We live in a vulnerable digital world. Increasingly regular reports of cyberattacks on governments, private companies and individuals catalog successful and failed attempts by hackers to damage or hold hostage entire computer networks. Over the last year, this blog has stressed the potential human costs of cyber operations, from outlining the digital risks for populations in armed conflict to examining cyber operations and international humanitarian law.
There is still one sector that, to date, we have largely overlooked while exploring the importance of bolstering cybersecurity: our own.
Humanitarian organizations, alongside everyone else in the private and public spheres, are undergoing a process of radical digital transformation. New technologies create opportunities for improved humanitarian response as well as risks to the operating organization and the people it seeks to protect and assist.
An international humanitarian organization going through a process of digital transformation and aiming to offer digital services directly to beneficiaries faces a range of questions that are extremely novel. These range from the legal, organizational and technical to the operational, and relate to issues that are transversal and highly interdependent. None of these questions have, at present, clear answers.
Defining the cyber-perimeter
An essential step for humanitarian organizations shifting from bystander to active stakeholder in cyberspace is to understand and properly map out their cyber-perimeter. Clearly defining the digital boundaries within which they carry out operations lays the groundwork for humanitarian organizations to develop a strategy to support and protect humanitarian action in a digital environment, channel available resources to where they are most needed, remain effective in their relationship with host countries and other stakeholders in cyber geopolitics, and understand the areas in which their operational dialogue and working modalities need to be adapted for cyberspace.
An international humanitarian organization’s cyber-perimeter can be analyzed based on several elements. First, the organization needs to be clear on what it wants to do in a digital environment, and what its digital humanitarian operations look like. In the case of the ICRC, offering digital services directly to beneficiaries is at the core of the recently adopted ICRC Information Environment Strategy and is an important component of the ICRC Strategy 2019-2022. An important objective of the ICRC is also linked to leveraging data: both data generated as part of its digital growth and data generated, acquired and/or available externally.
Second, the organization should examine its identity, mandate and modus operandi and how these elements relate to its digital operations. The ICRC, unlike humanitarian organizations that operate through implementing partners, requires direct proximity with populations affected by armed conflict and other situations of violence, as well as a physical presence in the areas where those affected populations are located.
An essential precondition for this level of access is trust, from people affected by violence and from parties to the conflict or actors in other situations of violence. Trust is established with affected people by guaranteeing that any engagement between them and the ICRC will be exclusively humanitarian, and that information gathered about them and stored digitally will only be used for humanitarian purposes and not shared with or accessible to third parties. Trust is established with parties to the conflict and actors in other situations of violence by guaranteeing that the work of the organization is neutral, impartial, independent, and exclusively humanitarian, and that collected data will remain confidential and inaccessible to ‘the other side’, law enforcement or the public.
Third, the cyber environment must be scanned for challenges and threats that a humanitarian organization could face in its work. Individuals or groups may seek access to sensitive data on specific individuals, their enemies, or populations linked to or of the same ethnic origin or national or political affiliation as their enemies. Health information may indicate, for example, a medical condition that is linked to a high value target.
Collaboration with or engagement of third-party technology service providers to handle or process data, as discussed below, is also extremely significant for the discussion on confidentiality. It is key for an international humanitarian organization, especially one like the ICRC, to ensure that the data it collects under its mandate are and remain at all times under its exclusive control, and that no authority can, by due process, legitimately seek access to data held by the organization, whether directly or through third-party processors.
Developing a cybersecurity strategy
Once a humanitarian organization carries out an in-depth analysis of its cyber-perimeter, based on its status, mandate, and working modalities, it needs to formulate a clear cybersecurity strategy informing its stance in cyberspace as well as its decisions to prioritize investment areas and allocate resources. Such a strategy should set out: 1) the legal protections it needs to seek out; 2) the technical protection to which it is entitled for its data; and 3) the operational dialogue to employ and the stakeholders with whom it needs to engage.
