Above: Attorney General Reginald Armour. Photo by Damian Luk Pat/GORTT.

BitDepth#1445 for February 12, 2024

The last meeting of the OAS discussions between government level experts on cybercrime took place in December 2016.

On the agenda then were the challenges of prevention, investigation and prosecution of cybercrime and the importance of effective legislation.

Those priorities are still relevant, but in the larger landscape of cybercrime, everything has changed.

According to National Security Minister Fitzgerald Hinds, there have been 205 successful cyber attacks in Trinidad and Tobago between 2019 and 2023. It’s tempting to add to that the caveats that under-reporting of data breaches is widespread and to further note that the minister did not define what constituted a successful cyberattack.

Is this the count of successful intrusions into a secured network? Is it the number of breaches that resulted in the exfiltration of private data?

The Trinidad and Tobago Cybersecurity Incident Response Team (TTCSIRT), nominally the first port of call in a data breach, is frequently left entirely out of the loop in private sector data breaches.

In the face of the hard rain of reported data breaches by professional ransomware hackers, the government is preparing a “cybercrime legislative package” that will update existing laws both on the books and still to be proclaimed.

This followed an attack on the Ministry of the Attorney General and Legal Affairs, after which Digital Transformation Minister Hassel Bacchus declared that the Legal Affairs Ministry is “one of the more secure environments” after the attack.

The public might have hoped that this important ministry might have been more secure before an attack.

All too often, the revelation of a cybersecurity breach is triggered by a failure of services or exposure by ransomware collectives.

Ricardo Fraser, vice-president of the International Information System Security Consortium (Caribbean and Latin America Chapter), said that, “Organisations bear a crucial responsibility as custodians to safeguard data against unauthorised access. In the unfortunate event of a breach, organisations must prioritise transparency by promptly notifying stakeholders without fear of unwarranted criticism.”

“A cybersecurity breach doesn’t necessarily indicate shortcomings in an organisation’s established controls; independent investigations are essential to determine any potential negligence.”

“Proper reporting of breach incidents is paramount to balance the needs of all stakeholders, including customers, regulators, and shareholders. While organisations may initially hesitate to report breaches due to concerns about reputation and shareholder interests, measures should be implemented to ensure individual privacy protection and minimise individual impacts, whether reporting is mandatory or voluntary.”

Shiva Parasram, an ethical hacker and cybersecurity consultant said that, “As a researcher, I spend many hours every day on the dark web. If they make this work illegal, it stifles independent investigation. Then, a lot of companies will suffer because I help many companies this way. I give lots of free advice to the general public.”

“[The 2017 bill] wasn’t very well thought out at all. I’m really hoping that some serious thinking gets put into it and that they actually invite people who know what this stuff is about and how it can benefit cybersecurity researchers, particularly what’s required with dark web and penetration testing, vulnerability scanning and assessments and ethical hacking. It should really be guided by a subject matter expert.”

Fraser notes that, “Certified investigative and information security professionals adhere to a strict code of conduct emphasising societal protection. It’s imperative to recognise that disclosing or disseminating breached data improperly not only harms the organisation but also violates the privacy rights of individuals whose sensitive information is exposed.”

Fraser warns, however, that, “Investigating professionals such as journalists, fraud investigators, and ethical hackers play a crucial role in handling breached data responsibly. They must exercise caution to avoid further compromising the privacy of victims while probing or highlighting such incidents.”

The headline gold rush that followed the TSTT breach included several instances of journalist overreach, exposing information then available only on the dark web to a much wider audience.

Without clear guidelines and the scope to do the work of journalism, any new law will not serve the public well.

Shiela Rampersad, President of MATT in 2018, called on a Joint Select Committee convened that year to discuss the 2017 bill, urging the inclusion of, “A public interest exemption to protect all individuals and organisations working towards greater transparency in public affairs.”

The law, as written, Rampersad noted, would levy daunting penalties ($200,000 to $500,000 per infringement) for journalists and whistleblowers contravening of a strict reading of its scope, which was entirely too broad.

Clause 8 of the 2017 bill, for instance, would have made illegal any independent investigation into any data breach that has come to public attention through the media or cybersecurity investigators over the last four years. While clauses 35, 36 and 37 provided caveats for hosting providers, caching services and ISPs.

There is a sense of urgency to create new cybercrime laws, but that haste cannot ignore the dynamic reality of the situation any more than it can neglect the growing threat that cyber criminals now present.