The security gaps in humanitarian aid systems in the age of cyber risks

Cristina: I’m an Assistant Professor of Cyber Crisis Governance. I completed my PhD in Cybersecurity Governance in 2021 in Spain. After working for a few months as a postdoctoral researcher at the Institute of Security and Global Affairs, I was offered the opportunity to focus specifically on the governance of cybercrisis. I am one of the co-PIs of the project together with Andrea, and my role is to lead the work on the cybercrisis Governance aspect. I also co-supervise the PhD candidate of the project, Chiara Anfuso, and maintain connections with the broader cybersecurity governance network. 

Andrea: I’m an Assistant Professor and my research focuses on humanitarian and disaster response. My PhD explored people’s behavior in the immediate aftermath of disasters. In 2013, I joined the international response mission with the Italian field hospital after the typhoon Haiyan in the Philippines which marked the beginning of my interest in working more in the humanitarian field. After that, I started collaborating with the WHO Emergency Medical Team initiative. In this project, I contribute with both my academic expertise and practical experience, as well as facilitating connections with practitioners and professionals in the field. 

Cristina: Andrea and I had always talked about working together, and a grant application gave us the chance to turn that into something concrete. We began by identifying research gaps that connected our areas of expertise (his on humanitarian response, and mine on cybercrisis governance). That led us to the idea of combining our perspectives in a joint project. The project was born out of a clear gap: there’s very little research on how organizations respond to cyberincidents. Most of the existing work focuses on private organisations, which makes sense, as they are often the primary targets. But I started to question whether the response strategies used by private entities can be applied to humanitarian organisations. The answer seems to be no. That’s what motivated us to explore which strategies humanitarian organisations should adopt, and how to adapt existing ones to the unique challenges they face in their specific contexts. Right now, the threat landscape is becoming more complex and continues to grow. Every organisation is a potential target. Cybercriminals exploit vulnerabilities wherever they find them and that means that no organisation is immune to cyberattacks. 

Andrea: Recently, we’ve seen a significant increase in digitalisation and the use of technology within the humanitarian sector. Nowadays for example, the presence of Artificial intelligence (AI) is rapidly growing, particularly around data analysis. While technology can improve the effectiveness of the humanitarian response, it also brings increased vulnerability to cyber-attacks. A major turning point came in 2022, when the International Committee of the Red Cross (ICRC) was targeted in a sophisticated cyber-attack that resulted in a data breach affecting over 500,000 individuals. Since then, the ICRC has intensified its focus on cybersecurity, and the topic has gained more attention across humanitarian organisations. 

Cristina: Ten years ago, private organisations also had limited awareness of the risks, and even today, there’s still a long way to go. Large organisations have made some progress, but smaller ones often struggle to recognise the danger. Sometimes, they don’t even realise when a cyber-attack has occurred, simply due to a lack of knowledge about cyberthreats. During my research in Spain, some of the hackers I interviewed told me they had reported vulnerabilities to companies, and those companies took no action. So, I’d say it’s not just humanitarian organisations that show limited concern. This seems to be a broader trend across sectors. 

Cristina: In general, I think we all need to improve when it comes to cybersecurity. We’re all connected to the internet—no one is isolated in cyberspace—so we need to build resilience across the entire digital ecosystem. If one organisation is vulnerable, others can be affected as well. A good example is the 2016 Mirai botnet attack on the DNS provider Dyn. Although the attackers didn’t target platforms like Twitter, Netflix, or Reddit directly, these services were disrupted because they relied on Dyn’s infrastructure. This shows how interdependent the digital ecosystem is.  

Andrea: Yes, and the same applies to humanitarian organisations. We see that larger organisations are now more or less protected, but there’s a growing concern when it comes to medium– and small-sized organisations. Many of them are not fully aware of the risks and often lack the tools or expertise to effectively respond to cyber–attacks. There are numerous examples of highly disruptive incidents including the spreading of false information, compromised evacuation plans, and malware interfering with response operations. These types of attacks strongly impact the entire sector. 

