As humanitarian organizations become more active in and reliant upon new technologies and the digital domain, they evolve from simple bystanders to full-fledged stakeholders in cyberspace – able to build on the advantages of new technologies but also vulnerable to adverse cyber operations that can impact their capacity to protect and assist people affected by violence or armed conflict. The 2020 cyberattack on SolarWinds, a major US information technology company, demonstrated the chaos a hack can cause by targeting digital supply chain components. What does the hack mean for the humanitarian cyberspace, and what can we learn from it? Massimo Marelli, ICRC’s Head of Data Protection Office, draws out some possible lessons and the way forward by exploring the notion of ‘digital sovereignty’.

 

Even in 2020, with a news cycle overwhelmed by a deadly pandemic, climate disasters and political turmoil, the cyberattack on SolarWinds was a big deal. Foreign hackers used the attack on SolarWinds, a major US information technology (IT) company, to spy on private companies – such as FireEye, the elite cybersecurity firm that exposed the breach – as well as top government agencies, including the Department of Homeland Security and Treasury Department.

By injecting malware into SolarWinds’ software system, which is used widely by companies to manage their IT, the hack demonstrated the massive scale that an adversary can achieve by targeting digital supply chain components. While it primarily targeted in-house infrastructure, the hack also tried to exploit large-scale cloud providers such as Microsoft, whose president Brad Smith reported that more than 80% of the victims targeted were non-governmental organizations.

Humanitarian security in the cyberspace

In the humanitarian sector, the reaction to cyberattacks such as the SolarWinds hack is often defeatist: if the most renowned government agencies and security companies cannot protect themselves from surveillance, is it even worth if for a humanitarian organization to try to protect itself? Another common reaction is to lean even more on cyber security ‘professionals’ and ‘hyperscalers’ equipped with significant resources and skilled workforces to securing information. These two types of reactions, however, miss an important point: security is not an absolute concept and it depends on the vulnerabilities, threats, assets, and opportunities that each organization has.

For instance, the ‘security assets’ of an organization like the ICRC include the recognition of a specific mandate under international law to pursue its exclusively humanitarian mission, and the trust and acceptance generated by its principles of neutrality, impartiality and independence, as well as operating modalities based on confidentiality and bilateral confidential dialogue. The ICRC is used to letting these principles and operating modalities shape its approach to its own security in the physical world, and also needs to adjust how to transpose this principled approach to the cyber world.

Getting caught in the cyber crossfire

SolarWinds is merely the latest signal of what is currently unfolding in cyberspace: a competition between the ‘great powers’. David Kilcullen and others have analyzed this power struggle, including in cyberspace, stressing that what is at stake is not a series of isolated, one-off cyber incidents of criminal nature, but a worldwide and increasingly strategic use of cyberspace to assert influence, and dominance, by global powers.

Any international humanitarian organization that operates in a complex and volatile conflict environment on the basis of neutrality, impartiality, and independence, must remain alert to these geo-political dynamics, since they have an impact on the physical world in which they operate. As a result, such organizations should ground their planning in a robust strategy that captures the implications of this great powers’ competition. As it has been seen in previous posts in this series, what works for a multinational corporation may not necessarily work for an international humanitarian organization.

Against the backdrop of these global tensions among the major cyber powers, using the same digital supply chain as one of the key stakeholders and counting on the security it provides brings a humanitarian organization dangerously close to the physical world parallel of positioning offices within or near a military base. Even if the perception of the organization’s neutrality, impartiality, and independence is not affected, it could find itself caught in the crossfire if the military base is attacked, simply because of its proximity to the target.

While examining the threats from this angle may not necessarily cover all possible types of potential attackers (from bored kids on a school break to elite cyber criminals), it does provide an important additional perspective on protection opportunities from possible cyberattacks by States, State-sponsored groups, or non-State armed groups. Arguably these are the more powerful, and well-resourced, type of attackers.

Are there any alternatives to using the same supply chain and being caught in the ‘cross fire’?

Not yet, not for the entire stack of technology supporting the humanitarian cyber infrastructure, from hardware, to software, to networks, and beyond. Work is ongoing in relation to different layers of supply chain to introduce more capacity to ‘verify and trust’, for instance by capitalizing on open source solutions in software and hardware, which could eventually provide a solution. Realistically, however, we are still far away from an ‘easy switch’ to these solutions ‘across the stack’.

Even in the absence of an easy solution, the question remains an important one. The reaction to such attacks should therefore be to ask: how can we manage and mitigate our dependency on these supply chain systems that put us in such vulnerable positions in the first place? In developing this analysis and searching for potential solutions, two key concepts emerge: ‘data sovereignty’ and ‘digital sovereignty’.

‘Data sovereignty’ and ‘digital sovereignty’

Borrowing loosely from the notion under international law of territorial sovereignty of a State[1], we use the term ‘data sovereignty’ to indicate that a State (or an international organization, as derived from its privileges and immunities[2]) can exercise full control over the data it processes which are not in the public domain to the exclusion of any other entity. In other words, no other State may, through legal means, seek and obtain data of the ‘data sovereign’.

While ‘data sovereignty’ is important, it is insufficient alone and needs to be complemented by a more developed and nuanced strategic approach, which includes something that can be referred to as ‘digital sovereignty’, a concept that is difficult to define but hints to a notion of ‘sovereign’ control that also covers digital infrastructure such as cabling, switches, routers and networks, as well as hardware and software supply chains. The concept does not necessarily mean that a State (or an international organization) can produce or have total control over all of the above; considering the level of dependency and interconnectedness of cyberspace today this may well be beyond the reach of even the most powerful stakeholders in cyberspace who have strategically been investing enormous resources trying to achieve precisely this.

Because of this, some could even question the usefulness of ‘digital sovereignty’ as a term, preferring to refer to notions of ‘digital in/dependence’. What ‘digital sovereignty’ does require, therefore, is the capacity of asserting some level of control and assurance of independence in the choice and use of these tools and infrastructures; in other words, a capacity to manage ‘digital dependencies’ or over-dependencies.

The purpose of developing a cybersecurity strategy should include to look beyond today and tomorrow, into areas of possible investment, disinvestment, organizational changes and partnerships, with a clear vision of the landscape in which the organization may find itself in five to ten years. Any strategic decision taking an organization further away from the ability to protect itself from cyber harm is a poor one. Conversely, any decision that brings the organization closer to where it believes it needs to be in the long term, according to its unique security assets, is one that better enables the organization to deliver on its mandate and mission.

What is required, therefore, is a careful strategy around ‘digital sovereignty’, intended, as discussed above, as a careful and deliberate management of ‘digital dependencies’ and ‘overdependencies’. Such a strategy could involve investment in moving the cursor towards reducing dependencies to the extent possible and meaningful, and evolve in an incremental way in this direction over time.

[1] See Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928): “[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State”.

[2] We say the notion of sovereignty is borrowed loosely because international organizations do not technically enjoy sovereignty, and the entitlement to enjoy ‘exclusive control’ over data, in so far as they are concerned, derives from the privileges and immunities they enjoy, including inviolability of correspondence and archives and immunity from jurisdiction. As it has been discussed in the previous parts of this series, this can be sought by a combination of legal, technical, and organisational measures. See Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).

See also