A look at why Caribbean cyber security is important, Caribbean experiences achieving cyber security, why an effective strategy is critical and the importance of an effective Information Governance strategy.
2. In Brief
• 17 years ICT experience, 5 of which in Senior Professional roles delivering major Telecommunications and Information Security projects.
• 2008: Founding member of Information Security focused Organizational Unit. Established digital forensics lab, had oversight of vulnerability analysis and penetration testing, assisted policy development process.
• M.Sc. Information Security from University College London
• Information Security Advisory & ICT Programme Management
3. The Caribbean Is Immune…Is it?
• Feb 2014: NGC issues Invitation to Prequalify document for Audit Services citing: “Information and Communication Technology, Systems and Controls review” and “CYBERCrime” (Trinidad)
• Nov 2013: TSTT issues Network & Session Initiation Protocol (SIP) Security Audit RFP. Prior news reports speak to several mobile and bypass fraud activities (Trinidad)
• Nov 2013: Flow identifies cybersecurity as a major threat (Jamaica)
• Mar 2012: LIME Internet infrastructure attacked (Barbados)
5. TT Parliament Website hacked, April 2012
“Greatz to admin, Your website hacked due to security vulnerabilities, patch your website, keep it updated. Don’t worry all your files and your database are still here. This is a warning, what other hackers can do to your website. Keep it in mind,”
CoD3X
6. What is Cyber Security?
Source: Adapted from ISO, ISO/IEC FCD 27032, Information technology—Security techniques—Guidelines for cybersecurity, May, 2011.
http://www.unapcict.org/ecohub/apcict-knowledge-sharing-series-cybersecurity/at_download/attachment1
7. Cybercrime & Developing Economies
Source: McAfee, Net Losses: Estimating the Global Cost of Cybercrime (Economic Impact of Cybercrime II)
• Cybercrime produces high returns at low risk and (relatively) low cost for the hackers.
• Most cybercrime incidents go unreported. Few of the biggest cybercriminals have been caught or even identified.
• High-income countries’ losses averaged 0.9% of GDP; developing economies’ losses averaged 0.2% of GDP.
• This trend can shift as developing economies increase their access to and use of the internet for commercial purposes and as cybercriminals continue to refocus their activities onto mobile platforms.
• Wealthier countries are more attractive targets for hackers, but they also have better defenses. Developing economies are more vulnerable.
• Strong correlation between national income levels and losses from cybercrime, since the risk to the cybercriminal is the same whether the target is rich or poor.
8. Varying Levels of Caribbean Readiness
• International bodies incl. OAS, ITU and the Commonwealth Cybercrime Initiative (CCI) are ready and willing to assist; however, there seems to be a lack of corresponding urgency, or an inability to receive such assistance, on the part of Caribbean governments. Lack of cyber security champions on board!
• There is an undertow of dissatisfaction with the model law documents produced from the EGRIP and HIPCAR exercises. This is not only at the technical level!
• Dominica’s novel approach: seek guidance from CCI in executing a Cyber-security Needs Assessment Workshop and ensure that legislative efforts and the Cybercrime Strategy are in accordance with the Budapest Convention on Cybercrime.
9. Authoritative Sources of Information
• 2012: OAS, CICTE & CTU Cyber Security Framework. Very digestible, providing short-, medium- & long-term prioritization of recommendations towards implementation for the Caribbean
• 2014: OAS/Symantec, Cyber Security trends & development in 13 CARICOM states
• 2012: UNESCAP / ACPiCT, General Understanding of Cyber Security
• 2011: ITU Comprehensive Cyber Security National Strategy guide
• CTO website: National Cyber Security strategies from various countries
• 2013: UNODC Comprehensive Study on Cybercrime
10. CARICOM Cyber Security Impediments
Columns: Member | Recognition | Strategy, Policy | Legislation | CSIRT | Funding | People Capacity Building | Awareness
Ant. & Barbuda X X X X
Barbados X
Dominica X X X
Grenada X
Guyana X X X
Haiti X X
Jamaica X X X
St. Kitts & Nevis
X X X
STVG
Suriname X X X X X
TTO X X X X
Distilled from: OAS/Symantec Latin American + Caribbean Cyber Security Trends, June 2014
11. Common Themes in Cyber Security Development
• National Cyber Security Strategy (NCSS)
  • Framework, Agenda, Strategy, Policy
• Legislation
  • Council of Europe Budapest Convention
• Cybercrime Unit
  • Digital forensics, cybercrime investigations
• CSIRT
  • Collaboration, partnerships, communication within CSIRT network
• Capacity building
• Awareness
  • Child protection, cyber security, phishing, email security etc.
• Education
  • Availability of tertiary education in the area of Information Security
• Info Sharing, Incident Reporting
  • Legal obligation to report incidents
  • Information sharing between private sector and Government
• Statistics & Benchmarking
• International Assistance
  • OAS, CTU, CICTE
  • ITU, Commonwealth Secretariat, CCI, IMPACS
13. Missing Components
• Lack of technical expertise (capacity building only after the fact)
• The Cybersecurity champion (need someone to drive the local/regional effort)
• Intersection between Policy and Technology: a gap to be filled
• Private sector involvement (lots to learn from the private sector here)
14. Proposed Cyber Security NCSS Aims & Structure
Structure
1) Executive summary.
2) Introduction.
3) Strategic national vision on cyber security.
4) Relationship of the NCSS with other strategies, both national and international, and existing legal frameworks.
5) Guidance principles.
6) Relationship with other strategies, both national and international, and existing legal frameworks.
7) Cyber security objective(s), preferably one to four.
8) Outline of the tactical action lines.
9) Glossary, preferably based on an international harmonised set of definitions.
10) [Optional] Annex. Envisioned operational activities defined in a SMART way.
Aims
1) To align the whole of government.
2) To coherently focus and coordinate public and private planning and to convey the envisioned roles, responsibilities and relationships between all stakeholders.
3) To convey one’s national intent to other nations and stakeholders.
Luiijf, Eric, Kim Besseling, and Patrick De Graaf. "Nineteen national cyber security strategies." International journal of critical infrastructures 9, no. 1 (2013): 3-31.
15. Noteworthy NCSS Vision, Objectives & Principles
Vision
• Estonia: Advocates international cooperation and supports the enhancement of cyber security in other countries
• 8 nations (including AUS, GER, UK, IND, JPN, UGA): Economic prosperity of the digital society
Objective
• France: Stated ambition to become a world power in cyber security and maintain information superiority within cyberspace
• Japan: Explicitly recognizes the need for agile adaptation to new and upcoming cyber security threats including IPv6, appliances & cloud computing
• UK: Use of intelligence on adverse actors to disrupt cyber crime and to reduce the motivation and capabilities of cyberspace adversaries
Guiding Principles
• 8 nations: Civil liberties and other (inter)national democratic core values
• 8 nations: Cooperation and public-private partnerships (PPP)
• All nations explicitly address protection of their own CIs, including the government’s own ICT (except Uganda)
• All nations mention a plan to develop a cyber security awareness programme (except South Africa)
Luiijf, Eric, Kim Besseling, and Patrick De Graaf. "Nineteen national cyber security strategies." International journal of critical infrastructures 9, no. 1 (2013): 3-31.
16. TT Cybercrime Bill 2014, §23 "Offence by body corporate"
Where a body corporate commits an offence under this Act and the Court is satisfied that a director, manager, secretary or other similar officer of the body corporate, or any person who purports to act in such capacity–
(a) connived in or consented to the commission of the offence; or
(b) failed to exercise due diligence to prevent the commission of the offence,
the director, manager, secretary or other similar officer or person purporting to act in that capacity also commits the offence.
17. Information Security Governance Required
• This now places responsibility and accountability on an individual within the organization to ensure that the organization’s ICT infrastructure, processes and people do not pose a threat to the public network and its constituents, which also includes “critical infrastructure” elements.
19. Securing People and Processes
• Information Security must become part of the Risk Management strategy.
• Senior/Executive management must have oversight of and be responsible for Information Security Governance.
• Information Security must be properly aligned with organizational structure and organizational behaviour.
• Information Security-specific roles.
• Change user behaviours to foster a culture of Information Security.
20. Securing People and Processes
• Information Security at the design stage of a project’s System Development Life Cycle.
• Continuous awareness of the evolution of external (and internal) threats.
• When incidents do occur, proper escalation procedures and remediation efforts need to be in place.
• Controls and response in accordance with international Information Security standards such as ISO 27001 (2013).
Notes: (less intellectual property at risk in lesser developed economies, better loss accounting in high-income ones) (banks deny attacks; lesser developed nations do not collect data).
Other: CTO website, National Cyber Security strategies from various countries
Advanced, re cybercrime: UNODC Comprehensive Study on Cybercrime (Draft, February 2013)