IRIN Gender

Conflict in Myanmar’s Rakhine State is escalating, while severe humanitarian restrictions and a sweeping internet blackout are squeezing both aid and information to a trickle, local groups warn.

Tens of thousands of people have been displaced in western Myanmar’s Rakhine State over the last year as clashes between the military and the insurgent Arakan Army trap civilians in the middle.

At least 17 students were injured last week when an artillery shell hit a school in a northern township, according to state-run media. The UN says there are near-daily reports of civilians killed or maimed, but aid access is curtailed in about half of Rakhine.

Rights groups accuse the military of committing war crimes that mirror army tactics used against insurgent groups or civilian populations on other fronts – including the military purge of more than 700,000 Rohingya from the state in 2017.

Local organisations say the conflict is reaching dangerous new heights away from public scrutiny: the government has imposed an internet blackout across nine conflict-hit townships in Rakhine and neighbouring Chin State.

“We are struggling to help civilians affected by conflict in Rakhine because of the dramatically increasing number of displaced people and a lack of access,” said Zaw Zaw Htun of the Rakhine Ethnic Congress, a humanitarian organisation based in the state capital, Sittwe.

How the conflict escalated

Fighting intensified in January 2019 after the Arakan Army, which claims to represent the state’s ethnic Rakhine population, attacked police outposts, killing 13 officers.

Following the attacks, the government vowed to crush the rebel group, labelling them as terrorists. The military has conducted so-called clearance operations in parts of Rakhine, confronting the Arakan Army near civilian areas.

Rights groups accuse the military of carrying out indiscriminate attacks, including using helicopter gunships, artillery, and mortar fire.

myanmar-rakhine-briefing_map_small.png This map shows locations in Myanmar’s Rakhine State, as well as the Rohingya refugee camps in neighbouring Bangladesh.

The Rakhine Ethnic Congress said at least 116 people have been killed and hundreds more injured over the last year – caught by mortar shelling, landmines, and other explosives.

UNICEF said there has been an alarming rise in child casualties, including a student who was gunned down outside his school in December as he and others fled the clashes. Landmines are also a growing threat in areas that were once uncontaminated: four children were killed in Buthidaung township in Rakhine’s north in January, and the state now accounts for a quarter of Myanmar’s landmine incidents, UNICEF said.

In separate reports last year, a UN rights probe and Amnesty International accused the military of indiscriminate attacks on civilians, arbitrary arrests, torture, and executions. They say some of the abuses could amount to war crimes.

The military has denied such allegations, instead blaming the Arakan Army for abusing civilians.

Both the UN and Amnesty investigations have also documented mistreatment of civilians by the Arakan Army, including abductions and forced labour.

The humanitarian fallout

Displacement estimates vary. The Rakhine Ethnic Congress says at least 106,000 people have fled the violence to displacement camps, or to live with relatives in nearby villages.

The government puts the number far lower, at 40,000, while the UN estimates 52,000 were living in 137 displacement sites as of early February – a tally based on reports from the state government and humanitarian groups.

Htun Aung Kyaw, a prominent Rakhine politician who also works with local civil society groups, said displaced civilians are living in plastic tents with inadequate hygiene, raising the risks of potentially serious illnesses like diarrhoea.

“What the government provides is next to nothing to meet what people really need.”

“Tens of thousands are in dire need of clean drinking water in most temporary displacement shelters, where water resources are drying up as the summer approaches,” said Htun Aung Kyaw, who is also a member of the Arakan National Party, which represents the ethnic Rakhine community in the state and national governments.

Displaced people receive about 300 kyats per person per day – about 21 cents – from the state government, Htun Aung Kyaw said, but it’s far short of meeting growing needs.

“Hundreds of children and especially pregnant women are suffering malnutrition due to insufficient food supply in the temporary displacement camps,” said Zaw Zaw Htun. “What the government provides is next to nothing to meet what people really need.”

Aid restrictions and internet blackouts

Humanitarian access has long been restricted in Rakhine over years of civilian crackdowns and ethnic tensions.

Today, eight of Rakhine’s 17 townships are off limits – or severely restricted – to most aid groups, according to the UN’s humanitarian aid coordination arm, OCHA.

