Abstract

In this episode, Mr Jason O’Connor, Deputy Director (North America), Global Interagency Security Forum (GISF), speaks about protecting people working in the development and humanitarian response sectors (in challenging environments) from physical violence and cyber risks. He also elaborates on how to promote proper security risk management practices and improving security of aid workers.

This podcast series is presented by Dr Alessandro Arduino, Principal Research Fellow and Dr Ameem Lutfi, Research Fellow, at the Middle East Institute, National University of Singapore.

Listen to the full podcast here:

Full Transcript:

[Alessandro Arduino]: Welcome to the 13^th episode of the Middle East Institute (NUS)’s podcast series Boots Off the Ground: Security in Transition in the Middle East and Beyond. In this series, we look at the future of warfare which will see uniformed soldiers, or boots on the ground, being replaced by private military companies, autonomous weapon systems and cyber weapons. My name is Alessandro Arduino and I will be the co-host for this series, along with my colleague Ameem Lutfi.

[Ameem Lutfi]: Thank you everyone for joining us. We’re really glad to have with us today Mr Jason O’Connor, Deputy Director (North America), Global Interagency Security Forum or GISF – an independent peer support network providing a platform to NGOs around the world to gather and disseminate good practices in security risk management to improve policy and practice.

Previously, he worked as a Global Security Advisor for World Vision International and prior to that, was involved with a range of international organisations including the United Nations peacekeeping mission and assistant mission to Kosovo, Iraq, Liberia, Cambodia, South Sudan, as well as the Organisation for Security and Co-operation in Europe (OSCE) in Kosovo and the International Organisation for Migration (IOM) in Jordan and Liberia. Thank you again for joining us, Jason.

[Alessandro Arduino]: Jason, in our previous podcasts on private military companies (PMCs) and private security companies (PSCs), we discussed a lot about both sides of the coin. On one hand, we see accountable PSCs being a driving force in protecting individuals and infrastructures in high quality areas while on the other hand, we see both PMCs and PSCs benefitting from diffused instability and uncertainty. So, from the NGOs’ angle, PSCs are seldom perceived as a necessary evil. What’s your opinion on the interaction between NGOs and PSCs?

[Jason O’Connor]: Hi Alex, thanks for having me today. When it comes to the use of private security contractors and those types of institutions or outfits, GISF has a guide called ‘Engaging Private Security Providers’ and the aim of this guide is to help our members or the NGO community determine when it is best to use such services and if they do need to use them, how to use them, processes available to assess the need and how to pick providers internally. The use of private security contractors is based off context analysis, security risk assessments and other internal processes that might exist. For some organisations, this goes against their core values and it’s not something they would use but for others, it is a necessity in order to operate in some of these challenging contexts.

It is important to consider the consequences of working with some of these providers – even if they are good, the reputational risk that’s attached to working with these types of groups has to be considered. If one of these operators was to be involved in a criminal conduct or engage in sexual exploitation and abuse, then the NGO that uses their services will be questioned. It’s important to find the right providers to work with in the different contexts we operate in.

Some of the ways we can achieve this is by using the international code of conduct for private security providers by revisiting that when determining who to work with in these areas. Each organisation needs to do their due diligence – they can do a series of background checks based on their internal processes; work with other NGOs; engage the local community to find out what the system says or if there’s any conduct with those organisations that would be detrimental and maybe even reach out to the UN or other international groups in the area doing similar project or programme work to find out what their experiences are.

On the use of armed guards, it adds even more complexity to the situation and for some organisations, like I had mentioned, this is non-negotiable as it goes against their core values and they won’t operate in an area that requires them to work with such a service.  However, in some contexts, the government may mandate the use of such services and then it becomes a challenge. I won’t mention the name of any organisation but many organisations have very deliberate processes which they exercise to determine what the right approach is. Every context is unique and organisations have to be thorough and thoughtful when such a service is involved.

[Ameem Lutfi]: Thank you firstly for joining us today and for that answer. You mentioned you work with the International Code of Conduct Association (ICOCA); we actually had Jamie Williamson as one of our guests at the start of this podcast series. I was wondering if you could just expand a little on the relationship that GISF has with ICOCA and maybe even International Organisation for Standardisation (ISO) – bodies that charter and set a code of conduct.

