Information security in a war zone: How the Red Cross protects its data

How do you secure sensitive information in a war zone if you’re the International Committee of the Red Cross (ICRC)? Founded in 1863, the Red Cross faces serious information security threats as it continues its mission to provide humanitarian aid in conflict zones, to visit detainees in prison, and to help re-unite refugee families driven from their homes.

Both spies and criminals have motive to compromise that sensitive information, perhaps to abduct, imprison, torture, or murder political dissidents. Dealing with these threats in the digital age is a hard problem the Red Cross is working to solve, a new report by researchers at the École Polytechnique Fédérale de Lausanne (EPFL) in Switzerland concludes.

The solution to that security problem means avoiding fetishizing technology and instead looking at security tools in the legal and organizational context in which the Red Cross operates, a lesson all organizations stand to learn. “It’s not just about technology in isolation,” Stevens Le Blond, one of the EPFL researchers, says, “but about the practical factors the ICRC faces on a day-to-day basis.”

The Red Cross has a unique threat model, though, and a unique organizational structure. Most countries around the world have a Red Cross society. National societies are bound to operate under local law, including complying with court orders to turn over data. The ICRC, however, may not be compelled by local authorities to turn over humanitarian data.

“The ICRC is the only international organization that benefits from the non-disclosure privilege,” Le Blond says. “It cannot be legally compelled to disclose information collected in an exclusively humanitarian capacity.”

“Of course, local authorities have an incentive, for some of them, at least, to try to get access to data that they might not be able to get legally,” Le Blond adds. “And, of course, this is applicable to all sorts of attackers.”

Many nation-state attackers have no scruples about hacking and spying on organizations like the Red Cross. As the Snowden documents revealed, The UK’s GCHQ spied mercilessly on Amnesty International, without so much as an apology. It’s a fair conjecture that if the UK has no ethical qualms about spying on Amnesty, many nation-state intelligence agencies in the world want to hack the Red Cross.

The best defense the Red Cross has against such nation-state attacks is the embarrassment it would cause the guilty party if exposed. The challenge of proving you’ve been hacked by a sophisticated nation-state attacker, however, makes this defense difficult.

Inviolability of premises

Unlike the national Red Cross societies, the ICRC enjoys what is known as “inviolability of premises.” Akin to embassies that enjoy diplomatic immunity, no nation with whom the ICRC has a bilateral agreement may invade ICRC premises without explicit prior consent.

In meatspace, it’s pretty obvious when soldiers break down your door and riffle through your filing cabinet. The challenge the ICRC faces today is detecting and responding to nation-states violating that agreement and entering their digital premises without permission. A sophisticated attacker might leave little to no trace on ICRC systems, and the Red Cross does not enjoy the deep security bench of, say, an Apple or a Google.

As a result, the ICRC continues to rely heavily on paper and compartmentalizes information as much as possible. “The best they can do is to use paper forms,” Le Blond says, “and to anonymize as much personally identifying information as possible, and to avoid, or to mitigate, retribution in case the paper forms are stolen or lost.”

When the Red Cross visits a detainee in prison, for example, they are rarely allowed to bring any electronics with them. The Red Cross official might conduct an interview in which a detainee describes inhumane treatment in the prison. Ensuring that the prison is unable to identify who reported the abuse is critical to prevent the prison authorities from exacting revenge.

Sharing this data in useful ways then becomes much more difficult, especially with the local Red Cross societies.

Can technology solve a legal problem?

The ICRC struggles to balance the utility of the data it collects with its sensitivity. Because local Red Cross societies could be compelled by local law to turn over sensitive data, the ICRC often does not share sensitive data with local societies in countries with poor data protection laws.

“The ICRC must train local staff that is potentially more susceptible to coercion [court order, physical threats] because they don’t benefit from P&I (privilege and immunity), or they are a citizen of the country, unlike those employed by the Swiss headquarters and have Swiss nationality,” Le Blond says.

The solution, he conjectures, is technology that helps field workers mitigate the risk of coercion and gives early warning to the ICRC of any unauthorized data disclosure.

Le Blond gives the example of the migration crisis in Europe, when refugees fled North Africa for Western Europe. “In doing so they crossed dozens of jurisdictions where the ICRC, as well as the national societies, are collecting data in order to reunite families and friends,” he says. “But the delegations that are within Europe are reluctant to share that data with those outside Europe that have weak data protection laws, and you wind up with a segregation of data that cannot be reconciled.”

The future of information security at the Red Cross

Ensuring the security of the humanitarian data is not only critical to keeping vulnerable people safe, but also to ensuring the future viability of the Red Cross as a trusted, neutral party, Vincent Graf, ICT innovation officer at the ICRC, tells CSO.

“Perception is more complex to understand,” Graf says. “We talk to everybody, all parties in a conflict. We’re going to talk to NATO but also Syrian forces. We talk to all parties. That’s how we do impartiality.”

“But this requires trust,” he emphasizes. “And we are extremely proud to say that we believe that there’s nobody better placed than us to talk to every side than us, the trust that’s been built over 150 years allows us to speak to everyone, everywhere.”

The consequences of damaging that trust would be incredibly harmful to the effectiveness of the Red Cross. “Imagine if all this information is released publicly,” a source identified as P23 told the EPFL researchers. “The authorities will not trust us anymore, nor will the people. In fact, we won’t be able to work anymore. If someone can access all this data, the damage will be so huge because, what will be the perception in other countries where ICRC works?”

Securing that information involves not only enforcing policies and procedures that compartmentalize data to resist coercion by local authorities, but also developing new technical solutions to make secure communications and data processing more robust, the researchers concluded. Existing solutions such as Signal and Tor are not sufficient to guarantee secure, anonymous communications for ICRC staff distributed around the world. EPFL is pursuing funding to prototype new security and privacy tools and hopes that the resulting tools will benefit other humanitarian organizations, and even journalists, after they’ve been battle-tested by the ICRC.

“The threat model is broad and includes malicious actors interested in data that is collected exclusively for humanitarian purposes and could be abused for criminality or intelligence purposes or you name it,” Le Blond says. “So, we start with the worst case and then potentially generalize it so that [new tools] are also useful for other at-risk organizations.”