Photos: Fred Merz

Protecting people in cyberspace

Cyber security leads to cyber peace.

There is still insufficient awareness of the fact that even non-governmental organisations (NGOs) are targets of cyberattacks. Francesca Bosco (Senior Advisor Strategy and Partnerships) of the CyberPeace Institute explains how they can change that, and why humanitarian NGOs are targeted by cyber criminals.

The CyberPeace Institute was set up in 2019. What exactly drove you to do it?

The healthcare sector, already under extreme pressure to meet the needs caused by the Covid-19 pandemic, faced cyberattacks and threats that undermined the sector’s ability to successfully respond to people’s healthcare needs. Critical infrastructure was being targeted to an increasing extent. These were attacks on the efficient functioning of our society: a combination of a process that was already going on and an escalation in the public eye. The CyberPeace Institute was established in Geneva, Switzerland, as a neutral non-governmental organisation (NGO), with the objective of limiting the harm caused by the attacks, to support vulnerable communities and to promote responsible behaviour in cyberspace. Escalating cyberattacks not only affect hardware, but threaten people’s lives and endanger access to basic services – such as healthcare.

Who is behind the institute?

The institute started with seed funding support from the private sector and foundations, including Microsoft, Mastercard and the William and Flora Hewlett Foundation.

The name is unusual for an institute that deals mainly with data security. Do you see yourselves as a peace organisation?

It is precisely this integrated approach that inspired me and many others who work for the CyberPeace Institute. Acting as a peace organisation and simultaneously developing a comprehensive analytical approach to cybersecurity creates a double challenge. We follow the fundamental principles of positive cyber peace.

What are those principles?

To us, peace means more than just the absence of conflict. It also means the proactive, forward-thinking prevention of possible flashpoints. If we consider that cyberspace is involved in almost all aspects of our existence, we realise that it entails just as many fascinating possibilities as pitfalls. That’s why we have chosen the integrated approach. It was clear from the start that although cyberspace holds dangers, it’s also an opportunity, offering security when used appropriately. When providing our services, we are vigilant about preserving human dignity and equality. We ensure that cyberattacks do not threaten human lives.

So it is a peace organisation.

Yes, we are a peace organisation, and a very active one at that. A lot is changing at the moment. We have decided on a very concrete and practical approach: we investigate, we assist and we campaign.

What does that mean exactly?

We support vulnerable communities, such as NGOs that work in humanitarian and development sectors. We research and analyse, and on that basis we provide information to politicians in the countries concerned. And we anticipate events, such as disruptive technology, that could threaten vulnerable communities.

‘Cyber peace entails just as many fascinating possibilities as deep pitfalls.’

Francesca BOSCO,
Senior Advisor Strategy and Partnerships, CyberPeace Institute

How many countries do you operate in? And how many employees are working on this issue?

Our network is global, stretching across 120 countries. Our team consists of 27 full-time employees from 12 countries, 50% of whom are women. We are proud of that. This diversity is one of our greatest strengths, especially when you consider that we are working towards cyber peace. It means that we combine a really wide range of skills in the field of cyber security with very different backgrounds.

From our headquarters in Geneva, Switzerland, we work closely with our CyberPeace Builders regional advisors in Nairobi (Kenya) and Bogotá (Colombia). At the moment, we are providing direct support to NGOs in 120 countries. These NGOs also operate internationally – a factor that considerably increases our impact. It’s our aim to take our work all over the world.

Which foundations and associations are particularly under threat?

That’s an interesting question – and not an easy one. As our experience shows, it depends on a variety of factors and situations and the circumstances of the organisations themselves. During the pandemic, we identified the health sector as being one of the most vulnerable. This is a typical example. At the moment, we are focusing on civil society organisations and those with a humanitarian background.

Why these areas in particular?

Humanitarian organisations have increasingly come to rely on information technology. In principle, that’s a good thing, because it allows them to increase their reach and means they can deliver critical services to people in urgent need. The new technology offers wonderful opportunities, but at the same time these organisations become a bigger target. It then becomes vital for their survival to look beyond the possibility of physical attacks and consider protection of their data too. This is about the software that they need. An important point is that cyberattacks can also have physical consequences. I’m thinking in particular about humanitarian organisations; what they do online – for instance, on social media – can have major repercussions in the real world.

The ICRC (International Committee of the Red Cross) experienced an attack a year ago…

Yes, that was a wake-up call for the international community. Highly sensitive personal data, related to its family links programme, was stolen. The transparency that the ICRC demonstrated in publishing information about the disruption caused by the cyberattack is important because people’s lives are affected. The harm that such attacks cause is immeasurable and will have an impact for decades to come. The attack on the ICRC made media headlines, yet it is not alone.

Why is data belonging to humanitarian organisations so attractive to cyber criminals?

Humanitarian NGOs are no strangers to the growing trend of cyberattacks; they are often the victim of attacks targeting the critical services they offer to vulnerable communities throughout the world. Cyberattacks against humanitarian organisations may be carried out in order to disrupt their ability to carry out their activities, to access the data held on beneficiaries and other stakeholders, or to steal funds or data and information; e.g. CEO fraud. And also to spread malicious information and politically motivated messages through web defacement, hijack and misuse identities, manipulate stolen data as part of disinformation campaigns, and/or hold the organisation to scrutiny due to identified vulnerabilities in its cybersecurity. The humanitarian sector raises more than USD 30 billion annually in order to deliver programmes to bring assistance and protection to people. Cynically, cyberattackers probably see this as a lucrative business opportunity: NGOs are seen as low risk and high reward. Low risk as they are an easy target from a technical perspective, and relatively high reward because of the funds attackers may be able to access through ransom demands, fraudulent transfers, etc.

