Hostname: page-component-cd9895bd7-dzt6s Total loading time: 0 Render date: 2024-12-27T10:05:35.221Z Has data issue: false hasContentIssue false

Hacking humanitarians: Defining the cyber perimeter and developing a cyber security strategy for international humanitarian organizations in digital transformation

Published online by Cambridge University Press:  18 March 2021

Abstract

Digitalization and new technologies have an increasingly important role in today's humanitarian activities. As humanitarian organizations become more active in and reliant on new and digital technologies, they evolve from being simple bystanders to being fully fledged stakeholders in cyberspace, vulnerable to adverse cyber operations that could impact on their capacity to protect and assist people affected by armed conflict or other situations of violence.

This shift makes it essential for humanitarian organizations to understand and properly map their resulting cyber perimeter. Humanitarian organizations can protect themselves and their activities by devising appropriate cyber strategies for the digital environment. Clearly defining the digital boundaries within which they carry out operations lays the groundwork for humanitarian organizations to develop a strategy to support and protect humanitarian action in the digital environment, channel available resources to where they are most needed, and understand the areas in which their operational dialogue and working modalities need to be adapted for cyberspace.

The purpose of this article is to identify the unique problems facing international humanitarian organizations operating in cyberspace and to suggest ways to address them. More specifically, the article identifies the key elements that an international humanitarian organization should consider in developing a cyber security strategy. Throughout, the International Committee of the Red Cross and its specificities are used as an example to illustrate the problems identified and the possible ways to address them.

Type
Cyber operations and warfare
Copyright
Copyright © The Author(s), 2021. Published by Cambridge University Press on behalf of the ICRC.

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

Footnotes

*

The opinions and views expressed in this article are the author's own and do not necessarily represent those of the ICRC. The author is grateful to Bruno Demeyere, Kubo Mačák, Tilman Rodenhäuser, Andrea Raab, Eve La Haye, Gilles Cerutti, Delphine Van Solinge, Pierrick Devidal, Vincent Graf Narbel, Fabien Leimgruber, Martin Schuepp, Adrian Perrig, Sai Sathyanarayanan Venkatesh and Saman Rejali for their valuable feedback on an earlier draft. All errors are the author's own.

Some of the topics considered in this article first appeared as part of a series of blog articles on the ICRC's Humanitarian Law and Policy Blog: see Massimo Marelli, “Hacking Humanitarians: Moving Towards a Human Cybersecurity Strategy”, 16 January 2020, available at: https://blogs.icrc.org/law-and-policy/2020/01/16/hacking-humanitarians-cybersecurity-strategy/; Massimo Marelli and Adrian Perrig, “Hacking Humanitarians: Mapping the Cyber Environment and Threat Landscape”, 7 May 2020, available at: https://blogs.icrc.org/law-and-policy/2020/05/07/hacking-humanitarians-mapping-cyber-environment/; Massimo Marelli and Martin Schüepp, “Hacking Humanitarians: Operational Dialogue and Cyberspace”, 4 June 2020, available at: https://blogs.icrc.org/law-and-policy/2020/06/04/hacking-humanitarians-dialogue-cyberspace/.

References

1 See Anja Kaspersen and Charlotte Lindsey-Curtet, “The Digital Transformation of the Humanitarian Sector”, Humanitarian Law and Policy Blog, 5 December 2016, available at: https://blogs.icrc.org/law-and-policy/2016/12/05/digital-transformation-humanitarian-sector/ (all internet references were accessed in January 2021).

2 This article's scope of analysis is restricted to international humanitarian organizations – i.e., organizations that have international organization or equivalent status and that have a humanitarian mandate. This does not include non-governmental organizations. The major difference between international humanitarian organizations and non-governmental organizations, for the purposes of this analysis, is the extent to which an international humanitarian organization enjoys privileges and immunities to ensure that it can perform its mandate in full independence. The existence and work of international humanitarian organizations is central to the functioning of the international community, and the international community relies on international humanitarian organizations to take care of tasks which individual States or groups of States cannot achieve alone. This makes international humanitarian organizations very relevant, but at the same time, potentially very vulnerable as cyber targets. However, the specific status they enjoy, and their privileges and immunities, can provide important safeguards for the protection of the organization if properly applied in a cyber environment.

