“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” – Article 12, Universal Declaration of Human Rights
Humanitarian organizations – NGOs, governments and organs of the United Nations system – are increasingly challenged to adopt new Information and Communications Technologies (ICT) to execute the core humanitarian mission. Traditional ways of gathering and disseminating data and information – paper forms, offline spreadsheets or other forms of collection – struggle to keep up with the tremendous workload the humanitarian community is under. As such, many of these organizations are moving towards digitization – that is, “taking manual or offline business processes and converting them to online, networked, computer-supported processes.”
Along with this transformation in the use of technology and information come new risks. As these organizations successfully move to new ways of doing business, they become dependent upon the integrity of the technology underpinning those systems. It is therefore natural that the humanitarian community start to consider the information security risks inherent in their ICT dependencies. This isn’t any different than the security challenges any enterprise business has to face.
Beyond the inherent need for information security that exists in any “digitized” organization, I argue that the humanitarian community has a special Obligation to Protect which compels strong information security, data protection and privacy responses based on the core mission of humanitarian organizations and the Humanitarian Principles as established in United Nations General Assembly Resolutions 46/182 and 58/114.
Humanitarianism in the Age of Cyber-Warfare
Humanitarian responses to modern disasters, conflicts, and other crises are incredibly technology dependent. From Ebola to Haiti to Syria, crisis responders and aid workers rely upon computers, tablets, smartphones, and all manner of technologies to get the job done. With increasing use of emerging technologies such as cloud-based solutions, UAVs, and data analytics, humanitarians are better able to get the aid to where it is needed in more efficient, cost-effective ways. Emerging applications also complicate the kinds of information that are being entrusted to the community: “Humanitarians are also collecting entirely new types of information, such as bank accounts and financial data for cash programming, and biometrics, such as fingerprints and iris scans, in Kenya, South Sudan, Malawi and elsewhere.”
These essential digital dependencies can also prove to be a tempting target for organized crime, hackers, or sophisticated combatants. The increasingly large amount of sensitive data being collected by the humanitarian community often outstrips the ability for organizations to effectively identify and mitigate infosec/data protection/privacy risks. In my unofficial survey of major international humanitarian NGOs, of the 30 organizations I surveyed, only about four or five had dedicated information security headcount, and even in those organizations the ability to influence the security of data being used by country offices or out in the field was extremely limited.
High Vulnerability Meets Low Capacity
The humanitarian community therefore finds itself in the unenviable place of having a high degree of vulnerability to security threats, but a low capacity to address those threats. Unlike businesses or governments, where various security standards exist and can be audited against (such as ISO 27001:2013, PCI or NIST 800-53), there are no existing standards for humanitarian information security. The three standards I just referred to are widely used, but lack a grounding in humanitarian principles that are essential to the organizations in our community.
The need for security won’t be driven by beneficiaries, however. Imagine a hypothetical scenario of a refugee family fleeing a war or disaster arriving at a camp run by an international aid organization. At the entrance to the camp is an aid worker with a laptop who is requiring all arrivals to register into a database. No refugee will respond to this request by demanding assurance as to whether the data will be encrypted or protected against theft. In this transaction, the refugee lacks agency to advocate for appropriate information security controls — if one wants a place for their family to sleep tonight and eat, one will most likely hand over whatever information is being requested.
Contrast this to my rights as a consumer in the United States or Europe – if Amazon (for example) were to lose my credit card or other sensitive PII to a hacker, there are laws that define what responsibilities fall to Amazon, and what remedies are available to me. None of this currently exists in the humanitarian space.
Protecting the Vulnerable is What We Do
Humanitarian organizations long ago defined and adopted the humanitarian principles as universal values:
- Humanity: Human suffering must be addressed wherever it is found. The purpose of humanitarian action is to protect life and health and ensure respect for human beings.
- Neutrality: Humanitarian actors must not take sides in hostilities or engage in controversies of a political, racial, religious or ideological nature.
- Impartiality: Humanitarian action must be carried out on the basis of need alone, giving priority to the most urgent cases of distress and making no distinctions on the basis of nationality, race, gender, religious belief, class or political opinions.
- Independence: Humanitarian action must be autonomous from the political, economic, military or other objectives that any actor may hold with regard to areas where humanitarian action is being implemented.
The Obligation to Protect is consistent with these principles: Organizations that have the mission of addressing human suffering and protecting vulnerable people from further harm in the physical space – assuring basic physical security along with food, shelter, medical care and other essential human needs – also have an equivalent duty to protect people from digital harm, whether it’s identity theft, financial fraud, or physical harm resulting from the loss of confidentiality, integrity or availability of humanitarian ICT systems.
First, Do No Harm
The precautionary principle of “do no harm” should be the underlying touchpoint of all humanitarian ICT efforts. It requires technologists and humanitarians alike to consider the risks of all technology use and to work to minimize such risks to aid workers, donors and most importantly beneficiary populations. In short, information security is essential to the humanitarian ICT mission because compromise puts the core mission and rationale of humanitarian action at risk.
Conclusion: Information Security is Inherent in the Mission
Humanitarian action is increasingly dependent upon ICT. In the absence of legislation and standards within the community, humanitarian organizations must recognize the Obligation to Protect as it applies to information security, data protection and privacy as an essential part of the humanitarian mission. All humanitarian actors – whether they work for a humanitarian agency, are crowd-sourced volunteers on the Internet, or from the private sector – must be educated on the Obligation to Protect and how all parties must ensure appropriate and secure use of ICT and datasets.
Aid workers and beneficiary populations are often among the most vulnerable people on earth — they exist in crisis, with little or no ability to identify and minimize risk on their own. The goal of good security should be to minimize the risk that they will be further victimized by electronic malfeasance.
What do you think is the best way to drive information security into the humanitarian community? Let me know in the comments below!
“Applying Humanitarian Principles to Current Uses of Information Communication Technologies: Gaps in Doctrine and Challenges to Practice”, Harvard Humanitarian Initiative, July 2015