Seriously, nobody gives a sh*t about information security
Michael Kleinman poses the question:
how best to secure sensitive information and communications in the field. A post which could just as easily be titled “how to try and keep the Sudanese Government (or insert other oppressive regime) from reading everything on your computer.”
It’s no secret – here at humanitarian.info, we believe that the humanitarian community is criminally negligent when it comes to protecting its information, particularly when it comes to beneficiary information. Dear NGO: although the Sudanese government is wading through your computer files right now, it probably had access to them even while you were still in the country, usually by applying pressure to your national staff to co-operate, so it’s a bit late to start complaining.
Still, there are solutions: Michael points to NGO Security in a Box, a product which I have no hesitation in endorsing, so download it today and use it immediately. You might also want to check out the McCumber Cube as a useful analytical tool, and get your IT and security staff sitting around the same table for once. How else can you start?
- Encryption. GnuPG is free – why not use it on documents and communications that you wouldn’t like the secret police to see? Even Windows can manage PGP encryption, although you’ll probably need to budget for it.
- Anonymisation. There are some great resources for activist bloggers – start with the Handbook for Cyberdissidents, the chapter Technical Ways to Get Around Censorship to help you shield key communications.
- Physical partition. Keep sensitive data – for example, personal information about beneficiaries – physically and digitally separate from non-sensitive data. Why not make different staff responsible for different datasets?
- Backup. Keep at least two backups of all vital data – one onsite, one offsite, preferably both updated daily. Go and do it now. You can use services like Dropbox to sync across machines.
- Geek out, and work entirely from a portable USB stick that never leaves your key-chain.
There are literally hundreds of steps that you can take to inform yourself and improve digital security for yourself and your organisation, but I’m comfortable saying that most international NGOs working in Sudan weren’t doing any of them. I’m ranting again, aren’t I? I’ll go and lie down.
Amen to that. I think it’s a combination of the same rush to operate that leaves physical by the wayside too, and a belief that info security is somehow un-transparent.
Alanna
25 Mar 09 at 7:39
Please don’t get me started about physical security in Sudan.
Paul Currion
25 Mar 09 at 7:40
[...] – Paul Currion, as usual, has a fantastic example of this kind of thing from Sudan, posted mere hours before this one! Well done Paul and thanks for the link! Possibly related [...]
Political net attacks on the rise «
25 Mar 09 at 10:08
Paul, great detailed post on the problems and solutions of IT security in the field. Thanks for bringing this to our attention.
We’re thinking right along the same lines because before I read your article, I posted a similar piece on the HFP Blog, here.
Although I soft-spun the problem in my post, presented more as a news update with an intriguing question, I think your assessment of “criminal negligence” is well said.
It’s only a matter of time until we see a Russia or a Pakistan completely wipe out the address books, contact lists, and documents of a major aid organisation, with crippling effect.
I wonder what the flash appeal for that would look like?
Noah
25 Mar 09 at 10:11
I hate to rain on the parade but I thought I should point out that Windows’ encryption methods are some of the most heavily regulated in the industry. Exporting a Windows box to Sudan can land you in hot water with the BIS, the US agency which oversees all exports. Although there are exemptions in place for most of the players exporting to Sudan I would strongly recommend reading the fine print.
GnuPG should fall under the ‘publicly disseminated’ category which leaves it lightly regulated. These regulations are one reason I pushed Ubuntu as an alternative. I know some agencies have spent a lot of time figuring out which hardware and software systems are the best fit for each country.
While I am all for encryption it tends to breed suspicion and can even draw the attention of individuals that were previously not interested in your gear. Better to run things in the clear whenever possible.
Jon Thompson
25 Mar 09 at 15:46
I’ll always ask for a slice of Ubuntu at dinner time, but on the other hand not everybody needs to worry about US export regulations (not even INGOs, who often have partner organisations that they can procure through).
As you know, I am for radical transparency in the humanitarian sector except where beneficiary, staff and partner privacy and security is concerned. Given the attitude of the Sudanese government towards those three groups, I think pretty much anything on the books falls into that category?
Paul Currion
25 Mar 09 at 19:02
Paul-
Unfortunately even the partners are subject to US jurisdiction as far as the US is concerned. A lot of in-house counsel spend their hours whittling these regs into pill shaped forms so that Ops can even take a shot at digesting them. And as far as the money is concerned there is a whole other branch of gov’t that tracks the transactions.
Security is always an issue in every site so it’s best to operate with the mindset that everything will eventually be seized. Besides, I am not sure what we could tell them that they don’t already know. Often times we’re playing catch up.
What am I missing? Whose data was seized in Darfur and what was the outcome?
Jon Thompson
26 Mar 09 at 2:54
Jon – that’s true, but I know at least two US-based organisations that are circumventing the regulations in exactly this way on the assumption that the US government isn’t going to risk public wrath by prosecuting a non-profit working to “save Darfur”.
I’m working on the assumption (supported by anecdotal reports) that the Sudanese government has been using this opportunity to have a good shuffle through the offices of those NGOs that have been expelled. I’m sure that our lists of community leaders could come in very useful to them, for example.
Paul Currion
26 Mar 09 at 8:42
Paul-
Unfortunately, that assumption doesn’t fly far with the BIS according to the BIS folks I’ve spoken to. There is a certain amount of understanding shown for aid agencies but that does not mitigate the need for those agencies to practice due diligence. I would bet that their procurement teams are still running their product (EIN) numbers through some sort of screen like eCustoms. In any event the Sudan exemption that was granted a few years back makes it less of a hassle to export to the country.
When I worked in South Sudan where ‘go bags’ were the norm we had a set of emergency close down protocols that took all of 30 seconds. Your day to day activities always included steps that ensured you could immediately adhere to those protocols with only a moment’s notice. Unfortunately, I’ve seen plenty of folks that don’t run a tight ship and that get jammed for it.
Encryption is good but ensuring that it doesn’t violate donor country laws, host country laws and is properly implemented could prove a monstrous task, especially that last one. Better just to drag your laptop and thumb drive with you.
Jon Thompson
26 Mar 09 at 16:42
In the end, we come back to the same thing: the weakest link in security is the human link (deliberate pun). The laptop / thumb drive combo makes sense – everybody hot desking? But we still have the problem of centralised data, whether it’s in digital or paper format.
Paul Currion
26 Mar 09 at 16:54
True. Best to settle for a 50 gallon drum and some kerosene before heading to the airport.
Jon Thompson
26 Mar 09 at 22:59
I’ll bring the zippo.
Paul Currion
26 Mar 09 at 23:09