A brief examination of Jamaica’s new National Cyber Security Strategy.
Over the past 3 years or so, the Government of Jamaica has been embarrassed by a number of cybersecurity breaches that have occurred across its ministries, departments and agencies, which ranged from simple website defacement, to the theft of data from key institutions. Though there had been some discussion about cybercrime/cybersecurity and the need for improved systems, those incidents were likely to have the effect of galvanising the Government to move from idle talk to action.
Two weeks ago, one of those outputs, a National Cyber Security Strategy, was made publicly available. The strategy is the culmination of a number of activities that were charged by the National Cyber Security Task Force established by the Ministry of Science, Technology, Energy and Mining. The launch of a Cyber Incident Response Team is being eagerly awaited, and (hopefully) should be realised soon.
However, Jamaica’s new cyber security strategy does signal a new and important development in efforts to address and better manage Jamaica’s cyber landscape. Below is a synopsis of the strategy, and some early thoughts on its contents.
The strategy in a nutshell
Cybercrimes and cyber incidents in Jamaica have been increasing. In 2011, there were 19 reported cybercrimes and 1,432 cyber incidents, whilst in 2012, those figures jumped to 43 and 2,438, respectively (Source: Government of Jamaica).
The implementation of the strategy should be guided by the following six principles: leadership; shared responsibility; protection of fundamental rights and freedom; risk management; innovation and business development; sustainable resources. These principles, though self-explanatory, appear to aim to ensure that the Government provides leadership, and creates an enabling environment to address cybersecurity whilst balancing the needs of citizens and the business community.
To that end, the Government’s cybersecurity framework comprises the following four key areas and the accompanying strategic objectives
1. Technical measures, such as ensuring that
- critical infrastructure systems are resilient in the face of current and future cyber threats
- national capability for ensuring timely and effective response to cyber incidents is established and maintained
- a risk based approach is applied in establishing it and information security standards, policies and guidelines for ICT infrastructure and cyber security governance
- leveraging regional and international partnerships.
2. Human resource and capacity building, which includes ensuring that
- an available pool of skilled and knowledgeable professionals in the field of information security is maintained
- Jamaica has an active and dynamic culture of research and development
3. Legal and regulatory, which includes ensuring that
- Jamaica is a safe place to do business
- establishment of a robust governance framework to support the cyber security landscape
- maintenance of an effective legal framework and enforcement capabilities to investigate and prosecute cybercrimes
- legal protection in cyberspace.
4. Public education and awareness, to ensure that
- Jamaicans are knowledgeable and aware of the cyber risks, as well as, the actions to be taken regarding cyber security
- measures are implemented to protect vulnerable groups in cyberspace
- Jamaica has a culture of cyber security.
The strategy will be valid for a period of three years, and within the next three months an implementation plan must be developed.
Jamaica’s National Cyber Security Strategy is a glossy and beautifully laid out document. The strategy is relatively straightforward and has been distilled to cover the four areas outlined above. Also annexed to the document is a list of proposed activities that could satisfy the strategic objectives, which are likely to be used to prepare the anticipated implementation plan.
However, when the document is examined in its totality, it still appears somewhat superficial, in that it has little depth: a general course has been plotted, but much still needs to be fleshed out. To some degree, this approach could be attributed to the fact that cybersecurity is a new area, and the since most of players would have little experience in that space, the strategy has been designed to given them, and the entire process, some latitude to adjust as needed.
Further, when the list of proposed activities is considered, the fact that international donors will be needed to provide assistance for some activities, and there might not be a dedicated unit charged with managing and implementing the strategy, from the outset, the strategy seems to be an ambitious undertaking. It will therefore be interesting to see how Jamaica navigates and implements it, going forward.
Image credit: Andriyko_UA, Wikimedia Commons