There is still insufficient awareness of the fact that even non-governmental organisations (NGOs) are targets of cyberattacks. Francesca Bosco (Senior Advisor Strategy and Partnerships) of theCyberPeace Institute explains how they can change that, and why humanitarian NGOs are targeted by cyber criminals.
The CyberPeace Institute was set up in 2019. What exactly drove you to do it?
The healthcare sector, already under extreme pressure to meet the needs caused by the Covid-19 pandemic, faced cyberattacks and threats that undermined the sector’s ability to successfully respond to people’s healthcare needs. Critical infrastructure was being targeted to an increasing extent. These were attacks on the efficient functioning of our society: a combination of a process that was already going on and an escalation in the public eye. The CyberPeace Institute was established in Geneva, Switzerland, as a neutral non-governmental organisation (NGO), with the objective of limiting the harm caused by the attacks, to support vulnerable communities and to promote responsible behaviour in cyberspace. Escalating cyberattacks not only affect hardware, but threaten people’s lives and endanger access to basic services – such as healthcare.
Who is behind the institute?
The institute started with seed funding support from the private sector and foundations, including Microsoft, Mastercard and the William and Flora Hewlett Foundation.
The name is unusual for an institute that deals mainly with data security. Do you see yourselves as a peace organisation?
It is precisely this integrated approach that inspired me and many others who work for the CyberPeace Institute. Acting as a peace organisation and simultaneously developing a comprehensive analytical approach to cybersecurity creates a double challenge. We follow the fundamental principles of positive cyber peace.
What are those principles?
To us, peace means more than just the absence of conflict. It also means the proactive, forward-thinking prevention of possible flashpoints. If we consider that cyberspace is involved in almost all aspects of our existence, we realise that it entails just as many fascinating possibilities as pitfalls. That’s why we have chosen the integrated approach. It was clear from the start that although cyberspace holds dangers, it’s also an opportunity, offering security when used appropriately. When providing our services, we are vigilant about preserving human dignity and equality. We ensure that cyberattacks do not threaten human lives.
So it is a peace organisation.
Yes, we are a peace organisation, and a very active one at that. A lot is changing at the moment. We have decided on a very concrete and practical approach: we investigate, we assist and we campaign.
What does that mean exactly?
We support vulnerable communities, such as NGOs that work in humanitarian and development sectors. We research and analyse, and on that basis we provide information to politicians in the countries concerned. And we anticipate events, such as disruptive technology, that could threaten vulnerable communities.
‘Cyber peace entails just as many fascinating possibilities as deep pitfalls.’
Francesca BOSCO, Senior Advisor Strategy and Partnerships, CyberPeace Institute
How many countries do you operate in? And how many employees are working on this issue?
Our network is global, stretching across 120 countries. Our team consists of 27 full-time employees from 12 countries, 50% of whom are women. We are proud of that. This diversity is one of our greatest strengths, especially when you consider that we are working towards cyber peace. It means that we combine a really wide range of skills in the field of cyber security with very different backgrounds.
From our headquarters in Geneva, Switzerland, we work closely with our CyberPeace Builders regional advisors in Nairobi (Kenya) and Bogotá (Colombia). At the moment, we are providing direct support to NGOs in 120 countries. These NGOs also operate internationally – a factor that considerably increases our impact. It’s our aim to take our work all over the world.
Which foundations and associations are particularly under threat?
That’s an interesting question – and not an easy one. As our experience shows, it depends on a variety of factors and situations and the circumstances of the organisations themselves. During the pandemic, we identified the health sector as being one of the most vulnerable. This is a typical example. At the moment, we are focusing on civil society organisations and those with a humanitarian background.
Why these areas in particular?
Humanitarian organisations have increasingly come to rely on information technology. In principle, that’s a good thing, because it allows them to increase their reach and means they can deliver critical services to people in urgent need. The new technology offers wonderful opportunities, but at the same time these organisations become a bigger target. It then becomes vital for their survival to look beyond the possibility of physical attacks and consider protection of their data too. This is about the software that they need. An important point is that cyberattacks can also have physical consequences. I’m thinking in particular about humanitarian organisations; what they do online – for instance, on social media – can have major repercussions in the real world.
The ICRC (International Committee of the Red Cross) experienced an attack a year ago…
Yes, that was a wake-up call for the international community. Highly sensitive personal data, related to its family links programme, was stolen. The transparency that the ICRC demonstrated in publishing information about the disruption caused by the cyberattack is important because people’s lives are affected. The harm that such attacks cause is immeasurable and will have an impact for decades to come. The attack on the ICRC made media headlines, yet it is not alone.
Why is data belonging to humanitarian organisations so attractive to cyber criminals?
Humanitarian NGOs are no stranger to the growing trend of cyberattacks; they are often the victim of attacks targeting the critical services they offer to vulnerable communities throughout the world. Cyberattacks against humanitarian organisations may be carried out in order to disrupt their ability to carry out their activities, to access the data held on beneficiaries and other stakeholders, or to steal funds or data and information; e.g. CEO fraud. And also to spread malicious information and politically motivated messages through web defacement, hijack and misuse identities, manipulate stolen data as part of disinformation campaigns, and/or hold the organisation to scrutiny due to identified vulnerabilities in its cybersecurity. The humanitarian sector raises more than USD 30 billion annually in order to deliver programmes to bring assistance and protection to people. Cynically, cyberattackers probably see this as a lucrative business opportunity: NGOs are seen as low risk and high reward. Low risk as they are an easy target from a technical perspective, and relatively high reward because of the funds attackers may be able to access through ransom demands, fraudulent transfers, etc.
