David Jessop | Action needed to address Caribbean cybersecurity
Just over a week ago Google, Facebook, Amazon, Twitter, Netflix, Visa and many more premium providers of global web services temporarily went offline.
This was because they had indirectly suffered the effects of a Distributed Denial of Service (DDoS) attack on Dyn, a largely unknown intermediary that enables web users to access the addresses of major websites.
Experts say that it may have been the biggest DDoS attack ever mounted because it brought down a key gateway, and was highly sophisticated in the way in which it sent huge volumes of data, causing Dyn's servers to deny access to its clients.
What was unusual was that the event in part was delivered through unsecured smart devices - the so-called Internet of things - including everyday items linked to the Internet like webcams, baby monitors, smart TVs and DVD players, and even fridges and central heating systems.
Apart from indicating an absence of serious thinking about security by those who design and sell such web-linked products and regulations to govern them, it demonstrated that it is now possible to indirectly shut down or disrupt essential online services.
WIDESPREAD ATTACKS
Reports in the trade press suggest that so serious have DDoS attacks in general become that more than 30 per cent are now large enough to swamp almost any business or poorly protected government.
While few Caribbean cases of DDoS or cybercrime ever become public, because of the perceived reputational damage, there are ample reports of the existence of cyberattacks, including theft from banks; the hacking of government websites in the Bahamas and St Vincent by a group claiming to be supporters of ISIS; ransomware attacks on some Caribbean tax authorities; and most recently, the publication online in interrogatable form of 1.3 million files from the Bahamas' corporate registry.
These revealed not just the lack of appropriate security within government portals, but the existence of outmoded IT systems and software with the potential, some experts suggest, to have compromised governments' internal communications. They also highlighted the region's vulnerability and the absence of local expertise or financial resource to address weaknesses, leaving others to be invited in to provide the necessary technical support and to remedy problems.
According to a joint study by the Center for Strategic Studies and McAfee published earlier this year, Latin America and the Caribbean (LAC) has become a new frontier for cyberattacks and crime at an estimated cost of around US$90 billion per year.
The Cipher Brief, a digital, security-based platform that connects the private sector with the world's leading security experts, recently noted that 12 per cent of DDoS attacks now target the LAC region and that the number is escalating. It is also the case that there has been a dramatic rise in the number of people, including tourists, with access to Internet-connected devices, potentially increasing national vulnerabilities.
Experts suggest that attacks will increasingly be directed at softer targets in locations through which funds flow for tax advantage or commercial expediency, and where tourism has become central to the stability of a national or regional economy.
While some Caribbean governments and companies have begun to recognise the threat, strikingly not enough money or time is being spent on upgrading, protecting or testing systems related to essential infrastructure, government services, banking and financial services, private-sector operations, or on securing media sites.
In addition, according to the OAS/IDB report, mistrust and an absence of authoritative information on best practices has led to an unwillingness to designate individuals in the police or military as coordinators of cybersecurity policy development, or to build public-private partnerships that might finance and build cybersecurity regimes.
As with so many matters in the Caribbean, the challenge is not in understanding the nature of the threat, but with implementation.
Although governments and a number of international agencies meeting in St Lucia in March signed off on action plan to strengthen regional co-operation in areas such as training, legislation, technical capacity and law enforcement, since then progress has been slow.
To understand the scale of the problems that need to be addressed, one only has to read the country-by-country reports in Cybersecurity: Are We Ready in Latin America and the Caribbean jointly published earlier this year by the Organisation of American States (OAS) and the Inter-American Development Bank (IDB).
It makes clear that almost all countries in the region have no overall strategy, few relevant laws, and no genuine capacity to respond to a cyberattack.
ONLY ONE PREPARED
It suggests that the only country in the anglophone Caribbean that is well prepared is Trinidad, with Jamaica not far behind. It notes that while Antigua, The Bahamas, Dominica, Haiti, and Suriname are 'in the process of articulating a potential strategy', there is no indication when they will have in place the essential components.
As for the rest of CARICOM, the report suggests that evidence of progress is scant.
In the Hispanic Caribbean, surprisingly, even the Dominican Republic, which is heavily dependent on connectivity, was deemed to be poorly prepared. In contrast, although not covered by the study, Cuba is well equipped. Having established the Universidad de las Ciencias Informaticas (UCI) in 2002, it now has some 14,000 graduates working in all areas of government and enterprise and is consequently understood to have advanced cyber-defence measures in place.
Unfortunately, there is a view in parts of the region that the Caribbean is somehow immune or unlikely to be of interest to cybercriminals, however, one only has to consider the enormous sums of money transferred regularly through the region's offshore financial centres, the commercially sensitive documents held in registries and lawyers' offices, matters of national security and criminality that all governments regularly engage with, the expansion of citizenship programmes, and the millions of daily commercial banking transactions to immediately see the dangers cybercrime poses to small nations.
The Caribbean and Latin America have a small window in which to develop strong and integrated cybersecurity networks before attackers begin to seriously explore and infiltrate what is still a largely undefended region.
As The Cipher Brief puts it: "The question is whether governments have the political will, private industry is open to working with the public sector, and citizens start taking responsibility for their own cyber security."
- David Jessop is a consultant to the Caribbean Council. david.jessop@caribbean-council.org