GISF Executive Director, Jon Novakovic, recently joined a UN panel to discuss the use of technology for security risk management. His comments are published here to spark further conversation on the risks of our growing reliance on technology.
GISF at the fourth Annual United Nations Security Symposium
Last month, I had the pleasure of being invited to speak at the United Nations Security Symposium in Geneva. A key event in the global security calendar, it brings together experts from the UN, NGOs, academia, the private sector and more.
The theme of this year’s event was ‘Innovative and Tech-Enabled Security Risk Management’. I spoke on a panel related to ‘The Role of Technology in Anticipating, Planning and Responding to Security Threats’.
While much of the panel was focused on the opportunities of technology, I offered some words of caution. In the humanitarian sector, many of us have observed the temptation to solve problems with shiny new tech products. But sometimes this headlong approach towards the latest technology can create new, unknown risks. So, this is what my comments on the panel reflected, and below is an extract from my full remarks.
The risks of dependence and reliance on technology
When talking about technology in the security sector, I find it’s useful to connect it back to our own lives.
We all use technology every day – without even thinking about it. Take our smartphones, for instance. For many of us, these are not only devices to communicate with people around the world. They are also our personal organisers – telling us what to do every moment of the day. And they are our navigation systems – telling us how to get there.
I am sure we have all felt the panic of misplacing our phone or unexpectedly running out of battery. It’s in those brief moments that we realise how lost we would be without these little devices.
In the world of security, the stakes are much higher. So, just as we need to have backups in our own lives to curb our smartphone dependence, we need to be equally vigilant when introducing new technologies to our security operations.
Some tasks we can outsource to the phone. But for others we may need to decide that the phone’s not appropriate. Sometimes an app on our phone, intended to make a part of our life easier, inadvertently exposes us to trouble in the future.
As my fellow panellists have outlined, technology has many potential applications for anticipating, planning and responding to security threats. While the benefits are huge, I want make a case for caution and diligence whenever we implement new technologies in the security space – particularly when it comes to overreliance, and creating new vulnerabilities. If we go ‘all in’ on one solution, without fully understanding the implications, then we haven’t mitigated risk. We have simply traded a known risk for unknown risks.
Anticipating security threats with technology
Under the theme of ‘anticipation’ we have seen a rise in the use of ‘big data’ in recent years to inform predictive models for security risk management.
Just to confirm that I am not a luddite on this matter, I previously worked as an NGO’s Global Manager of Crisis Analysis. Using forecasting algorithms, the team got to the point where they could forecast the likelihood of Syrian pilots being active over an area, and deploy convoys much more safely. What made it really effective was not just the computing power, but that the data scientists were sat in the same room as local analysts and aid workers. In other words, there was constant collaboration and correction.
This was a great success story. But to achieve this success, we as an NGO had become reliant on the tech of a big, well-known data analytics company. And it was a company that started to develop a complicated reputation due to some of their other clients.
So, we had mitigated some risks. But in doing so, we’d also exposed ourselves to potential reputational risks, which can quickly translate to physical risks. Eventually, we had to part ways with that supplier.
Luckily, we didn’t fall into the trap of overreliance in that particular case. But we did create a new vulnerability. And there were other projects where we were probably too data-focused.
So, in terms of anticipation, tech is a magnificent force multiplier. But it’s only ever one part of the equation.
What do our staff say? What do our local partners say? These are vital questions that cannot be answered by data alone. And that’s before we even get into hidden biases within data and analysis.
What do we do if the private company wants to change its pricing? What if you have a Starlink situation? Over-reliance is an ever-present issue.
The presence of ‘big tech’ in the humanitarian space
Hopefully some of what I’ve said so far has hammered home the point about integrating new technologies into sensitive, mission critical, security processes. Every time we introduce a new digital product to help mitigate a threat, the likelihood is that product is supplied, or powered by, a third party, for-profit company. There are very few humanitarian or development organisations with the capacity to develop these capabilities. And actually, in turn, the company you’re now dependent on for a product, is also likely dependent on other tech companies further up the supply chain.
This year AccessNow published results of an investigation that revealed at least 220 tech companies are engaged in more than 50 major humanitarian partnerships or initiatives. Further analysis by AccessNow revealed that these partnerships are increasingly consolidating into fewer hands.
Most humanitarian organisations will share their technology supply chain with government agencies, with defence companies, with banks. If they are a target, we become collateral damage.
So, by introducing digital products into our work, we create new vulnerabilities. We are exposed in new areas. Most importantly, because tech suppliers are third parties (and sometimes third parties of third parties) we do not have a lot of control over how those risks are being managed.
Data breaches, denial of services – these are not risks for the IT department. More and more, we see how these cyber risks manifest as physical risks and physical incidents, with humanitarians and human rights workers targeted using stolen information. I’m aware, and you are probably aware, of events like these happening across the humanitarian sector.
But we don’t talk about it. Because if or when your organisation has to stand up and announce that they have lost control of the data of beneficiaries, this breeds mistrust in the community. And now you have another risk to manage. There are many pathways for digital risk to manifest as physical risk.
In a digitally-driven world, how can we protect ourselves?
So, what do you need to do to protect yourself from these risks? First, simply be aware of them. Acknowledge the reality. Have people in your organisation who understand the reality. Be aware that, as with any action, introducing technology into your security management approach brings the risk of unintended consequences. Be aware of new vulnerabilities. Do not be tempted to introduce a shiny new tool because you think it will impress a donor, to the detriment of an approach that was already working fine.
Secondly – and this requires a lot more effort – within your organisation, break down those walls between the security department and the IT department. Because this isn’t just about the application of tech in security programming. It’s about the integration of tech across all programming.
At the Global Interagency Security Forum, we have looked at this. We’ve spoken with the organisations who are already doing it. It’s possible. You can read about it on our website. You need people and teams with the technical expertise to take an interdisciplinary approach to the use of technology, to look at solutions and challenges from all angles. Bring them together, because then you will have the people who can ask the right questions, and more importantly answer them.
Be cautious, but don’t abandon technology
If I can offer some final words, I would just say that none of my warnings today should be taken as a call to abandon technology. We are all immensely grateful for the support it provides. We just need to be aware of the risks and to mitigate them.
Just as I don’t want you to throw technology out of your security programmes, you can also rest assured that I don’t want you to throw away your smartphones. But I think we can all agree these little devices can have some negative impacts, as well as the benefits they provide – just like all technologies.
The views and opinions expressed in this article are solely those of the author and do not represent the views or position of the author’s employers.
About the author
Jon Novakovic is the Executive Director of the Global Interagency Security Forum (GISF). He assumed the position in March 2023.
For any questions, comments or suggestions, please feel free to contact the GISF team at info@gisf.ngo.
Banner image: Luis Gomes (via Pexels)
Featured image: United Nations 2024
Related:
Humanitarian Security in an Age of Uncertainty: the intersection of digital and physical risks
GISF is launching a new research project on the topic of security in a digital world, aiming to explore the ways in which security risk management (SRM) in the aid sector is changing in response to the opportunities and risks stemming from the evolving digital world. As part of the…
Find the Gaps, Fill the Gaps: reflections on GISF’s journey and our vision for the future
After one year in post, GISF Executive Director, Jon Novakovic, provides his reflections on the organisation's transition to independence and what it means for the future of NGO security risk management.