Submission on the Protection of the Humanitarian Sector

to the Open-Ended Working Group on security of and in the use of information and communications technologies 2021-2025 

Introduction 

The CyberPeace Institute is an independent and neutral non-governmental organization which strives to reduce the frequency, impact and scale of cyberattacks, to hold actors accountable for the harm they cause, and to assist vulnerable communities. The Institute works in close collaboration with relevant partners to reduce the harms from cyberattacks on people’s lives worldwide, and provide assistance. By analyzing cyberattacks, it exposes their societal impact, how international laws and norms are being violated, and advances responsible behaviour to enforce cyberpeace.

In anticipation of the third substantive session of the Open-Ended Working Group on security of and in the use of information and communications technologies 2021-2025 (OEWG II), and in line with our ‘Statement on the value of multistakeholder engagement in the OEWG process (2021-2025)’ [1: See the full statement here: CyberPeace Institute, “Statement on the value of multistakeholder engagement in the OEWG process (2021-2025),” December 13, 2021, …] and earlier recommendations for Member States participating in the OEWG II [2: See the full statement here: CyberPeace Institute, “Open-Ended Working Group on security of and in the use of information and communications technologies 2021-2025 (OEWG II),” March 25, 2022, …], the Institute has prepared a set of recommendations on the protection of the humanitarian and development sectors. This contribution is evidence-based, forward-looking and action-oriented, in keeping with the spirit of OEWG II. It aims to illustrate the threats to the humanitarian and development sectors emanating from cyber incidents while highlighting the harm they cause to organizations and people.

Purpose of the OEWG and the humanitarian sector 

Discussions and decisions arising from the OEWG process need to serve their ultimate goal – to maintain international peace and security. The actions of the international community must aspire to safeguard the peaceful use of ICTs to protect communities and individuals, enable enjoyment of their fundamental rights and freedoms, and advance the sustainable development of all countries. 

Protecting humanitarian and development organizations from cyberattacks is an important step toward fulfilling these aspirations. 

Awareness of cyber incidents against the humanitarian sector rose on the global agenda following the cyberattack against computer servers hosting information of the International Committee of the Red Cross (ICRC) [3: ICRC, “Hacking the data of the world’s most vulnerable is an outrage,” January 29, 2022, available from: https://www.icrc.org/en/document/hacking-data-outrage] – demonstrating a clear disregard for lives and suffering and the vital mission of this humanitarian organization [4: See the full statement here: CyberPeace Institute, “Statement: Cyberattack affecting International Committee of the Red Cross (ICRC),” January 20, 2022, …]. While the hacking of the ICRC, uncovered in January 2022, exemplified the vulnerabilities of the sector, the extent of this problem is substantially larger.

States have already identified the need to address the existing gaps in capacity and/or knowledge connected to critical infrastructure sectors, including the reference to specific concerns about the threats of cyberattacks targeting humanitarian organizations [5: United Nations, Kingdom of the Netherlands, “National intervention under agenda item 5: Discussions on substantive issues,” available from: …].

In this regard, the CyberPeace Institute can contribute with its unique expertise and direct  experience – drawing on its cybersecurity support to and work with humanitarian NGOs over the last 2 years. The annex of this document provides detailed insights from the Institute’s CyberPeace Builders program on the resilience challenges the sector faces. 

NGOs need to be protected because of their critical mission 

Non-governmental organizations (NGOs), including humanitarian and development organizations and not-for-profit organizations make a vital contribution to humanity, assisting and protecting people around the globe. 

At the same time, they are frequently targeted by malicious actors – because of the work they do, for their funds, and the sensitive data they are hosting and processing. These organizations provide critical services to populations and vulnerable communities. 

Humanitarian NGOs help to protect the lives, safety, dignity, and rights of people in contexts  experiencing violence, armed conflict, and natural and man-made disasters. 

NGOs regularly ensure the delivery of essential services such as the provision of healthcare, access to food and nutrition, shelter, water, sanitation, and hygiene. Their work in complex emergencies to deliver necessities, as well as security and safety to affected populations, is essential to saving lives and supporting communities, and represents an important contribution to the fulfilment of the United Nations Sustainable Development Goals (SDGs). 

People are at the heart of NGOs

The NGO sector has become increasingly dependent on technology to improve the capacity to deliver and scale programs, engage with beneficiaries, and respond at speed to populations in need. Digitalisation enables these organizations to offer new services through digital means and build virtual proximity to people in addition to or instead of physical proximity.

As a result, humanitarian action nowadays means that organizations collect, manage and process large volumes of data electronically, including highly sensitive and personal information. This information often concerns people in vulnerable situations – for example data related to their status, to those who experience detention, ill-treatment, and torture, to missing people, or to individuals who could be considered persons of interest by some authorities or actors.

Ultimately, cyberattacks against NGOs leave vulnerable people even more vulnerable physically and online. 

Cyberattacks cause harm to vulnerable individuals 

The harm caused to organizations that experience a cyber incident can be catastrophic – from exfiltrated and leaked data to disruption of systems and services causing financial loss, internal information compromise and supply chain failures. For instance, the targeted cyberattack against the ICRC led to the compromise of personal data and confidential information on more than 515,000 vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. Because of the attack, the ICRC had to shut down the systems underpinning their Restoring Family Links work, affecting the Red Cross and Red Crescent Movement’s ability to locate missing people and reunite separated family members [6: ICRC, “Cyber-attack on ICRC: What we know,” February 16, 2022, available from: https://www.icrc.org/en/document/cyber-attack-icrc-what-we-know; ICRC, “ICRC cyber-attack: Sharing our …].

Many NGOs, such as Oxfam Australia and the Child Protection Commission (KPAI), have experienced compromise and data leaks. In the first instance, the Oxfam charity branch, which focuses on alleviating poverty amongst indigenous people, publicly confirmed unlawful access to its supporters’ data, which potentially affected 1.7 million registered people. Oxfam Australia announced that its investigation had found that supporters’ information on one of its databases was unlawfully accessed by an external party in January 2021. The personal data was possibly used to create mistrust in the functioning of the system in an organization for which donors’ support is crucial [7: Oxfam Australia, “Oxfam Australia data incident,” March 26, 2021, available from: https://www.oxfam.org.au/updates-suspected-data-incident/].

In the latter case, the leak of KPAI data in October 2021 included personal information of people who had filed reports on alleged child abuse cases, like bullying, kidnapping, violence against children and rape. The breach exposed the names of the children and their guardians, underscoring minors’ vulnerability to malicious actors in cyberspace [8: Protego, “KPAI Data Leaks Allegedly Covering Minors’ Identity,” available from: https://protergo.id/kpai-data-leaks-allegedly-covering-minors-identity/]. Such attacks risk significant individual harm to people whose data was illegally accessed, and can cause long-term harm to the organization, contributing to possible re-victimization, including enabling online abuse and fraud.

Through a series of devastating cyberattacks in January 2020, Roots of Peace, an NGO with a mission of turning the scourge of landmines to sustainable agricultural farmland in Afghanistan, experienced a financial loss of USD 1.34 million as threat actors tricked employees into transferring money. These attacks [9: CEO Fraud – also known as Business Email Compromise/Email Account Compromise (BEC/EAC) – is a cyberattack scheme in which cybercriminals fake company email accounts and impersonate executives or …] hampered the charity’s efforts in a conflict-ridden zone and brought severe concerns during harvest season in the country. With a need for securing internet access for field employees as well as the farmers whose livelihoods depended on the organization, the founders had to resort to personal resources, taking a loan against family assets, to ensure continuing operations [10: See the full statement here: CyberPeace Institute, “Hackers Trick Humanitarian Non-profit into Big Wire Transfers,” July 14, 2020, available from: …].

CyberPeace Institute Analysis

While the examples given in this submission are non-exhaustive, several trends can be drawn from the data collected and analyzed by the CyberPeace Institute about the complex landscape of cyber incidents experienced by organizations in the not-for-profit sector serving vulnerable people. 

Data on attacks on not-for-profit organizations showcase some of the challenges faced by NGOs, which are delivering critical support and services to vulnerable individuals. 

Between July 2020 and June 2022, the CyberPeace Institute recorded 157 cases of cyber incidents impacting the not-for-profit sector, for which data was publicly available. The geographical distribution of the incidents is focused on 16 countries, with the most affected country being the USA – accounting for 120 cases [11: The full list of countries extends to the United Kingdom (13 incidents); Australia (4 incidents); Canada (3 incidents); Austria, Belgium, Ireland, Palestine, and Switzerland (each 2 incidents); …] – followed by the UK with thirteen cases, Australia and Canada with four and three cases respectively, and twelve countries with two or fewer cases. There are several factors contributing to the high number of cyber incidents observed in the USA, including the large number of not-for-profits registered and headquartered in the country and the associated reporting requirements.