In a statement to The New Humanitarian, the UN in Myanmar said numerous critical, life-saving programmes in these townships have been suspended or are subject to unpredictable interruptions, affecting tens of thousands of people.

In January, the US-based International Rescue Committee said it had ended a food and livelihood programme helping 56,000 people in two townships because the state government had barred them from working for the previous year.

”The permanent withdrawal of this support will exacerbate the needs of rural communities and slow their recovery from the ongoing conflict,” the IRC said in a statement.

*/

Read more → In a Myanmar village, a bamboo fence separates Rohingya and Rakhine neighbours

While aid access constricts, so too does the flow of information. Earlier this month, the government ordered telecom companies to shut down mobile internet in five townships, re-imposing a blackout that first began last June.

Local journalists and aid groups say the internet shutdown has made it strikingly difficult to get crucial information about conflict casualties and humanitarian needs.

Phadu Tun Aung, an editor at the Development Media Group, a local outlet based in Sittwe, said social media platforms like Facebook Messenger were a vital tool to source first-hand information. Now there are long delays especially when trying to get photos or videos, which must be copied and transferred by hand.

“We were not able to report news on civilian casualties,” Phadu Tun Aung said, citing a recent story in which villagers were injured in Rathedaung, a northern township. The news took more than a day to arrive.

“Many farmers, including my son, were detained by the military and tortured last year in June and now they are in prison for simply going to the paddy field.”

“This internet shutdown has added another level of challenges on top of the already existing humanitarian crisis,” he said.

Small local aid groups that rely on social media to solicit donations from the Rakhine diaspora have also been hit, said U San Htwe, a member of a community organisation in Sittwe.

Long-term worries: Food, education, and aid dependency

There are fears the conflict could trigger a wider food crisis. Local groups have reported that some 6,000 hectares of cropland were unharvested during last year’s May to October farming season due to fear of landmines, crossfire, and arbitrary arrests, according to Htun Aung Kyaw.

Maung Hla Thein, a farmer from Mrauk U township, north of Sittwe, told TNH in a phone interview that rice production in his area had dropped by about two thirds compared to a normal year.

“Many farmers, including my son, were detained by the military and tortured last year in June and now they are in prison for simply going to the paddy field,” Maung Hla Thein said. “Now, no one wants to risk their lives trying to cultivate rice.”

These trends could see the conflict spiral into a longer-term emergency, said Laura Haigh, an Amnesty International researcher.

“If people can’t get to places they rely on for their livelihoods, it’ll become beyond just a food security issue,” Haigh said. “They will increasingly rely on aid and assistance.”

“We want to be able to determine our own future and development of our region as well as to protect our own people.”

Zaw Zaw Htun of the Rakhine Ethnic Congress said that frequent displacement, the absence of teachers in conflict areas, and security fears have also forced many children to miss school.

Yanghee Lee, the UN’s outgoing special rapporteur for human rights in Myanmar, told TNH that the military has reportedly commandeered schools, using them to interrogate civilians in a bid to unearth suspected insurgents.

The bigger picture: long-held grievances and ethnic tensions

The military crackdown against the Arakan Army is one of the newest battlegrounds in a country that has multiple ongoing conflicts dating back decades.

Drawing support from the mainly Buddhist ethnic Rakhine community, the Arakan Army was formed in 2009 in an alliance with the Kachin Independence Army – a separate ethnic armed group headquartered in Kachin State along the country’s northeast borderlands.

“We want to be able to determine our own future and development of our region as well as to protect our own people,” Twan Mrat Naing, the commander-in-chief of the Arakan Army, told TNH in a recent interview.

*/

Read more → The uphill battle to forge peace in Myanmar's Rakhine State

The Rakhine are one of 135 officially recognised ethnicities in a wildly diverse country. Most Rakhine share the same Buddhist religion as the majority Bamar, who dominate political life in Myanmar. But the Rakhine see their state as one of the country’s most impoverished and neglected, which has fuelled resentment.

“Under the civilian government and the military regimes, Rakhine has become one of the poorest,” said Aye Chan, a Rakhine historian based in Yangon. “No wonder there is an armed resistance when an ethnic group’s grievances are ignored by the government.”

