Cyber-attacks: what are the risks for aid agencies?
Healthy bank accounts and cyber vulnerabilities make aid organisations a risk, but cyber-attacks on them also have real humanitarian consequences.
Every day, the ICRC’s restoring family links programme reunites, on average, 12 missing people with their families. These are people who have been separated by war or natural disaster. Tracing the missing has been an enormously important part of Red Cross work for more than a century. My own great grandmother found out about the fate of her husband, missing in battle during the first world war, thanks to the Red Cross.
But on January 19th this year, the restoring family links website was abruptly taken offline after it was the victim, an ICRC statement said, of a “sophisticated cyber security attack.” The attack, the statement said, “compromised personal data and confidential information of more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.”
Who would do such a thing? And why? What can be gained by illegally acquiring the data of highly vulnerable people? That is the subject for this week’s Inside Geneva podcast, where I was honoured to be able to interview the ICRC’s head of data protection Massimo Marelli, and Stephane Duguin, CEO of Geneva’s CyberPeace Institute, an organisation which supports aid agencies with their cybersecurity.
More
Cyber-attacks on humanitarians
No surprise
Many of us, when we hear about cyber-attacks, think almost automatically of targets such as the military or big financial institutions. Not so many of us would see humanitarian organisations as prime targets, but for Duguin the attack on the ICRC was no surprise.
As Duguin tells Inside Geneva, the humanitarian sector raises billions of dollars a year, and any organisation with money is at risk of being targeted by cybercriminals and their ransomware. Added to that risk, Stephane says, is that “only one in ten NGOs train their staff regularly in cybersecurity, three out of four do not monitor the network, and four out of five do not have a cybersecurity plan.”
So do a combination of healthy bank accounts and a certain naivety make humanitarian organisations easy, low risk targets? Perhaps, but that still doesn’t really explain what happened at the ICRC. It is a huge organisation, with, Marelli believes, very good data protection – without it, the attack may never have been detected in the first place.
At the time of writing, the ICRC has received no demand for ransom money in exchange for the stolen data, nor is there any sign the data is being sold on the dark web. The identity of the attacker remains a mystery, but what Marelli knows for sure is that this was a “very sophisticated” attack.
More
Hack of Red Cross exposes data on over 500,000 vulnerable people
Moral qualms?
In the absence of any information, the only thing the ICRC can do is upgrade its system to close, hopefully, the cyber loopholes which allowed the attack, and hope the attackers have moral qualms about using the data they stole.
“That information is not data,” he told Inside Geneva. “It’s not an organisation… it’s actually people. It’s an attack on people who are already living in the anxiety of being separated from their family members and their loved ones. It’s an attack on their dignity, it’s an attack on their privacy.”
Duguin agrees. “Attacking the humanitarian sector is not something virtual,” he explained. “It’s not machines attacking machines, it’s attacking water, sanitation, it’s attacking food security, it’s attacking healthcare.”
But Duguin is not especially optimistic that appealing to the better nature of cybercriminals will succeed. At the height of the pandemic, he told us, there was an attack every day on healthcare systems, despite promises, from known cyber attackers themselves, that healthcare would remain off limits during the global health emergency.
Restore trust, and be honest
So what can humanitarian organisations do to protect themselves? Like other plum targets such as banks or governments, they may find themselves playing catch up to ever cleverer cybercrime. But Duguin still urges all NGOs to prepare “because an attack is not a maybe, it’s a certainty”.
The other key element, Duguin and Marelli agree on, is to be completely open once a cyber-attack has taken place. Unlike the United Nations, which remained quiet for rather a long time after its offices in Geneva and Vienna suffered a cyber-attack in 2019, the ICRC issued a statement as soon as it knew what had happened, and followed that with updates. All 515,000 people whose data was compromised are being contacted, to let them know about the attack, and what the ICRC is doing about it.
Such openness is essential, Marelli believes, to retaining the trust of vulnerable people who need to share often sensitive information with the ICRC in order to try to find missing loved ones.
It may also, our analyst Daniel Warner told Inside Geneva, help to increase support for aid agencies. Since the attack, which aroused widespread outrage, the ICRC has received multiple offers of support from governments, and from the tech industry.
“The ICRC is not any humanitarian organisation” he points out. “They are the guardians of the Geneva Conventions, so an attack on them is something special.”
In compliance with the JTI standards
More: SWI swissinfo.ch certified by the Journalism Trust Initiative
You can find an overview of ongoing debates with our journalists here. Please join us!
If you want to start a conversation about a topic raised in this article or want to report factual errors, email us at english@swissinfo.ch.