International Donors and AID Beneficiaries Face Elevated Cybersecurity Threats
The promise of global connectivity to enhance developing countries’ well-being is a reality as more citizens go online and international donors and their partners improve their digital service delivery. This surge can spur economic growth, advance freedom, boost transparency, increase accountability, strengthen civil society, and empower women.
But this shift comes with serious risks that can undermine security at multiple levels (citizens, donors, implementing partners, governments, etc.). The threat inescapably points to the urgent need for enhanced end-to-end cybersecurity. This threat is exactly why foresight and risk analysts are quick to point to weak cybersecurity safeguards as one of today’s top global liabilities. A failure to focus more attention on the connections between international/humanitarian aid and cybersecurity would be a serious miscalculation with serious consequences.
Cyberthreats and Aid Delivery
The importance of cybersecurity continues to headline today’s news. Recently Microsoft, one of the world’s preeminent IT companies, reported that an elite Russian-sponsored group had hacked into the emails of its top executives and its cybersecurity staff, signaling that no entity, even an IT legend like Microsoft, is impervious to cyber intrusions. The importance of fire walls to repel cyberattacks was again front-page news when one of the largest U.S. medical care billing and payment providers, involving major hospitals, clinics, and healthcare providers, was paralyzed by a cyberattack that disrupted drugstore pharmacists from writing prescriptions and surgeons from being paid, not to mention raising grave concerns about patient medical records being compromised. The hack was orchestrated by a “ransomware-as-service” provider called BlackCat, which relies on multiple freelancers or affiliates. Country-sponsored cyberattacks are also accelerating. State-sponsored cyber-attacks from the People’s Republic of China (PRC) on the U.S. government, private sector, and critical infrastructure across the U.S., are persistent and growing, according to the latest U.S. global threat assessment. These cyberattacks represent the most direct and serious threat to U.S. national security. As a consequence, the United States and UK recently announced sanctions on China’s elite spy agency hacking units for placing malware on America’s critical infrastructure and for stealing the voting records of 40 million British citizens.
Governments, businesses, the military, and other entities that fail to harden their computer systems, servers, software, networks, data banks, and other systems face an elevated risk from hackers and others with malicious intent. Vulnerability can also come by accident when a well-intentioned user inadvertently introduces viruses and other malware. Whatever the cause for cybersecurity blind spots, easily hacked systems, unintentional privacy leaks, malign misinformation, and disinformation campaigns, these threats can hobble an enterprise and grind its operations to a halt, compromising its partners and end users.
Donor Cyber Obligations
Over the past two decades, online donor services to beneficiaries have steadily increased to include online access to banking and other financial services, the wired provisions of skills training for basic employment and upskilling opportunities, the networked sharing of best practices for farming, manufacturing, and businesses to increase productivity and profitability, and the digital provision of life-saving healthcare information including telemedicine. In short, digitalization is increasingly becoming the heartbeat for inclusive and resilient donor efforts that address poverty reduction, limit environmental and other shocks, transform lives, and strengthen governments and the private sector. Responding to COVID-19 has further highlighted the vital role of digital technologies in a highly interconnected world.
Given that developing countries are more susceptible to cyberattacks than developed ones, international donors are obligated to carefully weigh the benefits against the potential risks and vulnerabilities of digital service provision. Recent evidence, such as the UN’s Global Cybersecurity Index (GCI), which measures the legal, technical, organizational, capacity, and cooperation components of national cybersecurity plans, reveals a crucial need to address the wide cybersecurity gap between developed and developing countries.
Many donors have been slow to respond to these threats. The U.S. Agency for International Development (USAID) was one of the first to issue a digital strategy to address the implications of the growing trend to deliver aid online and the inherent risks involved. That strategy benefitted greatly from a much earlier international working group’s Principles for Digital Development, which served as a foundational template back in 2014 for the ever-expanding, complex, and risk-linked digital landscape. “Do no harm” evolved as one of the nine basic principles, inviting all donors to better anticipate and mitigate digital risks, ranging from confidentiality, to privacy, to illegal surveillance, and to outright censorship. The digital strategy foresaw the potential abuses of machine learning and artificial intelligence. It was also the jumping off point for USAID to launch its “Cyber Calvary” to provide rapid technical support to its overseas implementing partners and aid beneficiaries to harden their systems and devices to repel cyber instructions.
The Organization for Economic Cooperation and Development (OECD), which collaborates on key global policy issues among its 100+ country members, has long recognized that as international development aid becomes more digital, member countries need to develop policies that strengthen the public trust in these services. Rather than refer to cybersecurity safeguards, the OECD emphasizes the need for better “digital security” to highlight cyber’s economic and social consequences, not just technical issues that revolve around cybercrimes (for example, identity theft, ransomware attacks, software piracy) and criminal law enforcement. Developing countries’ digital security is likely to be a major topic at the upcoming U.N. General Assembly’s Summit of the Future.
