Cybersecurity will take center stage in the United States Agency for International Development’s first-ever digital strategy, slated for release early next year.
“Moving forward this is going to be a significant change in how we do business,” said Michelle Parker, senior policy advisor for USAID’s Center for Digital Development. “For everything digital, we now need to think about how do we secure information and how do we protect the privacy of our beneficiaries.”
Parker said that USAID, which provides assistance to civilians in poor and developing countries, is looking for its contractors to lay out the types of technology they plan to use if awarded a project. USAID also wants the contractors to describe the risks associated with introducing those technologies and how the company and USAID can work to mitigate the risk.
“We’re just asking our partners ... to be a lot more thoughtful about when we’re saying ‘technology’ — what does that mean?” Parker said.
USAID will also start evaluating contractors’ C-suite to evaluate if companies are taking information security and data privacy seriously. USAID wants to know if companies have a chief information officer, chief information security officer and chief data officer.
“That’s the kind of thing we’re going to start elevating and having conversations around, because we do think that protecting the data and securing it is incredibly important, said Parker.
The international aid agency also wants to evaluate what technical capacity it needs to develop internally to help government and non-government organizations build strong cybersecurity and data privacy in nations it helps around the globe. USAID also has to grapple with which data privacy standards to use, because Europe’s data privacy restrictions are significantly stronger than the United States. For cybersecurity, it’s deciding whether to use standards established by the Commerce Department’s National Institute of Standards and Technology or the Swiss-based International Organization for Standardization.
Parker said that USAID is meeting “regularly” with several agencies, such as the Departments of State and Homeland Security, to decide which frameworks to require or strongly recommend.
The cybersecurity measures being considered by USAID are necessary for the protection of its partners abroad, Parker said, several of which operate in countries with hostile governments. Parker pointed specifically to Nicaragua, where she was stationed last year before evacuating, and the government-launched cyberattacks against many of its partners.
“The attacks are tied to silencing, censorship and to surveillance,” said Parker. “So the question becomes, what are we going to be doing to protect ourselves against that? For USAID’s enterprise, we’re fine ... I’m quite frankly much more worried about our partners and the beneficiaries.”