The high concentration of data points is also due to the US security and data breach notification laws. In fact, while lacking a comprehensive federal law, all 50 states have enacted data breach legislation that requires private entities or government agencies to notify individuals whose personally identifiable information has been compromised by security breaches [12: National Conference of State Legislatures, Security Breach Notification Laws, 17 January 2022, available from: …].

Digital and informational impact

The data obtained from public sources on the 157 cyberattacks that the Institute collected and analyzed outlines a picture of what is likely a considerably larger problem. However, this analysis offers insights that are indicative of the types of incidents and impacts faced:

  • In 96 (61%) incidents the organizations issued a notification of the breach [13: This is a notification individuals receive after data breaches, for example, when personal data was accessed or exposed for the affected users, of which 89 (93%) incidents took place in the USA]
  • In a minimum of 60 (38%) incidents personal data was exposed [14: Data was potentially exposed in a further 52 (33%) incidents]
  • In at least 28 (18%) incidents data was exfiltrated [15: Data was potentially exfiltrated in a further 34 (22%) incidents]
  • In 45 (29%) incidents there were system disruptions and in a minimum of 8 (5%) incidents there were disruptions of services [16: Services were potentially disrupted in a further 2 (1%) incidents]
  • In at least 32 (20%) incidents there was unauthorized access to or take-over of an email account

The highest number of cyber incidents (38) was recorded in human services such as adoption and children’s aid centres, community support services, rehabilitation facilities, and care centres helping the elderly and persons with disabilities. These were followed by healthcare services and medical disciplines (37 incidents), philanthropy (13 incidents), civil rights and youth development (each 11 incidents), and international affairs and security (10 incidents) [17: Human services (38 incidents); Health Care (20 incidents); Diseases, Disorders & Medical Disciplines (17 incidents); Philanthropy, Voluntarism & Grantmaking Foundations (13 incidents); Civil …].

Analysis by the CyberPeace Institute has revealed that personally identifiable information was exposed in at least fifty of the 60 recorded incidents where data was exposed, while the real extent is potentially twice as large [18: The field values are counted with available information from the sources. For example, if a data breach notification mentions personal data has been exposed or exfiltrated, it is counted as so, while …]. This type of sensitive personal information can be monetized or simply used to cause further harm. Such exploitation has a strong potential for re-victimization of individuals as well as the organizations themselves.

Types of cyberattacks

The Institute observed a wide range of malicious cyber threats in the past two years. The most common types of incidents included unauthorised access (56 incidents) [19: The CyberPeace Institute uses the “Unauthorised access” classification when there is limited information about what happened. For example, an organization identifies suspicious activity on an …], supply chain attacks (18 incidents) and data breaches (each 16 incidents) and ransomware attacks (36 incidents) [20: The CyberPeace Institute recorded 36 cases of ransomware with 7 additional cases where data was encrypted but there was no available information about ransomware]. Less frequent but still present were cases of hacking, phishing, spyware, distributed denial-of-service (DDoS) attacks, fraud and defacement [21: The full list of types of events extends to unknown attacks (7 incidents), phishing (4 incidents), DDoS, fraud, and spyware (2 incidents), data leak, defacement, hacking, and other (each 1 incident). …].

From among the recorded cases, 44 incidents can be considered as targeted attacks against NGOs – comprising ransomware, DDoS, defacement, fraud, spyware and data leaks. Indiscriminate attacks are also likely to have occurred and caused damage to the NGOs. These types of attacks are not deliberately targeting a specific organization but the risk of their occurrence is heightened by an organization’s reduced  cybersecurity resilience. 

Types of threat actors

Despite limited data to date, malicious actors attributed include states or state-sponsored actors, criminal groups, ideological actors (so-called hacktivists), and others [22: The research of the Institute indicates that attribution was made to groups including REvil with three cases, Conti with two cases of ransomware attacks, followed by APT35, Babuk/Chernobil, C77 (Raid …]. From the 157 recorded cases, only twelve incidents – seven of them ransomware [23: Out of the 36 recorded ransomware cases there is known attribution for only 7 of them] – have been linked to a threat actor through either technical, political or legal attribution or have been self-attributed by the actor themselves. There is an evident attribution gap due to the complexity of tracking and identifying the perpetrator of a cyberattack and the length of the attribution process.

