The latest cyber-hack of USAID appears to be aimed specifically at international development, humanitarian, and human rights agencies.
This attack is the latest in an increasing trend of threat actors targeting nonprofits. Most nonprofits are not resourced to withstand attacks of this level, and when they are breached the effects are felt by the world’s most vulnerable people and can be life threatening. In the short term we need an emergency response to support nonprofits and urgently scale up their capabilities; in the medium term we need to create the conditions that make nonprofits’ cyber-defense sustainable so they can continue their vital work.
The NetHope community is collectively calling for an urgent focus on the poor state of information security (cybersecurity) resourcing within the nonprofit sector.
This includes a renewed urgency on how programs are funded to ensure a robust cybersecurity framework is always in place. We call on funders and nonprofits to join us to address the systemic reasons for this “race to the bottom” that encourages nonprofits bidding for funding to frequently leave out important cybersecurity costs. When program designs must fund cybersecurity and data protection costs through overhead (indirect costs), it can lead to starving cybersecurity and data protection functions at a time when such investment is needed to counter increasingly sophisticated actors and targeted threats. When these functions fail, the effects are mostly felt by the world’s most vulnerable people, thereby exacerbating already large and complex world problems, increasing digital divides, and potentially leading to loss of life.
We ask you to pledge with us…
- …that attacks on vulnerable people’s data are treated with the same grave condemnation as attacks on their persons. In the age of digital identities, digital access to services, and digital targeting, these cyberattacks can have profound, life-risking impact.
- …that program and grant funding mechanisms (both in the application, review, and award processes) specifically call out and require cybersecurity and data protection to be a funded direct cost that can have no negative impact on proposal cost comparison.
- …that cybersecurity and data protection activities are considered mandatory for well-designed programmatic interventions and (just like monitoring and evaluation) are consistently applied as core necessities for every program.
In the short term
This specific attack constitutes an immediate and serious threat, and NetHope Members are working together to defend against these malicious actors and remediate their effects in the short term. Collectively, NetHope Members have outlined critical actions all nonprofits must take urgently, distilled below; each requires executive air cover and sponsorship.
1. Visibly prioritize your digital security.
   Appoint a cybersecurity lead with enough seniority and accountability to raise these risks (and the required mitigation actions) to the highest level in your organization. These threats are increasing in magnitude, frequency, and sophistication. They have reached the level of a potential existential threat to unprepared nonprofits. Without this senior-level sponsorship, your nonprofit is likely to underestimate the scale of these risks – to your brand, your operations, and to your stakeholders and beneficiaries.
2. Protect your identities.
   Use multifactor authentication for everything. We expect to use multifactor authentication to verify our identity for our personal banking, and it should be the de facto standard for all applications in your work life too. This additional step may be seen as ‘annoying’ by some, so it can take executive buy-in and sponsorship to convey the urgency and nonnegotiable nature of the issue.
3. Protect your devices and applications.
   Know your landscape. You cannot protect what you don’t know exists. Nonprofits must urgently invest in device management solutions (called Unified Endpoint Management (UEM) platforms). Only with this capability can you build resiliency into your ecosystem, deploy quick fixes, and mitigate hacks and threats nimbly enough.
4. Resource doing the basics often and well.
   Because you can now manage how your people log in (from step 2) and your devices (from step 3), you can do the rest of the basics that mitigate most of the threats to your organization, and thus keep your data safe. For example, routine tasks that are nonnegotiable include patching/updating your systems and applications, having up-to-date antivirus on all devices, and securing your email.
Sophisticated cyberattacks are increasingly being perpetrated against nonprofits. Many of these attacks are launched by nation state actors, with the likely goals of espionage, reconnaissance, building out targeting profiles, and establishing long-term strategic footholds. In many cases the agencies that seek to protect the world’s most vulnerable people are specifically targeted for information that will result in greater vulnerabilities for these people. For example, recent events suggest that refugee identity data is being targeted because it is an easy route to identity fraud. Thus, we see that the agencies most at risk are the very ones that advocate for the world’s most vulnerable, expose human rights abuses, monitor elections, and in other ways hold duty bearers to account. The needed emergency response, to be fought in the digital realm, requires immediate increased resourcing and prioritization for digital protection, active threat hunting, and potential remediation activities. It is very likely that nation-state threat actors have already compromised nonprofits without their knowledge.
Cybersecurity challenges in the nonprofit sector
Most humanitarian organizations struggle to resource technology in an effective and transformative manner, let alone build a robust cybersecurity program on top of (or despite) their digital program. This struggle only increases when the nonprofit organization structure is inherently porous/distributed, for example in models that rely on implementing partners, government agencies, and volunteers to successfully deliver programs. In situations like these, cybersecurity presents a different puzzle than it does for traditional companies that have stronger and more predictable boundaries of interaction, as well as more conservative and hierarchical decision-making structures. Harder still is integration of cybersecurity risk into a broader program approach – especially for actors working in conflict zones or nonprofits/agencies that meet the increasing number of sophisticated state actors with offensive cyber programs.
Some donors are already realizing that cybersecurity should be part of their program agenda. USAID's recent exploration of cybersecurity as a fundable area is a notable move in the right direction. But there has never been a better time for a well-funded, cross-agency endeavor to make the ecosystem safer and more robust – or to take a firm stand on the law and ethics of attacking humanitarian actors. In the short term we call on our donors and tech partners to step up to help us address this specific threat – fast. In the longer term we need to leverage this springboard to unpack and address some of the harder challenges related to cybersecurity.
The world’s most vulnerable people
A comprehensive, cross-agency collaborative cybersecurity effort could provide huge humanitarian benefit at a time of unprecedented humanitarian need (exacerbated by Covid-19) and when many nonprofits are already stretched to breaking point in responding to humanitarian crises. Nonprofits deliver essential services when governments are not able to do so, serving as a last resort for billions of people globally. Thus, when malicious actors succeed in bringing them down, the impacts are not just financial (as would be the case in most corporations): the world’s most vulnerable people lose access to food, water, and vital health services. We have learned (anecdotally) that some data has even been used to facilitate loss of life.
The interests of other actors in the ecosystem
A more robust collective nonprofit cybersecurity strategy is likely to directly align with the national interests of host/domestic governments for North American and European NGOs. The vast majority of NetHope's nonprofit Members receive funding from their respective states’ development agencies or foreign ministries. Threats realized in nonprofits will hamper their ability to fulfill donor contracts and the outcomes to which donor and host governments aspire, let alone worldwide priorities like the Sustainable Development Goals.
Excerpt from “Another Nobelium Cyberattack” published by Microsoft here:
“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work. Nobelium launched this week’s attacks by gaining access to the Constant Contact account of USAID. Constant Contact is a service used for email marketing. From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network. You can read more about the technical aspects of these attacks in this blog post from the Microsoft Threat Intelligence Center (MSTIC).”
For more information, please contact NetHope on behalf of its global Members: