COL­UMN: Ac­tion needed to ad­dress Caribbean cy­ber­se­cu­rity

Jamaica Gleaner - - BUSINESS - David Jessop is a con­sul­tant to the Caribbean Coun­cil. david.jessop@caribbean­coun­cil.org

JUST OVER a week ago Google, Face­book, Ama­zon, Twit­ter, Net­flix, Visa and many more pre­mium providers of global web ser­vices tem­po­rar­ily went off­line.

This was be­cause they had in­di­rectly suf­fered the ef­fects of a Dis­trib­uted De­nial of Ser­vice (DDoS) at­tack on Dyn, a largely un­known in­ter­me­di­ary that en­ables web users to ac­cess the ad­dresses of ma­jor web­sites.

Ex­perts say that it may have been the big­gest DDoS at­tack ever mounted be­cause it brought down a key gateway, and was highly so­phis­ti­cated in the way in which it sent huge vol­umes of data, caus­ing Dyn’s servers to deny ac­cess to its clients.

What was un­usual was that the event in part was de­liv­ered through un­se­cured smart de­vices – the so-called In­ter­net of things – in­clud­ing every­day items linked to the In­ter­net like we­b­cams, baby mon­i­tors, smart TVs and DVD play­ers, and even fridges and cen­tral heat­ing sys­tems.

Apart from in­di­cat­ing an ab­sence of se­ri­ous think­ing about se­cu­rity by those who de­sign and sell such web-linked prod­ucts and reg­u­la­tions to gov­ern them, it demon­strated that it is now pos­si­ble to in­di­rectly shut down or dis­rupt es­sen­tial on­line ser­vices.

WIDE­SPREAD AT­TACKS

Re­ports in the trade press sug­gest that so se­ri­ous have DDoS at­tacks in gen­eral be­come that more than 30 per cent are now large enough to swamp al­most any busi­ness or poorly pro­tected govern­ment.

While few Caribbean cases of DDoS or cy­ber­crime ever be­come pub­lic, be­cause of the per­ceived rep­u­ta­tional dam­age, there are am­ple re­ports of the ex­is­tence of cy­ber­at­tacks, in­clud­ing theft from banks; the hack­ing of govern­ment web­sites In this Jan­uary 28, 2015 file photo, then state min­is­ter for tech­nol­ogy Julian Robin­son dis­cusses Ja­maica’s cy­ber­se­cu­rity strat­egy with Or­ga­ni­za­tion of Amer­i­can States Cy­ber­se­cu­rity Pol­icy Spe­cial­ist Kerry-Ann Bar­rett at the launch of a cy­ber­se­cu­rity cam­paign in Kingston. Per­sonal in­ter­net con­nected de­vices have been proved vul­ner­a­ble to hack­ing, mak­ing cy­ber­se­cu­rity an even more ur­gent is­sue for the Caribbean.

in the Ba­hamas and St Vin­cent by a group claim­ing to be sup­port­ers of ISIS; ran­somware at­tacks on some Caribbean tax au­thor­i­ties; and most re­cently, the pub­li­ca­tion on­line in in­ter­ro­gat­able form of 1.3 mil­lion files from the Ba­hamas’ cor­po­rate registry.

These re­vealed not just the lack of ap­pro­pri­ate se­cu­rity within govern­ment por­tals, but the ex­is­tence of out­moded IT sys­tems and soft­ware with the po­ten­tial, some ex­perts sug­gest, to have com­pro­mised gov­ern­ments’ in­ter­nal com­mu­ni­ca­tions. They also high­lighted the re­gion’s

vul­ner­a­bil­ity and the ab­sence of lo­cal ex­per­tise or fi­nan­cial re­source to ad­dress weak­nesses, leav­ing oth­ers to be in­vited in to pro­vide the nec­es­sary tech­ni­cal sup­port and to rem­edy prob­lems.

Ac­cord­ing to a joint study by the Cen­ter for Strate­gic Stud­ies and McAfee pub­lished ear­lier this year, Latin Amer­ica and the Caribbean (LAC) has be­come a new fron­tier for cy­ber­at­tacks and crime at an es­ti­mated cost of around US$90 bil­lion per year.

The Ci­pher Brief, a dig­i­tal, se­cu­rity-based plat­form that con­nects the pri­vate sec­tor with the world’s lead­ing se­cu­rity ex­perts, re­cently noted that 12 per cent of DDoS at­tacks now tar­get the LAC re­gion and that the num­ber is es­ca­lat­ing. It is also the case that there has

been a dra­matic rise in the num­ber of peo­ple, in­clud­ing tourists, with ac­cess to In­ter­net-con­nected de­vices, po­ten­tially in­creas­ing na­tional vul­ner­a­bil­i­ties.