The military crackdown against the Arakan Army comes as Myanmar faces growing pressure, including allegations of genocide at the International Court of Justice, to account for the military purge and generations of discrimination against Rakhine State’s Rohingya population.

Communal violence erupted between the Rakhine and the mainly Muslim Rohingya communities in 2012. Though there was violence on both sides, only the Rohingya face state-imposed segregation. The government pushed some 120,000 Rohingya into squalid, barricaded camps outside Sittwe, and apartheid-like conditions remain for Rohingya elsewhere in the state.

eh/il/ag

• Myanmar

‘No one wants to risk their lives trying to cultivate rice.’ Briefing: The growing emergency on Myanmar’s newest battleground Esther Htusan News Conflict Food Human Rights WAYNESBORO United States IRIN Asia Myanmar Conflict The uphill battle to forge peace in Myanmar's Rakhine State In a Myanmar village, a bamboo fence separates Rohingya and Rakhine neighbours Landmines fuel migrant exodus in Myanmar’s north In northern Myanmar, a long-forgotten conflict flares out of view Slideshow: Myanmar's conflict resources

India’s northeast state of Assam is on the front lines of a citizenship clash that has already pushed some two million people to the brink of statelessness.

Mass protests have flared across parts of India since mid-December, when lawmakers passed controversial citizenship law changes that critics say are designed to exclude Muslims. The amendment opens up citizenship to religious minorities from nearby countries – but not to Muslims.

Demonstrations erupted in Assam before quickly spreading to other Indian cities. At least 31 people have been killed in police crackdowns, including five in Assam.

The protesters’ grievances are diverse, but at the heart of the demonstrations is a divisive question: who has the right to be a citizen of India?

The government says the law is aimed at protecting persecuted minorities from Pakistan, Afghanistan, and Bangladesh. But many see it as the latest push to exclude India’s more-than 170 million Muslims – and dismantle the country’s secularist principles.

“The government has made it clear that they don’t want Muslims to live in this country.”

Under Prime Minister Narendra Modi and his ruling Bharatiya Janata Party, critics say the government has enacted policies aimed at reshaping the multicultural country along Hindu nationalist lines.

Last August, nearly two million people in Assam – many of them Muslim – were excluded from the state’s citizenship rolls in a separate process meant to weed out illegal immigrants. Now, those left off the list face the prospects of appealing their cases before courts known as “foreigners' tribunals”, losing their citizenship, and being detained in a network of detention centres built for people who are declared illegal migrants.

Assam’s verification scheme, officially known as the National Register of Citizens, has drawn parallels to Myanmar’s treatment of its Rohingya minority, who were stripped of citizenship and basic rights over generations.

Modi has rejected calls to axe India’s citizenship amendment; a prominent government minister has also pledged to replicate Assam’s citizenship count nationwide by 2024. Activists fear both the exclusionary law and the NRC will be used in tandem to target Muslims.

“The law provides immunity to all the religious communities in India other than Muslims,” said Aman Wadud, a lawyer who provides free legal aid to people fighting for citizenship in Assam. “If the government brings in the NRC [across the country], it will be only Muslims running around for documents to prove they’re citizens.”

Assam is a window into how this could evolve. The Assamese majority here generally supports the NRC, seeing the Bengali-speaking Muslim minority as foreigners settling on their land. But they also oppose the revamped citizenship law, worried it will lead to more immigration – among Muslims, Hindus, or people of any faith.

protesters-university-india-citizenship.jpg Ahmer Khan/TNH Protesters at Cotton University in Guwahati rally against changes to India’s citizenship law.

“For us, it has never been an issue of religion,” said Lurinjyoti Gogoi, general secretary of the All Assam Students’ Union, an influential body that has led the protests in Assam.

“We are under threat of becoming a minority in our own land,” he said.

Convinced that the NRC exclusion numbers are flawed – that there are even more undocumented foreigners – Gogoi and others are demanding that the government hold a new citizenship count in Assam.

For many Muslims here, the threat of yet another NRC, paired with December’s citizenship law changes, has added to fears of renewed harassment and disenfranchisement.

The government has yet to finalise August’s original NRC list, leaving many Muslims here in a state of limbo – unsure of their rights, and fearful any new citizenship overhaul will leave them even worse off than they are now.