  • State actor: The DDoS attacks taking place between July and August 2021 against the website of human rights alliance Karapatan in the Philippines were suspected to be because of the organization’s human rights work, and the attacks were traced by a media foundation to an Office of the Philippine government [24: Karapatan, “Karapatan hits cyber attacks against its website anew,” August 19, 2021, available from: https://www.karapatan.org/karapatan+hits+cyber+attacks+against+its+website+anew].
  • State-sponsored actor: Phishing attacks in November 2021 targeted United Against Nuclear Iran, a not-for-profit organization formed to “combat the threats posed by the Islamic Republic of Iran”. The organization indicated Iranian state-sponsored group APT35 as the threat actor which perpetrated the attack [25: United Against Nuclear Iran, “Statement On Recent Cyber Attacks Targeting UANI,” November 10, 2021, available from: …].
  • Criminal group: The group behind the RansomEXX ransomware variant claimed responsibility for a ransomware attack on the Scottish Association for Mental Health (SAMH) in March 2022. The attack was reported to have affected the charity’s email system at both national and local offices and phone lines [26: SAMH for Scotland’s Mental Health, “SAMH Announcement: Cybersecurity Attack”, March 21, 2022, available from: …].
  • Ideological actor: The Royal National Lifeboat Institution charity’s website was the subject of suspicious activity in December 2021, which forced the organization to temporarily take down its site. The organization’s mission is to rescue people from the sea while earlier alleged threat actors with far right extremist ideologies prompted them “to abandon their support for illegal immigrant and people trafficking and focus instead on saving British lives” [27: Third Sector, “RNLI website down after ‘suspicious activity’ detected,” December 6, 2021, available from: …].

Cyberattacks threaten operations of NGOs

The dependence on technology for NGO operations also creates an environment in which these organizations, and by extension the individuals and communities they seek to assist and protect, become increasingly vulnerable to cyberattacks which disrupt systems and services. 

Malicious actors are committing cyberattacks on these sectors with devastating outcomes in efforts to steal funding, exfiltrate data or intentionally disrupt the ability of an NGO to operate. 

Many NGOs may not have the budget, know-how, or time to properly secure their ICT infrastructure and develop a robust incident response system that could deal with a range of cyberattacks. This exposes them to potentially negative consequences of cyberattacks, including the need to pay a ransom to continue their operations and to ensure the needs of their beneficiaries are secured. NGOs confronted with cyberattacks may also face secondary impacts on their operations through downtime, recovery time and costs, and reputational harm resulting in the loss of the trust and confidence of their beneficiaries, donors and other stakeholders. As a consequence, the essential services that NGOs provide are impacted or even halted, limiting the help they can provide to people in need. Ultimately, the most vulnerable suffer. 

Improving the cyber resilience of NGOs 

The cybersecurity posture and overall vulnerability of NGOs remain a problem. The Institute has observed this trend based on its practical support to NGOs as well as collected information. For example, among the Swiss NGOs that joined the CyberPeace Builders program and have completed their General Security Assessment (GSA) [28: The GSA intends to provide an overview of some of the key cybersecurity elements of an organization. This assessment allows the organization to go deeper in the analysis of its cybersecurity …], 19 NGOs as of the time of writing, the average cybersecurity assessment score is 28 points out of 100. While the results are only illustrative and vary from one NGO to the other, the following conclusions can be drawn from the sample:

  • 11% of NGOs that completed the GSA had cyber insurance
  • 21% of NGOs back up and verify their data thoroughly. 68% of NGOs do only a partial backup of their systems/data
  • 5% of NGOs have Security Information and Event Management (SIEM) in place to monitor their devices/network
  • 21% of NGOs have two-factor authentication (2FA) activated and implemented throughout all their platforms. 6 of them have it only partially implemented
  • 16% of NGOs have a limited incident response plan that is not always reviewed and updated
  • 53% of NGOs have next-generation endpoint protection antivirus implemented
  • 5% of NGOs had their staff trained and exposed to a simulated phishing exercise. 21% of NGOs have partially trained their staff against cyber threats
  • 26% of NGOs have a password manager in place
  • 5% of NGOs partially monitor the dark web on an ad-hoc basis

This survey has been performed on a limited number of organizations, but its observations are supported by other studies that also indicate that cybersecurity posture is a growing problem for NGOs. According to research conducted by Microsoft, 31% of all nation-state notifications of targeted attacks that the company sends out to organizations go to NGOs. Most NGOs do not have the same advanced network security protocols or resources or security models that a private global company with more resources might have. This is reflected in poorer investments in cybersecurity measures and training. Based on Microsoft’s research findings, 70% of NGOs have not conducted a vulnerability assessment and 80% do not have a cybersecurity strategy in place. At the same time, the non-governmental sector is facing cyberattacks that are becoming more sophisticated each day [29: Microsoft, “Strengthening cyber defenses for nonprofits,” October 21, 2021, available from: https://blogs.microsoft.com/on-the-issues/2021/10/21/cyber-defenses-security-program-nonprofits/].