Ex­perts sug­gest that at­tacks will in­creas­ingly be di­rected at softer tar­gets in lo­ca­tions through which funds flow for tax ad­van­tage or com­mer­cial ex­pe­di­ency, and where tourism has be­come cen­tral to the sta­bil­ity of a na­tional or re­gional econ­omy.

While some Caribbean gov­ern­ments and com­pa­nies have be­gun to recog­nise the threat, strik­ingly not enough money or time is be­ing spent on up­grad­ing, pro­tect­ing or test­ing sys­tems re­lated to es­sen­tial in­fra­struc­ture, govern­ment

ser­vices, bank­ing and fi­nan­cial ser­vices, pri­vate-sec­tor op­er­a­tions, or on se­cur­ing me­dia sites.

In ad­di­tion, ac­cord­ing to the OAS/IDB re­port, mis­trust and an ab­sence of au­thor­i­ta­tive in­for­ma­tion on best prac­tices has led to an un­will­ing­ness to des­ig­nate in­di­vid­u­als in the po­lice or mil­i­tary as co­or­di­na­tors of cy­ber­se­cu­rity pol­icy devel­op­ment, or to build pub­lic-pri­vate part­ner­ships that might fi­nance and build cy­ber­se­cu­rity regimes.

As with so many mat­ters in the Caribbean, the chal­lenge is not in un­der­stand­ing the na­ture of the threat, but with im­ple­men­ta­tion.

Although gov­ern­ments and a num­ber of in­ter­na­tional agen­cies meet­ing in St Lu­cia in March signed off on ac­tion plan to strengthen re­gional co­op­er­a­tion in ar­eas such as train­ing, leg­is­la­tion, tech­ni­cal ca­pac­ity and law en­force­ment, since then progress has been slow.

To un­der­stand the scale of the prob­lems that need to be ad­dressed, one only has to read the coun­try-by-coun­try re­ports in Cy­ber­se­cu­rity: Are We Ready in Latin Amer­ica and the Caribbean jointly pub­lished ear­lier this year by the Or­gan­i­sa­tion of Amer­i­can States (OAS) and the In­terAmer­i­can Devel­op­ment Bank (IDB).

It makes clear that al­most all coun­tries in the re­gion have no over­all strat­egy, few rel­e­vant laws, and no genuine ca­pac­ity to re­spond to a cy­ber­at­tack.

ONLY ONE PRE­PARED

It sug­gests that the only coun­try in the an­glo­phone Caribbean that is well pre­pared is Trinidad, with Ja­maica not far be­hind. It notes that while An­tigua, The Ba­hamas, Do­minica, Haiti, and Suri­name are ‘in the process of ar­tic­u­lat­ing a po­ten­tial strat­egy’, there is no in­di­ca­tion when they will have in place the es­sen­tial com­po­nents.

As for the rest of CARICOM, the re­port sug­gests that ev­i­dence of progress is scant.

In the His­panic Caribbean, sur­pris­ingly, even the Do­mini­can Re­pub­lic, which is heav­ily de­pen­dent on con­nec­tiv­ity, was deemed to be poorly pre­pared. In con­trast, although not cov­ered by the study, Cuba is well equipped. Hav­ing estab­lished the Univer­si­dad de las Cien­cias In­for­mat­i­cas (UCI) in 2002, it now has some 14,000 grad­u­ates work­ing in all ar­eas of govern­ment and en­ter­prise and is con­se­quently un­der­stood to have ad­vanced cy­ber-de­fence mea­sures in place.

Un­for­tu­nately, there is a view in parts of the re­gion that the Caribbean is some­how im­mune or un­likely to be of in­ter­est to cy­ber­crim­i­nals, how­ever, one only has to con­sider the enor­mous sums of money trans­ferred reg­u­larly through the re­gion’s off­shore fi­nan­cial cen­tres, the com­mer­cially sen­si­tive doc­u­ments held in reg­istries and lawyers’ of­fices, mat­ters of na­tional se­cu­rity and crim­i­nal­ity that all gov­ern­ments reg­u­larly en­gage with, the ex­pan­sion of cit­i­zen­ship pro­grammes, and the mil­lions of daily com­mer­cial bank­ing trans­ac­tions to im­me­di­ately see the dan­gers cy­ber­crime poses to small na­tions.

The Caribbean and Latin Amer­ica have a small win­dow in which to de­velop strong and in­te­grated cy­ber­se­cu­rity net­works be­fore at­tack­ers be­gin to se­ri­ously ex­plore and in­fil­trate what is still a largely un­de­fended re­gion.

As The Ci­pher Brief puts it: “The ques­tion is whether gov­ern­ments have the po­lit­i­cal will, pri­vate in­dus­try is open to work­ing with the pub­lic sec­tor, and cit­i­zens start tak­ing re­spon­si­bil­ity for their own cy­ber se­cu­rity.”

I

David Jessop

THE VIEW FROM EUROPE

Newspapers in English

Newspapers from Jamaica

© PressReader. All rights reserved.