From confidential data on detainees to sensitive information on people fleeing violence, the humanitarian cyber environment presents a number of entry points for threats that could derail operations. Security-related needs in the government and private sector are often analyzed through the ‘confidentiality, integrity, and availability’ triad, yet this ‘classic’ analysis still needs to be tailored to international humanitarian organizations and their specific security threats arising from jurisdictional considerations.

Confidentiality: limiting access to intended users only

Over the course of its work, a humanitarian organization can find itself with sole access to areas and people affected by armed conflict or other situations of violence. As a result, it may face threats by a party trying to access sensitive data relating to specific individuals or populations linked to or of the same ethnic origin or national or political affiliation as their enemies. Health information may indicate, for example, a medical condition that is linked to a high value target.

‘Big data theft’ is also an important challenge to maintaining confidentiality. These may be aimed at collecting as many large data sets as possible to correlate, analyze, and then profile individuals of interest to the adversary. Such individuals may include beneficiaries of humanitarian action or other interlocutors of the organization’s neutral and impartial dialogue, and could be put under targeted surveillance and possibly used to inform conflict-related actions. This concern may relate to large data sets, including metadata (that is, data about data) held by both humanitarian organizations themselves or their third-party service providers – such as telephone companies or financial institutions – that may generate and use this data in the framework of humanitarian programs such as mobile cash transfers.

Collaboration with or engagement of third-party technology providers to process data is therefore extremely significant for any confidentiality analysis. International humanitarian organizations can benefit from certain privileges and immunities regarding the data they collect, including inviolability of correspondence and archives. Where that is the case, no authority can, under the relevant domestic law, seek to access data they hold, thereby preserving the confidentiality of the data held by the organization. It is very important that similar protections are recognized for cases where a third-party service provider processes data for the organization. A lack of guarantee in this regard would constitute a very significant threat to the organization’s ability to keep sensitive data confidential.

To understand how processing data through a third-party service provider can pose a threat to the data security of an international humanitarian organization, it is necessary to have a clear appreciation of the application of the principle of sovereignty[1] in cyberspace. This requires, in particular, an analysis of how states consider and enforce their jurisdiction over technology providers, infrastructure supporting data flows, and data flows themselves, whether on their territory or outside.

A digitalization of the scale and magnitude of the humanitarian sector, however, is not possible without leveraging the public cloud for at least part of its services. Technology companies are pushing software and storage to the public cloud, and are rapidly abandoning support for non-cloud-based alternatives. Moreover, certain tools maximizing information through, for example, artificial intelligence, may be procured and deployed more efficiently on public clouds.

Because of this, the non-cloud-based model involving solutions held, managed, and supported on the physical premises of the organization, traditionally favored by security-conscious organizations, is becoming harder to sustain over the medium term. Even software that is procured as an on-premise solution today is likely to be linked to public cloud applications and/or sharing diagnostic or telemetry data across jurisdictions.[2] This means that data collected and generated by an organization will most likely be processed at some point by third party technology providers, making it harder for an organization to leverage its privileges and immunities to keep such data confidential.

There is a growing urgency for humanitarian organizations to carefully analyze this area and find solutions that are suitable for their sensitive and essential work. Yet ensuring the protection of privileges and immunities in a public cloud environment is extremely challenging for two main reasons: first, the specific architectural features of public cloud solutions, and second, legislation allowing authorities to access data generated and/or stored outside of their territory, such as the US CLOUD Act, and other equivalent legislation elsewhere. CLOUD Act-type legislation and impact are spreading fast around the world, due primarily to two factors: other countries replicating the Act in order to assert jurisdictional control over data, and agreements between the USA and third countries, under the CLOUD Act itself, allowing both parties to seek access to data under one another’s jurisdictional control.

Integrity: new technology brings new challenges

An important test of integrity comes with the increased use by humanitarian organizations of artificial intelligence and machine learning in supporting decision making and situational awareness. This trend raises the risk that third parties may tamper with the accuracy and integrity of data used to train algorithms and develop models, as well as datasets used for the analysis, thereby interfering with the outcome of the analysis and decision-making.

Humanitarian organizations may, consequently, be steered into wrongly prioritizing certain affected populations over others, operating in particular areas over others, or otherwise manipulated in ways that may be detrimental to affected populations, or to the neutrality, impartiality, and independence of their action. While the manipulation of data used by humanitarian organizations in their relief operations during armed conflict is, in certain circumstances, prohibited under international humanitarian law, relying on the law alone is insufficient for humanitarian organizations.

Availability: ensuring digital access

Concerns regarding availability, or the timely and reliable access to and use of information, involve situations in which the humanitarian organization offers digital services to affected populations. This can happen in a situation in which digital proximity is successfully deployed to complement physical proximity, or in a situation in which physical access is impossible and digital access is used instead.

If affected populations rely on the availability of digital services from humanitarian organizations for their livelihood or for humanitarian protection, any cyber operation affecting the availability of these services will have humanitarian consequences. In these cases, cyber operations affecting the availability of (digital) humanitarian services, like distributed denial of service (DDOS) operations or operations involving ransomware, raise very serious humanitarian concerns and are therefore, in certain circumstances, prohibited by international humanitarian law.

