Cyber-attacks: what are the risks for aid agencies?
Healthy bank accounts and cyber vulnerabilities put humanitarian organizations at risk, but cyber attacks on them also have real humanitarian consequences.
Every day, the ICRC’s Restoring Family Links program reunites an average of 12 missing persons with their families. These are people who have been separated by war or natural disaster. The search for the missing has been an extremely important part of the work of the Red Cross for more than a century. My own great-grandmother discovered the fate of her husband, who was missing in action during the First World War, thanks to the Red Cross.
But on January 19 this year, the Restoring Family Links website was abruptly taken offline after suffering, according to an ICRC statement, a “sophisticated cybersecurity attack”. The attack, the statement said, “compromised the personal data and confidential information of more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and persons in custody”.
Who would do such a thing? And why? What can be gained by illegally acquiring the data of very vulnerable people? This is the subject of this week’s Inside Geneva podcast, where I had the honor of being able to interview the ICRC’s data protection officer, Massimo Marelli, and Stéphane Duguin, CEO of the CyberPeace Institute in Geneva, an organization which supports aid agencies in their cybersecurity.
Many of us, when we hear about cyberattacks, almost automatically think of targets like the military or large financial institutions. Few of us would consider humanitarian organizations to be prime targets, but for Duguin the attack on the ICRC came as no surprise.
As Duguin tells Inside Geneva, the humanitarian sector raises billions of dollars a year, and any organization with money is at risk of being targeted by cybercriminals and their ransomware. Added to this risk, according to Stéphane, is that “only one in ten NGOs regularly train their staff in cybersecurity, three out of four do not monitor the network and four out of five do not have a cybersecurity plan”.
So, does a combination of healthy bank accounts and a certain naivety make humanitarian organizations easy, low-risk targets? Maybe, but that still doesn’t really explain what happened at the ICRC. It’s a huge organization, with, according to Marelli, very good data protection – without it the attack might never have been detected in the first place.
At the time of writing, the ICRC has not received any ransom demands for the stolen data, and there are no indications that the data is being sold on the dark web. The attacker’s identity remains a mystery, but what Marelli knows for certain is that it was a “very sophisticated” attack.
In the absence of any information, the only thing the ICRC can do is upgrade its system to hopefully close the computer flaws that allowed the attack, and hope the attackers have moral scruples about using the data they stole.
“This information is not data,” he told Inside Geneva. “It’s not an organization…it’s actually people. It is an attack on people who already live with the anguish of being separated from family members and loved ones. It is an attack on their dignity, it is an attack on their privacy.”
Duguin agrees. “Attacking the humanitarian sector is not something virtual,” he explained. “It’s not machines attacking machines, it’s water, sanitation, it’s food security, it’s health.”
But Duguin isn’t particularly optimistic about the success of appealing to the better nature of cybercriminals. At the height of the pandemic, he told us, there was a daily attack on healthcare systems, despite promises, made by known cyber attackers themselves, that healthcare would remain off limits during the global health emergency.
Restore trust and be honest
So what can aid organizations do to protect themselves? Like other prime targets such as banks or governments, they may find themselves playing catch-up with increasingly smart cybercrime. But Duguin still urges all NGOs to prepare “because an attack is not a maybe, it’s a certainty”.
The other key element, on which Duguin and Marelli agree, is to be completely open once a cyberattack has taken place. Unlike the United Nations, which remained silent for quite a long time after its offices in Geneva and Vienna suffered a cyberattack in 2019, the ICRC issued a statement as soon as it learned what had happened, and then followed up with updates. The 515,000 people whose data has been compromised are being contacted to inform them of the attack and what the ICRC is doing about it.
Such openness is essential, Marelli believes, to maintain the trust of vulnerable people who must share often sensitive information with the ICRC in an attempt to locate missing loved ones.
It could also, our analyst Daniel Warner told Inside Geneva, help boost support for aid agencies. Since the attack, which sparked widespread outrage, the ICRC has received multiple offers of support from governments and the tech industry.
“The ICRC is not just any humanitarian organization,” he says. “They are guardians of the Geneva Conventions, so an attack on them is something special.”