By James Eaton-Lee, NetHope Chief Information Security Officer
Thinking about the potentially adverse impact of digital is neither unfamiliar nor new; warnings that the “gentle revolution of electronic brains” digitizing our lives might amplify oppression have been a continuous and growing drumbeat beginning at the advent of the computer revolution.
Today, from newspaper headlines to popular culture and fiction, the drumbeat has hit a crescendo. Narratives of subversion, misuse, and compromise of digital data are as familiar as those emphasizing transformative investment, regulation, or policing - particularly to us as humanitarians.
We know, in fact, that civil society is now being directly and broadly targeted by government and other actors who harness intrusive technology, such as the NSO Group Pegasus tool, from undiscriminating and sophisticated commercial marketplaces whose criminal variants price kits for crippling business with ransomware at as little as $66.
In its 2022 Digital Defense Report, Microsoft identified NGOs and think tanks as the second most targeted sector globally; we also know there has been direct targeting of humanitarian organizations in 2021/22, including breaches of ICRC and USAID systems used to target other INGOs.
In her plenary speech at the 2022 NetHope Global Summit, Wendy Nather, head of Advisory CISOs for Cisco, highlighted the need for a collective approach to this growing threat. Channeling the metaphor of two hikers faced with an irate bear, one ready to outrun his counterpart, Nather says that in cybersecurity it’s no longer enough for organizations to focus solely on themselves.
"Thanks to scaling of attacks and automation, there’s more than enough bear to go around. [...] I think we should be moving towards acknowledging that if someone gets hit with a cyber-attack it affects all of us."
– Wendy Nather, head of Advisory CISOs for Cisco
With worldwide cybersecurity spending set to grow by 11 percent in 2023, few NGOs are growing or investing with the needed parity. From global skills shortages to a skittish insurance market whose leaders suggested in a Financial Times article, “Cyber-attacks [are] set to become uninsurable”, the problem for INGOs is only growing. NetHope data suggests that 59% of large humanitarian and development actors believe that their own cybersecurity and information security practice is underfunded, and 65% believe it is inadequately managed.*
With little or no ‘sector-wide’ or collective funding – and little alignment on what this should look like – (I)NGO leaders face challenging questions, from where to invest, to how to make difficult compromises between program cost and ‘back-office cost’, and even where to begin.
“The cast of actors supporting nonprofits is huge - and all have a role,” says Dianna Langley, NetHope COO. “But even consuming support is hard for under-resourced nonprofits, and 'one size fits all' solutions that aren't contextualized can do more harm than good. That's why it's critical to limit any further stress on the scarce resources and abilities these NGOs do have."
"We have to work together to not fracture the landscape further, but instead build cohesive platforms and joined up offerings amongst the actors, both in the private and public sector."
– Dianna Langley, NetHope COO
NetHope is supporting its over 65 Members via the Digital Protection Program, a cybersecurity program run by and on behalf of the global humanitarian, development, and conservation ecosystem, and generously supported by Cisco, Okta, USAID, DAI, and others.
NetHope’s Digital Protection Program has four mutually reinforcing components, underpinned by an advocacy program:
Since our program’s inception in July 2022, NetHope (with the generous support of Cisco, Okta, Box, USAID and others) has helped its global-scale INGO Members to improve their cybersecurity programs by tackling challenges as broad as Incident Response, Infosec Strategy, Governance, Multi-Jurisdictional issues, Cybersecurity team building, and Zero Trust Architecture. We have achieved this through direct consultative dial-a-CISO support as well as by offering scholarships to industry-standard training. In September 2022, we began directly training 73 people from NetHope Member organizations in partnership with the SANS Institute – a partner with 30 years of cybersecurity training experience. Together we are helping staff in more than 40 NGOs and 27 countries build foundational cybersecurity skills, gain a recognized industry certification, and build community to further nurture their expertise over time.
In response to the alarming growth of cyberthreats, in September NetHope CEO Lance Pierce announced our intention to create a Global Humanitarian Information Sharing and Analysis Center (ISAC), the first of its kind for the humanitarian sector. The ISAC was launched with the support of early public and private coalition partners, and continues to seek broad international support as the design and implementation progress.
With support from USAID, Cisco, and Okta, in October of 2022 we ran a multi-stakeholder design workshop for the ISAC - running a two-hour session with more than 20 organizations based on two simulated incidents, with a multidisciplinary team of experts from the Center for Internet Security (who run the MS-ISAC and EI-ISAC), Cambridge Global Advisors, and NetHope.
The workshop and design process for the Global Humanitarian ISAC aims to build trust and include all the right voices, ensuring this long-term home for humanitarian collective defense is community-led and sustainable.
In 2023, we will continue to deepen our work on these four components – delivering the support our Members requested via our 2022 State of Cybersecurity survey, benchmarking Members against the CIS Framework, delivering the first round of grant-making via the Digital Protection Grant Program, and stepping up our advocacy game.
As humanitarians, we have a complex ecosystem, pieces of which are being targeted by sophisticated attackers funded and motivated to undermine and disrupt our work – and cause direct harm. We can’t wait for a perfect solution, but we’ll only prevail if we’re thoughtful and inclusive – addressing root causes and bringing the ecosystem along with us long-term.
That's why an approach rooted in wide and deep community engagement, using a “systems thinking approach,” is critical if we want to achieve our objective – supporting humanitarian, conservation, and development actors to achieve their primary missions safely and ethically.
We are being thoughtful in sourcing expertise and, as we move towards a Global Humanitarian ISAC, are involving a diverse range of stakeholders to get the technical, funding, and governance architecture right. There is no other way we will achieve our goals, retain trust, and have sustainable collective defence.
There are a number of ways to engage with NetHope’s Digital Protection Program and ISAC:
Together NetHope Members spend $26 billion a year helping people and planet, and thus deliver more than 60% of all annual international, nongovernmental aid. They impact the lives of 1.2 billion people and reach into more than 190 countries for the benefit of humanity and the ecosystems we live in. Now, their missions are in peril.
It will require a collective effort to combat these growing and dangerous cybersecurity threats. NetHope has spent more than 20 years building trust and collaborating on solutions with the international nonprofit sector and technology partners, and we believe our community is well positioned to take on this challenge.
To learn more about NetHope’s Digital Protection program and join this effort, please contact: James Eaton-Lee.
*NetHope State of CyberSecurity in Members, 2022