Humanitarian organizations should also consider the risk of internet shutdowns and their implications for the capacity to deliver or access digital humanitarian services. As highlighted by Human Rights Watch in a recent report, shutting down or restricting access to the internet can have deadly consequences during a health crisis such as the COVID-19 pandemic. The SCION next-generation secure Internet architecture represents an approach to provide high-assurance and high-availability Internet communication by preventing network-based attacks.

The specificities of supply chain security

Specific challenges are presented in ensuring the security of the supply chain for the procurement of hardware and software products. This means, for example, that no backdoors are present in the hardware or software procured and used by the humanitarian organization to deliver digital humanitarian services and/or to operate its systems. As far as hardware is concerned, while it may be possible for organizations to invest effectively in the security of some key components of the hardware it procures, it may still be unrealistic to achieve security of all the components it requires.

A comprehensive strategy to address supply chain security concerns may need to be developed by the organization. Such a strategy would need to cover a combination of elements, such as open-source hardware components, procurement practices, usage awareness and practices (such as staff training but also minimization of capacities to the purpose) and partnerships with academia on solutions to monitor performance of hardware to detect possible anomalies linked to a compromised piece of hardware. As far as software is concerned, some companies may provide access to source code to countries and international organizations, to enable auditing and verification that no back doors are present.

Although an international organization may seek access to such programs, this may not be a solution available with all suppliers. In addition, even if the organization did have access to the source code, it may not have the means to effectively review all the lines of code of the software procured and as such ensure its own protection. Again, a comprehensive strategy to address this area may need to involve partnerships with academia, governments, industry, or NGOs focusing on cybersecurity that may have more resources or be better equipped to audit code, or to pool resources with other international organizations.

Legal protections: available, but insufficient

The humanitarian activities of international humanitarian organizations benefit from a number of safeguards and protections under international and domestic law. International organizations such as the ICRC, for example, normally enjoy protection of their communications and inviolability of their data and archives.

In practice, however, legal protections alone are, unfortunately, insufficient to ensure exclusive control by an organization over its data. Three aspects are of particular concern in this sense. First, surveillance practices may disregard recognized privileges and immunities or other applicable rules of international law. Second, even when surveillance practices are not intended to disregard them, data traffic may nonetheless be caught and intercepted as part of large scale/bulk data collection. Third, data of an organization may be hosted and processed through commercial technology providers and, consequently, they may not be easily segregated and distinguishable from the data of other customers, who do not enjoy the same protections.

It follows that an organization aiming at establishing exclusive control over its data needs to act on two different levels: the legal level, guaranteeing that no third actor has a legitimate claim to its data and that it is effectively protected against incursions and attacks; and the technical and organizational level, with specific measures aimed at ensuring secure data flows, hosting, and processing. As highlighted above, these may not, at present, be available from the market, and may need to be procured as part of research and development partnerships with academia and other partners, to be then converted into sustainable solutions. Considering costs and available resources, it may be necessary for international humanitarian organizations to pool resources with other organizations with similar mandate and status, particularly to ensure the conversion of the research and development work into sustainable, deployable tools.

Conclusion

An international humanitarian organization going through a process of digital transformation and aiming to offer digital services directly to beneficiaries faces numerous novel questions. They need to consider unique and specific technical solutions, such as the creation of a ‘digital humanitarian space’ along the model of a ‘sovereign cloud’ or a ‘digital embassy’. These do not currently exist as part of a commercial offering, primarily because technology and technology commercial offerings develop based on the demands of the majority of customers, who, unlike international humanitarian organizations, are not entitled to privileges and immunities from jurisdictional control of at least one state.

Partnerships with academia and industry are an important part of this effort. However, they are not, alone, sufficient. What is essential is wider political will on the part of external stakeholders to guarantee the protection of a digital humanitarian space, coupled with the awareness, knowledge, focus and determination of internal stakeholders to genuinely preserve the independence, impartiality and neutrality of international humanitarian organizations in cyberspace. Without this, international humanitarian organizations will inevitably be pushed into accepting solutions that are unsuitable for the work they are mandated to carry out.

[1] Ordinarily, under public international law, sovereignty is understood as “[i]ndependence [of a State] in regard to a portion of the globe”, i.e. “the right to exercise therein, to the exclusion of any other State, the functions of a State” (Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).)

[2] See, for example: Dutch Ministry of Justice “DPIA Office 365 ProPlus version 1905” (June 2019).

See also

• Massimo Marelli, Hacking Humanitarians: moving towards a humanitarian cybersecurity strategy, January 16, 2020
• Tilman Rodenhäuser, Hacking Humanitarians? IHL and the protection of humanitarian organizations against cyber operations, March 16, 2020
• Cyber attacks against hospitals and the COVID-19 pandemic: How strong are international law protections? April 2, 2020
• Lukasz Olejnik & Tilman Rodenhäuser, Malware: A selection of essential cyber notions and concepts, May 23, 2019