Sergey Nivens - Stock.Adobe.com
CyberPeace Institute helps NGOs improve their security resilience
Adrien Ogée of the CyberPeace Institute talks about his work supporting NGOs and humanitarian organisations, and how the security community at large can help protect the world’s most vulnerable people
The son of a Brazilian immigrant to France, Adrien Ogée reflects on how the migrant experience kindled in him a desire to transcend national borders and address imbalance in the world – something that in his work for the CyberPeace Institute, a non-governmental organisation (NGO) devoted to supporting its fellow NGOs and humanitarian organisations, he now gets to do full time.
“My mum had a hard time as an immigrant,” he says. “Some of the asymmetries that she felt, those that I faced, and those that we face together because of our family history, pushed me towards a cyber career to try to readdress some of those asymmetries, which are quite prominent in cyber space.”
Ogée became a telecoms and systems engineer and worked for a time in the private sector in Belgium, before joining the French national cyber security agency ANSSI, when it was established in 2010. But it wasn’t enough.
“I felt constrained by France’s national borders,” he says. “I wanted to have deep impact in the cyber ecosystem and to pursue that at a higher level, so I went to work for the European Union, but yet again I felt somewhat constrained by European borders, because as we know cyber doesn’t know any borders.”
From there, he moved to a global role at the World Economic Forum (WEF), still working on security matters, and it was there that he first became aware of the work of the Geneva-headquartered CyberPeace Institute, established in September 2019.
The Institute’s mission felt very compelling to Ogée because it seemed like it could allow him to finally work to readdress imbalance in the world. Of course, when it comes to imbalance and global injustice, NGOs and humanitarian organisations are well and truly on the front lines, working on behalf of some of the most vulnerable people in the world.
Who is vulnerable?
But vulnerable can be a loaded term. What does it mean, and to whom should it be applied? “It’s a big question, right?” says Ogée. “Who do you consider vulnerable? Who do you not consider vulnerable? We like to think about it in terms of any non-profit activity around looking to protect or further human life.”
Clearly, the term includes victims of natural disasters and climate breakdown, asylum seekers and refugees from repressive regimes and conflict, but it can also mean people living in wealthy countries who depend on medical and social services, domestic violence shelters, or food banks to be able to get on with their lives.
“There are over a billion people who depend critically on NGOs for services that we take for granted coming from either the state or the private sector that we have very easy access to,” says Ogée. “When these people get their access to clean water, to food, to shelter disrupted because the NGO they depend on was hit by a cyber attack, the consequences for them are sometimes life and death.
“It’s those types of groups that are we trying work with, and a key reason for that as well is because we profoundly think that those groups should just not be attacked online. There is no reason for them to be attacked. And if we’re not able to protect them, what does that say about our industry? What does it say about cyber security professionals, what does it say about the internet that we’ve all created that we’re all using?”
“There cannot be cyber peace when those who should not be attacked are attacked”
Adrien Ogée, CyberPeace Institute
The CyberPeace Institute aims to draw a connection between the attacks that vulnerable groups face and the broader state of cyber peace. “There cannot be cyber peace when those who should not be attacked are attacked,” says Ogée.
That is not to suggest at all that any organisation or person should be attacked, but NGOs need special attention because they hold a special position in the cyber ecosystem. They are generally small organisations that cannot afford the security expertise of a bank or an industrial conglomerate, and by the nature of their work, they are incredibly high-profile and can attract powerful enemies.
This makes them particularly vulnerable, says Ogée. “NGOs fundraise an average of a trillion US dollars annually, which is of interest to financially motivated cyber criminals, but they are also targeted for interests that sometimes contrast with the interests of governments,” he says.
“They are targeted by states that do not necessarily look at stealing their money, but at getting access to sensitive data they may have against refugees, for instance, as happened to the International Committee of the Red Cross [ICRC] earlier this year. Or they may have particular information about where certain journalists or human rights defenders are currently located in the world to be able to snatch them.
“And looking at what’s happening right now in Ukraine, sometimes NGOs are also targeted for the very operations they provide – the critical support they offer to some vulnerable communities.”
Three pillars of peace
The core mission of the CyberPeace Institute is to bring about cyber peace through three core services:
- Through supporting NGOs in assisting vulnerable communities directly.
