The International Committee of the Red Cross (ICRC) has, for the first time, published rules of engagement for civilian hackers involved in conflicts.
Meanwhile, the CyberPeace Institute announced at the One Conference in The Hague, Netherlands, that it would now provide the city’s 200 plus NGOs (non-governmental organisations) with free cybersecurity support to help them in the case of a cyber-attack.
The cybersecurity initiatives follow the increased targeting of NGOs since the War in the Ukraine, as well as recent prominent humanitarian disasters.
According to Stéphane Duguin, CEO of the CyberPeace Institute, NGOs are increasingly being targeted because they often have poor cybersecurity as well as a large amount of sensitive data on vulnerable individuals.
“They are being attacked from all directions, becoming targets of both criminals and state actors,” he says.
“If you are a criminal, you do this for the money. As soon as there is a crisis or a disaster, NGOs suddenly are very rich, because of all the donations.
“That’s when cybercriminals prevent them from working by launching a ransomware attack. They don’t care who they attack and sometimes they don’t even have a clue who they attack. There is no ethics among cybercriminals.”
To help more NGOs become cybersecure, the CyberPeace Institute has been working with The Hague Humanity Hub, the Dutch Institute for Vulnerability Disclosure (DIVD) and the global Computer Security Incident Response Team (CSIRT.global).
The programme started with giving free training, tools and advice to 10 NGOs, to help them become more cyber resilient.
However, it was announced at the ONE conference that the programme will be open to over 200 humanitarian NGOs in The Hague and its wider region. They can all join the CyberPeace Builders programme for free.
Adds Mr. Jan van Zanen, Mayor of The Hague:
“For more than a century now, we have been the city of peace and justice. The home of international institutions surrounded by an extensive network of businesses and organizations. This unique collection of organizations and institutions raises security issues.
“The urgency of this issue is something I experience daily. Non-governmental organizations, businesses and people must learn to deal with the opportunities and threats brought by digitalization. As a city, we are therefore launching a cybersecurity program for NGOs.”
Increasing cyber attacks
There have been an increasing number of cyber attacks on NGOs in recent years. For instance in January 2022 there was a cyber attack that hit the International Red Cross (ICRC) where hackers managed to steal the personal data and confidential information of 515,000 vulnerable people while in 2020, NGO Roots of Piece, which transforms mines to vines with local people in Afghanistan, was tricked into wiring 1.34 million US Dollars to a Chinese bank account.
Today the ICRC has, for the first time, published rules of engagement for civilian hackers involved in conflicts. The eight rules include bans on hospital attacks, hacking tools that spread uncontrollably and threats that engender terror among civilians.
Based on international humanitarian law, the rules are:
- Do not direct cyber-attacks against civilian objects
- Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
- When planning a cyber-attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians
- Do not conduct any cyber-operation against medical and humanitarian facilities
- Do not conduct any cyber-attack against objects indispensable to the survival of the population or that can release dangerous forces
- Do not make threats of violence to spread terror among the civilian population
- Do not incite violations of international humanitarian law
- Comply with these rules even if the enemy does not
However, some cyber-gangs told BBC News they plan to ignore them. A high-profile member of the Anonymous collective told BBC News it had “always operated based on several principles, including rules cited by the ICRC,” but had now lost faith in the organisation and would not be following its new rules.