Last month, we learned that a data breach had exposed personal information from more than half a million people in the International Committee of the Red Cross’ (ICRC) family reunification programs, including migrants, refugees, and others fleeing conflict, famine and natural disasters. Though we don’t know who accessed this data or why, the sophisticated nature of one of the largest-ever cyberattacks on a humanitarian organization indicates that the perpetrator(s) was a state-like actor.
This should raise alarm bells for all of us. The ICRC is a leader in data security in humanitarian spaces and has been warning for years of the growing risk of cyber crime in fragile contexts. As one expert explained, “[i]f the ICRC, the organization that has invested the most, has trained the most, has developed the most doctrine, can be susceptible, then the question is what’s happening to other organizations where we don’t even know that the hacks are occurring?”
We should have seen this coming. Researchers have long called for seeing cybersecurity as a development issue. And looking ahead, we can anticipate what’s next as the use of digital technology in sensitive development contexts continues to expand. In fact, it’s already become clear that the risks of biometric data collection in humanitarian aid settings may at times outweigh the benefits, as Development Gateway’s Josh Powell wrote in this edition of the Digest focused on Afghanistan.
There’s been widespread failure across the development and humanitarian sectors to reckon with this challenge and its implications even though the stakes couldn’t be higher. These are the organizations of last resort for some of the most marginalized people in the world. If ICRC and others can’t do their work because of digital security threats, then no one is going to do it.
Numerous advocates and agencies have called for a Digital Geneva Convention to provide a legal framework for protecting organizations that work in the digital humanitarian space and non-combatants caught in digital warfare. This is a crucial piece of the response that demands coordinated action from advocates, countries, international organizations, and others. But legal structures are just one part of the solution.
Our economies and societies are transforming so rapidly that nothing short of systems-wide change in the development and humanitarian sectors is needed. This requires leadership that prioritizes cybersecurity and sees it as an enabler of development and humanitarian action, not just a defense against threats. It also requires upgrading systems and re-skilling staff, giving them the tools to understand, recognize and address threats. Operational parts of this effort include: data minimization, investing in the back-end of development projects, file encryption, and more.
Funders and donors have a key role to play in this. In development as in public policy, funding drives priorities. The challenge lies in misalignment and segmentation of development projects and cybersecurity. Donors are focused on project outcomes, while cybersecurity is intended to prevent events from happening, making it a hard sell. Strengthening the systems and skills in humanitarian and development organizations has rarely been a donor priority. This has to change, and it can.
Movements like the Data Values Project can spark conversation among a diverse range of actors on these issues. As NetHope’s recent call for action stated: “Nonprofits cannot respond to this crisis in isolation. A digitally platformed, interconnected, and expert web of partners and funders is required to tackle what has already become a humanitarian emergency in its own right.” This is where partnerships hold enormous power to convene and organize the field, to mature and advance this conversation, and to design smarter and more forward-thinking responses.