If I could also ask you to elaborate — one of the things Jamie mentioned was that for ICOCA, definitions of things are very important so they have a clear-cut definition of what counts as private security, for example. In your field, humanitarianism seems to be very important or the driving term — how do you guys go about defining humanitarian organisations?

[Jason O’Connor]: GISF is a partner organisation with ICOCA. I don’t believe we’re a member, I think we’re a partner (I’m new to GISF; three months on the job so I’m learning about the organisations that we collaborate with) but I could tell you about GISF — we are a peer-to-peer network of security and safety directors, managers and focal points. We are member-driven and we all operate in the same environments. For the most part, we have 126 members and all of our members are committed to the same aim – to improve safety and security outcomes.

At GISF specifically, we work to facilitate the exchange of ideas with our members and all the different stakeholders we work with and that includes member NGOs, non-member NGOs, ICOCA, UN and donors, academic institutions, research institutions and the private sector as well. All of these different partners that we work with basically aim to achieve the same thing – better outcomes in the context where we operate to reduce harm to the local communities and the populations that we serve.

Within our membership, we have incredible experience through all the different organisations that we have and the people we work with and we try to harness those varied experiences to drive change and achieve better outcomes. Some of our products are done in collaboration with groups like ICOCA and other partners.  We aim to produce evidence-based research such as guides, papers and case studies that are based on some of the information that we get from places like ICOCA. We also organise forums, workshops, roundtables and webinars with a panel of experts and speakers from ICOCA will attend such events to help provide extra material and context. It’s a collaborative effort and when it comes to the definition of humanitarian, we see it as not-for-profit activities that are aimed to improve lives and reduce suffering.

[Alessandro Arduino]: Jason, you mentioned that you have been in this job for just three months but I know you have been involved in the security arena for a while. Previously, you’ve worked with World Vision International as a Global Security Advisor and in training. You have two decades of experience working with the UN peacekeeping assistant mission in Kosovo, Iraq, Liberia, Cambodia, South Sudan, Jordan; I think, basically you just missed Afghanistan and Syria.

Could you briefly trace your work trajectory and how you landed in GISF? In this respect, do you perceive any substantial difference between traditional and humanitarian risk management?

[Jason O’Connor]: Thanks Alex. Yes, it’s been an interesting trajectory, to say the least. It started when I left the military after serving there for five years. A couple years reserve, three years in the Regular Force in Canada and after that, I decided to go overseas and through some networking I did — I worked in some projects for three years with a project company that did some work in peacekeeping environments in the Balkans — I saw what all the international organisations were up to, and I took a keen interest in those activities. I did my networking, was able to apply and finally got a job with the OSCE in Kosovo where I worked on election security in the beginning.

That led to a job in the UN and I ended up at the headquarters — not such a glamorous job, but it was a great job — and I did it in the uniform security division in New York. It wasn’t my end goal but it was a very great experience in the couple of years that I was there but my aim was to return to the field again so I got the opportunity to go to Iraq as part of the response team that went to Baghdad after the explosion at the Canal Hotel on 19 August 2003—that was a pretty horrific day—I had a lot of friends there in that building at the time and I was very keen on responding to help my colleagues have the opportunity to leave, so we could take over for them. That led to a series of different peacekeeping missions from there and I didn’t go back to the headquarters, I wanted to stay in the field and had lots of great experiences working at all these different places that you have mentioned. It somewhat grows on you, for sure, and it’s something that you either love or hate.  It was a great experience for me to be in the field for so many years and eventually, I had a family.

It’s not conducive for the family to always be in a field environment though so I was lucky enough to find a position with World Vision for the last five and a half years which was just perfect timing actually, but that led to an appreciation of the NGO sector because working in the UN — it’s quite different from how NGO security works (which we’re going to talk about in a second). The opportunity to work with GISF came up after that and it was an exciting one for me so I couldn’t turn it down. So that’s how I’m at GISF now and very excited to be here; it’s a great team.

