August 2022 C4DT Focus N°3

design: blaise Magnenat

Featuring interviews with: Written by Daniel Saraga

Philippe Stoll Chelsea Manning Wouter Lueks

Digital transformation specialist Network security specialist Postdoctoral researcher at the Security
at the International Committee and consultant at NYM and Privacy Engineering Laboratory, EPFL
of the Red Cross (ICRC)
 FOCUS N°3
C4DT Focus
T
he digital world is evolving
at high speed and not a day
goes by without the subject making
headlines. With targeted interviews
of international experts
and a selection of the most relevant
articles on the subject, the C4DT
Focus offers you valuable insights
into a digital topic, which was
in the news recently.
2 3
Center for Digital Trust
Housed at the Swiss Federal Institute of Technology
Lausanne (EPFL, www.epfl.ch), the Center for Digital Trust
(C4DT, c4dt.epfl.ch) brings together academy, industry,
not-for profit organizations, civil society, and policy actors
to collaborate, share insight, and to gain early access
to trust-building technologies, relying on state-of-the-
art research at EPFL. C4DT is supporting the public
sector by acting as an expert and facilitating technology
transfer, in domains such as privacy protection and
security, democracy and humanitarian assistance and
critical infrastructures.
 INTRODUCTION FOCUS N°3

Cyberwar hits
Leaks have been exposing controversial activities
by the most powerful and wealthy people. But a recent

humanitarian
cyberattack on the International Committee of the Red
Cross (ICRC) has shaken the world of humanitarian aid

organisations
when it exposed the data of 500 000 vulnerable persons
who were looking for family members in crisis and conflict
regions. A “shattering event”, says Philippe Stoll from ICRC,

The data security who explains how the organisation is responding to the new
threat landscape. Such hacks – and those seen in the war

of the most in Ukraine – can aim at disruption by “sowing confusion and

generating controversies”, analyses security consultant

vulnerable must Chelsea Manning.

be protected. The ICRC is collaborating with research institutions

to develop advanced platforms in order to protect the data

How? of the persons it helps. While biometrics databases are

a no-go for security reasons, EPFL scientists are working
on decentralised solutions to authenticate aid recipients.
“It is crucial to understand the needs of the users and
the limitations of their work environment before you start
working on a solution”, says Wouter Lueks from the SPRING
laboratory at EPFL.

4 5
 INTRODUCTION FOCUS N°3
PRESS
Leak exposes Xinjiang detention camps
A consortium of fourteen media outlets published reports
based on the Xinjiang Police Files in May 2022. The leak
REVIEW
exposes the internment campaign currently on-going in
China, where an estimated 100 000 to 1 000 000 Uyghurs
and other ethnic citizen are detained in re-education camps
in the Xinjiang region. The files contain details on 23 000
detainees, 2 800 mugshots and lists of police staff and camp
guards. They were provided by a hacker who gained access to
computer systems operated by the public security bureaus of
two counties.
Chinese cyberespionage group suspected of hitting Russia
and NGOs in South-East Asia
Bronze President, a cyberespionage group based in China, is
suspected of trying to infect computer systems of Russian
officials with a malicious file. The group had been targeting
NGOs and governmental organisations in Asia. It is likely to be
sponsored by the Chinese government, or at least tolerated by it.
Aid organisation in Ukraine targeted by cyberattacks
Charities and aid organisations bringing relief in Ukraine
are being targeted by malware, according to Amazon Web
Services. Their teams “have seen new malware signatures and
activity from a number of state actors” which they monitor.
Massive leaks of Russian soldiers’ identities
The Ukrainian government published several datasets with the
details of Russian military personal, possibly leaked by hacker
collective Anonymous. One contained the name, army unit and
registration number of some 120 000 soldiers of the Russian
army – although it was not clear how relevant the list is for
the current war. A second listed some 1600 soldiers of a rifle
brigade stationed in Bucha and suspected of war crimes, and a
third one exposed details of 600 officers of the FSB, the main
successor of former KGB.
Facial recognition software used to contact the parents of
Russian soldiers
IT activists close to the Ukrainian government have contacted
the families of 582 dead Russian soldiers identified from
6 7
photographs taken by army personnel. They used a U.S. face
recognition software maintaining a database of 20 billion
images obtained on social media and other website, including
around 2 billion from VKontakte, Russia’s largest social
networking service.
Hackers Without Borders launched to protect NGOs
Founded in Geneva in the aftermath of the 2022 ICRC data
leak, the collective Hackers Without Borders provides pro bono
advice and services to NGOs, especially those active in regions
of armed conflicts. They cover prevention – such as auditing,
vulnerabilities detection, training or sharing knowledge of
hacker’s methods – and neutralization of the attackers, such as
forensic analysis and referring to law enforcement.
Four cyberattacks per week against the health sector
More than 400 incidents in 38 countries related to healthcare
have been recorded in the last two years by the CyberPeace
Institute, a Geneva-based NGO assisting humanitarian
organisations on cybersecurity issues. The impacted
organisations are active in medical manufacturing and
development, patient care, and pharmaceuticals. Each incident
had an average of 160 000 records and a 19-day impact on
operations. Close to three quarters of them resulted in exposure
or leak of the data.
Canada confirms barring Chelsea Manning from entry
The Canadian Immigration and Refugee Board confirmed
decisions taken since 2017 forbidding former whistle-blower
Chelsea Manning [see our interview p. xx] to enter the country.
The decision is based on her conviction in the U.S. related to
her providing Wikileaks in 2010 with material documenting
military and diplomatic action by the U.S. government.
 INTERVIEW FOCUS N°3
“We strive to take
The International Committee of the Red Cross (ICRC) has
been working on humanitarian data security for many
years but was recently hit by a massive hack. Philippe Stoll
of ICRC explains how the organisation is dealing with the
a pioneer role
growing cyber-risks affecting NGOs and humanitarian
organisations in conflict zones.
The ICRC announced in January 2022 that the details
in humanitarian
of more than 500 000 persons it had been helping had
been compromised. What did the event mean for the
organisation?
This has been an immense shock, but it was not entirely
data protection”
unexpected. We have been very much involved with maximising
the security of the people we help, including the digital
environment. We are very much aware that actors in conflict
zones are interested by this kind of information – for instance,
Philippe Stoll one can think of details on prisoners of war.
Still, it was shattering to realise that some people feel that they
Digital transformation specialist at the International can do such a thing. It compromised the personal information
Committee of the Red Cross (ICRC) of vulnerable people who have been looking for disappeared
family members during crises, armed conflicts or wars,
sometimes for several decades. It is hard to understand why
someone would do this.
8 9
Was it ransomware?
We have seen no sign of it. As far as we know, the data has not
been published or traded to date.
Do you have ideas about the motives and the perpetrators?
I do not wish to speculate here nor point fingers. It is crucial
for the ICRC to stay neutral, to be able to talk to all actors –
including those who might have harmed us – in both the real
and the digital worlds. This is not at all about legitimising such
actions, but about keeping open channels. We must be able to
discuss security issues for our staff and to preserve our access
to vulnerable persons. So we need to keep the possibility of
talking to the hackers to explain clearly the nature of the data,
and to plead directly to them not to publish, share or sell them.
I emphasise that an assault against the ICRC, be it physical
violence against our staff or a cyberattack, makes our work
more difficult. We had to shut down our system helping
vulnerable persons locate missing family members, resort to
intermediary measures to keep minimal service continuity, and
build back stronger the data platform. This costs time, money
and the availability of staff for other tasks. And we saw the
distress such an attack has caused when we reached out to the
persons possibly impacted.

It struck me that the ICRC has communicated quite
transparently, including some preliminary analysis of
the exploit.
We have a strong culture of transparency and accountability.
This is linked to the responsibility we have towards the
people we protect. We have worked hard to inform the
impacted persons about the leak via public campaigns, or
individually, depending on the legislations. The national Red
Cross and Red Crescent Societies play an important role, as
they know well the population they have been helping.
How does the ICRC manage the new risks created by
digitisation?
We have been taking this topic very seriously. First, we
have seen a growing demand in the field. People in crisis
situations have digital needs: how to get internet access,
save official documents, find lost email addresses, etc.
These activities can be risky – merely using the internet
leaves traces – so we assist them in doing it safely. Second,
the ICT tools used by our staff raise safety and privacy
issues.
The cyber-risks might be similar to those in other industries,
but the consequences are very different. If you live in a
peaceful a lawful country, you might be angered when
finding out you have been geolocalized by a company or by
the government, but in practice nobody will threaten you. It
is very different in a conflict zone, where a government or
a rebel group learning details about your whereabouts can
become a matter of life and death for you.
One paramount rule for the ICRC is to do everything we can
to minimise the risk to the persons we help, so we must
take cybersecurity extremely seriously. We also aim at
being a role model, or at least taking a pioneer role, as most
humanitarian organisations lack the resources to explore
solutions to cyber-risks. We have many people working
on these issues, defining strategies, writing guidelines or
working with IT specialists, governments and lawyers to
ensure the data we collect is protected.
We published for instance a detailed handbook about data
protection in a humanitarian context, including new trends
such as the blockchain. We also propose an immersive,
interactive online training to help staff grasp concretely
the possible consequences of mundane actions such as
sending documents via unencrypted email or sharing them
online, using a cybercafé, or keeping confidential information
on a USB stick.
10
INTERVIEW FOCUS N°3
Respecting cyber hygiene is often cumbersome and not
always appreciated by staff.
We have a very long experience and culture of protecting
both our personnel and the aid recipients, so there is
generally a good acceptance of rules designed to minimise
cyber-risks. My colleagues understand why we do it, and
accept the procedures pretty well, even when they are
not ergonomic or fast. None of us wants to be possibly
responsible for endangering the life of the people we are
helping.
What is the ICRC’s vision to protect humanitarian data?
First, we want to exercise full control over the data we collect
and shield them from both unlawful and lawful access. For
instance, no State can request access to data stored on
our servers on premises in Switzerland, as they benefit from
immunities. This means also using technologies that do
not give access to third parties, but it is increasingly difficult
not to use external software and cloud solutions. This is
particularly tricky as they have been designed for countries
at peace, not at war. We are working with universities
to develop solutions beyond off-the-shelf products.
Another goal is to use an independent cloud, to avoid the
dependency on providers and their own legal obligations, for
You often compared the real and digital worlds. But
example in case of international economic sanctions or legal
hackers can come from anywhere and might not even be
actions.
involved in the conflict, contrary to a belligerent on the
Second, all the signatories of the Geneva Convention (all
ground.
States, Ed.) have adopted our 2019 resolution to contribute
Indeed, this is a challenge. The main difficulty is to link online
to the protection of humanitarian data used for restoring
attacks with offline impact. This is abstract and most people do
family links. Our objective is to extend it in 2023 to all data
not understand the consequences of a cyberattack. It is not like
collected for humanitarian purposes, such as those on food
the bombing of a hospital, where the way it affects people is
distribution or health provision.
immediately visible.
You are working on a digital emblem for humanitarian
data. What is it?
The goal of the emblem is to identify and protect
humanitarian data and servers, in the same way our
official emblems – the Red Cross and the Red Crescent
– identify and protect our staff and infrastructure on the
ground. We are collaborating with universities on the
technical aspects. The second dimension is legal, namely
developing a framework that recognises the unique nature
of humanitarian data and ensures their protection via a
digital emblem. The third is operational and concerns
its deployment. That said, we are aware that identifying
humanitarian data could increase their visibility and thereby
the risks of cyberattacks, so the pros and cons must be
carefully weighed.
11
 INTERVIEW FOCUS N°3
“Data leaks can
be disruption
operations”
Chelsea Manning
Network security specialist
and consultant at NYM
Hacking personal details of humanitarian organisations or
military personnel has often little direct use, says Chelsea
Manning. It rather aims at disrupting operations and
creating controversies, explains the former whistle-blower
and U.S. Army intelligence analyst.
According to the ICRC, the hack of their data on 500
000 vulnerable persons was compatible with an attack
launched by a country or a state-like actor. Do you concur?
It had all the hallmarks of a state, or at least of a state-
sponsored actor working on behalf of a government. Its
complexity reminds of the 2015 hack the U.S. Office of
Personnel Management with the stealing of the records of 20
million federal employees and contractors. These differ from
usual hacks, which are more dependent on bad luck or the
exploit of a big loophole.
What can be the goal of getting such data?
I view it as fifth-generation warfare, namely non-lethal actions
such as misinformation or propaganda. A hack, even if complex,
is relatively cheap when compared to an operation with secret
services personnel. You can understand it as a disruption
operation made far from the actual battlefield. The goal of
such hacks is usually to muddy the water, create a negative
impact, sow confusion and generate controversies so that
the authorities must invest energy and time in reacting to the
aftermath of the hack. One can see it also in the meddling of
Russia in Brexit, the U.S. presidential elections or far-right parties
in Europe. In the case of the ICRC hack, the goal could be to
weaken the organisation in regions where it is not welcome, or
disrupt the Western nations, which are the organisation’s main
supporters.
Many data leaks have been about wealthy persons
offshoring their finances or normal citizen using internet
services. Here it concerns the most vulnerable of us, such
as war prisoners or civilians suffering from armed conflicts.
This hack seems especially amoral.
It is terrible, this is clear. Now, if you allow me to talk from an
analytical perspective: it is not so clear that the persons whose
data have been leaked will be directly suffering from it. In
such hacks, the information is very often not published, or not
really used. Also, such leaks can get quickly drowned by new
information. And the longer time elapses after the leak, the more
buried it becomes. Like sediments at the bottom of the ocean,
information gets fossilised over time.
Ukrainian media have leaked several datasets of Russian
soldiers, including one of a unit allegedly in Bucha during
the suspected war crimes. What role can such leaks play in
warfare?
It is hard to assess. It is similar in nature to what I was describing
above as fifth-generation warfare: creating instability amongst
the other belligerent. In the case of Bucha, of course, it could
have relevance should an international court charge army
personnel for war crimes.
 INTERVIEW FOCUS N°3

