Action needed to address Caribbean cyber security
Just over a week ago Google, Facebook, Amazon,Twitter, Netflix, Visa and many more premium providers of global web services, temporarilywent offline. This was because they had indirectly suffered the effects of a DistributedDenial of Service (DDoS) attack on Dyn, a largely unknown intermediary thatenables web users to access the addresses of major web sites.
Experts say that it may have been thebiggest DDoS attack ever mounted, because it brought down a key gateway, and washighly sophisticated in the way in which sent huge volumes of data, causing Dyn’sservers to deny access to its clients.
What was unusual was that the event inpart was delivered through insecure smart devices – the so-called internet ofthings – including everyday items linked to the internet like web cams, babymonitors, smart TVs and dvd players, and even fridges and central heatingsystems.
Apart from indicating an absence ofserious thinking about security by those who design and sell such web linked productsand regulations to govern them, it demonstrated that it is now possible to indirectlyshut down or disrupt essential on-line services.
Reports in the trade press suggest thatso serious have DDoS attacks in general become, that more than 30 per cent are nowlarge enough to swamp almost any business or poorly protected government.
While few Caribbean cases of DDoS orcyber-crime ever become public, because of the perceived reputational damage,there are ample reports of the existence of cyber-attacks, including theft frombanks; the hacking of government websites in the Bahamas and St Vincent by agroup claiming to be supporters of ISIS; ransomware attacks on some Caribbeantax authorities; and most recently, the publication online in interrogatableform of 1.3m files from the Bahamas’ corporate registry.
These revealed not just the lack ofappropriate security within government portals, but the existence of outmodedIT systems and software with the potential, some experts suggest, to havecompromised government’s internal communications. They also highlighted the region’svulnerability, and the absence of local expertise or financial resource toaddress weaknesses, leaving others to be invited in to provide the necessarytechnical support and to remedy problems.
According to a joint study by the Centerfor Strategic Studies and McAfee published earlier this year, Latin America andthe Caribbean (LAC) has become a new frontier for cyber-attacks and crime at anestimated cost of around US$90 billion per year.
The Cipher Brief, a digital,security-based platform that connects the private sector with the world’sleading security experts, recently noted that twelve per cent of DDoS attacks nowtarget the LAC region, and that the number is escalating. It is also the casethat there has been a dramatic rise in the number of people, including tourists,with access to Internet-connected devices, potentially increasing nationalvulnerabilities.
Experts suggest attacks willincreasingly be directed at softer targets in locations through which fundsflow for tax advantage or commercial expediency, and where tourism has becomecentral to the stability of a national or regional economy.
While some Caribbean governments andcompanies have begun to recognise the threat, strikingly not enough money ortime is being spent on upgrading, protecting or testing systems related toessential infrastructure, government services, banking and financial services,private sector operations, or on securing media sites.
In addition, according to the OAS/IDBreport, mistrust and an absence of authoritative information on best practicehas led to an unwillingness todesignate individuals in the police or military as coordinators ofcybersecurity policy development, or to build public-private partnerships thatmight finance and build cyber security regimes.
As with so many matters in the Caribbean,the challenge is not in understanding the nature of the threat, but withimplementation.
Although governments and a number ofinternational agencies meeting in St Lucia in March signed-off on action planto strengthen regional co-operation in areas such as training, legislation,technical capacity and law enforcement, since then progress has been slow.
To understand the scale of the problemsthat need to be addressed one only has to read the country by country reportsin ‘Cybersecurity Are We Ready in Latin America and the Caribbean’ jointly publishedearlier this year by the Organisation of American States (OAS) and theInter-American Development Bank (IDB).
It makes clear that almost all countriesin the region have no overall strategy, few relevant laws and no genuine capacityto respond to a cyber-attack.
It suggests that the only country in theAnglophone Caribbean that is well prepared is Trinidad, with Jamaica not farbehind. It notes that while Antigua, TheBahamas, Dominica, Haiti, and Suriname, are ‘in the process of articulating apotential strategy’, there is no indication when they will have in place theessential components. As for the rest of CARICOM, the report suggest that evidenceof progress is scant.
In the Hispanic Caribbean, surprisingly,even the Dominican Republic which is heavily dependent on connectivity, wasdeemed to be poorly prepared. In contrast, although not covered by the study,Cuba is well equipped. Having established the Universidad de las CienciasInformáticas (UCI) in 2002, it now has some 14,000 graduates working in allareas of government and enterprise, and is consequently understood to have advancedcyber defence measures in place.
Unfortunately, there is a view in partsof the region that the Caribbean is somehow immune or unlikely to be ofinterest to cyber criminals. However, one only has to consider the enormoussums of money transferred regularly through the region’s offshore financial centres,the commercially sensitive documents held in registries and lawyer’s offices, mattersof national security and criminality that all governments regularly engage with,the expansion of citizenship programmes, and the millions of daily commercial bankingtransactions, to immediately see the dangers cybercrime poses to small nations.
The Caribbean and Latin America have asmall window in which to develop strong and integrated cybersecurity networksbefore attackers begin seriously to explore and infiltrate what is still alargely undefended region. As The Cipher Report puts it: ‘The question iswhether governments have the political will, private industry is open toworking with the public sector, and citizens start taking responsibility fortheir own cyber security’.
DavidJessop is a consultant to the Caribbean Council and can be contacted at [email protected]
Previouscolumns be found at www.caribbean-council.org