Conclusions

NGOs present a vulnerable target for malicious actors in cyberspace both because of their mission and their lack of cyber resilience. These organizations are vulnerable due to the lack of financial resources, know-how, or time to properly secure their ICT infrastructure and develop robust incident response systems that can effectively deal with sophisticated attacks. 

Threat actors are seeking to exploit their vulnerabilities to access the money provided by donors, exfiltrate data and sensitive information that the NGOs gather, and disrupt their ability to operate. Organizations could potentially find themselves in situations where they may be forced to pay a ransom in order to gain back access to data and systems which are essential for their operations and to ensure the needs of their beneficiaries are met. 

Moreover, the spill-over effect of malicious cyber activity poses a significant escalatory threat to additional organizations and services. Such behaviour creates risks for the entire humanitarian sector where the security, availability, and confidentiality of the data can be a matter of life and death for individuals. States need to ensure that the organizations providing essential services to those who are already vulnerable –  their beneficiaries – are not further victimised by cyberattacks. 

NGOs must be able to focus on bringing programs, assistance and protection to those in need. The CyberPeace Institute is committed to working with NGOs to call for collective action against cyber threats and attacks.

Recommendations

The Institute has the following recommendations for Member States for consideration during the OEWG discussions.  This is based on the Institute’s mission and the analysis outlined above, and is in line with the objective of deliberation at the OEWG II to continue, as a priority, to further develop the rules, norms and principles of responsible behavior of States and the ways for their implementation and, notably, to study, with a view to promoting common understandings, existing and potential threats in cyberspace to prevent and counter such threats:

  1. Clarification on the applicability of international law 

States need to act in line with their obligations under international law, as well as agreed upon norms to protect the humanitarian and development sectors from malicious activities in cyberspace. To do so, States need to develop clarification on the applicability of international law in the use of ICTs toward sustained protection of humanitarian and development action. The deliberations should be extended to identifying whether gaps in common understandings exist on how international law applies, as well as the possibility of additional obligations that would protect the humanitarian and development sectors. 

  2. Protection of the humanitarian and development sectors

States bear responsibility for the respect of human rights and fundamental freedoms and have obligations to ensure the rights of people to security, dignity and equity in cyberspace. In line with these commitments, States should respect and ensure  respect of existing laws and norms and advocate for strengthened protection for humanitarian and development organizations to enable them to fulfil their missions and mandates. Attacks on NGOs in wartime and peacetime should be off limits – including both kinetic and cyberattacks, against staff and volunteers, resources, systems, services, programs, property, and data. 

  3. Protection of data under domestic legal frameworks

States should maximise the protection under domestic legal frameworks and introduce safeguards that effectively protect humanitarian and development organizations and their operations within their territory. This should build from the experience of other sectors (i.e. the financial sector) which adapted rules and compliance measures to the challenges of digital transformation on a large scale. A similar approach will provide humanitarian and development organizations with similar protection to the ones afforded to other critical infrastructure organizations as well as safeguard organizations from any existing or future extraterritorial body of law. The specific nature of humanitarian action should inform the design of  data protection frameworks and the legislative approach to safeguarding humanitarian interests.  

  4. Study of existing and potential threats

States should study existing and potential threats to build the knowledge about the cyber threat landscape and promote common understanding on the cyber threats to the humanitarian and development sectors. Toward this goal, States need to increase transparent reporting on the cyberattacks against NGOs, including the impact of these incidents on the organizations and the beneficiaries of their services and programs, within the constraints that ensure protection of personal identifiable information, the mandates and modus operandi of organizations. 

This will require cooperation and clear communication between organizations, donors, and government entities to ensure transparent and accurate reporting, which should be limited to data necessary to understand the cybersecurity and operational implications of the attack. Reporting must not subject individuals to further harm or be used as a tool to disclose information on beneficiaries. This is particularly pertinent in relation to offering clarifications on how existing and potential threats are experienced differently by countries and different segments of society and how the OEWG can address the differentiated impact. Reporting can make the humanitarian sector safer, increase its resilience, prevent further revictimization, and provide a body of knowledge for decision makers about trends in cyberattacks such as the vector of the attack and its impact, tools used, and the malicious actors.