The independence an international organization requires to implement its mandate fully and effectively is generally safeguarded in headquarters, status or host state agreements. These provide for a series of privileges and immunities for the organization and its staff, including, for example, immunity from judicial or administrative process for the organization, its property, assets, and its staff, and inviolability of premises, property and assets, correspondence and archives. These privileges and immunities, developed as a legal concept in a pre-internet era, may need to be adapted, and clarifications may be required as to their interpretation and application in a digital environment.
In particular, it is important to clarify the application of these privileges and immunities to include data (in transit or at rest) stored and processed not only by the humanitarian organization directly, but by a third-party service provider or separate organization. This should include data that is hosted or otherwise processed by third-party technology providers on behalf of the organization, as well as the servers and networks used by the organization, regardless of whether they belong to the organization or to a third-party service provider.
In cases where the humanitarian organization processes data through third-party technology providers, such as a cloud solution provider, the organization would then need to ensure that any clarifications between itself and the host state are also reflected in the contractual arrangements with the technology company itself, so that the company commits to applying them and its staff are prepared to give effect to them.
The legal measures described above are primarily aimed at ensuring an organization’s independence. Indeed, safeguarding the inviolability of an organization’s data vis-à-vis the host state plays an important role in ensuring that the organization can carry out its mandate effectively – and, in the case of the ICRC, also in line with its fundamental principles. Specifically, the legal measures described above are primarily aimed at ensuring that no state authority can, lawfully and by exercise of due process, access the data of the organization in question.
In this sense, it is important to stress that solutions which are often described as very secure, and accepted as such in highly regulated industries characterized by high sensitivity of data and confidentiality requirements (such as the banking industry), may nonetheless be totally inadequate for use by an international organization, since they may still contemplate ways for organizations to be obliged to hand over data to states or be subject to encryption backdoor legal requirements.
Considering the potentially high costs and limited available resources, it may be necessary for international humanitarian organizations to pool resources with other organizations with similar mandates and status to conduct research and development on securing data flows, hosting and processing and ensure that findings from such research are converted into sustainable solutions.
As discussed above, an organization like the ICRC establishes its presence and work on the basis of acceptance and the trust that derives from its neutrality, impartiality, and independence, its exclusively humanitarian objectives, and its confidential approach. In this sense, being able to establish bilateral, confidential dialogue with all stakeholders, irrespective of whether they are state or non-state actors, or whether they are accepted as lawful groups or not, is an essential requirement to carrying out a humanitarian mandate.
These are the features that shape the dialogue a humanitarian organization needs to have, fundamental and foundational principles that should extend naturally to activities in the cyber realm.
Thinking ahead of the curve
In addition to a cybersecurity strategy developed on these bases, international humanitarian organizations need to consider unique technical solutions suited to their specificities, such as the creation of a ‘digital humanitarian space’ following the model of a ‘sovereign cloud’ or a ‘digital embassy.’ These do not currently exist as a commercial offering, primarily because technology develops based on the demands of the majority of customers who, unlike international humanitarian organizations, are not entitled to rely on privileges and immunities from jurisdictional control of at least one state.
Partnerships with academia and industry are an important part of this effort. However, they are not, alone, sufficient. What is instead essential is a) wider political will on the part of external stakeholders to guarantee the protection of a digital humanitarian space, b) the awareness, knowledge, focus and determination of internal stakeholders to genuinely preserve the independence, impartiality and neutrality of international humanitarian organizations in cyberspace, and c) a better understanding of how international humanitarian law protects humanitarian organizations in cyberspace. Without this, international humanitarian organizations will inevitably be pushed into accepting solutions that are unsuitable for the work they are mandated to carry out.
Other posts in the Human Costs of Cyber series
- Intro to blog series on human costs of cyber operations, May 23, 2019
- Cyber operations and international humanitarian law: five key points, Laurent Gisel and Tilman Rodenhäuser, November 28, 2019
- Digital risks for populations in armed conflict: Five key gaps the humanitarian sector should address, Delphine van Solinge, June 12, 2019
- Malware: A selection of essential cyber notions and concepts, Lukasz Olejnik & Tilman Rodenhäuser
- Potential human costs of cyber operations—Key ICRC takeaways from discussion with tech experts, Laurent Gisel, Lukasz Olejnik
- ICRC Report: The potential human cost of cyber operations, 29 May 2019