As Russian tanks rolled across the border into Ukraine last month, war was already being waged in the digital world. Could Geneva's UN agencies and international organisations get caught up in the crossfire?
Before Russia invaded Ukraine on 24 February, the besieged country was already being bombarded by a wave of cyberattacks that Kyiv and others blamed on Moscow. On their side, Ukrainian hackers wasted no time in making their own declaration of cyberwar. The Anonymous collective claimed credit for hacking Russian government websites and state television Russia Today, while the government of Ukraine created a volunteer yet official cyber army, “designed to operate in the middle of a fast-moving war zone”, according to Wired.
In the meantime, cybersecurity experts are concerned about a “spillover” into other countries, and the possibility that a major cyberattack could affect systems worldwide. In Switzerland, 130 Swiss companies and communes still operate on vulnerable systems, according to the National Cyber Security Centre (NCSC), and organisations that were hacked in the last months, such as the ICRC, Swissport, Swisscom, property group DBS and car dealer Emile Frey, are extending the country’s already staggering list of breaches.
This week, over 630 breaches were reported compared to about 370 during the same period last year, and the country reached an all-time peak with 881 cases in January’s second week. Overall, cyberattacks in Switzerland have increased by 65 per cent in 2021 compared to 2020.
“We are not aware of any increase in cyber criminal activity in connection with the war in Ukraine that could directly target Switzerland”, Pascal Lamia, deputy delegate of the NCSC, tells Geneva Solutions. “However, the cyber-threat situation is likely to change as a result of current events,” he adds.
According to Lamia, “companies that have business relations with suppliers or companies located in conflict zones should be especially cautious”, but he also believes that “all vulnerable systems are a target for cybercriminals, whether they belong to individuals, authorities, small or bigger companies”.
International Geneva no exception to the rule
The world is in short supply of cyber professionals – a deficit of talent estimated at around $3 million, according to a report by the World Economic Forum – and Switzerland is no exception. Despite being attractive for talent, the country lacks cyber specialists, and only 100 graduates per year join the workforce in Romandy, the French-speaking part of Switzerland, according to the RTS. In Geneva alone, over 90 cybersecurity-related job openings were posted within the last month.
According to NCSC’s Lamia, high-worth organisations that are more digitised than others and that have geopolitical importance are more “exposed to cybercriminals”. With over 40 international organisations and 750 NGOs that often depend on digital technologies to work on sensitive interventions on the ground, such as the current war, for which billions are raised in funds, Geneva has many vulnerable targets. “Geneva, due to its special role on the international scene, needs to be particularly vigilant,” says Alexander Barclay, the Canton’s digital delegate.
The latest example of this was a sophisticated cyberattack against the International Committee of the Red Cross (ICRC) servers in January, which compromised the personal data of more than 515,000 vulnerable people.
The UNHCR, which have been supporting Ukrainian refugees, “take cybersecurity extremely seriously” and pay “very close attention to recent developments” according to spokesperson Boris Cheshirkov. “In recent years, we have made significant investments in robust cybersecurity, including in the detection, prevention and mitigation of, and response to cybersecurity risks,” he says. He adds, “as the overall risk has further increased in recent days, we have continued to reinforce our security measures”, but he still doesn’t dismiss potential breaches.
According to Barclay, “beyond technical plans, each person needs to play a role in the safety and use of digital tools”. However, only one in ten NGOs train staff regularly and four in five don’t even have cybersecurity plans.
“With many international organisations, NGOs and healthcare institutions operating on limited budgets, digital security is often forsaken in favour of additional relief in the field,” says Algirde Pipikaite, cybersecurity strategy lead at the World Economic Forum.
NGOs gear up for protection
The CyberPeace Institute, which trains NGO staff to be more prepared in case of cyber incidents and more resilient in the face of attacks, has assisted 20 organisations in the last six months and aims to support 100 by the end of 2022. Meanwhile, the ICRC is developing an online equivalent to its Red Cross, Red Crescent and Red Crystal emblem to safeguard civilian infrastructures. “With or without a ‘digital emblem’, we believe it is critical to have a firm consensus – in words and actions – that humanitarian data must never be attacked,” says Ewan Watson, head of public relations at the ICRC.
Importantly, cyberattacks are governed by international humanitarian law (IHL), which calls for the protection of civilian infrastructure in an armed conflict, even if there is some contention over how it is applied.
As companies increasingly report cyber incidents, collaboration can improve and significant damage can be limited, according to the Federal Council’s proposal to render reporting breaches mandatory.
“In recent months, there has been a greater awareness of cybersecurity risks, for example affecting the humanitarian sector, after the hacking of the Restoring Family Links programme of the ICRC,” says Stéphane Duguin, chief executive officer of the CyberPeace Institute.
While the NGO has long been collecting data on cyberattacks against humanitarian NGOs, with the Ukraine war, it has begun to track cyberattacks and operations that target critical infrastructure and civilian objects.
“The tracking of cyberattacks and incidents as they become public is important in order to record these attacks and identify – where possible – the harm and risks for civilian populations. Cyberattacks affect people and risk lives,” says Duguin, who calls for the sparing of humanitarian actors in Ukraine so they can “respond to the humanitarian needs of the population”.
While Switzerland took a step further in positioning itself as a cyber leader with the appointment of Florian Schütz, the federal cybersecurity delegate and head of the NCSC, as chair of the Organisation for Economic Co-operation and Development’s working party overseeing the safety of critical activities for the 38 member states, recommendations from the CyberPeace Institute include identifying risks and reaching out for advice and support to increase cyber capabilities and resilience. “This is really important and what we advise,” says Duguin.