Are there further examples?

Yes, unfortunately. In summer 2021, cyber criminals hijacked the Instagram account of The Union for International Cancer Control (UICC). On World Cancer Day 2021, the criminals sent out a phishing email with false complaints. Many of the account’s followers thought the message came from the charity. And, two days later, the criminals contacted the organisation, declared that they had taken over the account and demanded a ransom. The UICC represents the interests of the cancer community; its main concern is ensuring fair access to check-ups and preventive measures. The criminals changed the email address, password and phone number linked to the account and disabled it. It took UICC several weeks to regain access to its Instagram account.

How much damage was done?

First, the UICC could no longer use its Instagram account and so lost all its followers. Second, potential donors became less inclined to trust it – that’s a long-term consequence that should not be ignored.

What else is stolen data used for?

Stolen data is used to extort money, and, as I mentioned, for disinformation campaigns. Cyber criminals gain direct access to their victims via phishing attacks in order to cause them harm. This often means that online data belonging to beneficiaries of the organisation is stolen to be sold on to other criminals, or very personal data is traded; for example, details of activists and journalists who conduct research in a political context. That can become really dangerous.

Where is this data traded?

On the darknet, where there’s a market for stolen identities. It’s very hard to quantify the extent of it, as hardly any data exists, which is a major problem. That’s why we at the CyberPeace Institute are working on a method of providing organisations with information on the true extent of the possible long-term damage. When an attack takes place, many people think only of the immediate fall-out, without considering the possible scale of the damage. How much data has effectively been stolen? How high are the costs beyond the immediate harm caused? Because the effect of the long-term costs is difficult to quantify.

‘NGOs often fall victim to attacks targeting critical services.’

Francesca BOSCO

What should be done in the event of an attack?

The incident should be reported to the authorities immediately. I realise that can be difficult. Victims of cyber attacks often fail to tell the authorities out of shame, or they simply don’t know what to do or who to tell. I’ve worked in the field of cyber crime since 2006 and one of the biggest problems has always been the fact that cyber incidents are very rarely documented. This lack of data makes it hard to record the incidents consistently. Luckily, many countries now have a department that deals with cyber crime and tries to document incidents. This is, of course, possible thanks only to the technology we have today. What the authorities do not do so much is monitor cyberspace and provide support with data recovery.

What specific measures would you advise a foundation with limited resources, and perhaps no employees, to put in place to protect itself?

The CyberPeace Builders programme was set up to provide support to NGOs. It is a worldwide network of cyber security experts. This is something that civil organisations really need, since they often do not have enough staff, or they lack local staff with the requisite skills or they simply do not have the budget. And in some cases NGOs are not allowed to use donations for this purpose. There is a huge willingness to help among the members of the cyber security community. The CyberPeace Builders is a volunteer programme populated by experts who work for private companies. For NGOs, this service is free and they can ask for help at any time. What we cannot do yet is provide emergency assistance. We help the NGOs in terms of prevention and to improve their cyber skills. After an attack, we support them in their journey back to everyday life in the digital world. When the Humanitarian Cybersecurity Center (HCC) is up and running, as of 27 February 2023, the facility to offer emergency assistance will be available.

What are the benefits of increasing cyber security?

It is very important that even the smallest organisations dedicate some time to work on their cyber resilience. We enhance their awareness of the need to build up their capacity and skills in this area themselves.

How do you raise awareness of this?

One of the first things we show the leadership team is how multi-factor verification (MFA) or a password manager works. It’s simple and effective. The important thing here is that the entire organisation uses these measures, not simply the IT personnel.

‘It’s important that even the smallest of organisations take time to address their cyber resilience.’

Francesca BOSCO

What else is needed to make the cyber world a safer place?

It’s not only the NGOs that have to expand their knowledge. Their patrons and donors must also develop an understanding of the dangers of the internet. Ideally, they should provide financial support to the NGOs in order to develop their cybersecurity, because it takes investment to develop a security-conscious culture. Unfortunately, this is not yet common knowledge. Most people think that if you have antivirus software, then you are all set. The technical service forms only a fraction of the protection that’s needed. Good protection consists of a variety of components. And that’s exactly why we are really driving the Center forward, so that we can make all these components available.

Who takes advantage of your services?

Needs vary greatly depending on the region. That’s why we have regional advisors in Africa and Latin America. Our target is to support more than 100 NGOs by the end of 2022. Currently, we support 59 in Switzerland, and it’s a wide range of organisations. Some are from the healthcare sector, some in humanitarian development cooperation and some that deal with children’s rights and violence against women. And some want to remain anonymous.

You have achieved your first target. What are your next steps?

We want to combine our strengths in order to support the sector with a type of platform where companies, organisations and private individuals can come together to provide help. We also aim to develop a platform where attacks on civil organisations can be tracked, visualised and archived. We want to use this to support those who are active in the humanitarian sector. And we want to help these organisations bolster their resilience. We understand the need for emergency assistance, but we do not want to create dependencies. That’s why we upskill those affected and help them increase their expertise, so that they can better defend themselves.

  1. The article highlights the lucrative target cyber attackers see in NGOs due to their access to funds and relative technical vulnerability. This makes them prime targets for ransomware demands, fraudulent transfers, and data breaches. Your blog proved to be an absolute gem! It gave me valuable insights and made the seemingly complex a breeze of understanding. Thanks for making learning so enjoyable and enlightening.