  5. Capacity building

States need to build capacity at the national and local levels, based on the gaps found through the reporting mechanism outlined in Recommendation 4. Certain trends and gaps will be identified through this process, which will help governments to create policies and initiatives to support the humanitarian sector and to reduce the proliferation of cyberattacks against NGOs. States should engage in broad participation when building the capacity of NGOs. Actors from the humanitarian, development, academic, corporate, and private sectors should be encouraged to participate in a multistakeholder process to break the remaining silos and support transparency, sharing of best practices, and increased mutual understanding.

  6. Secure digital infrastructure

Efforts should be increased to build the capacity of organizations to: 

  • strengthen their protection against cyber incidents, 
  • enable the establishment of secure channels of communications for humanitarian actors with staff/offices and with beneficiaries, 
  • increase protection for the confidentiality of data gathered, managed, processed, and stored, 
  • securely leverage technology for the provision of digital services, 
  • understand the cybersecurity threat landscape,
  • procure cybersecurity capabilities commensurate with the level of threat, and widely deploy encryption,
  • ensure understanding of jurisdictional issues, financing, viability, and sustainability of cybersecurity. 

States should increase their support for NGOs to build their network redundancy and resilience, and to avoid a single point of failure which could compromise their services in an event of a cyberattack. 

The CyberPeace Institute believes that this submission, based on in-house data analysis and corresponding recommendations, will inform the ongoing discussions at OEWG II, contribute to bridging the knowledge and capacity gap about the protection of the humanitarian and development sectors, and provide areas for collaboration between State and non-state actors. 

The Institute also believes that an effective implementation of the proposed measures necessitates a comprehensive multistakeholder approach. Addressing threats to NGOs emanating from cyberspace will require a joint commitment of all relevant stakeholders –  leveraging their diverse contributions, experience, and expertise. Ultimately, the peace and security of cyberspace is a collective goal that requires collective action. 

Annex

NGO resilience insights from CyberPeace Builders

The CyberPeace Institute works to provide free cybersecurity support to NGOs under its flagship CyberPeace Builders program. 

By identifying the vulnerabilities that attackers exploit and alerting NGOs to risks and vulnerabilities, the program helps to prevent future attacks on these organizations. 

Furthermore, as part of this support, the Institute has been able to analyse the impacts of a number of cyber incidents on the humanitarian sector and, importantly, witness and evidence the vulnerability of NGOs. 

Whilst NGOs suffer from similar difficulties as Small and Medium Enterprises to attract and retain cyber talent, and to acquire and maintain an increasingly complex technological stack, NGOs are more often than not structurally disadvantaged to invest in cybersecurity.

One factor in this regard is donor preferences and/or requirements limiting use of funds for direct program support and that consider funding cybersecurity as an indirect or “back office” cost instead of a part of securing program delivery.  

Because of the difficulty of even foreseeing a path towards cyber resilience, coupled with a perception that threat actors are able to penetrate the most advanced systems in large public administrations, corporations, and international organizations, many NGOs struggle to put in place even basic security measures that would fend off the majority of threats.

Many of the NGOs that the CyberPeace Builders have helped had no clear view of their assets under management or their network map, which is a basic necessity for cybersecurity. Part of the reason is that IT teams are often located in the NGO headquarters while NGO staff are scattered around the world, with high turnover, making it difficult to have a real-time view of the location of all the data and systems.

In the same vein, NGOs often rely on a fluid workforce made up of local contractors and volunteers who are provided temporary access to data, systems and even devices, making it particularly complex for IT teams to effectively control all these assets. And whilst there are technological solutions available on the market to manage this, such as zero trust architectures, these are not trivial to implement, especially in low-connectivity environments.

As a result, many NGOs are affected by simple, oftentimes automated cyberattacks, with attackers not even knowing that they had targeted an NGO. The Institute has worked on two distinct cases, one ransomware attack, and one network compromise, in which the attacker did not know they had targeted an NGO. 

In humanitarian supply chains, last-mile delivery is essential to ensure that the most vulnerable are effectively able to receive humanitarian aid. Similarly, despite the vast amount of free or low-cost cybersecurity resources, from guidelines to training and technological solutions, what is missing to build NGO cyber resilience is last-mile expertise to bring these resources to them. A secondary issue is that cybersecurity resources are seldom developed with NGOs’ needs in mind: rather, they are developed for other sectors (e.g. banking, supply chain, etc.) and provided to NGOs at a discount. Poorly configured or maintained solutions can be problematic as they create an illusion of security, which is worse for cyber resilience.