Are there further examples?
Yes, unfortunately. In summer 2021, cyber criminals hijacked the Instagram account of The Union for International Cancer Control (UICC). On World Cancer Day 2021, the criminals sent out a phishing email with false complaints. Many of the account’s followers thought the message came from the charity. And, two days later, the criminals contacted the organisation, declared that they had taken over the account and demanded a ransom. The UICC represents the interests of the cancer community; its main concern is ensuring fair access to check-ups and preventive measures. The criminals changed the email address, password and phone number linked to the account and disabled it. It took UICC several weeks to regain access to its Instagram account.
How much damage was done?
First, the UICC could no longer use its Instagram account and so lost all its followers. Second, potential donors became less inclined to trust it – that’s a long-term consequence that should not be ignored.
What else is stolen data used for?
Stolen data is used to extort money, and, as I mentioned, for disinformation campaigns. Cyber criminals gain direct access to their victims via phishing attacks in order to cause them harm. This often means that online data belonging to beneficiaries of the organisation is stolen to be sold on to other criminals, or very personal data is traded; for example, details of activists and journalists who conduct research in a political context. That can become really dangerous.
Where is this data traded?
On the darknet, where there’s a market for stolen identities. It’s very hard to quantify the extent of it, as hardly any data exists, which is a major problem. That’s why we at the CyberPeace Institute are working on a method of providing organisations with information on the true extent of the possible long-term damage. When an attack takes place, many people think only of the immediate fall-out, without considering the possible scale of the damage. How much data has effectively been stolen? How high are the costs beyond the immediate harm caused? Because the effect of the long-term costs is difficult to quantify.
‘NGOs often fall victim to attacks targeting critical services.’
What should be done in the event of an attack?
The incident should be reported to the authorities immediately. I realise that can be difficult. Victims of cyber attacks often fail to tell the authorities out of shame, or they simply don’t know what to do or who to tell. I’ve worked in the field of cyber crime since 2006 and one of the biggest problems has always been the fact that cyber incidents are very rarely documented. This lack of data makes it hard to record the incidents consistently. Luckily, many countries now have a department that deals with cyber crime and tries to document incidents. This is, of course, possible thanks only to the technology we have today. What the authorities do not do so much is monitor cyberspace and provide support with data recovery.
What specific measures would you advise a foundation with limited resources, and perhaps no employees, to put in place to protect itself?
The CyberPeace Builders programme was set up to provide support to NGOs. It is a worldwide network of cyber security experts. This is something that civil organisations really need, since they often do not have enough staff, or they lack local staff with the requisite skills or they simply do not have the budget. And in some cases NGOs are not allowed to use donations for this purpose. There is a huge willingness to help among the members of the cyber security community. The CyberPeace Builders is a volunteer programme populated by experts who work for private companies. For NGOs, this service is free and they can ask for help at any time. What we cannot do yet is provide emergency assistance. We help the NGOs in terms of prevention and to improve their cyber skills. After an attack, we support them in their journey back to everyday life in the digital world. When the Humanitarian Cybersecurity Center (HCC) is up and running, as of 27 February 2023, the facility to offer emergency assistance will be available.
What are the benefits of increasing cyber security?
It is very important that even the smallest organisations dedicate some time to work on their cyber resilience. We enhance their awareness of the need to build up their capacity and skills in this area themselves.
How do you raise awareness of this?
One of the first things we show the leadership team is how multi-factor verification (MFA) or a password manager works. It’s simple and effective. The important thing here is that the entire organisation uses these measures, not simply the IT personnel.
‘It’s important that even the smallest of organisations take time to address their cyber resilience.’
What else is needed to make the cyber world a safer place?
It’s not only the NGOs that have to expand their knowledge. Their patrons and donors must also develop an understanding of the dangers of the internet. Ideally, they should provide financial support to the NGOs in order to develop their cybersecurity, because it takes investment to develop a security-conscious culture. Unfortunately, this is not yet common knowledge. Most people think that if you have antivirus software, then you are all set. The technical service forms only a fraction of the protection that’s needed. Good protection consists of a variety of components. And that’s exactly why we are really driving the Center forward, so that we can make all these components available.
Who takes advantage of your services?
Needs vary greatly depending on the region. That’s why we have regional advisors in Africa and Latin America. Our target is to support more than 100 NGOs by the end of 2022. Currently, we support 59 in Switzerland, and it’s a wide range of organisations. Some are from the healthcare sector, some in humanitarian development cooperation and some that deal with children’s rights and violence against women. And some want to remain anonymous.
You have achieved your first target. What are your next steps?
We want to combine our strengths in order to support the sector with a type of platform where companies, organisations and private individuals can come together to provide help. We also aim to develop a platform where attacks on civil organisations can be tracked, visualised and archived. We want to use this to support those who are active in the humanitarian sector. And we want to help these organisations bolster their resilience. We understand the need for emergency assistance, but we do not want to create dependencies. That’s why we upskill those affected and help them increase their expertise, so that they can better defend themselves.