How do you secure sensitive information in a war zone if you’re the International Committee of the Red Cross (ICRC)? Founded in 1863, the Red Cross faces serious information security threats as it continues its mission to provide humanitarian aid in conflict zones, to visit detainees in prison, and to help re-unite refugee families driven from their homes.
Both spies and criminals have motive to compromise that sensitive information, perhaps to abduct, imprison, torture, or murder political dissidents. Dealing with these threats in the digital age is a hard problem the Red Cross is working to solve, a new report by researchers at the École Polytechnique Fédérale de Lausanne (EPFL) in Switzerland concludes.
The solution to that security problem means avoiding fetishizing technology and instead looking at security tools in the legal and organizational context in which the Red Cross operates, a lesson all organizations stand to learn. “It’s not just about technology in isolation,” Stevens Le Blond, one of the EPFL researchers, says, “but about the practical factors the ICRC faces on a day-to-day basis.”
The Red Cross has a unique threat model, though, and a unique organizational structure. Most countries around the world have a Red Cross society. National societies are bound to operate under local law, including complying with court orders to turn over data. The ICRC, however, may not be compelled by local authorities to turn over humanitarian data.
“The ICRC is the only international organization that benefits from the non-disclosure privilege,” Le Blond says. “It cannot be legally compelled to disclose information collected in an exclusively humanitarian capacity.”