New threats to Caribbean cyber security

Cyber-security incidents continue to rise. Accordingto PwC’s Global State ofInformation Security Survey 2015, attacksrose internationally by 48 per cent in 2014 resulting in huge remedial andreputational costs to the companies and governments concerned.

Despite this, the Caribbean remains woefullyunprepared with governmentsand parts of the private sector declining to take the matter seriously untilsubject to an attack.

Thedanger was borne out earlier this year when St Vincent and The Bahamas saw theirgovernment websites taken over by those claiming to support militant groups fightingin the Middle East.

Theseattacks, while seemingly matters of little consequence were far from it. Theyrevealed not just the lack of appropriate security within government portals,but the existence of outmoded IT systems and software with the potential, someexperts suggest, to have compromised government’s internal communications. Theyalso demonstrated the potential vulnerability many if not most Caribbean stateshave to a cyber attack on critical infrastructure. Additionally they highlightedthe absence of local expertise or financial resource to address weaknesses, leadingthe US and others to be invited to provide the necessary technical support andadvice to remedy problems.

The eventsfollowed earlier reports of attacks on Jamaican government sites in 2014, in anumber of OECS nations in 2012, and on sensitive government servers in Trinidadand the Dominican Republic, as well as on a number of significant Caribbeancompanies.

Intrying to address what is a growing global threat, some governments andcompanies are being proactive. Following the St Vincent attack, for example,the St Lucia government has said it is strengthening its cyber-security and isencouraging collaboration at a national, regional and international level. The Bahamas has said that it recognisesthe need for professional monitoring, and Jamaica is utilisinginternational technical assistance, is developing a national cyber security strategy,has established a cyber incident response team, and has drafted relevant laws.

Despite this, anyone who takes the time to read thefull 2014 and 2015 reports on the subject produced by the Organisation ofAmerican States (OAS) cannot help but form the view that the region has a very longway to go, or that forthe majority, the pace of the response is slow. Moreover, the OAS’s April2015 ‘Report on Cyber security and critical infrastructure in the Americas’ makesclear that the threat is moving on and attacks on critical infrastructure increasinglyrepresent a serious new vulnerability for the region.

By this what is meant is that everything from government’sdatabases and email communications, through national commercial banking andfinancial systems, to the control of the energy supply and other utilities, andcommunications at a national and dedicated level, are now subject to attackfrom cybercriminals seeking financial gain or by those undertaking hostile politicalacts.

In the executive summary of its 2015 report the OAS notesthat almost all countries in the Latin American and Caribbean region now recognisethat attacks targeting infrastructure represent a clear danger, are increasingin frequency, and their sophistication is dramatically evolving.

However, it concludes that a tipping point looms: ‘Asattacks continue or worsen in frequency and sophistication and focus not juston disrupting critical infrastructure but also compromising key informationthat could be used in the future, defenders may soon find themselves short interms of the support necessary to stave off threats. The lack of funding and anunmet desire for government leadership in this area leaves defenders feelingincreasingly left on their own’.

This column, at intervals over the last four years, hassuggested thatCaribbean Governments and companies need to take much more seriously the threatposed by cyber attack and cyber crime, citing evidence that suggests that theregion was increasingly subject to attack.

However,as the OAS has indicated, the issue is now taking on dimensions that go beyondprevious breaches of national security, criminal activity or maliciousbehaviour.

Asgovernments encourage the growth of digitised knowledge-based,services-oriented economies in which e.government and connectivity are used todrive productivity and growth, the suggestion is that despite hardpressed budgets, national cyber security needs to be seen as a core cost forgovernments and just as important as physical security.

Recent developments also demonstrate that there has tobe closer public sector-private sector co-operation of a kind not usual in muchof the Caribbean, to develop systems and secure forms of information exchangeas cyber security touches both the viability of nations and individualenterprises.

Programmesneed to be instituted specifically aimed at the banking, finance and tourismsectors which are particularly vulnerable from the perspective that damagecaused can have an adverse reputational and economic effect for years to comeon a brand or a product

There needs to be a rapid growth in trusted Caribbeancompanies with an outreach to international expertise able to undertakevulnerability assessments, penetration testing, compliance and securityawareness training.

Theissue should also become the subject of broader inter-regional, hemispheric andinternational co-operation as the threat crosses all boundaries.

When it comes to the law, few Caribbean nations haveany, let alone modern legislation against electronic crimes. All Caribbeanjurisdictions need the necessary legislation, regulations or infrastructure to address cybercrimes making it punishable toviolate a network. It is also remains far from clear whether regional lawenforcement agencies have the legal cover to co-operate with externalgovernment agencies in this area, given that most cyber crimes areextraterritorial.

Expertssuggest that future attacks will increasingly be directed to softer targets in locationsthrough which huge sums of money flow electronically for tax efficiency oradvantage, those areas with infrastructure links to the United States andEurope, and at regions where the success of a sector such as tourism is centralto the stability of a national or regional economy.

As events in St Vincent and The Bahamas earlier thisyear demonstrate, the natureof cyber attacks is changing. Cyber defence is no longer an issue only fordeveloped countries.

DavidJessop is a consultant to the Caribbean Council and can be contacted at

david.jessop@caribbean-council.org

Previouscolumns can be found at www.caribbean-council.org