Rejected citizens prepare to face tribunals

In Dula Gaon, a mainly Muslim village about 85 kilometres west of Guwahati, rice farmer Abbas Ali is debating what to do.

He and his entire family were excluded from the NRC citizenship list in August, even though his family has lived here for generations.

Like many of Assam’s Muslims, Ali had actually supported the citizenship check: he saw it as a chance to prove he belongs, and to end the social stigma that has kept his family on the margins.

“I have never doubted my nationality. I have farmed these lands for all my life,” he said, pointing to the small patch of land beside his home. “Before me, my father did the same.”

The 64-year-old has heard the calls for a new NRC, but he fears the same result.

“The government has made it clear that they don't want Muslims to live in this country,” he said. “So why should we go through this ordeal again? They just want to declare us foreigners.”

Instead, Ali plans on arguing his case before the notorious foreigners' tribunals, which have operated in Assam for decades through previous rounds of citizenship challenges.

READ MORE: Ethnic tensions in Assam

Anti-foreigner sentiment runs deep in Assam, fuelled by the belief that the region’s distinct culture and language must be protected.

Bengali-speaking minorities arrived in Assam in the 1800s under British colonial rule. The population grew over the last century, accentuated by an influx of refugees moving across borders after partition in 1947, and of people fleeing violence during the 1971 war for independence to the south in Bangladesh, until then known as East Pakistan.

Ethnic tensions have turned violent in Assam: in 1983, machete-wielding men killed an estimated 1,800 people in Nellie, a mostly Bengali Muslim area.

In 1985, following a six-year protest movement, the All Assam Students’ Union signed a deal with the Indian government, which agreed to identify and deport foreigners who entered Assam after 1971. The Assam Accord became the basis for the electoral verifications and citizenship checks that have followed.

Many here are in the same situation: about 30 percent of the village were also left off the citizenship registry. In the wider Barpeta district, home to at least 1.7 million people, 13 percent were not included, according to government figures.

Sopiul Haq, 49, a landless farmer in an adjoining district, faces a peculiar dilemma: his 17-year-old son, Yousef, was excluded, but the rest of his family were declared citizens.

“They thought Muslims won't be able to prove their citizenship, but we had all the documents,” he said.

Like Ali, Haq said he would rather borrow money for his son’s defence in a foreigners' tribunal than face another citizenship count.

“I'm worried my entire family will be left out of the list,” he said.

 

But rights groups say the quasi-judicial foreigners' tribunals are built to reject Bengali-speakers seen as immigrants, rather than offer a fair hearing.

“Riddled with bias, prejudices, and arbitrary decision-making, they pass vague orders rendering people stateless,” Amnesty International said in a November report.

Debasmita Ghosh, director of the Guwahati chapter of India’s Human Rights Law Network, said people facing the tribunals are often ruled foreigners for minor technicalities or misplaced documents, which can be common in flood-prone Assam.

Assam’s ubiquitous border police, set up solely to flag potential foreigners, can also send cases to the tribunals. It’s a system prone to abuse, Ghosh said, citing a case where a roadside tea vendor faced the tribunal after refusing to serve free food to a frequent customer.

“The tea vendor and his family were held in a detention centre for eight years,” said Ghosh. “It was only after we took up the case in the high court that he was declared an Indian in 2018.”

Detention fears

Over the years, Assam’s tribunals have declared more than 129,000 people to be foreigners, while 114,000 were judged to be Indian citizens, according to government data.

But deportations are rare: Amnesty says only four people have ever been deported after the rulings.

Instead, non-citizens face a life without basic rights, at risk of arrest and detainment in controversial detention camps. There are currently more than 1,000 people in six detention centres in Assam, and the government is promising to build more.

detention-centre-goalpara.jpg Ahmer Khan/TNH A detention centre under construction in Goalpara district is meant to hold 3,000 people. Many of the construction workers at the site are minority Muslims.

Construction is underway on one of these facilities near Goalpara, west of Guwahati. Down a narrow road flanked by palm trees and vast fields, workers have erected barracks-style structures surrounded by an imposing concrete wall.

“I hope my children will never have to go through this.”

Farmer Shah Ali spent three years in a place like this. Declared a so-called “doubtful voter” under a previous drive to root out non-citizens, he was sent to a detention centre in 2016. The 44-year-old was set free in December following a Supreme Court ruling ordering the state to release detainees after three years.

“I still can't believe I'm back with my family,” he said, speaking slowly while staring at the river flowing past his home. “I had given up hope of seeing this place again in my life.”

Ali described cramped cells with no toilet, shared with dozens of detainees. “It was horrible,” he said. “I hope my children will never have to go through this.”

But Moiful Nissa, 60, fears that’s where she’ll end up. Also declared a “doubtful voter”, Nissa lost her case at a tribunal a few months ago, despite having all the required documents.

After living her entire life in Assam, the grandmother is now a foreigner in the eyes of the law.

“Every time I close my eyes, I get nightmares of policemen dragging me out of my home,” she said.

ab-ak/il/ag

• India

‘It will be only Muslims running around for documents to prove they’re citizens.’ Behind India’s citizenship clash, fear and uncertainty for two million in limbo Adnan Bhat Ahmer Khan News feature Human Rights Politics and Economics GUWAHATI India IRIN Asia India Human Rights

*/

The UN did not publicly disclose a major hacking attack into its IT systems in Europe – a decision that potentially put staff, other organisations, and individuals at risk, according to data protection advocates.

*/ */

On 30 August 2019, IT officials working at the UN’s Geneva offices issued an alert to their tech teams about a hacking incident:

'We are working under the assumption that the entire domain is compromised. The attacker doesn't show signs of activity so far, we assume they established their position and are dormant.'

The complex cyber attack on UN networks in Geneva and Vienna had started more than a month earlier but was only just being fully uncovered.

At a glance: Key findings

• Hackers broke into dozens of UN servers starting in July 2019.
• A senior UN IT official called the incident a “major meltdown”.
• Staff records, health insurance, and commercial contract data were compromised.
• Staff were asked to change their passwords but not told about the breach.
• Under diplomatic immunity, the UN is not obliged to divulge what was obtained by the hackers or notify those affected.
• The attack might have been avoided with a simple patch to fix a software bug.
• Systems in Geneva and Vienna used by thousands of staff were compromised.
• A UN spokesperson says the attack triggered a rebuild of multiple systems.
• UN officials warned of major vulnerabilities years ago.

Dozens of UN servers – including systems at its human rights offices, as well as its human resources department – were compromised and some administrator accounts breached, according to a confidential UN report obtained by The New Humanitarian. The breach is one of the largest ever known to have affected the world body.

The cyber attack – unreported until TNH’s investigation – started mid-July, according to the report. Dated 20 September, the report flags vulnerabilities, describes containment efforts, and includes a section titled: “Still counting our casualties”.

The incident amounted to a “major meltdown”, according to a senior UN IT official familiar with the fallout, who spoke to TNH on condition of anonymity. This official provided TNH with the August 2019 alert above and several other alerts related to the breach.

In response to questions from TNH, the UN confirmed it had kept the breach quiet.

“The attack resulted in a compromise of core infrastructure components,” said UN spokesperson Stéphane Dujarric, who classified it as “serious”. “As the exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”

“You can’t be a global governance body and not be accountable for holding yourself to a professional standard.”

Staff were asked to change their passwords, but were not told of the large breach or that some of their personal data may have been compromised. The “core infrastructure” affected included systems for user and password management, system controls, and security firewalls.

No matter what exactly was exposed, the decision not to notify all the people or organisations whose data may have been compromised – including UN staff – risks damaging trust in the UN as an institution, and so its effectiveness, according to human rights and privacy analysts.

Sean McDonald, a lawyer and specialist in the use of IT in international development, reviewed the report for TNH and said failing to notify others meant the UN either had “a fundamental misread of the seriousness of what’s just happened, or it is a professionally irresponsible way to handle an issue of that magnitude”.

“You can’t be a global governance body and not be accountable for holding yourself to a professional standard,” he said.

Informed by TNH about the contents of the report, David Kaye, the UN’s special rapporteur on freedom of expression, said the UN has a special responsibility to secure its sensitive data and inform those affected, a position he articulated in a 2015 study on digital security.

