Updates from the Field

Information Security – Responsibility and Accountability

By | Training, Updates from the Field | No Comments

On behalf of all those involved in security generally, and information security in particular, may I be the first to say, ‘thankyou very much’ to those Members of the British Parliament who insist on using weak passwords contrary to best practice. If true, you provide yet another example for us to use in our presentations and training on the topic. But if these initial indications are correct, and British MPs have compromised their own and their Nation’s security by not following simple instructions, will they be sacked? Where will the buck stop?

Photo courtesy of The Guardian

[British MPs have also given Western citizens another reason to doubt their governments when in the context of debates on data retention these governments seek to reassure their citizens their information is safe with the government. But this is the subject of a different post.]

Who Did It?

Of course everyone is pointing their fingers at the Russians and North Koreans. I have my money on a spotted youth operating out of Dad’s shed taking a break from trading Bitcoins to have a crack at the Houses of Parliament – just because he can. I amuse myself by believing British Members of Parliament exercise more discipline when using public WiFi after reading my post on the topic here, and let their guard down in the office. They probably think someone else is looking after their security for them.

This would be a distraction. Even if it was a foreign government, it is their role to spy on the UK government, as it is Britain’s to spy on others. Accordingly it is the role of British MPs to both do their bit for collective security and set an example for others by not getting caught with their pants down.

Your Emails are More Interesting Than You Think

More seriously, for those in the Humanitarian and Development sectors delivering essential programming support in areas riven with conflict; Somalia, the cholera response in Yemen, the vast numbers of displaced across West Africa (Boko Haram being just one of many causes), Afghanistan, and any kind of humanitarian programming in Syria or Iraq there is a lot of interest in your email accounts and servers to parties to the conflict.

How much money are you spending? Where does it come from? If doing remote programming in Syria, who are the local staff you are employing? How and how much are you paying them? What information are they providing? All of this information and more is contained in the email traffic of Country Directors, Heads of Programming, Heads of Finance, Security Focal Points and others.

We are reminded that security is everyone’s business, and this is especially the case for information security. The days of believing you can just ‘do your job’ and leave safety to the driver, security stuff to the security bloke and IT stuff to the IT guy are long gone. We all must work together.

Responsibility and Accountability

It is early days in this British investigation. Let us assume the smoking gun is pointing in the right direction and the accountability for this vulnerability remains with MPs failing to follow simple procedures. Will the British Prime Minister do us all a favour and immediately sack or severely sanction those MPs who have put their own and their nation’s security at risk by being lazy?

What a great example that would be!

(Main photo courtesy of MapAction operating in Tacloban after the 2013 hurricane.)

If there are any questions arising from this post, please do not hesitate to do so in the comments section below. You are also invited to sign up for email notifications of future posts on this site.

RM4HD Email Subscription Form

Please enter details below.

Trading Development for Security: A Faustian Pact

By | Travel Safety and Duty of Care, Updates from the Field | No Comments

The author did three contracts in Afghanistan in Security Risk Management roles. One for the UN, one for a Faith Based INGO and the other for a government owned development organisation. Opinions expressed below are his alone and do not derive from official policy of his former organisations.

Weaponising Development Assistance

The situation is not close to normalising in Syria. Well in advance of whatever tenuous peace will be agreed upon eventually, we can be nearly certain there will be ongoing state and non-state interference. It will remain a hazardous place for INGO staff, and will continue to be viewed as a source of potential extremists keen to inflict damage in European, American, Australian etc cities. In a triumph of hope over experience, it can be reasonably predicted that the usual suspects (USAID, DFID, EU, DFAT, CIDA) will be throwing vast sums at development organisations to ‘do stuff’ in Syria with a view to reducing the security threat back home and perhaps even encouraging refugees to return to their homes.

