BY DAVID JESSOP — Cyber-security incidents are on the rise: According to PricewaterhouseCoopers’ Global State of Information Security Survey 2015, attacks rose internationally by 48 per cent in 2014, resulting in huge remedial and reputational costs to the companies and governments affected.
Despite this, the Caribbean remains woefully unprepared, with governments and parts of the private sector declining to take the matter seriously until being subjected to an attack.
The danger was borne out earlier this year when St Vincent and The Bahamas saw their government websites taken over by those claiming to support militant groups fighting in the Middle East.
These attacks might seem like matters of little consequence, but they are far from it.
They revealed not just the lack of appropriate security within government portals, but also the existence of outmoded IT systems and software with the potential, some experts suggest, to have compromised these governments’ internal communications. They also demonstrated the potential vulnerability that many, if not most, Caribbean states have to a cyber attack on critical infrastructure. Additionally, they highlighted the absence of local expertise or financial resource to address these weaknesses, leading the US and others to be invited to provide the necessary technical support and advice to remedy problems.
A growing threat: The events followed earlier reports of attacks on Jamaican government sites in 2014, in a number of OECS nations in 2012, and on sensitive government servers in Trinidad and the Dominican Republic, as well as on a number of significant Caribbean companies.
In trying to address what is a growing global threat, some governments and companies are being proactive. Following the St Vincent attack, for example, the St Lucia government has said it is strengthening its cyber-security and is encouraging collaboration at a national, regional and international level. The Bahamas has said that it recognises the need for professional monitoring. Jamaica is utilising international technical assistance, developing a national cyber security strategy, and has established a cyber incident response team, in addition to drafting relevant laws.
Despite this, anyone who takes the time to read the full 2014 and 2015 reports on the subject produced by the Organisation of American States (OAS) cannot help but conclude that the region has a very long way to go, or that for the majority, the pace of the response is slow. Moreover, the OAS April 2015 ‘Report on Cybersecurity and Critical Infrastructure in the Americas’ makes clear that the threat is moving on and attacks on critical infrastructure increasingly represent a serious new vulnerability for the region.
This means that everything from government databases and email communications, to national commercial banking and financial systems, to the control of the energy supply and other utilities, is now subject to attack from cyber-criminals seeking financial gain or those undertaking hostile political acts.
A growing problem: In the executive summary of its 2015 report, the OAS notes that almost all countries in the Latin American and Caribbean region now recognise that attacks targeting infrastructure represent a clear danger, are increasing in frequency, and their sophistication is dramatically evolving.
However, it concludes that a tipping point looms: ‘As attacks continue or worsen in frequency and sophistication and focus not just on disrupting critical infrastructure but also compromising key information that could be used in the future, defenders may soon find themselves short in terms of the support necessary to stave off threats. The lack of funding and an unmet desire for government leadership in this area leaves defenders feeling increasingly left on their own’.
This column, at intervals over the last four years, has suggested that Caribbean governments and companies need to take much more seriously the threat posed by cyber attack and cyber crime, citing evidence that suggests that the region was increasingly subject to attack.
However, as the OAS has indicated, the issue is now taking on dimensions that go beyond previous breaches of national security, criminal activity or malicious behaviour.
Possible solutions: As governments encourage the growth of digitised, knowledge-based, services-oriented economies in which e-government and connectivity are used to drive productivity and growth, national cyber security needs to be seen as a core cost for governments (despite tight budgets) and just as important as physical security.
Recent developments also demonstrate that there has to be closer public sector-private sector cooperation than is usually seen in the Caribbean, to develop systems and secure forms of information exchange, as cyber security touches both the viability of nations and individual enterprises.
Programmes need to be specifically aimed at the banking, finance and tourism sectors, which are particularly vulnerable, in that damage caused can have an adverse reputational and economic effect for years to come on a brand or a product.
There needs to be a rapid growth in trusted Caribbean companies with an outreach to international expertise able to undertake vulnerability assessments, penetration testing, compliance and security awareness training.
The issue should also become the subject of broader inter-regional, hemispheric and international co-operation as the threat crosses all boundaries.
When it comes to the law, few Caribbean nations have any, let alone modern, legislation against electronic crimes. All Caribbean jurisdictions need the necessary legislation, regulations or infrastructure to address cyber-crimes, making it punishable to violate a network. It also remains far from clear whether regional law enforcement agencies have the legal cover to co-operate with external government agencies in this area, given that most cyber crimes are extraterritorial.
Experts suggest that future attacks will increasingly be directed to softer targets in locations through which huge sums of money flow electronically for tax efficiency or advantage, such as those areas with infrastructure links to the United States and Europe, and in regions where the success of a sector such as tourism is central to the stability of a national or regional economy.
As events in St Vincent and The Bahamas earlier this year demonstrate, the nature of cyber attacks is changing. Cyber-defence is no longer an issue only for developed countries.