Cyber crime: what can we in the Caribbean do about it?
The 8th Caribbean Internet Governance Forum has just concluded in Saint Lucia. We revisit the discussion on cyber crime in the Caribbean
The Caribbean Internet Governance Forum (CIGF) is in its eighth year and was held in Saint Lucia on 29—30 August. Organised by the Caribbean Telecommunications Union (CTU), the Forum facilitates an annual review of Caribbean Internet Governance Framework, which was initially prepared in 2009. Typically, the agenda also includes discussions on key Internet Governance (IG) issues and developments in the region. This year was no different. Two of the subjects highlighted and for which action from Caribbean governments was being advocated, were cyber security and Internet Exchange Points (IXPs). This post, the first of at least four on this year’s CIGF, summarises the talk given on cyber crime in the Caribbean. The CTU promises to publish the presentations on its website next week.
Key discussion points
Long-time CTU collaborator, Gregory Richardson, Chief Executive Officer of 1337 Leet Networks, Inc., gave a rousing presentation on “Cyber crime in the Caribbean”. In establishing a context for his talk, Richardson highlighted that the largest cyber crime department in the United States Secret Service focuses on the Caribbean. Additionally, the United States, Canada and other developed countries have been investing millions in the Caribbean to support improvement of our cyber defences, in the hope of minimising the incidents to which they might be exposed. Nevertheless cyber crime in the Caribbean is still on the rise. Furthermore, the profits from cyber crime are widely held to exceed that of generated from cocaine, marijuana, heroin (the illegal drug trade) combined! Hence it is exceedingly lucrative and is poised to grow even more into the foreseeable future.
Having gotten participants’ attention with that introduction, Richardson then focussed on what could be done to improve the Caribbean region’s success in combating cyber crime. The four points he described, which are outlined below, require commitment and resolve from both the private and public sectors:
1. A cultural and mental shift to exercise vigilance with respect to cyber security is essential. Far too often, too much is taken for granted in the area of network security. For example, we overestimate the capabilities of network security facilities, such as firewalls and antiviruses. We believe (among other things) that:
- they can do far more that they actually can
- they require minimal intervention and management, and
- if those facilities do not detect a threat, we are have not been compromised.
However, Richardson disabused participants of that perception, noting that the protection offered by antiviruses and firewalls is always months behind the cyber criminals and their ingenuity. We are always playing catch up!
2. We must establish a framework for cross border collaboration to fight cyber crime. As sovereign states, we often deal with cyber crime in isolation to each other, and with little, if any, information sharing occurring among countries. As a result, criminals take advantage of this situation by implementing the same line of attack in different countries in the region. Hence, while it is critical for national Computer Emergency Response Teams (CERTs) or Computer Security Incident Response Teams (CSIRTs) to be established, they must all be able to communicate with each other, which could be done via a regional CERT/CSIRT, or similar body. The regional body could disseminate information and coordinate a coherent regional response when needed, which in turn would strengthen network security at the country level.
3. We must address false pride as it pertains to network security. This point was directed primarily at network security managers, systems administrators, etc., where the view was that network specialists are quick to give assurances that the networks or systems under their care are fully secure. Instead, Richardson advocated that the practice of having networks independently tested, especially by entities that specialise in penetration testing and intrusion detection, in order to obtain authoritative feedback on the security of one’s network.
4. Finally, we must actively defend our cyber border. This point reiterates the sentiments expressed above. We must be more proactive in defending our borders, because the Caribbean, as individual countries and as a region, is not under the radar of criminals. Hence we ought to be prepared to establish or adopt the requisite systems and protocols critical to improving our cyber defences at the country level, such as CERTs, IXPs and DNSSEC (Domain Name System Security Extensions).
In the question and answer session that followed, Richardson was asked why criminals might be focussing on the Caribbean. In his reply he highlighted that the increase in Internet bandwidth means that more entities of interest are online, and so greater opportunities exist. Additionally, the lack of proper legislation, both at the national and regional levels, on what is, or is not, a crime (or cyber crime) as well as to facilitate information sharing between countries, mean that the chances of prosecution would be limited or considerably less severe.
With regard to the third point, participants interjected that frequently, corporate clients are not prepared to spend on network security, and will even rely on free products as a major line of defence. This stance within our business community, which was corroborated, does suggest that organisations in the Caribbean still have not truly appreciated the importance of cyber security and the threats to which they are continuously exposed.
Finally, in light of the caution Richardson expressed earlier in his talk on being overly reliant on firewalls and antivirus software, he again stressed that all network security appliances, especially firewalls, must be configured. They are not plug-and-play in nature, and must be programmed for the environment in which they must operate. Furthermore, even under the best conditions, regular assessments ought to be conducted to ensure that networks have not been compromised, especially since detection and protection systems tend to be at least on step behind the criminals.
Image credits: ICT Pulse