electricity consumption, but I am not convinced that they will

It is not clear whether the leaked information is accurate. enable solutions in the short time. I am aware it is not a popular
Does it actually matter if the goal is mainly do seed opinion, but I really think that we are still in the very early stage
controversies? of blockchain applications. It is their first iteration, and in my
Indeed, the veracity of the info is not necessarily of the utmost opinion, a lot of their potential has been squandered through
importance, as we are drowning anyway in real information as scams and get-rich-quick schemes. Currently, I see it as a
well as in fake news. For the time being, it is hard to see clearly neo yuppie culture for 21st century Gordon Gekkos. There is
what is happening in the cyberbattle of the Ukraine war, as there potential, but I expect it will realise in a decade rather than in
are many disparate actors with different interests. The dust is years.
still up in the air and it has to settle first. We are still in the fog of
war. Going back to the Ukraine war: there were cyberattacks on
infrastructure, but not as many as expected, right?
Who can be behind these hacks? Ukrainian military or Yes. The impact of disrupting a hospital or power plant in peace
hackers? International hackers? The group Anonymous? time is much, much more visible than during a war where so
Hard to say. It’s a conflict zone, so state actors or state- many of them are being bombed anyway. It is often cheaper to
sponsored actors might be involved, of course. fire a cruise missile on a target than to hack it. Bombs still work.
Many specialists view cyberattacks as a weapon for peacetime
You have been a soldier yourself. Do you think details on rather than for wartime. It provides a way for state actors to
soldiers should be protected by the Geneva Conventions? engage with each other without getting on the battlefield.
As usual in war: it depends on whose side you are… You will
consider such a leak as being OK if it comes from your side,
and as a terrible thing if it is from the opposite one. I would say
it is more or less within the standard rules of engagement,
as the concerned soldiers will probably not directly suffer
from the leaks once back in Russia. I do not think it amounts
to humiliation or torture, which are forbidden by the Geneva
Conventions. In a war’s context, I think such leaks are not as
significant as people thought they could be. It is yet another
information added to the sediment pile… It is a bit like spam and
scam emails. You receive so many of them every day that you
quickly become immune to them.

How do you view the role of fake news?

They are very cheap to fabricate and might be even more
efficient than genuine news, because you have to spend more
energy and resources evaluating and filtering them. I think the
ability to verify information, its credibility and accuracy, is going to
become more and more valuable and, consequently, expensive.
The key is not anymore to have access to information or even
to analyse it, but more and more to find information that is
verifiable.