One of the NGOs the CyberPeace Builders helped had put in place a firewall, which let the NGO leadership think that they were effectively protected, yet the IT team had not looked at the security logs and alerts for over 2 years because of the complexity of this task and the scarce resources in the team. 

Another common problem arising from solutions developed for others and provided to NGOs, often without sufficient understanding of their technological reality and digital literacy, is that security controls degrade over time. Staff, because of a lack of understanding of cybersecurity threats, start to bypass security controls, for example by sharing passwords with each other or printing them, reactivating administrative privileges on their devices or deactivating second-factor authentication.

References
1 See the full statement here: CyberPeace Institute, “Statement on the value of multistakeholder engagement in the OEWG process (2021-2025),” December 13, 2021, https://cyberpeaceinstitute.org/news/engagement-oewg-process-2021-2025/
2 See the full statement here: CyberPeace Institute, “Open-Ended Working Group on security of and in the use of information and communications technologies 2021-2025 (OEWG II),” March 25, 2022, https://cyberpeaceinstitute.org/news/oewg-security-use-of-information-communications-technologies-2021-2025/
3 ICRC, “Hacking the data of the world’s most vulnerable is an outrage,” January 29, 2022, available from: https://www.icrc.org/en/document/hacking-data-outrage
4 See the full statement here: CyberPeace Institute, “Statement: Cyberattack affecting International Committee of the Red Cross (ICRC),” January 20, 2022, https://cyberpeaceinstitute.org/news/statement-cyberattack-affecting-international-committee-of-the-red-cross-icrc/
5 United Nations, Kingdom of the Netherlands, “National intervention under agenda item 5: Discussions on substantive issues,” available from: https://documents.unoda.org/wp-content/uploads/2022/04/220329-Netherlands-Existing-and-Potential-Threats.pdf
6 ICRC, “Cyber-attack on ICRC: What we know,” February 16, 2022, available from: https://www.icrc.org/en/document/cyber-attack-icrc-what-we-know; ICRC, “ICRC cyber-attack: Sharing our analysis,” February 16, 2022, available from: https://www.icrc.org/en/document/icrc-cyber-attack-analysis
7 Oxfam Australia, “Oxfam Australia data incident,” March 26, 2021, available from: https://www.oxfam.org.au/updates-suspected-data-incident/
8 Protergo, “KPAI Data Leaks Allegedly Covering Minors’ Identity,” available from: https://protergo.id/kpai-data-leaks-allegedly-covering-minors-identity/
9 CEO Fraud – also known as Business Email Compromise/Email Account Compromise (BEC/EAC) – is a cyberattack scheme in which cybercriminals fake company email accounts and impersonate executives or trusted employees with the goal of fooling an employee, usually in finance or with financial transaction authority, into executing unauthorised wire transfers.
10 See the full statement here: CyberPeace Institute, “Hackers Trick Humanitarian Non-profit into Big Wire Transfers,” July 14, 2020, available from: https://cyberpeaceinstitute.org/news/2020-07-14-hackers-trick-humanitarian-non-profit-into-big-wire-transfers/
11 The full list of countries extends to the United Kingdom (13 incidents); Australia (4 incidents); Canada (3 incidents); Austria, Belgium, Ireland, Palestine, and Switzerland (each 2 incidents); France, Indonesia, New Zealand, Philippines, Singapore, and South Africa (each 1 incident).
12 National Conference of State Legislatures, Security Breach Notification Laws, 17 January 2022, available from: https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach
13 This is a notification individuals receive after data breaches, for example, when personal data was accessed or exposed
14 Data was potentially exposed in a further 52 (33%) incidents
15 Data was potentially exfiltrated in a further 34 (22%) incidents
16 Services were potentially disrupted in a further 2 (1%) incidents
17 Human services (38 incidents); Health Care (20 incidents); Diseases, Disorders & Medical Disciplines (17 incidents); Philanthropy, Voluntarism & Grantmaking Foundations (13 incidents); Civil Rights, Social Action & Advocacy (11 incidents); Youth Development (11 incidents); International, Foreign Affairs & National Security (10 incidents); Religion-Related (7 incidents); Housing & Shelter (6 incidents); and other sectors with 4 or fewer cases. The classification used for the sectors is the US National Taxonomy of Exempt Entities – Core Codes (NTEE-CC) Classification System. The organizations are assigned one primary sector based on the classification. The classification is available here: https://www.foundationsearch.com/Assistance/help-ntee.aspx#p