When it comes to traditional versus humanitarian security, I think the number one difference – that I’ve come to realise in the last five years – is that NGO security and safety managers, or NGOs in general, operate off the principle of acceptance. This principle requires these organisations to reduce threats by engaging with the community and all the different stakeholders who are relevant in the spaces that they operate in. We aim to seek approval with the local populations that we serve and all the stakeholders, where reasonable. It’s not, of course, going to be across the board as we know, because we still have a lot of different incidents around the world but our aim is to engage (through acceptance with those populations) to lower the threats, so that we can continue to deliver programmes to those communities.

Some of the other key differences — when you think about traditional security risk management, if you think about embassies, for example, or some of the major installations we have in certain countries, you think about physical security. That has a lot of boundaries, concentric layers of security and the five Ds: Detect, Deny, Delay, Deter and Defend. These strategies are not entirely applicable to the NGO model, especially when you consider that we operate off acceptance. Nearly all NGO staff are field-based so a bunker-based mentality just doesn’t work.

Hence, our humanitarian security risk management is heavily dependent on like I mentioned before, acceptance. We still engage in some of the other processes like context risk analysis, security risk assessments and we do have context risk ratings where we look at the areas that we operate in. We try to come up with methods to assess risks through the security risk assessment process; identify threats, develop mitigation measures so that we can try to balance that out but it’s lots of planning and tons of collaboration and to be fair, requires a lot of creativity. We can’t just reject the programming. We have to find ways to get to the field to deliver so it requires constant monitoring and engagement with all of our partners to get it right.

[Ameem Lutfi]: If I could ask you to expand a little more on this comparison, what you have  spoken about; you’ve worked with the UN and now you’ve shifted the to the NGO sector — how do both of them compare? Specifically, I was wondering if you could answer this question in regards to the part of the world that we, here at the Middle East Institute (NUS), are very involved with — mainly the Middle East and North Africa, which are known to be high-risk areas. In your opinion, are the NGOs, that you suggest don’t have the bunker mentality, still very cautious of the various risks involved in these areas?

[Jason O’Connor]: Yes, they’re very cautious; I mean, it weighs heavy on every single security and safety manager I know. One of the big differences that I may not have mentioned when we talk about these areas where we work — especially between the UN and maybe the private sector —is the budget. In traditional security risk management, especially in the corporate sector, in the UN and many of the UN agencies, they’re better-funded. Maybe some of my colleagues from those areas would argue otherwise but from what I’ve seen in my experiences, that’s the case – we were working with much smaller budgets. Those budget constraints make it a little bit difficult to achieve full staffing especially for security and safety managers and the personnel you might need to have in place. It’s harder to conduct training that’s necessary to be able to send people to these places and it also makes it difficult to procure the right equipment – not the best sort but the most suitable, in some cases.

Another difference is that security risk management for the private sector seems to be a cornerstone, or more inclusive in the business continuity approach for corporations than it would be for the NGO sector. Managers in some of these corporate sector security teams have stricter guidelines to adhere to and there’s key performance indicators that are associated with these tasks that might be a result of the litigation culture that exists there – where they can be brought to court a little bit easier than NGOs (although there have been some court cases instances in the NGO community).

I can see that as one of the differences maybe, but NGO security managers are quite creative and they do an incredible job of keeping their staff and programmes safe, with what they have. The ability to adapt in those areas that you’ve mentioned is crucial, of course, but a lot of the NGOs that work in those environments have mature security risk management programmes in place already. They’ve been there, they might have turnover but they’ve typically been operating there for quite a while so they’ve got years of experience — at least institutional years of experience — and lots of established relationships with many different stakeholders in those environments which helps facilitate good humanitarian risk management as well.

Nonetheless, these areas we talked about — they present some unique security risks so again, it requires lots of planning, contacts analysis, security risk assessments, contingency planning and of course, training. When I was working with World Vision, a lot of what we do is preparing our staff for these environments so that they’re better prepared to respond to emergencies. However, none of this happens without sufficient funding and at GISF, we actually have a paper on this; it’s called The Cost of Security Risk Management (SRM) for NGOs and it’s pretty important to be able to communicate this to your organisation as a safety and security manager and it’s important for all the stakeholders to understand the cost of security.