Can blockchain technologies help authenticate

information, despite their massive energy use?
Protocols such as proof-of-stake will massively decrease their

14 15
 INTERVIEW FOCUS N°3
“Properly define what
is the problem before
you start working
on a solution”
Wouter Lueks
Postdoctoral researcher at the Security and
Privacy Engineering Laboratory, EPFL How can you authenticate aid recipients without storing
their details? EPFL computer scientist Wouter Lueks
is developing privacy-preserving systems for the
International Committee of the Red Cross.
Why is identification so important in a humanitarian
context?
We in the West tend to forget that many people around the
world do not possess an ID card because they have lost it or
never got one. Some authorities refuse to issue documents to
certain population groups to avoid legitimising their presence.
Humanitarian organisations must make sure that their aid –
such as food or health services – reaches those most in need,
but this process is not always perfect. Aid theft can occur
if someone impersonates a legitimate recipient in order to
receive their aid. There is also a risk of duplicate distribution
where an individual registers several times to receive more aid
than they are supposed to get. I am not judging such situations:
if you have lost all your possessions and must provide for a
hungry family, you might be tempted to get twice the food if you
see an opportunity.
There is also a growing pressure from donors supporting
humanitarian organisations for increased accountability and
processes to prevent fraud. This seems like a legitimate
demand, but satisfying it might intensify the collection of
vulnerable people’s data. And humanitarian organisations, such
as the International Committee of the Red Cross (ICRC), take
protecting the privacy of the people they help very seriously.
What are the dangers of humanitarian data leaks?
Data should only be available for the intended use, in this case,
providing aid to vulnerable people. If it is leaked, it might be
employed in a totally different context. Think for instance of
immigration authorities, which could automatically tag refugees
coming from certain regions, or of people who worked with the
U.S. army in Afghanistan and whose data might have fallen in the
hands of the Taliban.
One direction that humanitarian organisations are exploring
to increase accountability is using biometrics – physical
characteristics such as fingerprints, iris scans or the vein
patterns of the hand or forearm – to identify aid recipients.
Biometrics are very hard to duplicate, but the big drawback is
that resetting a leaked biometric ID is impossible, as one simply
cannot get a new set of fingerprints,
In addition, aid recipients might not be in a position to give
informed consent to the use of their biometrics. Not only
because they might lack the awareness of the related risks,
but also because no one is really free to choose when needing
food to survive. This is why the ICRC has a very strict rule: never
create any central database with biometric data.
 INTERVIEW FOCUS N°3

What solution are you developing with the ICRC?
We are designing systems for aid distributions that provide
accountability while protecting privacy. One avenue we are
pursuing is based on a smart card that stores biometrics
information. The latter can then be verified in a decentralised
manner at the distribution point, without the need of a central
database storing sensitive data. This removes the risk of a
hack that would compromise the biometrics of thousands of
aid recipients. Physical smart cards can be stolen, true, but
obviously not on the same scale.
A second proposal is to work with smartphones. This could work
in a region like Ukraine, but certainly not in many places where
electronic devices are not widespread.
How does the accountability part work?
We found out that detailed transaction records are not
necessary to prevent fraud. For instance, the number of aid
packages correctly distributed in one region within a given
period can be recorded without names or specific times.
Auditing aid distribution is about balancing the books: checking
if the amount of aid delivered corresponds to the amount of aid
requested by the population.
In our system, the smart card signs anonymised transactions.
These provide an unfakeable record of the goods that were
distributed, allowing audits without leaking personal data.
What other insights did you get?
That the time needed for an ID check matters on the ground. A
simple printed list with recipients can be a safe method from a
privacy perspective, but it can take a few minutes to use. This
can create a line of a hundred persons, which might attract the
attention of authorities or rebel groups who do not welcome the
work of the ICRC in their region. Speed is therefore important for
safety reasons.
How far are you in the process?
We have the cryptographic design and mathematical proofs.
The next step is to circle back to the ICRC and validate it. When
designing a system, you always make choices. They might
challenge us to make different choices.
Many other industries would have use for systems allowing
to audit transactions without compromising privacy.
Yes, but I am not sure that our system could be readily adapted
to another environment. Because the specifics and the context
of an application really do matter, especially regarding privacy.
This is why so many designs allowing for easy generalisation in
other contexts are often not really privacy-preserving. We want
to do better.

So you need technology that works not only here at EPFL,

but also in the field.
Exactly. This is why we spend really a lot of time discussing
with the people who need a solution and are going to use it. We
have been meeting regularly with ICRC staff: delegates working
in the field, program managers, data protection officials … I am
incredibly grateful for their time and I have only admiration for
them and for their work.
These discussions make up a very important stage in building
an application. You have to really understand the needs and
limitations related to the environment they will be used in. We
quickly realised that any solution based on exchanging data will
not work in regions where internet access is lacking, slow or
unstable. You need to listen very carefully, but also ask critical
questions to get to the bottom of things. The most important is
to define properly what is the problem to solve before you start
working on a solution.

18 19