The ultimate strategic risk management failure of the last two decades within the Humanitarian and Development sectors is the mis-allocation of aid spending towards security objectives, with the willing participation of INGOs, the UN and for-profits. The evidence is clear from Iraq and Afghanistan (and other smaller, lower profile examples) that when one funds development projects for security objectives, one achieves neither development nor security. Are we going to learn the lessons from the past, or enter into Faustian Pacts all over again in Syria?

A Pact with the Devil (a deal with the Devil or a Faustian bargain), is an agreement with Evil, in the form of the Devil, often (as in the story of Faust) with the paradoxical intention of achieving a higher Good that is otherwise obstructed. The nature of an agreement is a risky accommodation, so at the crux of objections to such a thing are questions–what has the person making the agreement traded to the Devil; can the person avoid being trapped or corrupted; does the agreement strengthen the Devil; is the greater Good compromised, and still unachievable?

Faust’s pact with Mephisto (about 1840), by Julius Nisle.

These failures are expensive. As this report from 2013 describes, the situation was no better in Iraq (noting this was written before the advent of ISIL/ISIS) and evaluates the wastage at US$60b. When wastage is rounded off to the nearest billion, AND there is barely any improvement in development AND the security situation is demonstratively worse, tax-payers would be forgiven for succumbing to populist appeals to slash aid budgets. And it is now 2017 – those numbers would be much higher by now.

Implementing for the government donors were UN/INGO/for-profit/faith-based and government owned development organisations implementing the ‘Build’ phase of now discredited COIN (Counter-Insurgency) strategy; namely Shape, Clear, Hold, Build. Organisations were achieving multiples of their usual global turn-over in Afghanistan alone. Hundreds of smaller organisations were created to hastily implement projects for USAID, DFID, AUSAID, CIDA etc etc. The sector professionalised and grew, careers were made, and organisations greatly expanded. While the money flowed Iraq and Afghanistan were becoming more secure and developed. The Faustian Pact held.

But it did not last, and look at where Syria and Iraq are now. How are INGOs perceived now compared to before 2003? To paraphase Sarah Palin, ‘How’s that impartiality and neutrality stuff going?

With the benefit of hindsight it is easy to criticise the organisations responsible for taking the money and tipping so much fuel onto the fires of Afghanistan and Iraq. But now we know better. As a result of poor risk assessments, poor planning and greed, the sector has a serious credibility crisis. Concepts of neutrality and impartiality are almost gone and now we must think ahead to how donors will understand the problem in Syria. What will belligerent donor governments do next? How much will they spend?

Why do major donor governments do this, and what does this mean for the rest of us?

Governments – or at least the well-intentioned apparatchiks working within them – are not malicious. They honestly believe a ‘Whole of Government’ or ‘Comprehensive Approach’ to complex problems  will reduce duplication, provide clearer policy formation and result in a higher impact. Better ‘bang for the buck’. And because fewer and fewer OECD governments actually do anything, much of the implementation for the aid component is outsourced to for-profit or not-for-profit humanitarian and development organisations. In their minds it is a clear win-win. So we can’t always just blame the bureaucrats and let off the hook the seasoned veterans in the humanitarian and development sectors who willingly went along with it.

The result is a dramatic contraction of humanitarian space. As Laurent Saillard argues well;

Most NGOs and UN agencies forgot or refused to even consider that they were in fact actively participating in the implementation of the Counter-Insurgency Strategy supported by the coalition, and that this could be the main cause of the increasing challenges their were facing. It was easier to blame armed actors for their involvement in activities traditionally implemented by aid agencies than to look critically at what the aid community had become in the Afghan context. The underlying issue had in fact little to do with the involvement of armed actors in aid delivery. On the contrary, it was the new role of the aid community and its ambiguous – not to say schizophrenic – behaviour that were responsible for how humanitarian actors in the country were now being perceived.

