Protecting Victims of Conflict in Cyberspace

Guest Blogger: Ian Thornton-Trump CD, Chief Information Security Officer, Cyjax Ltd & Advisor, Swisscross Foundation.

Casualties are an inevitable part of war and conflict. Frequently, civilian casualties in conflict are the consequence of accidental or collateral damage between warring factions, but they may also result from direct confrontation between two opposing sides. This is the world where vulnerable populations find themselves - where a landmine from a previous or current conflict causes injury, or a stray mortar round from a poorly maintained weapon system results in suffering amongst innocent people.

In the midst of conflict, humanitarian organizations navigate operations between opposing sides, remaining impartial and providing for humanitarian needs, including healthcare for the war wounded, against a volatile and vulnerable backdrop.

This is a dangerous undertaking. According to USAID statistics, in 2020 there were 283 incidents in relation to aid workers and 484 aid worker victims; 117 were killed and 125 were kidnap victims. Adding to the issues of personal safety, humanitarian missions must also find ways to secure communications and protect the sensitive personal data of their patients and the victims of war.

Patient data can be very valuable, both to cybercriminals looking to make money from a humanitarian organization after a breach and from an intelligence perspective. Time, date, location, and type of injury could in some cases be evidence of a war crime or atrocity committed. This data becomes even more sensitive due to the circumstances under which it has been collected - the act of collection could bring the humanitarian organization into direct conflict with parties interested in the data. This patient data is increasingly found in Electronic Patient Records (EPR).

But there is a problem. EPRs are vulnerable to attack both domestically and abroad. Unfortunately, vendor-supplied systems are far too reliant on customer-implemented compensating security controls, with dependencies on legacy software and hardware which can be riddled with vulnerabilities. This, combined with some vendors’ careless disregard towards the current best practices of data protection - encryption of data at rest and in transit - presents a tempting opportunity for a malicious actor on either side of the conflict to gain access to highly sensitive data.

Some humanitarian organizations understand the threat they face against their EPR systems and are taking mitigating action. A humanitarian organization on a mission to care for casualties of war which fails to maintain robust security on sensitive data puts all future operations at risk. The threat model is simple to understand. For humanitarian organizations, one of the single most important principles is impartiality, which can only be achieved by protecting the data of all sides - possible combatants and civilian victims - as robustly as possible against any hostile actors. Unauthorized disclosure of sensitive information may call into question the impartiality of the organization’s in-country missions.

But the threat does not stop at the EPR system. Cybercriminals with access to the humanitarian organization’s support systems can go far beyond access to sensitive patient-related data. They can access email communications and logistical support systems, potentially causing havoc and limiting or altogether preventing humanitarian services. 

Email communications, social media accounts, mobile device security and online collaboration systems must be safeguarded with robust security through the use of best practices. Nation state-backed offensive cyber-attacks are the threat model organizations need to prepare for. Network infiltration, data exfiltration, data manipulation and data destruction are all part of the tool kit which could be deployed against a humanitarian mission.

It is not inaccurate to say that a humanitarian organization’s cyber-attack surface is no different from that of any other organization. But there are unique factors they face due to the nature of the humanitarian mission - the hostility of the environment and the sensitive data they may hold. The reality is an organization could be perceived as a tempting target by cybercriminals looking to exploit the data or use it to advance their own agendas.

Just as patient care is always at the forefront of an organization’s mission, humanitarian actors must, in order to mitigate cyber threats, create a strong and healthy cybersecurity culture which protects and benefits a humanitarian mission.


About the Author:

Ian Thornton-Trump CD is an ITIL certified IT professional with 25 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. After a year with the RCMP as a Criminal Intelligence Analyst, Ian worked as a cyber security analyst/consultant for multi-national insurance, banking and regional healthcare verticals. Today, as Chief Information Security Officer for Cyjax Ltd. (UK) & Chief Technical Officer of Octopi Managed Services Inc. (Canada), Ian has deep experience with the threats facing small, medium and enterprise businesses. His research and experience have made him a sought-after cyber security consultant specializing in cyber threat intelligence programs for small, medium and enterprise organizations. In his spare time, he teaches courses for CompTIA, is an adjunct faculty member of the London Graduate School and owns a recording and live streaming studio in London, UK.

Link to https://cyjax.com

Link to https://octopitech.com

Disclaimer: The opinions expressed within the content are solely the author's and do not necessarily reflect the opinions and beliefs of the Swisscross website or its affiliates.