The UN’s diplomatic status gives it “immunity from every form of legal process”, and it is – unlike most US and European firms – under no legal obligation to report the breach to a regulator or the public. It is also not subject to Freedom of Information requests.

The lack of reporting stems from a “cover-up culture”, the UN IT official said: “This breach might impact many actors... there is a responsibility to proceed and report.”

What’s the damage?

The breach affected dozens of servers in three separate locations: the UN Office at Vienna; the UN Office at Geneva; and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters in Geneva. These servers hold a range of data, including personal information about staff.

Asked who was notified about the attack, Dujarric mentioned that only internal IT teams and the chiefs of the UN Office at Geneva and the UN Office at Vienna had been informed.

What data was copied and downloaded elsewhere is unclear.

Asked what was copied by the intruders, Dujarric replied: “As part of the compromised infrastructure, lists of user accounts would have been exposed.”

The report, however, lists 10 other “infrastructure components” that were compromised, including printing, antivirus, and the human resources system.

Have a great idea for an investigation? Click here.

Loading…

Dujarric confirmed “it was possible for the intruders to view data on the compromised server” in the Vienna office. The same was true for the OHCHR servers in Geneva but they only contained “non-sensitive” dummy information, he said. A spokesperson for the OHCHR said that its 'Active Directory' listing of internal users was also extracted by the intruders.

Dujarric did not elaborate about the third affected network: the UN Office at Geneva.

Asked if the incident was now fully contained, the UN spokesperson replied: “Multiple workshops and assessments have been conducted to verify that the exploited vulnerabilities have been mitigated.”

The senior UN IT official said much more data was stolen than the UN implied. Estimating that some 400 GB of data was downloaded, the official said the UN’s answers downplayed the level of the breach. The “user lists” were key to the network and “once you’ve got privileged access, you’ve got into everything”, they said.

The UN is a natural target for state-sponsored hacking, but news about major breaches is rare, as is firm attribution about who is responsible.

The UN IT official said the 2019 hack was deeper and more significant than an incident in 2016, when hackers – allegedly from the Chinese government-linked group dubbed Emissary Panda – gained access to the records of about 2,000 staff at the UN’s aviation agency, according to the Canadian Broadcasting Corporation.

Although it is unclear what documents and data the hackers obtained in the 2019 incident, the report seen by TNH implies that internal documents, databases, emails, commercial information, and personal data may have been available to the intruders – sensitive data that could have far-reaching repercussions for staff, individuals, and organisations communicating with and doing business with the UN.

The compromised servers included 33 in the UN Office at Geneva, three at OHCHR in Geneva, and at least four in the Vienna office. According to the report, the breach also grabbed “active directories”, with each likely to list hundreds of users as well as human resources and health insurance systems, other databases, and network resources. The three affected offices have in total about 4,000 staff.

The report, prepared by the UN Office at Geneva in the midst of containment efforts, suggests the cyber attack most seriously affected their office, which houses 1,600 staff working in a range of political and development units, including Syria peace talks, the humanitarian coordination office (OCHA), and the Economic Commission for Europe.

“There is no evidence that the attack affected further locations, nor any other agencies,” Dujarric added.

A digital “forensics” company and Microsoft have been involved in the clean-up effort, according to the IT official.

READ MORE: → Selected UN cybersecurity incidents, 2019-2020

2019

• February: Canadian media exposes UN aviation agency attempt to cover up 2016 hack.
• February: Security firm reveals targeted phishing campaign on UN in North Korea.
• July-August: UN offices in Vienna and Geneva accessed by unknown hackers.
• September: UNICEF accidentally circulates 8,000 names and email addresses of a training site.
• October: The UN pension fund system announces it was hacked, but says its systems were fixed without loss of data.
• October: Security firm Lookout reveals multiple UN agencies, NGOs, and the Red Cross targeted in similar North Korea-related phishing scheme that started in March.
• September: The French cybersecurity authority ANSSI says the UN was targeted in a widespread campaign to gather login details from diplomatic targets.
• December: Microsoft court papers describe another North Korea-related phishing operation targeting UN and others by a group dubbed “Thallium”.

