Wednesday, November 30, 2011

UN Server Hacked

The hacker group TeaMp0isoN (Team Poison) compromised a United Nations Development Program server and released a collection of email addresses, names and passwords to the Internet today. BBC news story is here. The list of the accounts, as originally posted by the hackers, is here.

UNDP is downplaying the security breach, saying the server was old and didn't contain current information. This is rather disingenuous, as surveys have shown most people use the same password over and over again for various accounts. If you worked or work for UNDP, it would be prudent to check the above link to see if any of your login information was compromised. There are also email accounts for people from the Organisation for Economic Co-operation and Development (OECD), the World Health Organisation (WHO), the UK's Office for National Statistics (ONS), other UN agencies, and a variety of governments and organizations.

If you're on the rather lengthy list and have used your password elsewhere, now is a good time to start changing passwords before someone accesses your other accounts (if they already haven't).

The server hack is bad news, but equally as bad is the poor password security practices of the majority of users (first name as password, no password used, less than 6 character password, all lower case password, etc.). This is a big fail for the IT staff in not ensuring strong passwords are used (a simple and automated process), a big fail for managers if they didn't educate staff and have policies about using strong passwords, and a big fail for users who should know better.


Wednesday, November 23, 2011


If you read my post on Dieter Rams, you might correctly guess that design philosophy and theory influences my approach to NGO safety and security. Industrial design has changed quite a bit since Rams' time and is no longer just about conceiving and creating products. Designers are branching out into organizational and service design, and using their skills to tackle complex social issues.

One of the best Web resources on design is Core77, the Net's oldest online magazine; it's been around since 1995. You'll find lots of interesting and informative news stories and articles with some very insightful essays by "names" in the design world.

If you're still thinking that design is only for creative types and really doesn't apply to the humanitarian space, there have been a flurry of Core77 articles over the past month that may change your mind.

Dave Seliger wrote a four part series entitled "Redesigning International Disaster Response." Part I - The Players, Part II - The Challenges, Part III - Looking to the US Military, and Part IV - Current Innovation.

Panthea Lee also kicked off a seven part series aptly named "The Messy Art of Saving the World" that will focus on design in the context of development work.

This is good stuff. Check it out. Expand your brain and start thinking outside the conventional humanitarian security box.


Tuesday, November 22, 2011

Question of the day

Does your organization have staff members who are disabled (having a physical or mental condition that limits movements, senses, or activities)? If so, do your safety and security policies, procedures, and training take this into account?


Sunday, November 20, 2011

If Dieter Rams Did Security

You’ve probably never heard of Dieter Rams. He’s not a security guy and to the best of my knowledge he never worked for a humanitarian organization. But there's a good chance you know his work.

Rams was the head product designer for Braun from 1961 to 1995. He designed coffee makers, clocks, radios, razors, tooth brushes, and a host of other consumer products for the German company. His functional and aesthetic designs won him many awards and accolades. He also inspired several generations of industrial designers, including Apple’s Jonathan Ive, who credited Rams’ design philosophy for such iconic products as the iPod, iPhone, and post-1997 desktop and laptop Macintoshes.

Rams came up with 10 principles of good design that are widely taught in universities and are adhered to by product designers who appreciate his "less, but better" approach. Interestingly enough, these same principles can be applied outside of design to other disciplines - including humanitarian safety and security.

Here's my own take on adapting Rams' 10 principles for good design to the practice of NGO security (I’ve switched out the word “security” for his original “design" and added a bit of commentary).

Good security is innovative - Many NGOs fall victim to the “that’s the way we always do it around here” syndrome. Good security practitioners are intellectually curious, and look outside the humanitarian space, and even the broader security field, for new ways of better reducing risk. Innovation should constantly be sought, with an eye kept out for complacency so you can avoid it at all cost.

