The Coming Crisis: Humanitarian Cybersecurity and the Russia/Ukraine Conflict
Ukrainians receive ICRC aid. Photo by AFP/ANATOLII STEPANOV


As I write this, the world is holding its breath, wondering what will happen next as the tensions between Russia and Ukraine continue to escalate. While we all hope that diplomacy will defuse the tension and prevent a further escalation of the ongoing conflict between Russia and Ukraine that began in 2014, humanitarian organizations should nevertheless be prepared for that escalation. Based on what we have seen in other conflicts in recent years, humanitarians should be prepared to respond to digital threats and impacts related to a broad escalation of "hybrid warfare" between combatants in Eastern Europe.

"Hybrid warfare" is a term that describes a form of modern warfare that blends conventional warfare, irregular warfare, cyber warfare and other political influencing and disinformation activities as part of an interlinked strategy. As of right now, nearly 100,000 soldiers from Russia are on the borders of Ukraine in both Russia and Belarus. Western governments have stated that they believe an attack could come at any time. UK chief of defense staff Adm. Tony Radakin has recently stated that "the significance of the worst scenarios in terms of a full invasion of Ukraine would be on a scale not seen in Europe since World War II."

While the political, diplomatic and military implications are beyond the scope of this article, I wanted to focus some attention on how humanitarian data systems, ICT and other digital infrastructure may be affected by an escalating conflict, and to propose immediate action steps that humanitarian organizations should undertake right now to prepare for a future conflict.

Hybrid War Will Not Ignore Humanitarians

While the humanitarian principles of humanity, neutrality and independence have provided protection and legitimacy for humanitarian action in conflict, we also know that humanitarians and the vulnerable people they serve increasingly often come under digital attack during crisis situations:

  • In 2015, NetHope and Cisco documented advanced, state-sponsored malware on the laptops of the World Food Program on the ground during the active rescue phase of the Nepal Earthquake.
  • Wi-Fi networks deployed with advanced intrusion prevention capabilities to support Syrian refugees in Europe were routinely stopping more than 80,000 malicious events per week during 2015-2016, most of which were related to Android malware.
  • More recently, in June of 2021 it was announced that Russian-based hackers had compromised the email system of USAID, leading to a targeting of over 150 NGOs and civil-society organizations.
  • And of course, in January of 2022 came word from ICRC that the data of more than 500,000 vulnerable people separated by conflict and crisis had been stolen by unknown parties in a 'sophisticated' breach.

The implications of digital attacks against humanitarian organizations and the people that they serve can be very serious - from the theft of finances and identity, to disrupting life-saving humanitarian work, to enabling targeted killing, violence and other grave harm.

Why would humanitarians be targeted in a possible Ukraine/Russia conflict? Despite its values of neutrality, humanitarian action is often seen as inherently political, and we have seen humanitarian organizations in Syria being targeted for broad disinformation campaigns to delegitimize their humanitarian work. Delegitimizing and contesting the narrative of humanitarian action seeks to control the governance of aid, seeking to sow doubts in the eyes of potential donors, and suspicion among the beneficiary communities on the ground. Further, humanitarian organizations are often among the first on the ground to document instances of war crimes, such as the use of prohibited weapons, or the targeting of civilians or protected facilities such as hospitals. These and other reasons provide ample motivation for targeting humanitarians, as much as we deplore such actions.

Digital intrusions and disinformation are borderless

Modern conflicts don't just take place in a physical battle space - they take place online too. Disruptions of critical infrastructure and essential lifelines such as water systems, transport systems and healthcare are well documented. Indeed, the original Russian incursion into Ukraine in 2014 was timed with a digital attack on Ukraine's power grid. Disinformation and manipulation of information narratives is very prevalent on social media related to the ongoing conflict within the Tigray region in Ethiopia.

In a possible escalation of the crisis in Ukraine, it is reasonable to assume that digital attacks will happen against humanitarian organizations operating on the ground inside of Ukraine, and will also include intrusions against these same humanitarian organizations at the headquarters or back-office level in North America, Europe, or wherever else they may physically exist. It is just as easy to hack a system on the other side of the planet as one physically near to you; the only difference is a few more milliseconds of latency.

Humanitarians must ready themselves now.

While one hopes that there is no escalated conflict (the world is complicated enough as it is right now without an additional war in Europe), it is urgent that humanitarian organizations who have interests and operations related to the conflict in Ukraine should harden infrastructures now to mitigate digital risk, prepare to respond to incidents and maximize the organization's resiliency against any digital threat.

  • Ensure all systems and infrastructure are current on patches, anti-malware updates, etc.
  • Ensure that all remote access, and all system and network superuser or privileged access, requires two-factor authentication.
  • Verify that technologies and plans to detect suspicious activity are up-to-date and that roles and responsibilities for incident response are well-communicated.
  • Establish a crisis response team that includes a main point of contact for suspicious cybersecurity incidents, which includes roles for the technology team, program teams, communications/media relations, donor/partner relations, legal and business continuity teams.
  • For organizations who are operating on the ground in Ukraine, ensure that there is a linkage between the physical security plan and the digital security plan, so that if there is a degradation of the physical security of the humanitarian mission, critical data assets remain secure. Likewise, ensure there is coordination between the organization's media and messaging arms and data protection teams in the event of a "blended" hacking and disinformation campaign, as happened to the Democratic Party in the United States in 2016.
  • For humanitarian organizations who are working with Ukrainian implementation partners or other local entities, ensure that all network and communications traffic between the organizations is monitored for unusual activity.
  • Verify business continuity measures are in place so that if there is a digital attack, humanitarian program officers can continue to do their essential lifesaving work in a potentially degraded environment.
  • Confirm that critical backup systems are tested and verified for rapid restoration in the event that a destructive attack or ransomware is introduced into the humanitarian organization.
  • Ensure good data protection, retention and data minimization practices are in place for any data collection of civilians or other vulnerable people to minimize the potential harms against those individuals should data fall into the wrong hands.
  • Finally, ensure that incident detection, response and business continuity plans are regularly practiced in table-top exercises or other appropriate simulations to ensure that all participants are familiar with their responsibilities and communications paths prior to a real-world event occurring. For humanitarians, these simulations should incorporate both field-based and headquarters-based threat scenarios.
  • Additionally, for Salesforce customers, we recently published this guide to data protection in crisis environments.

Hope For the Best, But...

While we all hope that the ongoing conflict in Ukraine does not escalate, humanitarians should be preparing now for that escalation anyway. Humanitarian organizations that will respond to any future conflict will come under digital attacks, and those attacks, whether from intrusion, disinformation, or any other method, will respect no borders or frameworks of international humanitarian law. Humanitarian organizations must take active steps now to minimize the risk to their operations and to the lives of the aid workers and beneficiaries under their protection, and ensure their mechanisms for detection, response and resiliency are ready to go at a moment's notice.

We would all hope that combatants and other digital threat actors would respect the role of humanitarians and not target these organizations and their data. But we must never assume that they will.

We must prepare. Now.

JT Jacoby

Business Driven Information Security, Risk and Data Privacy. Program Transformation and Optimization. Trustworthy AI and Governance

3 years ago

Thank you for sharing this Rakesh - very important!! Thankfully INGOs are on the ground, but the need for more assistance coupled to a history of repression, violence and dislocation going back to the 1920s is clear and predictable. At the IRC, and in the last year, we've gone head to head with one of their APT actors - they were very sophisticated and we were very lucky. More of us must be ready to respond with clear cyber and data privacy mitigation strategies. https://www.migrationpolicy.org/article/caught-between-east-and-west-ukraine-struggles-its-migration-policy

Corey Marshall

Driving impact and growth across sectors

3 years ago

They should assume their data will be compromised, but not be resigned to it. My hope is that this drives the necessary investment rather than accept it as an inevitability.