3 See International Committee of the Red Cross (ICRC), in collaboration with The Engine Room and Block Party, Humanitarian Futures for Messaging Apps: Understanding the Opportunities and Risks for Humanitarian Action, January 2017, available at: www.icrc.org/en/publication/humanitarian-futures-messaging-apps.

4 See A. Kaspersen and C. Lindsey-Curtet, above note 1.

5 See David Kilcullen, Out of the Mountains: The Coming Age of the Urban Guerrilla, Oxford University Press, Oxford, 2015, available at: www.kilcullenstrategic.com/out-of-the-mountains/.

6 See Kristin Bergtora Sandvik, Katja Lindskov Jacobsen and Sean Martin McDonald, “Do No Harm: A Taxonomy of the Challenges of Humanitarian Experimentation”, International Review of the Red Cross, Vol. 99, No. 904, 2017.

7 See Policinski, Ellen and Kuzmanovic, Jovana, “Protracted Conflicts: The Enduring Legacy of Endless War”, International Review of the Red Cross, Vol. 101, No. 912, 2019, p. 965CrossRefGoogle Scholar.

8 On data protection in humanitarian action, see Christopher Kuner and Massimo Marelli (eds), Handbook on Data Protection in Humanitarian Action, 2nd ed., ICRC, Geneva, 2020, available at: https://shop.icrc.org/handbook-on-data-protection-in-humanitarian-action-print-en. On the implications of metadata generation through third-party interactions in delivering humanitarian programmes, see Tina Bouffet and Massimo Marelli, “The Price of Virtual Proximity: How Humanitarian Organizations’ Digital Trails can Put People at Risk”, Humanitarian Law and Policy Blog, 7 December 2018, available at: https://blogs.icrc.org/law-and-policy/2018/12/07/price-virtual-proximity-how-humanitarian-organizations-digital-trails-put-people-risk/. On of the use of biometric data by the ICRC, see Ben Hayes and Massimo Marelli, “Facilitating Innovation, Ensuring Protection: The ICRC Biometrics Policy”, Humanitarian Law and Policy Blog, 18 October 2019, available at: https://blogs.icrc.org/law-and-policy/2019/10/18/innovation-protection-icrc-biometrics-policy/.

9 See ICRC, ICRC Strategy 2019–2022, Geneva, September 2018, available at: www.icrc.org/en/publication/4354-icrc-strategy-2019-2022.

10 See ICRC, The Potential Human Cost of Cyber Operations, Geneva, 29 May 2019, available at: www.icrc.org/en/document/potential-human-cost-cyber-operations.

11 See, for example, “Big Data, Migration and Human Mobility”, Migration Data Portal, available at: https://migrationdataportal.org/themes/big-data-migration-and-human-mobility.

12 See, for example, ICRC, “Rewards and Risks in Humanitarian AI: An Example”, Inspired, 6 September 2019, available at: https://blogs.icrc.org/inspired/2019/09/06/humanitarian-artificial-intelligence/.

13 See Els Debuf, “Tools to Do the Job: The ICRC's Legal Status, Privileges and Immunities”, International Review of the Red Cross, Vol. 97, No. 897/898, 2016, available at: https://international-review.icrc.org/articles/tools-do-job-icrcs-legal-status-privileges-and-immunities.

14 See ICRC, “Fundamental Principles”, available at: www.icrc.org/en/fundamental-principles.

15 See Statutes of the International Red Cross and Red Crescent Movement, adopted by the 25th International Conference of the Red Cross, Geneva, 1986 (amended 1995, 2006), available at: www.icrc.org/en/doc/resources/documents/misc/statutes-movement-220506.htm.