Good security makes a product useful - In this principle, Rams espoused that form follows function (usability should come before appearance). From a safety and security standpoint, this means ensuring that what you do is in fact useful for staff. All too often there's a tendency to implement policies and procedures, make recommendations, and give trainings without much thought given to the implications and whether it is indeed useful.

Good security is aesthetic - When it comes to safety and security, I don’t believe enough attention is paid to aesthetics. Simple things like using legible type faces and sizes in a report, minimizing the amount of text and number of bullet items in a PowerPoint presentation, ensuring a hazard warning in an office is large enough and easy to understand. You don't need to be an artist or graphic designer to think aesthetically; most everyone naturally recognizes good design. People appreciate aesthetics and it catches their attention; probably because there is so much bad design in the world.

Good security makes a product understandable - It’s essential that people know the reasons why security policies and procedures are put in place. If staff doesn't understand why you ask them to do something, there's less chance of compliance. There's also less of a chance of them creatively problem solving if they need to because they don't have a basic level of understanding about a threat or vulnerability.

Good security is unobtrusive - Ideally, safety and security should be part of an organization's culture and blend into the background. This principle also applies to maintaining a low profile for staff, vehicles, and office facilities in some contexts.

Good security is honest - Security for security's sake is not honest. For example, many security professionals feel that the TSA's airport passenger screening process does little to truly reduce a terrorist threat and is more "security theater" than anything else. Practicing good and honest security means always being frank and candid about issues with management and staff members.

Good security is long lasting - Good security seeks to be sustainable. That means weaving it throughout an organization's culture so safety and security practices aren't seen as separate but instead are viewed as part of the whole.

Good security is thorough down to the last detail - There’s an old Japanese saying that goes, “Matters of small concern should be treated seriously.” Pay attention to details! It's usually a cascading series of small events that eventually lead up to a serious incident.

Good security is environmentally friendly - I’ve only met a few security practitioners who think about environmental impact. People don't ask questions like: What’s the carbon footprint of international travel (can meetings or assessments be done virtually)? What happens to plastic water bottles after they’re used? Does it make more sense to use rechargeable batteries in a guard’s flashlight rather than disposable ones? Is a PDF version of a security manual just as effective as a printed one? Degrading the environment leads to human suffering. If you work for a humanitarian organization it doesn't make sense to be doing things that contribute to the problem.

Good security is as little security as possible - This principle has a Zen quality to it. You should be striving for Goldilocks "just right" security, which is just enough to get the job effectively done. It’s easy to go overboard (or underboard) on safety and security, depending on the situation, and you should always be mindful of that tendency.

For a great interview with Dieter Rams, not about security, including photos of his work, go here.


Saturday, November 12, 2011

U.S. Military Presence Increasing in Africa

The Guardian has an article about the U.S. military providing counter-insurgency training to Nigeria to combat the growing threat of the radical Muslim group, Boko Haram. The excellent Confused Eagle blog, which provides commentary and analysis on USG doings in Africa, has further details.

So let's see now. Last month it was announced 100 U.S. advisors were heading to Uganda to help deal with the Lord's Resistance Army (LRA). Past U.S. involvement fighting the LRA hasn't been exactly stellar. Three years ago the U.S. Africa Command helped plan Operation Lightning Thunder, a large-scale attack on LRA camps. Due to a lack of coordination between Ugandan ground and air forces, the raids failed, and hundreds of civilians were killed as enraged LRA units went into hiding.

Over in Kenya, the U.S. has been training the Kenyan military for quite some time. Border incursions by al-Shabab are almost certainly prompting covert U.S. special operations missions against the Somali Islamist group. U.S. drones, cruise missiles, and helicopters have already been used against targets in Somalia during the past four years.

Then don't forget about Camp Lemonnier, a large American base in Djibouti. And those new drone bases in Ethiopia and Seychelles that the Washington Post reported in September.

