No ethics among cybercriminals
Why? They have sensitive data on vulnerable people and often a low level of cyber security. “They are being attacked from all directions, becoming targets of both criminals and state actors”, says Stéphane Duguin, CEO of the CyberPeace Institute. “If you are a criminal, you do this for the money. As soon as there is a crisis or a disaster, NGOs suddenly are very rich, because of all the donations. That’s when cybercriminals prevent them from working by launching a ransomware attack. They don’t care who they attack and sometimes they don’t even have a clue who they attack. There is no ethics among cybercriminals.”
NGOs are amongst the most targeted. “Why? Because they are holding very sensitive data, for instance about refugees in Ukraine or food security in Afghanistan. Those data can be very valuable”, Duguin explains. Such cyber attacks have disastrous consequences. For example, in case of a ransomware attack, an entire computer network can be shut down until the ransom money has been paid. Most NGOs are afraid the public will stop donating if such an attack becomes public and it gets known that aid donations are funding criminals.
0Attacks in the news
Some cyber attacks, however, do make the news. For instance the cyber attack that hit the International Red Cross (ICRC) in January 2022. Hackers managed to steal the personal data and confidential information of 515.000 vulnerable people. In 2020, NGO Roots of Peace, transforming mines to vines with local people in Afghanistan, was tricked into wiring 1.34 million US Dollars to a Chinese bank account. The cybercriminals impersonated the CEO, leaving the NGO ashamed and devastated.
NGO supporting NGOs
For two decades Duguin has fought cybercrime at Europol in The Hague. He led the creation of the European Cybercrime Centre and the major international counter cybercrime, terrorism and hybrid threats operations, investigating threat actors deploying cyberattacks, illegal content and disinformation techniques. He was recruited in 2019 by the CyberPeace Institute, which provides free cybersecurity assistance for the most vulnerable organizations. Like an NGO supporting NGOs.
The institute brings together partners, experts and volunteers to help humanitarian and development NGOs prepare for, defend against and recover from cyberattacks. It collaborates with cybersecurity and technology partners to develop an understanding of the cybersecurity threat landscape of vulnerable communities. It provides advanced warning of threats to reduce their impact and harm, and informs policymakers and authorities, urging them to regulate cyber security and hold criminals accountable.
High risk of losing lives
The CyberPeace Institute was founded in 2019 by both philanthropic and corporate organizations: the William & Flora Hewlett Foundation, Mastercard, Microsoft and the Ford Foundation. It is based in Geneva, and has people stationed in its office in The Hague. It started with helping the healthcare sector.
Since June 2020 the institute recorded over 500 incidents in healthcare, mostly disruptive cyberattacks and ransomware, with potentially devastating consequences to the people being treated. In lots of countries healthcare is delivered by NGOs. That’s why the institute started looking at the vulnerability of NGOs. “Our core focus now is on humanitarian organizations, because if they are under attack, the risk of losing lives is very high. At the same time they have a very low level of cybersecurity”, Duguin states. Today, the CyberPeace Institute is helping almost 200 NGOs build their cyber resilience and fend off cyberattacks.
Corporate volunteers helping NGOs
To do this, the institute created the CyberPeace Builders. This programme gathers cybersecurity experts from the private sector, to offer their skills and to work as volunteers with NGOs around the world. So far 656 volunteers from 44 companies have put in 1.126 hours to help 167 NGOs.
Duguin: “At the CyberPeace Institute there are only 30 of us and we want to help NGO’s by the thousands. NGOs can access all kinds of tools for cybersecurity, but they are missing the workforce to do so. On the other hand a lot of private sector companies hire cybersecurity experts who are more than happy to do more. We created a programme that mixes both. We sign contracts with their companies for a couple of volunteering hours, which we can allocate directly tot NGOs. Our objective is to help 1000 NGOs by the end of 2025.”
ONE Conference: Europe’s prime cybersecurity event
To expand the programme, the CyberPeace Institute is looking at The Hague. As the ‘International City of Peace and Justice’, The Hague has a long-standing tradition of protecting the rule of law. That’s why The Hague is hosting and organizing the annual Cybersecurity Week with ONE Conference as Europe’s prime cybersecurity event. This year’s Cybersecurity week was from 2 till 5 October. This week many activities will take place and the event attracts cybersecurity professionals from all over the world. The municipality helps local organizations with their cybersecurity on a very hands-on an effective level at the municipality of The Hague itself.
Cyber Secure The Hague: Cybersecurity for NGOs
To help more NGOs become cybersecure, the CyberPeace Institute has been working with The Hague Humanity Hub, the Dutch Institute for Vulnerability Disclosure (DIVD) and the global Computer Security Incident Response Team (CSIRT.global) in a cybersecurity project for NGOs, co-funded by the City of The Hague: Cyber Secure The Hague: Cybersecurity for NGOs. The programme started with giving free training, tools and advice to 10 NGOs, to help them become more cyber resilient. Today at the ONE conference, it was announced that the programme will be open to over 200 humanitarian NGOs in The Hague and its wider region. They can all join the CyberPeace Builders programme for free.
“We want to help NGOs in The Hague and we want to attract the interest of Dutch companies. That’s why we decided to start our first CyberPeace Builders chapter outside of Geneva here in The Hague”, Duguin says.
0