16 See ICRC, “What We Do”, available at: www.icrc.org/en/what-we-do.

17 See “Resolution on Privacy and International Humanitarian Action”, 37th International Conference of Data Protection and Privacy Commissioners, Amsterdam, 27 October 2015, available at: http://globalprivacyassembly.org/wp-content/uploads/2015/02/Resolution-on-Privacy-and-International-Humanitarian-Action.pdf.

18 See ICRC, “Restoring Family Links while Respecting Privacy, Including as it Relates to Personal Data Protection”, 33IC/19/R4, Resolution 4 adopted at the 33rd International Conference of the Red Cross and Red Crescent, Geneva, 9–12 December 2019, available at: https://rcrcconference.org/app/uploads/2019/12/33IC-R4-RFL-_CLEAN_ADOPTED_en.pdf.

19 See ICRC, “Confidentiality Q&A”, 15 January 2018, available at: www.icrc.org/en/document/confidentiality-q.

20 See E. Debuf, above note 13.

21 See Philippe Dind, “Security in ICRC Field Operations”, Secure 02, Finnish Red Cross, June 2002, p. 27, available at: www.icrc.org/en/doc/assets/files/other/secure02_dind.pdf.

22 See Michael Nieles, Kelley Dempsey and Victoria Yan Pilliterri, An Introduction to Information Security, NIST Special Publication 800-12, National Institute of Standards and Technology, June 2017, available at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf.

23 See, for example, C. Currier, “The NSA Plan to Find Osama Bin Laden by Hiding Tracking Devices in Medical Supplies”, The Intercept, 21 May 2015, available at: https://theintercept.com/2015/05/21/nsa-plan-find-osama-bin-laden-infiltrating-medical-supply-chain/.

24 See, for example, Bill Gertz, “Cybercom: Big Data Theft at OPM, Private Networks Is New Trend in Cyber-Attacks”, Washington Free Beacon, 27 July 2015, available at: https://freebeacon.com/national-security/cybercom-big-data-theft-at-opm-private-networks-is-new-trend-in-cyber-attacks/.

25 For a description of the public cloud and why it can be an important asset to leverage, see Microsoft, “What Are Public, Private, and Hybrid Clouds?”, available at: https://azure.microsoft.com/en-us/overview/what-are-private-public-hybrid-clouds/.

26 See, for example, Dutch Ministry of Justice, DPIA Office 365 ProPlus Version 1905: Data Protection Impact Assessment on the Processing of Diagnostic Data, June 2019, available at: www.government.nl/documents/publications/2019/07/22/dpia-office-365-proplus-version-1905.

27 See Microsoft, “What Is Cloud Computing? A Beginner's Guide”, available at: https://azure.microsoft.com/en-us/overview/what-is-cloud-computing/.

28 See US Department of Justice (DoJ), “CLOUD Act Resources”, available at: www.justice.gov/dag/cloudact.

29 See C. Kuner and M. Marelli (eds), above note 8, Chap. 16.3.5.

30 See Berhan Taye and Sage Cheng, “The State of Internet Shutdowns”, Access Now, 8 July 2019, available at: www.accessnow.org/the-state-of-internet-shutdowns-in-2018/.

31 See, for example, Bill Marczak and John Scott-Railton, “The Million Dollar Dissident: NSO Group's iPhone Zero-Days Used against a UAE Human Rights Defender”, Citizen Lab, 24 August 2016, available at: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/.

32 See, for example, ICT Switzerland, “Supply Chain Security”, available at: https://ictswitzerland.ch/en/topics/cyber-security/supply-chain/.

33 See Fabio Bergamin, “Open-Source Microprocessor”, ETH Zürich, 30 March 2016, available at: https://ethz.ch/en/news-and-events/eth-news/news/2016/03/open-source-microprocessor.html.

34 See Markus Gross, “A Booting Computer Is as Vulnerable as a Newborn Baby”, ETH Zürich, 5 November 2019, available at: https://ethz.ch/en/news-and-events/eth-news/news/2019/11/project-opentitan.html.

35 See Microsoft, “Government Security Program”, available at: www.microsoft.com/en-us/securityengineering/gsp.

36 See e-Estonia, “Estonia to Open the World's First Data Embassy in Luxembourg”, available at: https://e-estonia.com/estonia-to-open-the-worlds-first-data-embassy-in-luxembourg/.

37 For a reference to the US State Department's position supporting such application of privileges and immunities of States, see Implementation of the Virtual Data Embassy Solution: Summary Report of the Research Project on Public Cloud Usage for Government, Conducted by Estonian Ministry of Economic Affairs and Communications and Microsoft Corporation, 2015, p. 14, n. 12, available at: https://tinyurl.com/3rucylfy.

38 See Microsoft, “Confidential Computing”, available at: www.microsoft.com/en-us/research/theme/confidential-computing/.

39 See Andy Greenberg, “Hacker Lexicon: What Is Homomorphic Encryption?”, Wired, 11 March 2014, available at: www.wired.com/2014/11/hacker-lexicon-homomorphic-encryption/.

40 See DoJ, above note 28.

41 See, for example, Julia Carrie Wong, “US, UK and Australia Urge Facebook to Create Backdoor Access to Encrypted Messages”, The Guardian, 4 October 2019, available at: www.theguardian.com/technology/2019/oct/03/facebook-surveillance-us-uk-australia-backdoor-encryption.

42 ICRC and Swiss Federal Council, “Accord entre le Conseil fédéral suisse et le Comité international de la Croix-Rouge en vue de déterminer le statut juridique du Comité en Suisse”, 19 March 1993, available at: www.fedlex.admin.ch/eli/cc/1993/1504_1504_1504/fr#sidebarLink.

43 See “Scenario 04: A State's Failure to Assist an International Organization”, in Kubo Mačák, Tomáš Minárik and Taťána Jančárková (eds), Cyber Law Toolkit, available at: https://tinyurl.com/3m4nm6nv.

44 See, for example, Michael N. Schmitt and Liis Vihul (eds), Tallinn Manual 2.0 on International Law Applicable to Cyber Operations, 2nd ed., Cambridge University Press, Cambridge, 2017, available at: https://ccdcoe.org/research/tallinn-manual/.

45 See French Ministry of Defence, International Law Applied to Operations in Cyberspace, 2019, available at: www.defense.gouv.fr/content/download/567648/9770527/file/international+law+applied+to+operations+in+cyberspace.pdf.

46 See Group of Friends of the Protection of Civilians in Armed Conflict, statement submitted to the UN Security Council Arria-Formula Meeting on Cyber-Attacks against Critical Infrastructure, New York, 26 August 2020, available at: www.eda.admin.ch/dam/mission-new-york/en/speeches-to-the-un/2020/20200826-new-york-POC-GoF%20PoC%20statement_E.pdf. “The trust of the people they serve is the currency of humanitarian organizations. This trust is a precondition for humanitarian action. Therefore, we, as Members [sic] States, must create an environment, including a safe information infrastructure that allows humanitarian organizations to successfully carry out their mandate. The Resolution on Restoring Family Links adopted at the 33rd International Conference of the Red Cross and Red Crescent in 2019 constitutes an important step in this direction.”

47 See ICRC, “Dialogue with Weapon Bearers”, available at: www.icrc.org/en/what-we-do/building-respect-ihl/dialogue-weapon-bearers.

48 See ENISA, “What Is ‘State of the Art’ in IT Security?”, 7 February 2019, available at: www.enisa.europa.eu/news/enisa-news/what-is-state-of-the-art-in-it-security.