After deliberate cyber attacks against humanitarian organisations in 2022, this sector needs to move faster to develop a collective action mindset and improve risk awareness and cybersecurity.
By Balthasar Staehelin
In January 2022, the International Committee of the Red Cross (ICRC) detected that servers hosting personal data belonging to over 515,000 people worldwide had been hacked in what proved to be a sophisticated cyber-attack. This data from 57 National Red Cross and Red Crescent Societies and the ICRC had been gathered in the context of reuniting separated families. The event confirmed what many had feared: the growing trend of cyber-attacks would not spare the humanitarian sector.
Such attacks against humanitarian actors are particularly alarming as they could lead to direct harm to people in need and disrupt vital services to these populations. In the case of a data breach, should sensitive data fall into the wrong hands, it risks undermining the trust on which humanitarian access hinges.
An immediate, transparent communication on the attack to partners and the public kicked off ICRC’s multi-faceted crisis response. Actions included maintaining the humanitarian service via basic workaround solutions, launching information campaigns for the affected persons, carrying out protection risks assessments, reconstructing and rolling out the breached systems with enhanced security features, hardening ICRC’s overall IT environment, providing support to concerned National Societies of the Red Cross and Red Crescent, engaging donors and partners and monitoring the dark web to detect any possible publication or trading of the potentially exfiltrated data (to the best of ICRC’s knowledge, this has not occurred till date).
A crisis always brings the opportunity to learn and progress. This attack spotlights the paramount respect for humanitarian actors not only in the physical world, but equally in cyberspace, where humanitarian data must never be breached or used for any non-humanitarian purposes. This “sanctity” of humanitarian data is an important policy goal that the Red Cross and Red Crescent Movement now pursues.
"Digital technologies have a major impact on conflict environments, the people, and organisations working therein."
Digital technologies have a major impact on conflict environments, the people, and organisations working therein. The ICRC has long believed that to adequately deliver on its mandate to protect and assist victims of armed conflicts, it must understand the impact of such technologies, use them where feasible to help people, and seek to prevent or mitigate the consequences when the technologies can contribute to harm.
Thus, the choice of technology and the management of data cannot be approached from a purely technical perspective. Both have important operational, legal and policy ramifications that require due consideration and related investments.
In this vein, in 2015, the ICRC adopted binding rules on personal data protection whose implementation is overseen by the Data Protection Office and a Data Protection Commission. The ICRC recently opened a delegation to cyberspace, based in Luxemburg, as a safe testing ground for research and development on issues of technology, policy, operating modalities, and law related to cyberspace. Together with the Swiss Federal Institutes of Technology, it is now developing innovative solutions to safeguard its data in cyberspace. It is also advocating for the creation of a “digital emblem”, which indicates clearly in cyberspace that the marked entity enjoys special protection under international humanitarian law and must be protected against harm.
These initiatives underscore the growing need for a humanitarian actor such as the ICRC to manage its “footprint” in cyberspace. This would enable the preservation of its people with a protection-centred focus and in a manner consistent with the fundamental principles of impartiality, humanity, neutrality and independence.
"International cooperation is decreasing, tensions are increasing, and cyber operations are proliferating across sectors."
Looking forward, the humanitarian sector must brace for a challenging environment. International cooperation is decreasing, tensions are increasing, and cyber operations are proliferating across sectors. The most likely threat scenario that humanitarian actors will face includes ransomware attacks, hacks and leaks, denial-of-service attacks and information operations misrepresenting their work with an intent to undermine their action, as observed in the context of the international armed conflict between Russia and Ukraine. While increasingly aware of the risks, the humanitarian sector is grossly underprepared when it comes to tackling them.
So what can be done in 2023 and beyond, keeping in mind that higher walls (with stronger technical cyber defence) are needed but will not suffice and that no single entity can succeed on its own?
The humanitarian sector will need to move faster to develop a collective action mindset and implement common-sense measures that improve sector awareness and security. These should include: humanitarian networks and data systems which are protective by design; upskilling of staff to meet the new challenges; responsible and ethical use of technology adapted to the local context and the people it seeks to serve; creating a collective information hub where information on cyber incidents is shared; and advocating for donors to adequately fund cybersecurity measures.
The donor community should consistently fund cybersecurity, require appropriate data protection and cybersecurity policies and enforcement as part of their grant-making, and not ask for the collection, analysis, and/or sharing of data which could put people at risk. Clearly, protecting personal data implies protecting people. Ethical considerations should inform innovation projects.
Meanwhile, states should both publicly and privately commit and take appropriate action to prevent and stop cyberattacks that target humanitarian organisations, their staff, their digital infrastructure, and the data they collect, store and use to carry out their mission. States should hold perpetrators of such cyberattacks accountable. Also, they should refrain from requesting data if it may be used for purposes other than humanitarian.
Additionally, the private sector, whether working indirectly as a technology vendor or more actively contributing to a humanitarian response, should follow a conflict-sensitive approach. When working with a humanitarian organisation, there should be an investment in learning about humanitarian principles and ethics to both improve collaboration and preserve the security and dignity of vulnerable people.
Finally, both Switzerland and Geneva, traditionally very supportive of humanitarian action, should encourage and support the initiatives mentioned. Concrete actions could include: hosting a humanitarian cyber incident hub for information sharing and analysis; supporting the development of a secure cloud for humanitarian data; convening and facilitating discussions towards adoption of sector-specific policies and actions, and government action on laws, policies and actions, to advance cybersecurity and data protection in the humanitarian sector; and backing research and development in this domain. The 34th International Conference of the Red Cross and Red Crescent in 2024 should offer an important moment to take stock and further action.
While the proposed steps do not address all opportunities and risks associated with digital technologies and conflict, they would stand the humanitarian sector in good stead to strengthen its overall cybersecurity. Solid, achievable and measurable progress along these lines can only be of benefit to humanitarian actors and those they seek to protect and assist.
About the Author
Balthasar Staehelin is the Special Envoy for Foresight and Techplomacy at the International Committee of the Red Cross (ICRC). A former Deputy Director-General of the ICRC, he led the crisis response to the critical data breach the ICRC discovered in early 2022. This piece was written in the author’s personal capacity and does not necessarily reflect the views of the ICRC.
The opinions expressed in this publication are those of the authors. They do not purport to reflect the opinions or views of the Geneva Policy Outlook or its partner organisations.