From a humanitarian security perspective, this expansion makes me uneasy. U.S. and Western military actions in Iraq and Afghanistan didn't exactly win hearts and minds, and in the process, many Western NGOs and their staffs were put at greater risk. If your organization is doing work in Africa, you should be paying attention to any early signs of local fall-out from U.S. military actions; and adjusting your security measures accordingly. While acceptance is a powerful strategy, history has shown it can be trumped by perceived guilt through association.


Sunday, November 06, 2011

DigitalGlobe FirstWatch

I'm a self-admitted geospatial junky. I've always had a thing for maps, aerial photos, and satellite imagery and feel that anyone practicing humanitarian safety and security should have a basic grasp of common geospatial tools such as GPS, Google Earth and ArcGIS (as well as old-fashioned paper maps and a compass).

One of the big players in the commercial geospatial business is DigitalGlobe. The US-based company has a number of its own high-resolution imaging satellites in orbit; if you've ever used Google Earth, you've seen some of their satellite imagery.

DigitalGlobe has long worked with the humanitarian community, providing digital images for relief and emergency work through its FirstLook service. A couple of weeks ago the company added a new service to its product portfolio called FirstWatch.

FirstWatch provides rapid analysis and reporting. When a natural or man-made disaster occurs, DigitalGlobe begins collecting new imagery from the affected region. The company's analysts then review the images, and within hours after the event occurs, produce reports that give an initial and accurate sense of the disaster's magnitude. Evidence of structural damage, infrastructure failures, changes to the topography, flood water depth and other potentially life-threatening elements are identified. This information allows organizations and agencies to quickly assess the situation and formulate response strategies and plans.

I can't emphasize enough the importance of good analysis. You can have the most up-to-date, real-time imagery available, but if you don't know how to fully interpret what you see, its value is greatly diminished. Imagery analysis is both an art and a science, and following a large-scale, critical event, you want a trained analyst examining the data and telling you what it means so you can make good decisions. It's nice to see DigitalGlobe offering this capability, as this skill set is typically not found within NGOs.

Most humanitarian organizations are averse to using the term "intelligence" because of perceived connotations with government spying. Semantic sensitivity aside, if you start using satellite imagery you'll undoubtedly run across the acronym GEOINT. That stands for "geospatial intelligence," which is a hot buzzword in government and corporate circles these days.


Wednesday, November 02, 2011

Interview: Christine Persaud on Gender and NGO Security

Gender issues in humanitarian safety and security tends to be overlooked by many organizations and practitioners. One of the leading voices in this area is Canadian security advisor Christine Persaud. Christine started her humanitarian community career nearly ten years ago, with Médecins Sans Frontières in Chechnya and Daghestan. Since then she has worked internationally, providing consultation and training on a range of safety and security issues for large non-profit organizations and government agencies (American Red Cross, CARE, CIDA, Save the Children, and USAID, to name a few). In this interview, she shares some of her experiences and insights on gender and the practice of humanitarian security.

I appreciate you taking the time to chat, Christine.

Thank you for the invitation. Before we get started though, I'd like to reference two definitions from the Inter-Agency Standing Committee's (IASC) Gender Handbook.

Gender refers to the social differences between females and males throughout the life cycle that are learned, and though deeply rooted in every culture, are changeable over time, and have wide variations both within and between cultures. "Gender," along with class and race, determines the roles, power and resources for females and males in any culture.

Gender-based violence (GBV) is an umbrella term for any harmful act that is perpetrated against a person’s will and that is based on socially ascribed (gender) differences between females and males. The nature and extent of specific types of GBV vary across cultures, countries and regions. Examples include sexual violence, including sexual exploitation/abuse and forced prostitution; domestic violence; trafficking; forced/early marriage; harmful traditional practices such as female genital mutilation; honour killings; and widow inheritance.

That's good for level setting, thanks. So my first question is, as a female, what have your biggest challenges been in performing NGO security work?

Safety and security work, NGO or otherwise, remains mostly a male-dominated field — usually because of the gender roles perceived to be associated with security management. This sometimes creates, as you may imagine, gender-related challenges. Some individuals see females as weaker and as an easier target for criticism of their work and recommendations. These same individuals tend to second-guess women, regardless of their skills and experience. This is difficult because right away, there is a sense that a woman must prove something to validate herself and gain acceptance as a female safety and security advisor.