2020

• January: According to Cofense, this phishing campaign on 600 UN email addresses had a fake message from Norwegian diplomats.

cybersecurity-hacking-un-human-rights-data-breach-geneva-united-nations_3.jpg Ben Parker/TNH The Geneva UN Office of the High Commissioner for Human Rights “faces regular cyber attack attempts,” its spokesperson said. Breach of trust

For human rights activists, state-based hacking and online spying is a persistent threat that can lead to arrests or intimidation.

A spokesperson for OHCHR said via email: “OHCHR faces regular cyber attack attempts, and we are constantly monitoring to safeguard the integrity of our computer systems and the data they hold.”

“It is surprising and disappointing that this kind of big organisation, collecting such sensitive information, is not taking care of its procedures.”

Mohammed al-Maskati, a Bahraini human rights activist who has worked alongside OHCHR, said the incident and its handling may make some organisations hesitant to share information.

“It is surprising and disappointing that this kind of big organisation, collecting such sensitive information, is not taking care of its procedures,” he said.

Victims and activists can face surveillance and eavesdropping, imprisonment, and even torture by their governments in reprisal for working with the UN’s human rights office, according to the OHCHR’s own report.

Attempted cyber attacks against the UN are occasionally revealed by technology firms. Microsoft, for example, told a US court last year that North Korea-linked hackers were trying to gather login details of UN officials, in a practice known as phishing.

If sensitive data has fallen into the wrong hands, individuals and organisations should be given a chance to tighten up their personal security and adjust their plans, said al-Maskati, the Middle East digital protection coordinator for NGO Front Line Defenders.

Furthermore, if personal information was accessed, the UN’s approach would appear to go against its advice to others.

“Enterprises should notify their customers once they become aware of personal data breaches that may have affected their rights,” according to a major UN report: ‘The right to privacy in the digital age’.

In many countries, government departments, corporations, and non-profits whose systems have been hacked are required to report the breaches to authorities.

In the EU, for example, the General Data Protection Regulation (GDPR) requires that any individual put at “high risk” by a security breach should be informed without delay, as should the national regulator.

Researcher Linnet Taylor, associate professor at Tilburg Law School, said a desire to sweep bad news under the carpet is “normal in every sector – which is why we make laws to prevent it”.

Taylor, who studies the use of data by international organisations, said the UN sits "outside the framework of laws developed around the world to deal with this problem, and [has] therefore not had to develop processes for transparency about breaches”.

“Expecting any large and powerful organisation to self-regulate and behave perfectly ethically is not realistic,” she added.

Keeping the incident under wraps could undermine trust in the UN’s work, said Gus Hosein, executive director of Privacy International, after reading the report obtained by TNH.

“Financial institutions, hospitals, and even intelligence agencies have all had breaches in recent years – and we only know this because they informed us,” said Hosein. “There are at least consequences to their failures.”

Too little, too late?

Over recent years, the UN has been trying to tighten up its cybersecurity, after an “unacceptable level of risk” was recognised by an audit in 2012. A new strategy adopted in 2013 promised “urgent action” to improve network security and to monitor intrusions.

Kaye, the UN special rapporteur on freedom of expression, told TNH he would find a breach “shocking but not surprising”, adding that, in his view, the UN should have invested more in cybersecurity at the OHCHR given the “high stakes for victims and advocates”.

Under its IT czar, Atefeh Riazi, the UN has slimmed the numbers of data centres, websites, and applications it runs, updating email, security, and other infrastructure. It has also moved more systems from in-house to commercial providers and the Cloud.

The reforms involved some 4,000 IT staff, nearly 600 locations, and some $1.7 billion of annual spending across the UN’s secretariat and field missions. But progress was mixed, according to a 2018 review. An audit found that a project to check the security of 1,462 UN websites and applications flopped: only one website had been properly assessed.

Dujarric said the UN had “implemented a comprehensive containment, mitigation and recovery plan” in response to this latest hacking incident. “This included rebuilding significant elements of the infrastructure, and replacement of keys and credentials,” he said.