- Through documenting harms done to vulnerable communities with a view to moving public debate on cyber away from policy, economic and military agendas to centre how cyber attacks impact human life.
- Through pressurising those who are empowered to effect change to do so.
For an NGO that reaches out to the Institute for support, the most immediately useful service it provides is the first of these.
“We have a volunteer initiative called the CyberPeace Builders, which basically connects these engineers to cyber security professionals from the private sector,” says Ogée. “For NGOs that sometimes have a hard time finding resources to attract and retain those experts, this is a bridge to capacity.
“These experts can do anything from running quick pen tests to assess vulnerabilities, to providing general security assessments, to giving advice on cyber insurance or data protection practice. It’s very material help, which we use to bring NGOs on a journey towards better cyber resilience. We are trying to elevate the level of cyber security maturity through that volunteer programme, so NGOs get protected from 90% of the threats.”
State interference
The other 10% of threats are considered rather more difficult to defend against because they fall into the category of nation state-sponsored activity, advanced persistent threat (APT) groups, and straight-up espionage. NGOs can be incredibly vulnerable to this type of activity, but it can’t really be addressed through a volunteer programme.
“I’m not going to tell you that the team we have – the Institute has 30 people, more or less – is going to be able to defend against APT capabilities,” says Ogée. “But what we can do is document the harms that are done by state actors.
“Our methods are not to go head-to-head with a government, but to document what is happening, make the information available, and bring that to multi-stakeholder processes in forums, whether it be at the UN, the Paris Peace Forum and other international forums, where we can discuss these issues so that those who are empowered to further investigate them and those who have the power to effect change have the right data to do so.”
Arguably, the most impactful security story of 2022 is the parallel cyber war that has developed alongside Russia’s invasion of Ukraine, which prompted a flurry of work at the CyberPeace Institute, particularly in terms of documenting harms and connecting with decision-makers.
“There has been a lot of emphasis on our analytical work to document all the harms done there, but we also have NGOs in our network that are currently in Ukraine and are facing attacks, so we are providing active support and analysis on the cyber side of the conflict,” says Ogée.
Ogée is understandably wary of drawing any premature conclusions from the ongoing conflict, and is warier still of making bold statements that could pour fuel on the fire. “We’re doing the best we can to empower those that can effect change while not trying to escalate the situation further,” he says. “There are lots of policy considerations that we will make and we will learn from what is happening.”
One source of concern that the Institute is considering is the impact of the so-called Ukraine IT Army, a hacktivist network aiding Ukraine’s defence and hacking back against Russian targets.
Ogée is concerned that this network could be penetrated by Russian operatives to subvert its mission or give Moscow justification to escalate the war, but also that the conventions of warfare do not account for hacktivism. For example, is a volunteer hacker for Ukraine treated as a combatant? And if so, what implications might this have for the states where they live if one of them triggers a destructive attack on a key piece of critical infrastructure?
How to get involved
Cyber professionals who are interested in volunteering for the Cyber PeaceBuilders can contact the CyberPeace Institute directly and are strongly encouraged to do so.
“Our programme has been developed with their needs in mind – we have a value propsosition for our volunteers,” says Ogée. “We are intentional about making sure they can fit volunteering into their schedule. The missions that we scope for our volunteers take between one and four hours. It’s never going to be a month-long engagement – that’s something that’s not doable with a day job.
“We train them as well – there is a lot of training they can take to learn more about humanitarian activity and digital colonialism, and some topics that are of great interest to NGOs and sometimes not enough discussed in cyber security circles, so there is also an upskilling component.
“It’s also just a great community of cyber security professionals. They get to meet experts from other countries, build their network and, most importantly, put a smile on someone’s face when they have an engagement with an NGO and see the difference they can make.”
Ogée, who earlier this year ran a session at DEFCON in Las Vegas about the Institute’s growing network of volunteers, says he sees a growing appetite among cyber professionals to give back. “It’s great for me and for our industry – it’s a real sign of maturity in the industry as well,” he says.
“I'm seeing a lot more companies invest in social impact programmes that have a cyber security side, which is great because the cyber industry has sometimes invested in CSR [corporate social responsibility] efforts that were disconnected from the core mission.
“But now I see that they are trying to reconnect that, so if anything, I’m thankful and optimistic about the future and the role that the private sector and the tech industry can play when it comes to de-escalating incidents in cyber space. I would encourage more companies to do that.”