[Alessandro Arduino]: I am very intrigued about what you just mentioned – the bunker mentality versus the flexibility and creativity from NGOs. Also, you mentioned funding is quite a big problem. Rest assured that in other areas of the world and the one I’m spending most of my time studying about – the Chinese private security sector — one of the first few grievances of the Chinese PSCs is the fact that funding for security is the last item on the budget from state-owned enterprises to Chinese private enterprises; so I think funding is quite a diffused problem.

Another key aspect you just mentioned is training – you said that security risk management planning is a process and there is a need for a multidisciplinary approach. Your organisation, specifically, provides a very effective and in my personal opinion, very well-received toolkit: Security To Go, — would you briefly present this tool and some application case studies too?

[Jason O’Connor]: Let me explain the tool first – we have lots of different tools on the GISF site and one of them is Security To Go. Like you mentioned, it’s an excellent 14-module guide that helps those working in humanitarian programmes identify key security needs. It’s meant to help organisations establish risk management systems in emergency settings so it’s not necessarily a top-to-bottom, comprehensive security risk management guide but it is applicable in all settings for international organisations or locally-run organisations. One of the modules in that guide is about engaging with security providers so it addresses a lot of key issues and I’ve spoken to a lot of smaller NGOs that have told me they’ve used it repeatedly in different contexts so it’s a go-to guide for them.

Another guide that’s quite similar but much more comprehensive is our Security Risk Management (SRM), a guide for smaller NGOs, although to be fair, I think it’s relevant for any size. It’s more comprehensive and can be used to establish a stronger security risk management programme and it goes from top to bottom. The Security To Go guide doesn’t necessarily get into full organisational security risk management systems but for the SRM guide, it gets into the framework of accountability and helps you establish the upper echelon of those programmes that help solidify security risk management as a function of the organisation, so that they can operate in all the different challenging environments that we work in.

[Ameem Lutfi]: I have a quick follow-up question to that – beyond providing these toolkits, is one of GISF’s roles to connect NGOs to security service providers as well? If that is the case — or even if you are suggesting best practices to NGOs in choosing service riders — how do you go about doing that in high-risk areas where there might not be many security service companies willing to go there?

Earlier, we were having a discussion about Eric Prince, his Blackwater company and the report about his involvement in the Libyan civil war. When such news gets published about certain security providers, what protocols or what kind of actions can you take in assuaging the NGO sectors that might be involved in partnering with them?

[Jason O’Connor]: That’s a great question and there’s no doubt that there are serious risks attached to engaging with these kinds of actors. I was in Baghdad in 2003 and in Jordan after that and I saw lots of such stories surface in the very beginning and it’s a serious challenge, like we said as there are massive reputational risks attached to those types of services. I don’t think a lack of those services is going to be seen as an acceptable excuse to engage with them, just for the purpose of staying and delivering programmes to those populations.

These groups are known to be in breach of ICOCA standards or basic humanitarian practices that don’t align with the core values of the organisations that engage their services and I don’t think there’s going to be any acceptable excuse for those organisations if things go wrong; it’s not going to work out. You have to do your due diligence by doing background checks and you have to talk to different stakeholders to find out if this is adequate. Yes, it’s a serious risk but in some cases like we have already mentioned, it might be mandated by the local government and that makes it that much more challenging.

In those cases, if they decide to accept those risks, go into the programming and accept those services from these groups, then they’re going to have to stay on top of it and be very aware of the daily activities.  They also have to make sure there is some sort of monitoring and maybe a complaint hotline or so that they can provide for the local population, so that there’s a feedback mechanism available to those communities. If things do go wrong, those local communities can reach out to that NGO and inform them.

[Ameem Lutfi]: Can I just do a small follow up question on that – I grew up in Pakistan and one of the issues with the NGO sector was that there was always these rumours and conspiracies of them being involved in secretive operations and that they’re undercover agents of some sort which often puts NGOs at very high risk situations. I’m guessing when you have security service providers working for NGOs —and these people are armed — that risk becomes heightened. How do you deal with this specific risk of NGOs being considered as secret agents or spies, how does that work?

