James Eaton-Lee, head of information security and data protection officer at Oxfam, discusses the cyber threats and challenges facing third sector organisations tackling poverty, equality and democratic disempowerment.
PrivSec: What are the main cyber security challenges facing the sector at present? Are there discrete challenges that mean that you have to work differently to other sectors?
James Eaton-Lee (JEL): We work in a lot of different threat contexts with different sets of challenges. We probably have a broader range of threat actors than a purely commercial retail organisation might, so the kind of controls that you might implement in a commercial organisation of a similar size don’t necessarily work.
We also have financial constraints. We have no option of digging deep into a slush fund to fund particular security controls; we have to be mindful of getting value from what is effectively public money, either from our institutional donors or individuals, whoever they are, who give us money or who shop with us.
We’re accountable for making best use of that and ensuring that as much of it as possible goes to the place that they primarily wanted it to go – which is benefiting people who are in poverty.
That makes the judgement about value for money in funding security controls, offices, salaries, vehicles, internet connectivity, a different sort of judgement to the kind you make in the private sector. We have to be much clearer, for example, when we invest in complex technological solutions to security problems that it is the best possible use of Oxfam’s money. In practice, the budgets that we have are much smaller than you would have in a private sector organisation.
The model also is very porous. The number of interfaces we have in terms of human interactions, suppliers, business processes, cloud systems or integrations is much larger than in some organisations. Keeping track of those assets, making sure that you’re engaged in the right conversations with the right business stakeholders, is a challenge.
And some of the kinds of work that we do have different security challenges to most systems or business processes that you would have outside of the third sector. Going back to cash and voucher assistance, for example, we operate a lot of digital processes working with vulnerable, disempowered populations in contexts where there’s low regulation.
There’s a huge power imbalance between organisations and individuals; far larger than you would have, for example, selling a debit card to a customer in the UK.
You combine that with scale and the lack of regulation, and there is a different set of challenges and problems where many of the same tools, tools like European privacy law or good cyber security practice, are adaptive, but the challenges are slightly different.
PrivSec: Can you talk about the kind of threat actors that you’re safeguarding against?
JEL: There are a whole range. All organisations are attacked by criminals, by people who are malicious or curious. But the world is an increasingly hostile place, and there are a variety of groups whose aim is to disrupt processes which are democratic and empowering. It’s not quite the same thing as your traditional kid in a bedroom interested in defacing our website.
The contexts that we work in vary hugely. There are some very stable places where the work that we’re doing is long term and people are reasonably empowered, but some are spaces that are very fragile, that have recently gone through civil wars, where there’s ongoing disruption that involves armed state and non-state actors.
Many of our humanitarian colleagues on a daily basis are crossing over checkpoints between contested areas and spaces where just getting access to deliver programming is difficult. And that produces a very different risk and threat landscape to, for example, the retail environment in the UK, where the concerns are primarily about the flow of money within a space that’s otherwise reasonably safe for the people that are shopping.
PrivSec: Looking forward, over the next 12 months or so, what are the main challenges that you’ll be planning for on the cybersecurity side? What are the issues on your radar?
JEL: All development actors, all charities, are struggling at the moment in terms of their cash flow. A combination of economics and coronavirus has made a very challenging environment to fundraise in.
People are, entirely understandably, much more conservative about giving when their jobs are at risk and the climate around them is uncertain. And those difficult judgements that we have to make as technology or cybersecurity professionals about which controls are the right ones and which are cost effective become harder.
Like many development actors, we’re also going through a period of strategic change in which we look at how and where we operate and what our structure is. Inevitably, those sorts of changes on an organisational level prompt cybersecurity challenges, because there are new kinds of work that we want to be able to do that are technology enabled, like the rise in cash and voucher assistance, which requires really strong capability in a specific tech industry vertical. But then, our style of working will require that consultative model, which works across porous boundaries, which works with partners, to be much stronger. And many of our donors are increasingly interested in other kinds of technologically enabled programming.
The other thing that we’re seeing across some of the countries that we work in is that the root causes of poverty and inequality are differently enabled. In some contexts, that means a lack of access to technology causes divisions within society and people are unable to get internet access to exercise the right to employment or to access traditional or non-traditional banking systems. There’s often a gendered element to the lack of access to digital technology, and there’s also often a cyber security element, because the behaviour of groups of people in disrupting systems or preventing access to tech platforms – the rise of censorship, or legal frameworks which are, in some cases, cyber security or data protection legal frameworks which restrict freedom of speech – can have an effect which is unequal.
So there’s a facet of both privacy and cyber security which is ensuring that, in intervening or supporting in whatever context that we’re in, we don’t introduce risk, but there’s also an element of poverty, of inequality, which is digitally enabled, which involves privacy and cyber security risk and where, in order to be able to support communities, we need to use tools and interact with concepts from these worlds.
We have an increasing number of country teams who are looking at the digital landscape as part of their work, and part of our role is supporting that.