Watch: Risks for NGOs in times of cyberwarfare

Cyberattacks on NGOs have become a higher profile issue in the last few months. In February, more details came to light concerning a major cyberattack affecting the International Committee of the Red Cross. And in March, reports emerged of attacks on NGOs responding to the Russian invasion of Ukraine. In a recent Pro Live event, Devex was joined by Olivia Williams, a data security consultant and former NGO worker from Apache iX, and Rohan Hewavisenti, chief financial officer at Amnesty International, to discuss the risks of cyberattacks and what to do in the face of them. Keep reading for the key takeaways from the discussion. Amnesty under attack in Hong Kong NGOs face challenges both as employers who can be exploited for purposes of fraud or identity theft, but also from foreign governments, Hewavisenti said. “In Hong Kong we had a data breach, and it was committed by the Chinese government,” he said. “Our head of it at the time could see data being withdrawn from our servers by the Chinese authorities, so we do get targeted directly by state actors.” Cybersecurity failures have led to significant real-world consequences for those using NGO services, Williams said. “In 2017 NGOs collected biometric data on the Rohingya community fleeing Myanmar,” she said. “It was collected in a humanitarian context but it was passed to Bangladeshi authorities and it was used to track individuals to ensure that certain people from this ethnic community weren’t granted refugee status. “In 2018 beneficiary data was exposed when beneficiary data was exposed when a vulnerability in a cloud-based server was used by an NGO in West Africa, and that exploited and revealed the names, photographs, family details, pin numbers, map coordinates of more than 8000 families receiving assistance,” she added. The gap between policy and practice There is a significant gap between the policy laid down by NGOs and what is actually practiced in the field, Williams said. “I read all of these well-written policies around best practice in the field, but I knew that those policies, the ones I'd seen anyway, what often weren't applicable to the field and the chaotic environment, especially emergency response,” she said. “I think we need to have a much, much richer, more in-depth, broader conversations about responding to those contexts, and not just applying best practice on a nice day when you haven't got chaotic things happening to you.” Aid staff face an extremely challenging environment and are often lacking in resources to deal with it, she said. She spoke of staffers taking their own devices to work and using them to transfer data, but not deleting it afterward. Many NGO staffers lack confidence when it came to cybersecurity, she said — and audiovisual equipment was potentially particularly vulnerable. Cybersecurity needs more resources NGOs are struggling to adequately resource their cybersecurity, Hewavisenti said. “We've got resources for three information security staff Amnesty International,” he said. “But currently we've only got one person. We just struggled to recruit. It's a candidate's market and so it's hard to recruit professionals, but it's particularly hard in the IT sector, and even harder in cybersecurity.” He also said it was extremely important for NGOs to plan in advance what they were going to do in the face of a cyberattack, and have resources ready to provide support. “I went to a seminar by Clive Woodward, who was the coach of the England rugby team, and he called it T-cup thinking: Thinking correctly under pressure,” he said. “You've got to think of those scenarios beforehand, run through what you're going to do, get some practice in doing it when you can think clearly. If you're under pressure, if it's 4 o'clock in the morning and you've been hacked, you're not going to think clearly.”