[Jason O’Connor]: That’s another great point and to be fair, half my neighbours think the same of me and it is something that you have to treat with the respect it deserves. To be fair, I might find it laughable but at the end of the day, if we’re operating in those environments, we have to take those types of perceptions seriously. I think some of the activities that we do —for example, I’ve spoken about actor mapping and stakeholder analysis, those types of activities — if someone gets a hold of a sheet of paper that we were using to do an exercise to find out who we should be engaging with, they might think we were taking notes of all the different groups. That’s not the case but we still have to be cognisant of the fact that that’s the perception. Maybe using handheld radios is another situation where we might think it could be taken out of context. There are a lot of things that humanitarians or anybody in those environments do — when they don’t come from there, they’re regarded as suspicious. In order to overcome such things, it’s a multi-faceted approach [used] to work towards achieving a better outcome.

One of them is engaging with the population; local communities; the stakeholders that might hold those perceptions and being very transparent about what we have, what we do and what our methods are. Also, training to build awareness among staff members who are deployed to these areas and even local staff members, national staff members that we work with and local partners — we have to train and build awareness that some of our activities are perceived to be this way. We can’t just dismiss it and laugh it off It is serious and sometimes, it can have very serious repercussions so we have to factor it into our acceptance approach when we’re trying to achieve acceptance. We have to understand that some of those perceptions from the local community might be, like you said, that there’s an intel situation there but intel-gathering, working for foreign parties — it’s antithetical to what we stand for as humanitarians so it doesn’t happen.  However, that doesn’t mean we shouldn’t take it seriously.

[Alessandro Arduino]: Thank you, Jason, for this answer. I think we can go on to talk about perception and the role of intelligence for daily security and intelligence gathering for a third party, as  we have been basically focusing our discussion on physical security. I would like to move to an important part of security — that is cyberspace and it’s increasing, not only in the news, but it’s an increasing problem even for a NGO operating abroad. If you look at the part of the world where we are based in, here in Singapore, private military security companies, let’s say with the exception of anti-piracy, looks like a very faraway issue. Nevertheless, cybersecurity is becoming a growing concern especially considering the prominence of Singapore as a financial and technological hub in East Asia.

Last year, not only did Covid-19 remind us of the importance of personal hygiene, but also the extreme importance of digital hygiene.  I say this because Covid-19 showcased the centrality of IT and its own internal fragility. From an aid work perspective, what does GISF suggest as a digital security risk mitigation process for NGOs? We can start with the problems of hacking, ransomware and then look at the safety of NGO’s communication and the communication channels that they can be targeted by unscrupulous regimes, criminal organisations, or even terrorists.

[Jason O’Connor]: Yes, this is a huge issue, Alex and digital and physical security certainly overlap. They’re not the same, of course, and in fact, with many organisations, they actually sit with different chiefs or different directors in different departments but they definitely overlap.  I see a lot of my former colleagues working in the private sector handling digital security for some of the organisations they work with so there’s definitely an overlap, although we’re not experts in the digital realm, the safety and security managers need to address this and it needs to be incorporated and considered in their policies and training.

The guides on device etiquette will still come from IT and they will release most of the training so most NGOs and just about everybody these days, have internal IT training to help people be aware of ransomware phishing attacks and the likes of it. That’s done on a yearly basis for the most part but we have to still consider how we couple it with the training that we deliver within the main safety and security component.

Another consideration is the tech, the devices that we use in the field — we have to consider what’s required and what can put you at risk. Even the use of SAT phones in some areas can get you arrested, frankly, so it’s something to be considered. Travelling with devices is also becoming much more of a challenge — it has been for years, actually. Maybe in the last decade we’ve seen a spike in the types of arrests or denied entry for people going to certain countries based on how they might deny the customs and border patrol agents access to their cell phones or their laptops and so, these things are to be considered when travelling abroad.

Some of the unintended consequences of our response to those is to try to travel with white devices or clean devices etc. just to make sure we don’t take our private material with us when we travel to some contexts. That of course raises suspicion as well, when you when you show up with a device that has nothing on it so that can get you locked up.

