Olivia Williams, a security specialist at Bramble Hub partner Apache iX (a small consultancy firm that we recently wrote about here), did not set out to become an expert in InfoSec (information security). In fact, after graduating in Italian and French, she was unsure what to do next, and eventually found herself working in current affairs at the BBC in London. It was there, working with the technology broadcaster Aleks Krotoski amongst others, that highlighted to her the value and world-changing power of digital technology.

Olivia – who happily admits she is not a city person - eventually tired of London, and in any case began wanting to use her skills in a way that would help people “in a more direct way”. With that goal in mind, she began to apply for jobs at emergency response organisations, and secured a role with an international emergency shelter NGO as a videographer.

Working in the humanitarian sector

“Before I knew it, I was being sent to all sorts of places – Malawi, Nepal, the Philippines. In 2015, I was sent to northern Iraq to help conduct vulnerability assessments and document beneficiary personal stories in refugee camps. During one operation during that deployment at an unofficial displaced persons camp in Iraq close to Mosul, it became clear that personal data and the inherent power it holds is exploitable and is frequently exploited. Being so close to the conflict-affected territories across that region made securing beneficiary data a vital topic of conversation, yet the humanitarian sector, particularly then, was not prioritizing data security and the necessary conversations were not really being had”.

Unofficial displaced persons camp, Iraqi Kurdistan © Olivia Williams

The intertwined topics of data security and data privacy were raised once again during a deployment to Malawi where Olivia assisted with the distribution of solar lights and filmed beneficiary stories for her NGO, as well as shooting content for Shark Tank [the US equivalent of Dragon’s Den]. “The Shark Tank team insisted we gain written consent from everyone we filmed, but I had to ask myself – how can we truly be gaining people’s consent if they couldn’t read the consent form, couldn’t write and in any case the consent form was written in English – a language no one in that particular village spoke. At that moment I felt, like I had before, that I was part of the exploitation problem”. It was this experience that led Olivia towards her Ph.D., which examined the realities of data security and data privacy in aid situations.

“protocols set by HQ don’t take into account the challenges of being somewhere with only 2G internet and one hour of electricity”

— Emergency field worker

“Based on experiences like this, where there was a lack of genuine consent, I became uncomfortable videoing people. I would take names and ages and explain as much as possible and often work through translators/interpreters, but I felt that, perhaps, people were just saying yes because they felt obliged. We gathered information about people – name, date of birth, ethnicity, political affiliation, religion etc. but we’d never had a discussion about how to protect these people’s data, nor could we explain to people exactly how their data would be used, stored or shared. I instinctively felt that privacy was important, and at that point I was doing the little I knew how to do to protect people’s data - hide an SD card under my mattress or under my insole. I wondered, “were my experiences an anomaly and was anybody having conversations about this issue?”

The human side of security

So, Olivia put forward a Ph.D. proposal and was offered a scholarship at American University in Washington D.C. with the aim of examining the following points:

What do aid agencies say they’re doing to protect data?
What do aid workers say that they do to protect data?
How are beneficiaries harmed by the differences between these two datasets?

Indeed, Olivia found numerous discrepancies between the two datasets. Of the 182 aid workers that she surveyed, most said that they ‘weren’t sure’ when she asked them to respond to the statement ‘NGOs are targeted by cyber threat actors’. “We have this prevailing and outdated idea that aid work is globally understood to be philanthropic, with good people doing good things. But increasingly, aid workers and the organizations they work for are viewed as political vehicles, so there’s a disconnect between the humanitarian world’s understanding of what it represents and the reality of what it represents to others. Many aid organisations lack the usual data security checks and balances for several reasons: for example, because of the emergency contexts in which they work which make enforcing policies and protocols very difficult, and due to high staff turnovers.”

Olivia’s survey also indicated that aid workers had a minimal understanding of cyber-attacks, and only a minority could define ideas like spear-phishing or eavesdropping attacks. This is particularly concerning given the emerging research showing that aid workers are specifically targeted. One response to Olivia’s study said “... our NGO was actively targeted by Russia, China, and Iranian cyber armies... we were informed of this by the FBI... it never occurred to [the management team] that maybe others who had things stored on their laptops… did not know how to [protect their data].”

Many aid workers found they were unprepared for the field environment. One respondent indicated that “... protocols set by HQ don't take into account the challenges of being somewhere with only 2G internet and one hour of electricity’ and ‘if the protocols are designed in a way that make frontline workers jobs harder, they're going to get ignored or circumvented”.

Another of the study’s findings showed that many aid workers used their own devices to collect data; and that among these people, only a very small minority deleted data once it was no longer needed. While most people would protect their digital devices using a PIN or other protection mechanism, more traditional devices – such as cameras and voice recorders were rarely protected. Since conducting her study, Olivia has found that encrypted SD cards are still rarely used.

How does this apply to the Defence sector?

Olivia’s work in the aid sector seems a long way from her role as a security specialist for Apache iX, which specialises in the UK national security sector. How is her Ph.D. work relevant in her current role? “I learned about the centrality of human behaviour in security, and the human predisposition to circumvent policies. Human activity and decision-making are still central to any organisation’s operations and approaching the cyber and InfoSec problem from a human-centric standpoint gives me a good awareness of security issues. My subsequent doctorate training in advanced cyber security methods also gave me the depth and breadth of knowledge to approach and interrogate any InfoSec problem. The expert and author Bruce Schneier put it well when he said: ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’”. Not to be satisfied with one Ph.D., Olivia is now working on her second: a study of information sharing between humanitarian organisations and intelligence agencies – an area that she describes as an ethical minefield.

What was it that drew Olivia to Apache iX? “I wanted to work in Defence and gain some very specific professional experience and I get to work on some pretty cool things... but I can’t say what they are! I’m very lucky as I’ve got great colleagues and work for a company who have brought together a team of people who aren’t judged solely by their Defence credentials but because they think differently, and that’s celebrated and encouraged. It’s a good place to be”.