Dujarric said a UN cybersecurity action plan had been endorsed in December 2019. “Additional technical and procedural controls have been implemented to further strengthen information security for the affected offices,” he added.

cybersecurity-hacking-un-human-rights-data-breach-geneva-united-nations_2.jpg Ben Parker/TNH Posters about cyber security in the office of the UN Special Envoy for Yemen in Amman, Jordan, 9 January 2020. READ MORE: → How they did it

The attack began thanks to a basic error. Hackers were able to get into a server in Vienna because its software had not been updated. The severe flaw in the Microsoft SharePoint system allows an attacker to bypass the login process and issue system-level commands. After it was discovered by security researchers, Microsoft provided a fix on 25 April.

According to UN policy, IT staff should have installed the update – or “patch” – within a month. Dujarric, the UN spokesperson, confirmed that had not happened.

From that starting point, the hackers navigated within the UN’s networks, reaching the UN Office at Geneva on 15 July and the OHCHR headquarters later that month.

Given the number of SharePoint sites in large institutions, security researcher Kevin Beaumont had predicted in May: “I think this will be one of the biggest [vulnerabilities] in years.” After reviewing the UN report, he said “Organisations need to urgently review their patching of this SharePoint vulnerability, as it represents an open window at many organisations worldwide still.”

Once inside the UN’s network, attackers gained domain administrator access to affected offices, staffed by 4,000 people, and compromised at least 42 servers in Geneva and Vienna, according to the report. Another 25 servers may have also been affected. Although like-for-like comparisons are inexact, the total could represent five percent of the UN’s total number of 679 servers, according to a 2017 global inventory.

The vulnerability known as “CVE-2019-0604” has been exploited to attack Middle Eastern governments and US municipalities, according to cybersecurity researchers and the FBI.

Who was behind the attack?

At the request of TNH, cybersecurity researcher Kevin Beaumont reviewed the report and said the attack “has the hallmarks of a sophisticated threat actor”.

“Threat actors” can run from a disgruntled employee to a superpower’s intelligence operation, as described in this Canadian government briefing. “Nation-states are frequently the most sophisticated threat actors, with dedicated resources and personnel, and extensive planning and coordination,” it explains.

Long a target of spies and hackers – even by its own account, the UN has often been subjected to highly sophisticated attacks, both on- and off-line. WikiLeaks documents, for example, detailed US attempts to gather the DNA of the UN’s top official.

In this case, the UN said it didn’t have enough information to attribute responsibility for the attack.

Analysts and human rights groups say this attack highlights the threats the institution faces, and a need to tighten up its cybersecurity given the growing volume, range, and sensitivity of the data it holds.

Taylor, the data researcher, questioned the appropriateness of diplomatic immunity.

“The UN has privileges and immunities only in relation to its mission,” she said. “They are supposed to guard it from political challenges.” In the case of a data breach, she added, “it is hard to imagine how the privileges and immunities might come into play.”

Hosein, the executive director of Privacy International, hoped revelations about the incident and the way it was handled might have a salutary effect on UN cybersecurity.

“If there are no consequences for the [UN] agencies for failures like these, they will build more problematic systems, and there will be more breaches, and nobody will ever know,” he said.

For Taylor, if such incidents continue to be covered up, things may not improve. “Without transparency,” she said, “no one will be motivated to push for change.”

bp/pd/ag

Have a great idea for an investigation? Click here.

Loading…

“If there are no consequences for the [UN] agencies for failures like these … there will be more breaches.” EXCLUSIVE: The cyber attack the UN tried to keep under wraps Ben Parker Investigations Aid and Policy Human Rights <p><strong>About this investigation:</strong><br><em> While researching cybersecurity last November, we came across a confidential report about the UN. Networks and databases had been severely compromised – and almost no one we spoke to had heard about it. This article about that attack adds to The New Humanitarian’s <a href="http://www.thenewhumanitarian.org/in-depth/humanitarian-technology">previous coverage on humanitarian data.</a> We look at how the UN got hacked and how it handled this breach, raising questions about the UN’s responsibilities in data protection and its diplomatic privileges.</em></p> GENEVA IRIN Europe Switzerland Global Swiss DOI aid policy Aid and Policy EXCLUSIVE: Audit exposes UN food agency’s poor data-handling New UN deal with data mining firm Palantir raises protection concerns Aid agencies rethink personal data as new EU rules loom Head to Head: Biometrics and Aid Humanitarian data breaches: the real scandal is our collective inaction Irresponsible data? The risks of registering the Rohingya