Don’t misunderstand me – not every donor inspired project in a complex environment is necessarily a [very] slow motion train wreck waiting to happen. There is wheat among the chaff and it is here and at this point that INGO/UN/Development organisation staff, staff families, the general public, private donors and above all beneficiaries need to retain their faith in the senior leadership group of their organisation to approach the ‘funding opportunity’ carefully.

Before committing the organisation to its next extended period of safe rooms, HEAT trainings, car-bombs, burn-out and organisational reputation shredding, the board and senior management must ask themselves a few questions. Among many others:

  • What is the Humanitarian or Development (not security/political) problem for which the proposed intervention is a solution?
  • Is the proposed Project SMART*?
  • Are we good at operating in complex emergencies?
  • Let’s pause to remind ourselves of our Mission, Mandate and Values, and ask: do the proposed project delivery methodology and outcomes conform?
  • Who has an interest in project success, and who has an interest in project failure?
  • Is the proposed donor a belligerent in any conflict, and does this project support their security objectives?

*Specific – target a specific area for improvement.
Measurable – quantify or at least suggest an indicator of progress.
Achievable – state what results can realistically be achieved, given available resources.
Responsible – specify who will do it.
Time-related – specify when the result(s) can be achieved.

Two Challenges: Rising Aid Skepticism and Rebuilding Syria

With aid budgets everywhere under ever more scrutiny, and the politics within donor nations moving towards populism, the ‘Aid Industry’, or the ‘Aid-Industrial Complex’ must look deep within itself to maintain its popular legitimacy and viability. Humanitarian and development professionals can no longer rely upon a steady stream of funding for a sector that is supposed to be working towards its own redundancy. It clearly isn’t.

Secondly, it is a matter of time that the situation will evolve in Syria so that it will be considered safe enough for the larger INGOs and UN Agencies to set up offices, locate expat staff there full time, and throw themselves into the humanitarian, development, economic, cultural and environmental catastrophe that is Syria. We all wish them and the Syrian people well in what will be a long and challenging task. The bulk of the millions they will be receiving will be donor funds from the usual donor nations and multi-lateral organisations with an eye to political outcomes associated with mass migration and terrorism. We know this.

This is not necessarily a bad thing. Organisations need to start preparing for the inevitable Faustian Pact now in order to be ready for the quick risk assessments that must be conducted prior to accepting donor funds from belligerent nations in Syria. SMART, once again:

  • Specific – Not a generally worded motherhood statement describing all and nailing down nothing. What exactly must the project achieve?
  • Measurable – Would a terror incident back in the home country reflect poorly on project outcomes? If local projects are successfully implemented, and refugees keep moving, is the project a failure?
  • Achievable – Are the time, scope and costs allocated for this project realistic
  • Responsible – Do we have the skills, and are we shouldering responsibility for outcomes for political and security outcomes?
  • Time-related – When will the project be finished, and what does ‘finished’ look like?

Many projects will be well designed and employ donor funds to unambiguously work with host communities to rebuild shattered lives. The Projects will be SMART, be preceded by comprehensive Risk Assessments with Mission, Mandate and Values at the core, and have a defined end-point. Others will not.

We hope the senior management of government donor organisations learn from recent history and resist the clarion call for ‘Whole of Government’ responses this time around. And if they fail we entrust the senior leadership of the larger humanitarian and development organisations to approach ‘opportunities’ to ‘fill the pipeline’ in Syria with a Risk Management approach. Millions depend on you to get it right.


If there are any questions arising from this post, please do not hesitate to do so in the comments section below. You are also invited to sign up for email notifications of future posts on this site.

RM4HD Email Subscription Form

Please enter details below.

Duty of Care

By | Travel Safety and Duty of Care, Updates from the Field | No Comments

Update March 28, 2017: The United Nations peacekeeping mission in the Democratic Republic of Congo, MONUSCO, confirmed on March 28, 2017, that the bodies of Zaida Catalán, a Swede, and Michael Sharp, an American, were found by UN peacekeepers near Bunkonde in Kasai Central province on March 27.