Virtual Risk, Tangible Harm: The Humanitarian Implications of Cyber Threats

KEY MESSAGES

  • Cyber threats are among the most critical security issues of our time. The COVID-19 pandemic has catapulted an already rapid pace of digitalization towards a true global digital transformation. More than 60 per cent of the world’s population is now online, and over a million more people join the internet each day.
    Cyber threats are proliferating in tandem, with hacking attempts, data breaches, digital surveillance, and mis-/disinformation campaigns all on the rise.

  • Cyber threats have not left the humanitarian sector unscathed. The digitalization of data and systems is broadening the sector’s attack surface and adding danger and complexity to humanitarian operations. The rise in reported data breaches during the pandemic, including high-profile attacks against the ICRC and USAID, shows that humanitarian agencies have moved squarely into the target zone.

  • Cyber threats against humanitarian actors threaten the safety and wellbeing of those they mean to protect. When the personal and sensitive data of people affected by humanitarian crisis falls into the wrong hands, it can lead to harassment, exploitation, discrimination, and persecution. Cyber-attacks can also disrupt humanitarian operations, impede life-saving assistance, and undermine trust and confidence.

  • The humanitarian cyber-attack surface reaches far beyond the sector’s own systems and organizations. Indirect threats result from the growing digitalization and targeting of critical civilian infrastructure and essential services that people affected by or responding to humanitarian crises rely upon for survival.
    Cyber threats can also damage the intangible political and social goods of information and trust, tearing at the delicate fabric of already fragile institutions.

  • Humanitarian actors are insufficiently protected against cyber threats. Inadequate policies and practices, digital infrastructure, and training and oversight are only a few of the factors contributing to low cyber resilience in the sector. Few NGOs conduct trainings, monitor networks, or have a plan for cybersecurity.
    Actors lack basic data security skills or awareness of risks and struggle to identify when a cyber operation against their organization has taken place.

  • Data volumes have long outgrown efforts to ensure responsible management and security. Collecting data on crisis-affected people has always been fundamental to humanitarian assistance, but technology and digitalization have scaled these activities to astronomical levels. Meanwhile, efforts lag to close gaps in governance frameworks, cybersecurity capacities, and digital skills, as funding and focus concentrate on direct programme work.

  • Cybersecurity deficiencies permeate sectors on which humanitarian actors and beneficiaries rely, including healthcare, energy and power, water and sanitation, and transportation and logistics. Despite rapid digitalization, cybersecurity often remains a secondary concern, even as attacks steadily rise. Recent high-profile attacks on vendors in software supply chains have also cascaded down to humanitarian clients.

  • Humanitarian contexts are among those least prepared for cyber threats. Most have limited regulations on cybersecurity, privacy, and data protection, and lack the resources and capacities for robust safeguards or adequate responses. Historically, these contexts have been less connected and so less targeted, but growing digitalization will increase threat exposure. Crisis-affected people will face greater risk of a successful attack, and become more exposed to humanitarian harms that result.

  • Initiatives to enhance the stability and security of cyberspace are multiplying across sectors. Processes are underway in intergovernmental fora, including at the UN, as well as within the humanitarian community, at the national level, and in the private sector, civil society, and academia. Humanitarians must learn from, engage with, and take forward these initiatives and introduce new ones to advance legal, technical, organizational, capacity-building, and cooperation measures.

  • There are concrete measures that humanitarian actors and their partners can take. Individuals can maintain good cyber hygiene. Organizations can develop comprehensive cybersecurity strategies. Legislators can adopt a proactive approach to regulation. International and multistakeholder groups can promote the protection of a neutral, impartial, and independent humanitarian cyberspace. These initiatives must be supported by appropriate investment, pursued with determination, and treated holistically to maximize the safety of the online environment.

  • Cyber threats are here to stay, evolving as rapidly as digital technologies. The sector must adapt to protect humanitarian action and, more importantly, the people it serves. While businesses measure the impacts of cyber threats primarily in financial losses, humanitarian actors assess them in terms of the damage inflicted on people’s lives, health, safety, and security. These grave consequences make cyber threats a challenge that humanitarian actors cannot afford to ignore.