.
ISACs are a proven vehicle for trusted information sharing across sectors, he said.
“Even organizations that are competitors with each other will be able to go behind closed doors and share really sensitive information knowing it will be shared in confidence,” Bharania said.
In fact, Bharania proposed the ISAC idea to NetHope back in 2016, when he was a leader in technology company Cisco’s humanitarian response program. While an organization called NGO-ISAC supports United States-based nonprofits with cybersecurity best practices, nothing like it has existed for the wider humanitarian sector serving some of the most vulnerable populations on the planet. Bharania saw NetHope as a natural center of gravity to tackle the risks of an increasingly digitized humanitarian sector.
Since then, a number of factors have converged to make the vision a reality. Cisco provided NetHope with a $15 million grant that enabled the organization to make digital protection a programmatic priority. There’s a growing number of crises ringing the alarm bells for the humanitarian sector to devote more resources to protecting digital infrastructure, most recently the war in Ukraine. And the right partners are coming to the table, with USAID bringing funding, Okta bringing technical expertise, and CyberPeace Institute bringing the experience of building cybersecurity capacity in other sectors.
While this ISAC is promising, more needs to be done to make the kind of progress that’s needed for digital protection in humanitarian action, Bharania said.
“The bad guys get to innovate too, and the bad guys have been innovating, so while we’ve been trying to figure out how to get the ball rolling, the threat continues to change and evolve,” he said.