Since there are more male security workers than females, I am sometimes greeted with skepticism by field staff (men and women both). On these occasions it takes effort to have others recognize who I am. Usually, once they get to know me, they open up and become incredibly receptive and realize I am fully competent to do the job. But, I should never feel the pressure of having to prove myself in the first place.

Of course sometimes cultural nuances are present and there are certain situations that are considered off limits for a female security advisor. I try to recognize this ahead of time and work accordingly. I never want to cause harm because of my presence.

While I don't want to stereotype, what differences do you see in how female humanitarian security practitioners do their jobs compared to their male counterparts?

There aren't many female security practitioners like myself who deploy to conduct security assessments. You will more often find women as security desk officers, researchers or trainers. There is a role and importance for all. Women who perform security in the field such as Beverly Aisha Toomer, have really worked hard and devoted themselves to the job and have assumed incredible roles in security management. I really appreciate their approach, experience and commitment.

As for the differences between male and female approaches, I can only speak for myself and say that in theory, there shouldn’t be too much difference. The notion of cultivating acceptance and interfacing/connecting with various actors is very important to me. I think being a female has enabled me to have more access to the most vulnerable groups — humanitarian personnel and beneficiaries. I also don't want to stereotype but I do wonder if women use more intuition, discussion and consultation — although I have some male colleagues who are very sensitive and intuitive.

Gender is often overlooked in humanitarian organization security practices. Could you explain why we need to be more aware of gender when it comes to security planning?

Gender can make individuals further vulnerable and it must be considered in security planning. Gender Based Violence is pervasive all over the world in all cultures and societies. Some types of programming could and do cause greater harm to vulnerable staff and beneficiaries in situations where they are put at risk. In humanitarian organization security, this point is often not well considered and gender barriers to reporting and acknowledging increased risk exposure may be pushed away because of fear.

It is also important to understand and accept the cultural and religious gender issues that are imperative to each individual staff member. For example, there was a situation in Darfur, where a female Muslim national staff was made to share a house with male staff at a field office location. This woman was not from the area, and living with male personnel brought shame and insecurity in the eyes of the community and to herself. The organization's Country Director had complete disregard for the situation and in planning to better accommodate the needs of many of its national female staff; including providing better security systems at residences. In this case budget took precedence over fundamental respect for religious cultural and gender roles. Another area of concern includes the dynamics of sexual exploitation and abuse perpetrated by aid workers against beneficiaries and often by international male staff members upon national female staff.

We must consider the fact that staff members are from all over the world and each has their own notion of gender roles. This variation in even basic comprehension of what constitutes Gender Based Violence (GBV) can seriously exacerbate situations and sensitivities.

I recall doing an office evacuation drill once where the women's traditional clothing really impacted their ability to quickly exit the building. I'm embarrassed to say, it didn't even occur to me that would be an issue. Have you had any security experiences where something gender-specific surprised you?

I remember a case in Sri Lanka where an NGO’s female staff members were being sexually harassed every time they passed an SLA checkpoint. This harassment was even worse when they were driving motorbikes. Getting around in motorbikes was the primary transportation means for this NGO. Unfortunately, none of female staff had communicated they were being subjected to daily harassment and sometimes even assault. I was surprised and fortunate that they opened up to me about these incidents during a focus group discussion. This had been going on for some time but they never mentioned it to management. This highlights two issues: lack of incident reporting and the fact that program delivery increased their exposure to GBV. Once apprised, I facilitated ways to avoid future incidents.

You've worked in a number of different countries, including many conflict zones. As a whole, do you think women staff members look at safety and security differently than their male co-workers?