18 The field values are counted with available information from the sources. For example, if a data breach notification mentions personal data has been exposed or exfiltrated, it is counted as so, while if the source claims personal data might have been exposed, the word “potentially” is used.
19 The CyberPeace Institute uses the “Unauthorised access” classification when there is limited information about what happened. For example, an organization identifies suspicious activity on an employee’s email account and after investigation they can only confirm that there was unauthorised access to the email. In cases with even less available information, the CyberPeace Institute uses the “Data breach” classification. For example, when an organization issues a notification saying, “personal data might have been exposed because of a data breach or security incident”. The high number of unauthorised accesses is because there are many incidents recorded in the USA with limited information such as “identification of unauthorised access to the email server” with no further explanation available. Similarly, “data breaches incidents” include cases when a notification of data breach is available online, but there is no other information.
20 The CyberPeace Institute recorded 36 cases of ransomware with 7 additional cases where data was encrypted but there was no available information about ransomware.
21 The full list of types of events extends to unknown attacks (7 incidents), phishing (4 incidents), DDoS, fraud, and spyware (2 incidents), data leak, defacement, hacking, and other (each 1 incident). It is important to consider that for the majority of the recorded incidents the intrusion vector is a phishing email. For example, an attacker sends a phishing link in an email, an employee from the victim organization clicks on the link and the attacker gains access to the victim’s system. The attacker later deploys ransomware. For the purpose of the Institute’s analysis, the attack was classified as Ransomware as there is no available information about the intrusion vector, namely the phishing email. In 32 cases from the dataset there was an email compromise which most probably was achieved via phishing.
22 The research of the Institute indicates that attribution was made to groups including REvil with three cases, Conti with two cases of ransomware attacks, followed by APT35, Babuk/Chernobil, C77 (Raid forums), Kimsuky, RansomExx and an already mentioned group of far right extremists, each with a case of malicious cyber activity.
23 Out of the 36 recorded ransomware cases there is known attribution for only 7 of them.
24 Karapatan, “Karapatan hits cyber attacks against its website anew,” August 19, 2021, available from: https://www.karapatan.org/karapatan+hits+cyber+attacks+against+its+website+anew
25 United Against Nuclear Iran, “Statement On Recent Cyber Attacks Targeting UANI,” November 10, 2021, available from: https://www.unitedagainstnucleariran.com/press-releases/statement-on-recent-cyber-attacks-targeting-uani
26 SAMH for Scotland’s Mental Health, “SAMH Announcement: Cybersecurity Attack”, March 21, 2022, available from: https://www.samh.org.uk/about-us/news-and-blogs/samh-annoucenment-cybersecurity-attack; BBC https://www.bbc.com/news/uk-scotland-60826263;  Jonathan Greig, “Ransomware group attacks Scottish mental health charity”, March 22, 2022, available from: https://therecord.media/ransomware-group-attacks-scottish-mental-health-charity/#:~:text=The%20attack%20on%20the%20Scottish,claimed%20credit%20for%20the%20incident
27 Third Sector, “RNLI website down after ‘suspicious activity’ detected,” December 6, 2021, available from: https://www.thirdsector.co.uk/rnli-website-down-suspicious-activity-detected/management/article/1735115, The Guardian, “RNLI takes down its website after suspected hacking attempt,” December 3, 2021, available from: https://www.theguardian.com/world/2021/dec/03/rnli-takes-down-its-website-after-suspected-hacking-attempt
28 The GSA intends to provide an overview of some of the key cybersecurity elements of an organization. This assessment allows the organization to go deeper in the analysis of its cybersecurity infrastructure and implement specific measures to improve its overall cybersecurity measures in a well-structured manner. The main objective of this assessment is to provide a structured approach to observe the wide-ranging cybersecurity challenges/needs of humanitarian NGOs. The GSA is usually done at the beginning of collaboration with a humanitarian NGO that joins the CyberPeace Builders program, and then informs the creation of missions/jobs.
29 Microsoft, “Strengthening cyber defenses for nonprofits,” October 21, 2021, available from: https://blogs.microsoft.com/on-the-issues/2021/10/21/cyber-defenses-security-program-nonprofits/

© Copyright 2022: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.
