Mon | Oct 2, 2023

David Jessop | New threats to Caribbean cyber security

Published:Friday | August 14, 2015 | 3:00 PM

Cybersecurity incidents continue to rise. According to PwC's Global State of Information Security Survey 2015, attacks rose internationally by 48 per cent in 2014, resulting in huge remedial and reputational costs to the companies and governments concerned.

Despite this, the Caribbean remains woefully unprepared with governments and parts of the private sector declining to take the matter seriously until subject to an attack.

The danger was borne out earlier this year when St Vincent & the Grenadines and The Bahamas saw their government websites taken over by those claiming to support militant groups fighting in the Middle East.

These attacks, while seemingly matters of little consequence, were far from it. They revealed not just the lack of appropriate security within government portals, but the existence of outmoded IT systems and software with the potential, some experts suggest, to have compromised government's internal communications.

They also demonstrated the potential vulnerability many, if not most Caribbean states, have to a cyber attack on critical infrastructure.

Additionally, they highlighted the absence of local expertise or financial resource to address weaknesses, leading to the US and others being invited to provide the necessary technical support and advice to remedy problems.

The events followed earlier reports of attacks on Jamaican government sites in 2014, in a number of OECS (Organization of Eastern Caribbean States) nations in 2012, and on sensitive government servers in Trinidad and the Dominican Republic, as well as on a number of significant Caribbean companies.

In trying to address what is a growing global threat, some governments and companies are being proactive. Following the St Vincent attack, for example, the St Lucia government has said it is strengthening its cyber-security and is encouraging collaboration at the national, regional and international levels.

The Bahamas has said that it recognises the need for professional monitoring, and Jamaica is utilising international technical assistance, is developing a national cybersecurity strategy, has established a cyber incident response team, and has drafted relevant laws.

Despite this, anyone who takes the time to read the full 2014 and 2015 reports on the subject produced by the Organisation of American States (OAS) cannot help but form the view that the region has a very long way to go, or that for the majority, the pace of the response is slow.

Moreover, the OAS's April 2015 'Report on Cybersecurity and Critical Infrastructure in the Americas' makes clear that the threat is expanding and attacks on critical infrastructure increasingly represent a serious new vulnerability for the region.

By this, what is meant is that everything - from government's databases and email communications, through national commercial banking and financial systems, to the control of the energy supply and other utilities, and communications at a national and dedicated level - is now subject to attack from cyber criminals seeking financial gain or by those undertaking hostile political acts.

In the executive summary of its 2015 report, the OAS notes that almost all countries in the Latin American and Caribbean region now recognise that attacks targeting infrastructure represent a clear danger, are increasing in frequency, and their sophistication is dramatically evolving.

However, it concludes that a tipping point looms.

"As attacks continue or worsen in frequency and sophistication, and focus not just on disrupting critical infrastructure, but also compromising key information that could be used in the future, defenders may soon find themselves short in terms of the support necessary to stave off threats. The lack of funding and an unmet desire for government leadership in this area leaves defenders feeling increasingly left on their own," the report said.

This column, at intervals over the last four years, has suggested that Caribbean governments and companies need to take much more seriously the threat posed by cyber attack and cyber crime, citing evidence that suggests that the region was increasingly subject to attack.

However, as the OAS has indicated, the issue is now taking on dimensions that go beyond previous breaches of national security, criminal activity or malicious behaviour.

As governments encourage the growth of digitised, knowledge-based, service-oriented economies in which government and connectivity are used to drive productivity and growth, the suggestion is that despite hard-pressed budgets, national cybersecurity needs to be seen as a core cost for governments and just as important as physical security.

Recent developments also demonstrate that there has to be closer public sector-private sector cooperation of a kind not usual in much of the Caribbean, to develop systems and secure forms of information exchange as cybersecurity touches both the viability of nations and individual enterprises.

Programmes need to be instituted, specifically aimed at the banking, finance and tourism sectors, which are particularly vulnerable from the perspective that damage caused can have an adverse reputational and economic effect for years to come on a brand or a product.

There needs to be rapid growth in trusted Caribbean companies with an outreach to international expertise able to undertake vulnerability assessments, penetration testing, compliance and security-awareness training.

The issue should also become the subject of broader inter-regional, hemispheric and international cooperation, as the threat crosses all boundaries.

When it comes to the law, few Caribbean nations have any, let alone modern legislation against electronic crimes. All Caribbean jurisdictions need the necessary legislation, regulations or infrastructure to address cyber crimes, making it punishable to violate a network.

It also remains far from clear whether regional law-enforcement agencies have the legal cover to cooperate with external government agencies in this area, given that most cyber crimes are extraterritorial.

Experts suggest that future attacks will increasingly be directed to softer targets in locations through which huge sums of money flow electronically for tax efficiency or advantage, those areas with infrastructure links to the United States and Europe, and at regions where the success of a sector such as tourism is central to the stability of a national or regional economy.

As events in St Vincent and The Bahamas earlier this year demonstrate, the nature of cyber attacks is changing. Cyber defence is no longer an issue only for developed countries.

n David Jessop is a consultant to the Caribbean Council.