The recent cyberattack affecting the International Committee of the Red Cross (ICRC) has put a media spotlight on the threat to the humanitarian sector. Sadly, our experience shows that cyberattacks in this sector are not rare. We look at the risk to NGOs and how they can prepare for and defend against the growing proliferation of cyberthreats.
In an unprecedented statement, the Geneva-based ICRC acknowledged that data related to its restoring family links program had been the target of cyberattackers, causing severe disruption to its capacity – and that of 60 National Red Cross and Red Crescent Societies – to deliver this program. It is worth underscoring that this program responds to one of the most basic of humanitarian needs – restoring contact between families separated by armed conflict, violence, migration and other forms of displacement. This data is highly sensitive personal data about individuals searching for news of their loved ones. Such an attack should rightly shock us all to the core. As history has shown, war, violence, disaster and displacement can happen without warning – any one of us, at any time, could need this program.
Organizations such as the ICRC, NGOs and non-profits involved in humanitarian action are heavily dependent on mobile and digital technologies to coordinate and fulfil their missions. Collecting and managing data collected for purely humanitarian purposes has always been an essential part of delivering humanitarian action, but the last decade has seen an increased reliance on technology to facilitate this work and to scale humanitarian capabilities. This reliance on technology has added a new vulnerability to humanitarian actors – the very real threat of cyberattacks.
The type of cyberattacks against the humanitarian sector
Humanitarian NGOs are no strangers to the growing trend of cyberattacks, and are often the victims of attacks targeting critical services they offer to vulnerable communities throughout the world. Cyberattacks against humanitarian organizations may be carried out with a view to:
- disrupting their ability to carry out their activities;
- accessing the data held on beneficiaries and other stakeholders;
- stealing funds, data and information, e.g. CEO Fraud;
- spreading malicious information and politically motivated messages, e.g. through web defacement, hijacking and misusing identities;
- manipulating stolen data as part of disinformation campaigns; and/or
- holding the organization to scrutiny because of identified vulnerabilities in its cybersecurity.
Humanitarian organizations often operate in regions with limited or unreliable infrastructure that can expose them and their employees to acute risk of data interception, tracking, or unauthorized access with potentially lethal consequences for volunteers, beneficiaries and other stakeholders.
The humanitarian sector raises over $30 billion annually in order to deliver programs to bring assistance and protection to people. Cynically, cyberattackers probably see this as a lucrative business opportunity. NGOs are seen as low risk and high reward for cyberattackers. Low risk as they are an easy target from a technical perspective, and relatively high reward because of the funds they may be able to access through ransom demands, fraudulent transfers, etc.
NGOs as the target of cyberattacks
The attack affecting the ICRC made media headlines, yet it is not alone.
In May 2021, New Zealand’s largest volunteer agency in international development, the Volunteer Service Abroad (VSA), was hit by a ransomware attack that encrypted vital information in its data systems, some of which was lost as a result. The VSA refused to pay the ransom and has since recovered from the attack and put measures in place to prevent a recurrence.
A Philadelphia food bank was hit by a US$ 1 million ransomware attack in December 2020 at a time when 5.6 million Americans were dependent on food handouts due to the Covid-19 pandemic.
CEO fraud cost Save the Children US$ 1 million in 2018, and caused Roots of Peace a total loss of US$ 1.3 million in 2020.
For organizations whose primary function is the delivery of humanitarian assistance and protection to people made vulnerable by conflict, disaster, and other complex emergencies, cyberattacks can have a crippling impact on their ability to function. Such attacks put huge pressure on NGOs’ limited resources. They not only prevent NGOs from fulfilling their missions in the short term, they can also inflict long-term reputational damage and undermine confidence in their ability to fulfil their role in current and future crises and emergencies.
No motive for such attacks
There is no acceptable motive for cyberattacks. Such cyberattacks should be categorically condemned, and action taken to identify the perpetrators and hold them accountable – where the humanitarian organizations wish to do so.
We also see that more and more NGOs have identified the threat of cyberattacks and are reaching out for advice and support to increase their cyber capabilities and resilience. Our work has shown that only 1 in 10 NGOs trains its staff regularly on cybersecurity, only 1 in 4 monitors its networks and only 1 in 5 has a cybersecurity plan. The CyberPeace Institute, through its CyberPeace Builders program, offers support and shared resources for NGOs to help them prepare for, prevent and recover from cyberattacks. Already in the last 6 months, we have been able to support more than 20 NGOs.
Stéphane Duguin is the Chief Executive Officer of the CyberPeace Institute.
© Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.