Monthly Archives

May 2017

Minimising Public WiFi Risk

Categories: Book/Literature Reviews and Standards, Travel Safety and Duty of Care

For those of us living itinerant lives, constant connectivity while moving within and between countries is a necessity. We love our Free WiFi. Among friends and colleagues we discuss and recommend the relative merits of cafes and restaurants partially according to how reliable their free WiFi is. Whether adding the finishing touches to the final written pieces of the contract just completed, transferring funds between accounts to pay bills or onward flight tickets, emailing back and forth on a piece of work or a contact yet to be gained, or simply remaining in touch with family and friends, near constant email connectivity is essential to the modern professional within the Humanitarian and Development sectors.

But another truism is that most of this work is rarely conducted at ‘home’. Indeed, for those of us who base ourselves in places like Bali and Thailand, our office while ‘in between contracts’ is an obliging café where we do our work. These home base locations, or temporary ports of call, may have poor 4G or 3G connectivity. While in transit in hotels and airports we are grateful to find a free WiFi connection somewhere. It may not be fast, but it is enough to get stuff done.

But is it safe?

The Harvard Business Review is the most recent in a long line of publications to advise us against the use of public WiFi. I have summarised and expanded on their points below. They are right to warn us. They quote a Verizon cyber security report describing how ‘Man in the Middle’ and ‘Evil Twin’ attacks have been identified in an increasing number of hotels and public places, especially in Asia. These attacks are used to extract login and password data, steal information from laptops and other devices, and/or lay the groundwork for a far more elaborate and costly identity theft.

What Can We Do About It?

Because I live in Indonesia, where there are relatively cheap internet packages available on pre-paid phones, I minimise the risk of public WiFi access by not using it and tethering my phone instead. And when I must connect to a public WiFi connection, I do so via a VPN. I would recommend a paid one. I use Zen, but there are many more on the market. Please see here a recent review of Zen that compares it to others currently on the market. Please note I am not endorsing this product. But if it is simple enough for me to use then anyone can.

Another must is an easy to use Password Manager. Personally I use KeepAss (think, ‘Keep your arse safe’) and the password hygiene greatly reduces the risk of Man in the Middle and Evil Twin attacks. But there are many others on the market. Do your research to ensure the database is encrypted and it can be easily backed up to a USB and printed hardcopy (for secure storage elsewhere). Remember, in a man in the middle attack the thief is logging your key strokes to get your login and password details. If the password is an easy to remember one you use everywhere, like the name of your first pet, with Upper and Lower, numbers (eg, ‘Blacky123’) and the username is your email address you can be guaranteed that this combo will be tested on banks, Facebook, LinkedIn and other places where your identity and personal information can be hijacked. But if your password is Pj67$tHyfg&90dessTmb* it is clear in the mind of the thief that this is not a password you use for every site you access; you are using a password manager and there is no point attempting to apply that username/password combo on other sites.

How do these tools manage Risk? The VPN or WiFi avoidance method (ie, by tethering to your phone’s internet connection) greatly reduces the likelihood of being compromised by a thief. However, if compromised, the password manager will ensure that whatever Username/Password combo you use for the compromised site is not repeated for other sites thus containing the breach.
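The containment argument above, as an added example that is not part of the original post: a constructed list of accounts is checked for how far one stolen login reaches, first with the reused ‘Blacky123’ password and then with a unique generated password per site. The site names, usernames and function names are assumptions made for illustration.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault: (site, username, password). All values are made up.
REUSED_VAULT = [
    ("webmail.example", "sam@example.org", "Blacky123"),
    ("bank.example", "sam@example.org", "Blacky123"),
    ("social.example", "sam@example.org", "Blacky123"),
    ("airline.example", "sam.t", "Blacky123"),
]

ALPHABET = string.ascii_letters + string.digits + "$&*!#%"


def generate_password(length=20):
    """Random password from the OS CSPRNG, as a password manager would create."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def blast_radius(vault, compromised_site):
    """Other sites where the exact login stolen at compromised_site still works."""
    stolen = {(u, p) for s, u, p in vault if s == compromised_site}
    return sorted(s for s, u, p in vault
                  if s != compromised_site and (u, p) in stolen)


def reuse_report(vault):
    """Map each password used on more than one site to the sites sharing it."""
    sites_by_password = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[password].append(site)
    return {p: sorted(s) for p, s in sites_by_password.items() if len(s) > 1}


def with_unique_passwords(vault):
    """Same accounts, each given its own generated password."""
    return [(site, user, generate_password()) for site, user, _ in vault]


if __name__ == "__main__":
    managed = with_unique_passwords(REUSED_VAULT)
    print("reused vault :", blast_radius(REUSED_VAULT, "webmail.example"))
    print("managed vault:", blast_radius(managed, "webmail.example"))
    print("reuse report :", reuse_report(REUSED_VAULT))
```

The airline account does not appear in the blast radius because its username differs, but the reuse report still flags it: anyone who learns the username can try the same password there.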

Other basic and easy to implement precautions include switching off your Bluetooth and WiFi when not in use so they do not randomly connect to a network without you noticing, and using two-factor identification for sensitive sites like email and banking sites.

To summarise the tips given by the Harvard Business Review to reduce both the likelihood and impact of this threat:

  • Avoidance. Don’t use public Wi-Fi to shop online, log in to your financial institution, or access other sensitive sites.
  • Mask. Use a Virtual Private Network, or VPN, to create a network-within-a-network, keeping everything you do encrypted.
  • Complicate. Implement two-factor authentication when logging into sensitive sites, so even if malicious individuals have the passwords to your bank, social media, or email, they won’t be able to log in.
  • Verify. Only visit websites with HTTPS encryption when in public places, as opposed to lesser-protected HTTP addresses.
  • Switch Off. Turn off the automatic Wi-Fi connectivity feature on your phone, so it won’t automatically seek out hotspots.
  • Pay Attention. Monitor your Bluetooth connection when in public places to ensure others are not intercepting your transfer of data.
  • Avoid. Buy an unlimited data plan for your device and stop using public Wi-Fi altogether.
  • Obscure. Use a password manager, and get into the habit of changing passwords regularly.

This is not rocket science. Merely the 21st century version of locking valuables away in the hotel safe, not carrying all your cash and cards in the one place, not visibly flaunting wealth, and not changing cash on the black market.

If there are any questions arising from this post, please do not hesitate to ask them in the comments section below. You are also invited to sign up for email notifications of future posts on this site.


Trading Development for Security: A Faustian Pact

Categories: Travel Safety and Duty of Care, Updates from the Field

The author did three contracts in Afghanistan in Security Risk Management roles. One for the UN, one for a Faith Based INGO and the other for a government owned development organisation. Opinions expressed below are his alone and do not derive from official policy of his former organisations.

Weaponising Development Assistance

The situation is not close to normalising in Syria. Well in advance of whatever tenuous peace will be agreed upon eventually, we can be nearly certain there will be ongoing state and non-state interference. It will remain a hazardous place for INGO staff, and will continue to be viewed as a source of potential extremists keen to inflict damage in European, American, Australian etc cities. In a triumph of hope over experience, it can be reasonably predicted that the usual suspects (USAID, DFID, EU, DFAT, CIDA) will be throwing vast sums at development organisations to ‘do stuff’ in Syria with a view to reducing the security threat back home and perhaps even encouraging refugees to return to their homes.

The ultimate strategic risk management failure of the last two decades within the Humanitarian and Development sectors is the mis-allocation of aid spending towards security objectives, with the willing participation of INGOs, the UN and for-profits. The evidence is clear from Iraq and Afghanistan (and other smaller, lower profile examples) that when one funds development projects for security objectives, one achieves neither development nor security. Are we going to learn the lessons from the past, or enter into Faustian Pacts all over again in Syria?

A Pact with the Devil (a deal with the Devil or a Faustian bargain), is an agreement with Evil, in the form of the Devil, often (as in the story of Faust) with the paradoxical intention of achieving a higher Good that is otherwise obstructed. The nature of an agreement is a risky accommodation, so at the crux of objections to such a thing are questions–what has the person making the agreement traded to the Devil; can the person avoid being trapped or corrupted; does the agreement strengthen the Devil; is the greater Good compromised, and still unachievable?

Faust’s pact with Mephisto (about 1840), by Julius Nisle.

These failures are expensive. As this report from 2013 describes, the situation was no better in Iraq (noting this was written before the advent of ISIL/ISIS) and evaluates the wastage at US$60b. When wastage is rounded off to the nearest billion, AND there is barely any improvement in development AND the security situation is demonstrably worse, tax-payers would be forgiven for succumbing to populist appeals to slash aid budgets. And it is now 2017 – those numbers would be much higher by now.

Implementing for the government donors were UN/INGO/for-profit/faith-based and government owned development organisations implementing the ‘Build’ phase of now discredited COIN (Counter-Insurgency) strategy; namely Shape, Clear, Hold, Build. Organisations were achieving multiples of their usual global turn-over in Afghanistan alone. Hundreds of smaller organisations were created to hastily implement projects for USAID, DFID, AUSAID, CIDA etc etc. The sector professionalised and grew, careers were made, and organisations greatly expanded. While the money flowed Iraq and Afghanistan were becoming more secure and developed. The Faustian Pact held.

But it did not last, and look at where Syria and Iraq are now. How are INGOs perceived now compared to before 2003? To paraphrase Sarah Palin, ‘How’s that impartiality and neutrality stuff going?’

With the benefit of hindsight it is easy to criticise the organisations responsible for taking the money and tipping so much fuel onto the fires of Afghanistan and Iraq. But now we know better. As a result of poor risk assessments, poor planning and greed, the sector has a serious credibility crisis. Concepts of neutrality and impartiality are almost gone and now we must think ahead to how donors will understand the problem in Syria. What will belligerent donor governments do next? How much will they spend?

Why do major donor governments do this, and what does this mean for the rest of us?

Governments – or at least the well-intentioned apparatchiks working within them – are not malicious. They honestly believe a ‘Whole of Government’ or ‘Comprehensive Approach’ to complex problems will reduce duplication, provide clearer policy formation and result in a higher impact. Better ‘bang for the buck’. And because fewer and fewer OECD governments actually do anything, much of the implementation for the aid component is outsourced to for-profit or not-for-profit humanitarian and development organisations. In their minds it is a clear win-win. So we can’t always just blame the bureaucrats and let off the hook the seasoned veterans in the humanitarian and development sectors who willingly went along with it.

The result is a dramatic contraction of humanitarian space. As Laurent Saillard argues well:

Most NGOs and UN agencies forgot or refused to even consider that they were in fact actively participating in the implementation of the Counter-Insurgency Strategy supported by the coalition, and that this could be the main cause of the increasing challenges they were facing. It was easier to blame armed actors for their involvement in activities traditionally implemented by aid agencies than to look critically at what the aid community had become in the Afghan context. The underlying issue had in fact little to do with the involvement of armed actors in aid delivery. On the contrary, it was the new role of the aid community and its ambiguous – not to say schizophrenic – behaviour that were responsible for how humanitarian actors in the country were now being perceived.

Don’t misunderstand me – not every donor inspired project in a complex environment is necessarily a [very] slow motion train wreck waiting to happen. There is wheat among the chaff and it is here and at this point that INGO/UN/Development organisation staff, staff families, the general public, private donors and above all beneficiaries need to retain their faith in the senior leadership group of their organisation to approach the ‘funding opportunity’ carefully.

Before committing the organisation to its next extended period of safe rooms, HEAT trainings, car-bombs, burn-out and organisational reputation shredding, the board and senior management must ask themselves a few questions. Among many others:

  • What is the Humanitarian or Development (not security/political) problem for which the proposed intervention is a solution?
  • Is the proposed Project SMART*?
  • Are we good at operating in complex emergencies?
  • Let’s pause to remind ourselves of our Mission, Mandate and Values, and ask: do the proposed project delivery methodology and outcomes conform?
  • Who has an interest in project success, and who has an interest in project failure?
  • Is the proposed donor a belligerent in any conflict, and does this project support their security objectives?

*Specific – target a specific area for improvement.
Measurable – quantify or at least suggest an indicator of progress.
Achievable – state what results can realistically be achieved, given available resources.
Responsible – specify who will do it.
Time-related – specify when the result(s) can be achieved.

Two Challenges: Rising Aid Skepticism and Rebuilding Syria

With aid budgets everywhere under ever more scrutiny, and the politics within donor nations moving towards populism, the ‘Aid Industry’, or the ‘Aid-Industrial Complex’ must look deep within itself to maintain its popular legitimacy and viability. Humanitarian and development professionals can no longer rely upon a steady stream of funding for a sector that is supposed to be working towards its own redundancy. It clearly isn’t.

Secondly, it is a matter of time before the situation in Syria evolves so that it is considered safe enough for the larger INGOs and UN Agencies to set up offices, locate expat staff there full time, and throw themselves into the humanitarian, development, economic, cultural and environmental catastrophe that is Syria. We all wish them and the Syrian people well in what will be a long and challenging task. The bulk of the millions they will be receiving will be donor funds from the usual donor nations and multi-lateral organisations with an eye to political outcomes associated with mass migration and terrorism. We know this.

This is not necessarily a bad thing. Organisations need to start preparing for the inevitable Faustian Pact now in order to be ready for the quick risk assessments that must be conducted prior to accepting donor funds from belligerent nations in Syria. SMART, once again:

  • Specific – Not a generally worded motherhood statement describing all and nailing down nothing. What exactly must the project achieve?
  • Measurable – Would a terror incident back in the home country reflect poorly on project outcomes? If local projects are successfully implemented, and refugees keep moving, is the project a failure?
  • Achievable – Are the time, scope and costs allocated for this project realistic?
  • Responsible – Do we have the skills, and are we shouldering responsibility for political and security outcomes?
  • Time-related – When will the project be finished, and what does ‘finished’ look like?

Many projects will be well designed and employ donor funds to unambiguously work with host communities to rebuild shattered lives. The Projects will be SMART, be preceded by comprehensive Risk Assessments with Mission, Mandate and Values at the core, and have a defined end-point. Others will not.

We hope the senior management of government donor organisations learn from recent history and resist the clarion call for ‘Whole of Government’ responses this time around. And if they fail we entrust the senior leadership of the larger humanitarian and development organisations to approach ‘opportunities’ to ‘fill the pipeline’ in Syria with a Risk Management approach. Millions depend on you to get it right.

 

If there are any questions arising from this post, please do not hesitate to ask them in the comments section below. You are also invited to sign up for email notifications of future posts on this site.