In general, and to varying degrees, I have found some men can be slightly more cavalier about security simply because they haven’t experienced gender inequality and the increase in vulnerability to GBV. This attitude could also come from the cultural norm that men are assumed to be protectors and shouldn't show weakness or fear. In other situations, women take greater personal risks in deciding to work for humanitarian agencies and can easily become targets (especially in very strict contexts where females are oppressed). However, at the end of the day, it comes down to the individual and his or her acceptance and understanding of security.

From your experience, which countries have a high risk of sexual assault among female humanitarian aid workers?

GBV is driven by context — society, culture and religion. Staff members may suffer GBV but most often, do so in their own private lives, often hidden from others, especially co-workers. I cannot say for sure which countries have a higher risk of rape or sexual assault. The statistics don't really matter as sexual assault — as we all know — is hugely under-reported. You can just assume it is prevalent everywhere.

I don’t know why, but there is one situation that has always pre-occupied my mind and that is how the conditions in Banda Aceh deteriorated over time. With an influx of foreigners in an otherwise closed area before the Tsunami, some of the local men had pre-conceived ideas of what western women were like. During the later phases of emergency response and reconstruction there were increasing incidents of harassment, assault and rape against international female staff and female staff from Jakarta. I myself experienced sexually inappropriate comments and advances. What was also starting to happen, was the increased exercising of Sharia law (in response to exposure to western culture). This became a factor that lead to an alarming increase of incidents of GBV against local female staff working for INGOs. This is a very specific example of the impact of presence and of the gender-specific risks that exist and need to be anticipated.

What are some ways to mitigate the risks?

Better security risk assessment and analysis, for one. Acknowledging that different gender groups have different needs and vulnerabilities depending on the specific context. Taking the time to talk and look deeper into day-to-day situations that may put others at further risk is important. This should be understood for both security management (staff security) and program design (beneficiary security). We tend to prioritize the flashy threats such as kidnapping or terrorist attacks. But in reality, life threatening GBV incidents are more frequent. We also want to assert that standard operating procedures and contingency planning are gender neutral. But that's not the case. In order to better reduce risk, we must consider the nature of gender-specific risks and vulnerabilities within specific situations. Specifically, we can achieve this through having a balanced perspective reflected in security assessments which identify context-specific gender risks. The goal is better mainstreaming gender in security management. We also need to promote compliance of agency-wide internal policies of intolerance to all GBV.

When we talk about gender security issues, there's a tendency to focus GBV. What other issues should we be aware of?

We should be aware of sexual exploitation and abuse, intimidation, inappropriate sexual comments, gender inequality and inequity in work and pay. We need to be aware of how our programming and operations can put certain individuals further at risk. And finally, although it often is associated with GBV, we should be aware of supporting personnel who are suffering from domestic abuse.

What can humanitarian organizations be doing better in terms of gender-related security?

Start right from needs assessment and program design — consult with women and girls — consider how programming and carrying out programming may increase vulnerability. We need to listen better and not assume. We need more opportunity to address gender and security without fear of it as a taboo subject.

What advice can you give male humanitarian workers to become more aware of and sensitive to gender-related security issues?

Try to be more compassionate in understanding that women and girls sometimes encounter more challenges in all aspects of their lives. This is situation dependent of course, and I am generalizing. But try to see things from their perspective and then anticipate what may pose more of a challenge and risk. It really comes down to treating all persons, men, women, boys and girls, with the dignity and gender equality they deserve.

Any closing thoughts?

I would really like to stress the following messages. Gender specific threats relate to and concern both women and men. All of the assessment, considerations and planning we do must address both gender groups and their exposure to risk. This can be complex as gender roles are very context dependent, being defined by such factors as individual behavior perceptions, accepted levels of interaction between males and females, association with Western NGOs, and cultural expectations. In addition to this deeper understanding, there are practical measures. Incident reporting data should include gender and be accounted for in analysis. Gender-specific risk should be incorporated into training. We are not doing as good of a job incorporating gender into security management as we do with other issues. But I believe with greater awareness we can change that.