Balthasar Staehelin, ICRC Digital Transformation and Data director
Today we have touched on pandemic outbreaks, the political and economic response to them, and how this has accelerated the adoption of new technologies. Some of this is good news for populations affected by violence or armed conflict. Humanitarian organizations have an increased digital footprint with new opportunities to become more efficient and accountable. At the same time, with new digital technologies come risks for the humanitarian sector and the people we aim to protect and serve. As humanitarian organizations increasingly rely on the collection and processing of highly sensitive, personal data, they can become vulnerable to adverse cyber operations that could impact the people that need us most.
Today, looking at emerging digital risks, I will focus on three key dimensions: full control over data, data integrity, and data availability.
First, humanitarian organizations must keep full control over data as a pillar of humanitarian action and limit the access of data to intended users only.
This is an increasing challenge when using biometrics to give people access to humanitarian services. Data collected can include information that could be sought after for use beyond its initial humanitarian objective. This is the case, for instance, when a humanitarian organization is forced to provide data to a government or when a third party gets access to sensitive information through metadata collection. We must ensure that the data collected is used as it was intended – for humanitarian purposes only. This issue is not an add-on. It is a core element to trusted humanitarian action.
The recent International Conference of the Red Cross and Red Crescent Movement has debated that issue last December. It has adopted a resolution on the Restoring of Family Links which contains interesting language to this effect and ensures that data collected is used exclusively for humanitarian purposes.
Second, Humanitarian organizations must ensure the integrity of data.
This again goes back to the issue of trust. The reputation of a humanitarian organization relies on its ability to maintain trust. In the case of a cyber-attack against its data integrity, humanitarian organizations could subsequently be wrongly steered into prioritizing certain affected populations over others, operating in particular areas over others, or otherwise manipulated in ways that could be detrimental to affected populations, or to the neutrality, impartiality, and independence of their action.
Imagine, for a moment, that a database of unaccompanied children is hacked and data on the name of these children's parents is modified. People come forward pretending to be their parents and because of this hack are properly verified as parents. These children could end up forced into child labor or targeted because of their ethnic origins. We cannot allow this to happen and must address the growing threat of the modification of humanitarian data.
Lastly, on availability: we must ensure timely and reliable access to information and digital services.
Humanitarian organizations like the ICRC are increasingly offering digital services to affected populations. For instance, in the case of the ICRC, we are currently working on a digital humanitarian platform that provides digital services to affected populations. As we provide critical services such as a document vault or information as aid, any cyber operation affecting the availability of these services will have humanitarian consequences.
To mitigate these risks, we need:
1. Stakeholders gathered here to work together on standards that at their core include the three points just addressed: full control over data, data integrity and data availability.
2. A responsible and thoughtful approach to technologies, and not just a race to the most cost-effective technology. Technologies must be deployed based on thorough assessment of their impact and with adequately established safeguards.
To support these efforts, the ICRC and the Brussels Privacy Hub recently launched the second edition of the Handbook on Data Protection in Humanitarian Action. The Handbook provides ways to assess the responsible use of new technologies, conduct risk analysis, and responsibly balance technology opportunities and potential risks. The guide looks at data analytics, blockchain, digital identity, drones, machine learning, cloud computing, artificial intelligence, weaponization of information on social media and more.
3. And finally, we need governments and external third-party stakeholders to guarantee the protection of a digital humanitarian space, coupled with the focus and determination of internal stakeholders to genuinely preserve the independence, impartiality and neutrality of international humanitarian organizations in cyberspace. Without this, international humanitarian organizations will be pushed into accepting solutions that are unsuitable for the work they are mandated to carry out.