One promising approach for donors and other organizations to assess digital risks is to include the threat along with other known ones in a process called enterprise risk management (ERM). ERM, along with scenario planning, uncovers risk’s root causes which then drive an organization-wide risk mitigation plan. For international donors, including digital risks as a major threat necessitates a new, heightened awareness. When they fail to maintain digital security awareness, they undermine the donor’s digital safety, its implementing partners, and beneficiaries.
Developing Countries’ Cybersecurity Cooperation
Developing countries with weak cybersecurity safeguards are increasingly becoming easy targets for cyberattacks, so donors must double down on their efforts to safely deliver development assistance and humanitarian aid. Two noteworthy cybersecurity cooperation efforts follow:
- Digital Connectivity and Cybersecurity Partnership. Chaired by the State Department and the U.S. Agency for international Development (USAID), DCCP with a dozen U.S. departments and agencies, works with partner developing countries and their private sector to build a “an open, interoperable, reliable and secure digital economy”. DCCP’s innovative projects include their Digital Asia Accelerator Support program which targets small businesses to become more digitally aware and cyber-safe, ProICT which provides devoted experts in key country ministries to co-design, development, and implement secure ICT policies, and the Cross-Border Privacy Rules (CBPR) project which focuses on building capacity and improved environments for Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Rules System (CBPRs). DCCP-assisted countries include Jamaica, India, Cambodia, Mongolia, Timor-Leste, the Philippines, and others.
- Cybersecurity Multi-Donor Trust Fund. Part of World Bank’s broader Digital Development Partnership (DDP), the Trust Fund targets low- and middle-income countries to foster the development of “global knowledge on cybersecurity solutions” that can address shortcomings in country and sector-specific information and communication technology (ICT) infrastructure. The Trust Fund provides cyber technical assistance and country staff training, along with cyber maturity assessments modeling which examines, for a critical economic sector, any glitches in cybersecurity practices, capabilities, or resources. It also recommends steps for greater cybersecurity resilience.
Looking Ahead
The online provision of aid will continue to increase in the next decade, but donors are unlikely by themselves to harden the critical cybersecurity infrastructure of the countries they engage and the beneficiaries they are trying to reach. Private-public partnerships will be needed to make major progress. Beyond traditional online aid, cyberthreats may also undermine donor efforts at conflict prevention and stabilization by degrading critical digital infrastructure and information systems that citizens depend upon for a timely, accurate picture of government policies, programs, and activities. And cyberthreats can weaken lawful elections, human rights, and an independent media, undermining a vibrant civil society’s role as a bulwark to authoritarianism.
What more can donors do? Donors can increase funding for a range of cybersecurity initiatives from raising organizational awareness of cybersecurity risks and developing fixes, to providing additional training for in-house staff on cybersecurity best practices, to building/strengthening the cybersecurity skill sets of program designers and implementers, NGOs, and other development partner organizations, along with increased country-level assistance to facilitate the development of the legal framework, regulations, and standards for a resilient cybersecurity ecosystem. These actions will not happen overnight, but they will go a long way to foster a safer, more secure digital environment for all.
And finally, some good news on cybersecurity, namely, the growth of service-oriented global job opportunities. Training aid beneficiaries on cybersecurity awareness and the latest techniques that enhance their own digital security may better position them for service-oriented “jobs on the rise” in their own country, which some development experts see as the next wave of non-manufacturing jobs to chip away at poverty.
Steve Gale serves on the New Security Beat’s 2024 Editorial Advisory Board. He is a Strategic Advisor at Global Foresight Strategies, and former Senior Foresight Advisor at USAID. He served as the U.S. Representative, and later as the Chair, of the OECD/DAC Friends of Foresight. A frequent foresight keynote speaker and blogger, he is also the author of an award-winning book on futures.
Sources: Applied Clinical Informatics, Carnegie Endowment for International Peace,, Cross Border Privacy Rules System, DigitalPrinciples.org, Euractiv, Harvard Kennedy School, ITU Publications, KPMG, KrebsonSecurity.com, OECD, Office of the Director of National Intelligence, The New York Times, The World Bank, United Nations Department of Economic and Social Affairs Capacity Development, UN News, USAID, Woodrow Wilson International Center for Scholars, World Economic Forum, World Future Council.
Photo credit: Young men discussing some business plans to be executed on farmland, courtesy of vic josh/Shuttertock.com.