Cristina: Certainly. Humanitarian organizations face a wide range of cyberthreats due to their growing digital presence and the sensitive nature of their work. These threats include direct cyberattacks like phishing, ransomware, and DDoS attacks, but also more complex risks like data co-option and surveillance. The data they collect (such as medical or biometric information) can be exploited by state or non-state actors for political or military purposes, sometimes putting entire communities at risk. On top of that, misinformation and disinformation campaigns on social media can severely damage their credibility and even endanger staff in the field. These aren’t just technical challenges; they affect the ability of humanitarian actors to operate safely and effectively. 

Andrea: I think so, but again, it’s a matter of resources. When we talk about small organisations, we’re often referring to organisations made up of just a few people. They may be willing to make changes, but they simply lack the necessary resources.  

Cristina: We’ve conducted a literature review of all the available research on current cyberthreats, challenges, and strategies in the humanitarian sector. In the next phase, we’ll focus on what humanitarian organisations need to effectively respond to cyberincidents. 

Andrea: If I can add something—we’re still in the phase of exploring the problem. There’s also a general reluctance to make cyberincidents public because of the risk of reputational damage. That leads to a limited number of reported cases. We want to create a safe environment where NGOs can openly share their problems and concerns. That’s one of the reasons we’re working with KUNO for the event in May. 

Cristina: One of the ways we plan to do this is by organizing events like the symposium, but we don’t want it to be a one-off. Ideally, it will evolve into a recurring platform where we can share our findings annually and get feedback. We want to stay connected to the community and avoid being researchers who are distant from the field. Alongside academic publications and conference presentations, we’re also committed to producing policy-oriented reports that translate our results into more accessible and practical insights for organizations. We’ll actively engage with humanitarian actors throughout the research process—not just at the end—by participating in sector-specific conferences, events, and ongoing dialogue. 

Andrea: Exactly. We want to actively engage with the organisation in the sector, work with them, we want to support them and to share with them the results we obtain over the coming years. 

Cristina: The first challenge is raising awareness of the problem. Many organisations don’t see an immediate need to act. Both the humanitarian community and society at large often don’t fully grasp the importance of this project. Another challenge is how to measure what we want to measure. We need collaboration with humanitarian organisations because we want to deliver outcomes that are useful for them. But to get there, we need their trust. Without their involvement, we don’t have a project. 

Andrea: I was just about to say the same. Our main priority now is to reach humanitarian organisations, which is why we are very happy about our collaboration with KUNO. It’s an important step in building connections with the sector here in the Netherlands. 

Cristina: It will help humanitarian organisations protect the data they hold. They’ll also be more confident in handling that data securely, which can help avoid double victimisation.  

Andrea: We want to contribute to that effort. The final aim is to provide organisations with actionable strategies that can improve their operations and ensure better safety for the people they serve.  

Cristina: We’re currently designing two empirical studies. One focuses on cyber crisis response, and the other explores crisis communication. These are our current two main areas of focus, but we’re still in the design phase and will share more details once the plans are finalised. For now, as said before, we really need collaboration from humanitarian organisations. We have five more years for this project, so there will be adaptations and changes along the way. 

Andrea: This is very much a work in progress, and this is a project we both care deeply about. The more we learn and explore, the more fascinating the topic becomes. It’s evolving quickly. We started just a year ago, and already we are seeing the sector grow, with more and more people getting involved. That’s why it’s difficult to stick to a fixed plan. We want to stay flexible and, most importantly, to listen directly to organisations about what they truly need. That’s really the essence of this project, to provide support and solutions.    

Cristina: Yes, we’re planning keynotes that will address the cyber threats humanitarian organisations are currently facing. We’ve invited speakers with hands-on experience in data protection to share their insights. The core of the event will be a series of interactive discussions where participants can openly explore the challenges the sector is dealing with. We aim to focus not only on the threats themselves but also on the capabilities organisations need to prevent, prepare for, and respond to cybersecurity incidents. Participants can expect a meaningful, collaborative event, where there’s space to exchange knowledge and hear from a diverse range of voices in the field. 

Andrea: We will also have a roundtable discussion where we’d like participants to share their thoughts. Our goal is to listen to the participants so we can better understand their needs and follow up on the key points that emerge from the conversation. 

Are you interested in joining the symposium on cybersecurity in May? Visit this webpage for more information. Please contact us if you require more information.

Read more about Cristina here
Read more about Andrea here

Date: 25th of April 2025
Author: Marianne van Elst-Sijtsma