Fri | Jun 18, 2021

David Jessop | Cybersecurity an unavoidable priority

Published:Sunday | May 9, 2021 | 12:09 AM

If the pandemic has demonstrated anything it is that much-improved Internet connectivity, reliability, and security have become unavoidable priorities for the Caribbean.

Since March of last year when governments, enterprise, and much of the world all but closed their doors to transacting business in person, the region has only been able to function because of the relative ubiquity of the Internet and the ability to operate online.

Although much of the region has high levels of connectivity – the website Internet World Stats indicates a 60.1 per cent penetration rate last year for the region as a whole – the rate is notably much lower in Haiti, and surprisingly, parts of the French-speaking Caribbean.

However, this is not to say that providers across the region have systems able to provide the coverage, stability, or speed required to allow the Caribbean to compete globally or to support the services industries that might make more competitive a geographically fragmented region remote from its major markets.

COVID has more than made the case for regional economic recovery to focus in part on building the infrastructure for affordable 5G coverage, and the speed, capacity, and connectivity required to spur efficiency, diversification, and better governance.

While the geopolitical debate will continue to rage over who is going to provide and fund Caribbean 5G services, just as important is the growing global cybersecurity threat from a range of hostile actors.

Understandably, Caribbean governments and businesses do not discuss in detail the nature of the provisions they have made or are planning to protect critical infrastructure, banking, and financial systems, key sectors and larger enterprises, let alone national security.

However, the rising level of potential threat to Caribbean governments and commerce and the need for every nation in the region to develop much stronger cyber defence capabilities is apparent in the increasing number of references in the statements and communiqués that follow regional and international meetings.

Of these, the most explicit mention came after this year’s virtual UK-Caribbean Forum. A communiqué recognised the critical role cyberspace plays in the economic, social, cultural, and political life of the region, noting ministers’ emphasis on the importance of protecting critical national infrastructure and the need for an ‘effective and proportionate’ domestic response. An action plan made clear that Britain will support Caribbean capacity building and provide practical help to Caribbean agencies making use of the United Kingdom’s widely acknowledged advanced cyber expertise and capabilities.

That the threat in a Caribbean context is real and actually reputationally damaging should by now be beyond doubt.

In February, it became clear that Jamaica had suffered a massive data breach that exposed the immigration and COVID-19 records of hundreds of thousands of people from North America, Europe, and elsewhere who had used its Jamcovid19 app.

Whether this resulted in the exfiltration of such information for malicious use is unclear, but it was a wake-up call. Prime Minister Andrew Holness subsequently insisted that plans for building cyber resilience in Jamaica must be accelerated. This would, he said, result in the construction of “a robust governance framework and infrastructure for cybersecurity” within ‘Plan Secure Jamaica’.

This involves the development of a new national cybersecurity strategy, the creation of a new cyber academy, inter-agency cooperation, external support, and establishing a cross-government cyber analysis team. Separately, other ministers have acknowledged that the country is undertaking with Israeli support the development of cyber-systems for ‘constant monitoring’, legislative changes, and a training component for the military.

Jamaica’s aim is to ensure that all GOJ websites and networks are compliant with international standards and best practice, an approach that coincides with increasing instances of malicious cyber-attacks directed at governments and private entities worldwide.

Of these, the most staggering example has been the revelation that the US government, NATO, the European Parliament, and about 16,000 other government and large-company systems worldwide were compromised in December 2019 through the hacking, principally of a network management system, Orion, using a product from SolarWinds.

The supply-chain attack, which went undetected for over a year, appears to have provided access in ways that are reportedly still proving hard to discover because of the sophistication of the hacker’s methods of entry and exit.

So serious has the breach been that apart from imposing new sanctions on Russia, the alleged perpetrator – Washington says it is “highly confident”’ that state-linked hacker ‘Cozy Bear’ was behind the “broad-scope cyber espionage campaign” – it is expected that US President Biden will shortly sign a new cyber executive order. This will establish a basis for corporate reporting of cyber breaches, the systematic investigation of cyber events, and establish standards for software development.

Notwithstanding, cybersecurity should not be seen as just an issue for governments.

A recent PwC Global CEO Survey found that among Caribbean CEOs, 67 per cent said that the issue was their leading concern, with many pointing to a significant increase in incidents in 2020, including ransomware attacks. Fifty per cent reported increased spending of 10 per cent or more in response.

Because of the overriding economic implications now and for the future, ensuring regular security audits, penetration testing, and forensic investigations involving both local and international partners should be seen as a joint public-private responsibility.

As ransomware attacks on UK hospitals and schools, cyber-related attempts at poisoning the water supply in Florida, and the threats and blackmail against large companies such as Sony Pictures all demonstrate, no one is immune from risk, whether an attack comes from terrorists, organised crime, or a malicious state actor.

This is the time when every Caribbean government and their agencies and regional businesses should be thinking about how they respond jointly to the increasing threat.

They need to be more pre-emptively aware of their vulnerability, the implications for a regionally connected digital society, and the need to for robust legislation that also ensures the protection of an individual’s rights and the use of their data.

- David Jessop is a consultant to the Caribbean Council. Email: To access previous columns, visit: