Escalating cyber security up the political agenda
In the final day of the CTU-organised 10th Ministerial Seminar, the discussions sought to galvanise Caribbean countries to more decisive action on cyber security.
Wednesday, 30 May, day 2 and the last day of the 10th Ministerial Strategic Seminar, hosted by the Caribbean Telecommunications Union (CTU), focussed almost exclusively on cyber security, which the organisation believes is a critical issue yet to be decisively addressed in the region. Moreover, the experts in our three-part series on cyber security and threats (who were from Barbados, Jamaica and Trinidad and Tobago), all corroborated this view that cyber crime is highly prevalent in the Caribbean. Hence Wednesday’s session sought not only to highlight the current situation, but also to provide some strategies that countries could explore and implement.
The danger is real and very sophisticated
To kick off the day’s proceedings, the attendees, who comprised primarily Caribbean Ministers with responsibility for telecoms and/or ICT, and public and private sector technocrats, got some insight into current challenges and frameworks in the OAS and UK, from representatives from CICTE (Inter-American Committee against Terrorism) and SOCA (Serious Organised Crime Agency), respectively. A key point of note from Andrew Auld, Cyber Intelligence Manager at SOCA, is the fact that the advances in technology and the Internet is causing cyber crime to become more organised and structured. For example he noted that many of the more successful cyber crime groups have established hierarchical structures to oversee and vet the quality of the coding that is being prepared by its members, who are all anonymous (See Figure 1). Mr. Auld also highlighted that cyber crime has become commoditised. For example, it is possible to purchase online bulk data on compromised credit cards, to off the shelf and custom designed malware and attack systems.
In a panel discussion that followed, Gregory Richardson of 1337 “Leet” Networks Inc. sought to disabuse Caribbean governments of the frequently made argument that due to their countries’ small size and relative insignificance, they were under the radar of cyber criminals. He thus emphasised the disconnect that exists between the extensive marketing and promotion that those very same countries do to facilitate trade and investment (e.g. in tourism), while still believing that they can maintain some degree of obscurity.
Similarly, John Curran of the American Registry of Internet Number (ARIN) noted that the absence of structures to address cyber crime and security could place countries in the untenable position of not only being subject to attacks, but also the source of attacks. However, taking the argument further, Mr. Richardson indicated that as a region, and as individual states, the Caribbean could be used as pivot (or jump-off) points to attack our strategic or key trading partners, such as the US, UK, Canada and Europe.
What can countries do moving forward?
However, in the midst of the concern and urgency the participating experts were expressing, Hon. Carolyn Seepersad-Bachan, CTU President and Minister for Public Administration in Trinidad and Tobago, proffered an explanation into the challenges governments might be facing in addressing cyber security. The perceived lack of focus on cyber security by many governments might be due, in large part, to its crosscutting nature and a fragmentation of effort from several ministries with overlapping responsibilities for cyber security. For example, in addition to telecoms and ICT ministries, which could be separate agencies, ministries of national security, public administration and law enforcement may also have a mandate to tackle cyber security. The Hon. Minster therefore suggested that countries could benefit from centralising the responsibility and resources for cyber security, which would provide a more coherent and coordinated framework through which to act.
Throughout the day, many of the featured speakers highlighted a number of opportunities available to countries in the region, along with insights that could be considered or implemented when advancing their cyber security agenda. They included:
- Acceding to the Declaration of St. Philip. The Declaration of St. Philip, Barbados, on “Caribbean Collaboration on Cyber Security”, was prepared in December 2011 at the 9th Ministerial Strategic Seminar, as a commitment by CTU Member States for a clear and coordinated regional strategy on cyber security. Countries present at the December seminar agreed to the two-page Declaration, but many of those that were absent are yet to sign the document.
- Revisiting the HIPCAR model legislation. With the support of the International Telecommunications Union, the Caribbean Community (CARICOM) established the Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR) project to enhance competitiveness among its Member States. Under the project, model policy guidelines and legislation on cyber crime have been finalised, but as at this week’s seminar, only Grenada had launched national consultation on the document.
- Developing and implementing a cyber-defence strategy. Bob Woodcock, of Packet Clearing House (PCH), outlined a integrated Caribbean strategy for establishing a national and regional cyber defence, which comprised three key points:
- Know and control your borders on the Internet, which means have complete knowledge of your virtual terrain, i.e. all of elements of your system, since cyber adversaries hide in the nook and crannies of your system which are unknown to you
- Be self-reliant within your virtual borders, which requires a shift to more localised resources. They would include establishing national and/or regional Internet Exchange Points (IXPs), web-hosting facilities, root nameservers, top level doman (TLD) nameservers, etc. Hence the Caribbean can become more self sufficient and independent of international resources for all aspects of Internet connectivity.
- Establish trust relationships, which would include creating and maintaining Community Emergency response Teams (CERTs) along with linkages to ISPs, law enforcement, other governments, etc.
- Learning from the example of others. In a talk on the basics of network security, Pedro Paixao, of Fortinet, a global leader in network security appliances and unified threat management, highlighted the cyber security experience of Estonia. Estonia, with a population of 1.3 million – smaller than Trinidad and Tobago, Jamaica, Puerto Rico, the Dominican Republic, Haiti and Cuba – experienced a denial of service (DoS) attack that started on 27 April 2007, and lasted for 2 weeks. The attack was focussed primarily on banks, Parliament, government ministries, the media and the press, which made them not only them inaccessible but effectively ground the country to a halt. However, in the aftermath of that attack, Estonia has become a leader in incident response, cyber security and recovery, and a model for other countries.
- Recognising that security is about trade-offs. In the same talk on network security, Pedro Paixao of Fortinet also stressed the importance of recognising that trade-offs that inherently exist when addressing security. For example, to implement a proper cyber security system will not only require time, money and expertise, but also new protocols, practises and rigorous vigilance, along with other adjustments.
- Taking advantage of available opportunities. Finally, due to the considerable attention that is being paid to cyber crime and cyber security, there are a number of resources and channels for support that are becoming increasingly available to the region. For example, to conclude his talk, Bob Woodcock committed PCH to provide the following services to CTU Member States that desire “to make the Internet faster, more efficient, more reliable, and less expensive within its borders, while strengthening its cybersecurity posture and self-sufficiency…”:
- One or more root nameservers
- ccTLD nameservers for more than one hundred countries
- gTLD nameservers for multiple generic Top Level Domains
- Anycast DNS service for Hostʼs own ccTLD
- DNSSEC support for Hostʼs ccTLD, as well as any centrally-administered second-level domains
- Support for any Internet Exchange Points within Hostʼs country as may be requested
- Training and advice in national-level cybersecurity as may be requested (Source: PCH)
Additionally, countries can take advantage of the support available through the CTU, such as, expertise and other forms of assistance to which it has access. To that end, the organisation is reportedly in the process of establishing a series of strategic partnerships with other organisations. The most recent of those alliances has been with the COMNET Foundation for ICT Development, for which a Memorandum of Understanding was signed on 30 May.
Logo courtesy of the CTU.