USAID hack is ‘wakeup call’ for aid industry on cybersecurity

June 7th, 2021
This article appeared on Devex:

A cyberattack that mimicked the U.S. Agency for International Development’s email marketing account to target development and humanitarian organizations last week could be a “watershed moment” for the sector to prioritize information security, experts told Devex.

While aid groups have been targeted in the past, this is the largest and most coordinated public attack on organizations in the sector. It raises questions about how prepared the aid industry is to respond and how it can mitigate risk, experts said.

“Even USAID got hacked and that is a wakeup call for all of us,” said Dianna Langley, senior director of engagement at NetHope, a technology-focused global consortium of nonprofit organizations. That a large U.S. government agency with ample security resources can be subjected to this kind of attack shows just how vulnerable other aid organizations can be, she explained.

The attack, carried out by Russian hackers three weeks before President Joe Biden is set to meet Russian President Vladimir Putin in Geneva, sent organizations scrambling to determine their potential exposure. It has also illuminated the challenges the sector faces when it comes to cybersecurity. While aid organizations have long maintained teams to manage physical security for staff, many are still trying to build systems to keep their data secure.

“This is just the latest in a string [of attacks] … they’re coming quicker and are more intense. We’re just barely recovering from one when the next one starts,” Langley said.

The attacks are also growing more sophisticated: “It’s an arms race and we’re completely outgunned,” she said.

Cybersecurity is underfunded and often under-prioritized in the aid sector, experts told Devex, and this latest in a series of attacks should prompt leadership and donors to think differently about the threat. The risks are real, as sensitive data about the locations of aid workers, refugees, dissidents, or others could be revealed, potentially endangering people’s lives.

What happened

Using the mass-mailing service Constant Contact to pose as USAID, a group Microsoft tracks as Nobelium targeted about 3,000 email accounts at more than 150 organizations in what Microsoft termed a “malicious” email campaign. At least a quarter of those organizations are involved in international development, human rights, and humanitarian work.

Nobelium is a “threat actor” originating in Russia and is responsible for other attacks, including the SolarWinds hack that targeted the U.S. government last year, according to Microsoft.

This kind of breach could compromise beneficiary information, staff data, and more, but it is difficult to determine at this point what the attack’s intentions were and what level of access the hacker may have obtained.

A breach this large typically takes time — dozens or hundreds of days — to detect, said James Eaton-Lee, head of information security and data protection officer at Oxfam, which was notified Friday that it could be at risk.

The attack was made public last week by Microsoft, which said it “initially observed and tracked” the campaign since January 2021 and that it evolved before escalating on May 25.

This phishing attempt was particularly sophisticated and would have been nearly impossible to identify as a threat just by looking at it, Langley said. It also used a “trusted actor” — USAID — which funds most of the targeted organizations, to camouflage the attack.
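The article describes the technique only at the level of "a mass-mailing service used to look like USAID". The script below is an added example, not code from the article, Devex, NetHope or any organization quoted here: a small Python triage check that parses raw message headers and reports whether the visible From: domain aligns with the envelope sender (Return-Path) and the DKIM signing domain, the same identifier-alignment idea DMARC uses, but offline and without DNS lookups. Every domain and header in it is a constructed placeholder, not an indicator from the Nobelium campaign.

```python
"""Triage check for partner-branded mail relayed through a third-party bulk mailer.

Added example; not code from the article or from any organization it names.
A message that carries a trusted partner's name in From: but whose envelope
sender and DKIM signature belong to a different organization is the shape a
mass-mailer-relayed message takes, so it is worth a second look before any link
in it is opened. Sample headers below are constructed for illustration only.
"""
import email
import email.utils
import re
from email import policy

# Constructed sample: branded as a partner agency, relayed by a hypothetical
# bulk-mailing service. All domains are placeholders (.example), not real IoCs.
SAMPLE_RELAYED = """\
Return-Path: <bounce-abc123@mail.bulkmailer.example>
From: "Partner Agency" <updates@agency.example>
To: staff@ngo.example
Subject: Special alert
DKIM-Signature: v=1; a=rsa-sha256; d=bulkmailer.example; s=sel1; h=from:to:subject; bh=x; b=y
Message-ID: <1@mail.bulkmailer.example>

Click the link to read the alert.
"""

# Constructed sample: From, Return-Path and DKIM domains all agree.
SAMPLE_ALIGNED = """\
Return-Path: <updates@agency.example>
From: "Partner Agency" <updates@agency.example>
To: staff@ngo.example
Subject: Monthly update
DKIM-Signature: v=1; a=rsa-sha256; d=agency.example; s=sel1; h=from:to:subject; bh=x; b=y
Message-ID: <2@agency.example>

Routine update.
"""


def _domain_of(address):
    """Lower-cased domain part of an address like 'Name <user@host>' ('' if none)."""
    _, addr = email.utils.parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _dkim_domains(msg):
    """Collect the d= tag of every DKIM-Signature header (a message may carry several)."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found


def _organizational(domain):
    """Crude organizational-domain reduction (last two labels).

    A production check should use the Public Suffix List; this simplification
    is an assumption made for the example, not part of any standard.
    """
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def triage(raw):
    """Report identifier alignment for one raw RFC 5322 message.

    spf_aligned  : Return-Path domain matches the From: domain (relaxed mode)
    dkim_aligned : some DKIM d= domain matches the From: domain (relaxed mode)
    relayed_by_third_party : neither identifier aligns with the visible sender
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain_of(msg.get("From", ""))
    rp_dom = _domain_of(msg.get("Return-Path", ""))
    dkim = _dkim_domains(msg)
    spf_aligned = bool(from_dom) and _organizational(rp_dom) == _organizational(from_dom)
    dkim_aligned = any(_organizational(d) == _organizational(from_dom) for d in dkim)
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "dkim_domains": dkim,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "relayed_by_third_party": not (spf_aligned or dkim_aligned),
    }


if __name__ == "__main__":
    for name, raw in (("relayed", SAMPLE_RELAYED), ("aligned", SAMPLE_ALIGNED)):
        print(name, triage(raw))
```

Two caveats a responder should keep in mind. First, a non-aligned result is a triage signal, not proof of compromise: many legitimate organizations send newsletters through bulk mailers, and a partner can authorize the mailer in its own SPF record or delegate a DKIM key to it, in which case a real DMARC evaluation would pass. Second, the article says the campaign mimicked USAID's own email-marketing account; mail sent from a genuinely held account at a mailing service can look exactly like the partner's routine newsletters, which is why Langley describes it as nearly impossible to spot by inspection alone and why header checks need to be paired with link and attachment analysis.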

The response

Many NGOs have been scrambling to identify any risks and respond since Microsoft notified them on Friday that they may have been targeted.

“We have been working since we found out to ensure that our own systems are resilient and we can respond to anything we need to,” Eaton-Lee said.

Oxfam “is not in a position to comment publicly” on whether it has detected anything, he said. Teams there have been looking for compromised files and checking which websites were accessed and which emails were received.

Catholic Relief Services found out early Friday morning that it was likely targeted and activated its “incident response apparatus”: It appointed a point person, informed staff, and started looking for where systems might be vulnerable or breached, said Joel Urbanowicz, director of digital workplace services at CRS.

“At the moment we’re not aware it resulted in a breach,” he said, adding that the organization is operating under the assumption it was targeted and its investigation isn’t over.

While CRS and Oxfam are both large international NGOs with cybersecurity experts on staff, many of their smaller peers do not have the same resources, protocols, or ability to respond.

“The real concern here is if organizations aren’t aware and don’t have the means to assess whether their systems have been compromised,” said Stuart Campo, team lead for data responsibility at the United Nations Office for the Coordination of Humanitarian Affairs.

It shouldn’t be assumed that organizations have the “competency, capacity, and capability” to assess the impact on their systems and then secure them so that they can no longer be accessed, he added.

NetHope is working with its members to get information out there about the attack and how to respond, offering training, and working with Microsoft to get licenses for products, including those that detect malware and could help in the response, Langley said.

While this is important for the immediate response, if aid organizations — and the sector as a whole — are not also thinking about the long term, they will fail to “build the resilience” they need for the next time, she said.

And she’s sure that next time will come. These incidents are increasing in frequency, with one barely over when the next begins. NetHope’s members experience spear phishing attempts and their effects regularly, and in the past two years at least four organizations were hit with big ransomware attacks, she said.

A need for investment

Organizations in the aid sector are “critically underfunded” when it comes to dealing with this increasing threat, even as they are increasingly targeted, “because we speak truth to power,” Langley said.

The lack of funding has made it hard for many organizations to hire the necessary staff and implement the plans they need to respond, experts said.

For organizations relying on grants that don’t have access to unrestricted funding, it can be especially difficult — not least because cybersecurity is an expensive field.

Funders need to start viewing cybersecurity as critical to aid operations, several cybersecurity experts in the aid industry told Devex. They should provide grants to help organizations get up to speed, build teams, and develop response mechanisms to cybersecurity threats — and should also include a line item for cybersecurity as part of program costs, much as they do for monitoring and evaluation, Langley said.

That funding is critical because organizations need to invest in cybersecurity in advance of these moments of crisis: complex risk requires a well-governed structure to manage a response, Eaton-Lee said. This type of breach requires a “reasonably high-tech response” that looks across a range of digital systems for indicators of compromise. It can be a time-consuming process even for organizations that have the systems, he said.

“How do we staff up our capability to work with donor communities to make sure they are funding this in the work we are doing so we’re not trying to scrounge pennies out of the couch to do this without it being directly funded?” Urbanowicz said.

Even if organizations get the funding, hiring skilled professionals is likely to be a challenge — as there is tremendous demand for cybersecurity skills and too few people to fill open positions. Add to that the likely lower salary in the not-for-profit sector, and it is particularly challenging, Urbanowicz said.

The fact that humanitarian and development organizations were directly targeted raises “serious questions” about how and whether principles of international humanitarian law — which protect humanitarian actors — might apply to cyberspace as well, Eaton-Lee said.

“We need more multilateral consensus and funding about the funding issue and on policy,” he said.

There needs to be a new governing framework for the online space that protects nonprofits, Langley said. These attacks can make it much harder for organizations to work in digital spaces safely, can exacerbate the digital divide, and threaten the most efficient ways to provide services, she said.

“Nonprofits are often the last bastion of protection of people’s information in the digital sphere. When we are threatened in that sphere our work can’t happen,” Langley said.

Attacks like this can also severely damage trust in the aid sector, Campo said.

“That perception is almost as, if not more, problematic than what actually happened,” he said.