It’s just another situation where we have to be incredibly thoughtful and understand the legal implications and also understand where we’re traveling to, what the perceptions are there and what the expected behaviours are. There’s also the social media element to this – how we behave on social media as there’s all kinds of implications of the digital security here. From the GISF perspective, we try to aid our members by putting together guides and training on this so we have several different publications to assist our members in addition to what they probably have internally.

We have communications technology and humanitarian delivery, within the Security To Go guide,  a module on digital security and we also partnered with DisasterReady on a security risk management toolkit on digital security.; All those guides can be found on GISF.ngo and there’re a lot of other materials there as well but  like you said, it’s a massive challenge and there’s lots of training out there [on our site] for all of our partners — members and non-members — to use for their benefit.

[Ameem Lutfi]: Thank you so much for that response. Finding the balance between some of these things that you’re talking about — it can’t be an easy project and maybe that makes it very interesting, at least intellectually, in trying to figure out and play with the puzzles. In the end, I want to ask you a question and put you in a bit of a spot and ask you to sort of finish up in the air by asking you what we’ve been asking all of our guests – In your opinion, what will the future of risk and security management in a complex environment look like in the coming 30 years? Perhaps, you can answer this in regard to security management in the NGO sector specifically.

[Jason O’Connor]: Within the NGO sector, specifically the next 30 years; I mean, if I judge it on the last 10 years, it’s quite interesting but there’s a lot of different issues that can be looked at from now, that are already headed in a very challenging direction. We have lots of risk multipliers like climate change, population growth outbreaks, the pandemic now of course, that’s demonstrated how challenging it can be once we get cut off from travel and we can’t be in those areas to deliver, extremism is on the rise and we have geopolitical influences shifting in the areas that we operate in now, which is going to create some challenges in the years to come.

With that geopolitical influence, there’s shifts in the way that some of these countries operate, in some of the environments we operate in —a country that may not even be authoritarian by nature but they’re adopting new technology and practices that can be viewed as somewhat authoritarian; lots of surveillance happening around the world in different places and this is going to make access to humanitarian spaces a lot more difficult.

I mentioned outbreaks but if you think about Covid-19, we’ve seen an acceleration of working with local partners and there’s a lot of fallout there that we have to be considerate of and it requires a thoughtful approach for any NGO that is working with local partners. There’s a transfer risk happening there so we have to make sure that that’s done in a thoughtful and responsible way so that we don’t abandon our duty of care while using local partners to implement the programmes in those contexts so to that end, we have a guide.   A timely guide, actually, releasing on 15 April which will  help organisations work with local partners and help them assess how they should handle the transfer of risk to make sure that the duty of care is being addressed without putting local partners in a situation or predicament that’s dangerous or unacceptable.

To be fair to the last point we just touched on, I think most of the change we’re going to see,  almost all that impact is going to come from the digital security sector. We need to be ahead of the curve on this; we see what’s happening now with blockchain — there’s quite a few documents out there on blockchain and how that can be applied to humanitarian spaces. We need to build a digital security culture into our security risk management practices to ensure that we adopt the right tools and practices to be proactive as much as we possibly can, rather than be reactive because that’s what we see now. If you look at blockchain technology in the financial sector, regulators can’t keep up with it and that’s fine —there’s a certain impact there but when it comes to safety and security, we don’t want to be caught off guard when it’s going to result in our staff members or the communities that we serve being impacted in a very negative way.

[Alessandro Arduino]: Thank you very much, Jason. When you began your answer on looking at the next 30 years, you scared me a little as you mentioned that it’s going to be interesting. I think you know that in Asia, especially in East Asia, one of the common curses is “may you live in interesting times” and I think with 2020, we’ve got enough interesting times already. Once again, Jason, thank you very much for being with us today and also allow me to thank all the Middle East Institute (NUS) staff without whom this podcast would not have been possible.

In our next podcast with Professor Joshua Reno — an anthropologist with a very peculiar expertise on military waste — we are going to discuss the negative spillover of military waste, not only on earth but also in space. Thank you to all our listeners for being with us today.

[Jason O’Connor]: Thank you Alex and Ameem.