Above: Government agency representatives share their nations’ experiences having participated in Commonwealth Secretariat’s needs assessment exercises. Left to right; Antoinette Lucas-Andrews (Trinidad & Tobago), Eric Nurse (Grenada), Bennett Thomas (Dominica), Clifford A Bostic (Barbados) and Luxmore Edwards (Antigua and Barbuda). Photo courtesy the Caribbean Telecommunications Union
The Caribbean Telecommunications Union (CTU) in conjunction with the Commonwealth Secretariat (Secretariat) recently hosted the Caribbean Stakeholders’ Meeting II – Cyber Security and Cybercrime (CSMII) in St. Lucia from 16th – 19th of March 2016.
The event targeted senior stakeholders from various regional governments, international organisations focused on cybercrime and some members of the private sector to develop a “regional action plan” which would serve as a defined strategy for the development of programmes supporting a regional cyber security thrust when seeking donor funding.
The Secretariat has been playing a role in regional cyber security development via the Commonwealth Cybercrime Initiative (CCI) which has thus far administered interventions in the form of national needs assessments in five different Caribbean nations, as captioned above.
Upon request from member states for assistance, a CCI mission team, including at least one technical expert and one criminal justice expert, is assembled from the CCI consortium of over 35 international organisations, such as; the Commonwealth Telecommunication Organisation (CTO), Council of Europe (CoE), International Telecommunications Union (ITU) and the Organisation of American States (OAS).
The mission team executes a gap analysis which leads to the production of the needs assessment report, the priorities of which are decide upon with guidance from the beneficiary member state. An action plan is then produced for the beneficiary member state which contains commitments from consortium members towards specific identified needs.
Cyber security development needs to emerge from within
In the presentations by regional representatives who were involved in these various national needs assessments exercises, three of the five representatives mentioned the lack of university graduates with cyber security training as a challenge.
During Q&A this author pointed out that an absence of university graduates with a degree specific to “cyber security” doesn’t mean that existing degree holders cannot be exposed to training and capacity building exercises designed to create such expertise at the technical, policy development or strategic levels.
It was also emphasized to the panel that when regional governments are seeking assistance from bodies such as the CCI, it is important to have local private sector subject matter experts participate in such exercises for the sake of building capacity outside of the public sector.
Contributing from the floor, Kerry-Ann Barrett of the OAS stated that they often encourage the national representatives with whom they interact, to have an inclusive approach with as wide an array of voices participating in national cyber security development exercises, even if the national representatives do not necessarily agree with the views of such voices.
The importance of adopting such an approach is that you tend to avoid the possibility of groupthink. In relating the experiences of Dominica’s needs assessment exercise, Bennett Thomas related the experience of receiving a voluminous opinion from a representative of the CoE, which was critical of path being then defined for cybercrime legislation in certain Caribbean territories as manifest via the EGRIP model law exercise.
Commenting on the issue of where to find skilled resources, Anthony Teelucksingh of the U.S. Department of Justice encouraged participants to “leverage domestic expertise”, strive for cooperation from the private sector and seek solutions from within their own backyard.
Hence, bodies such as CARICOM IMPACS (which is the regional organisation charged with the responsibility for Caribbean cyber security), the CTU and ultimately regional governments need to do more towards actively supporting the development of Caribbean cyber security experts outside of the public sector.
Crypto* currency features as risk and opportunity
In describing the emerging threat landscape, both INTERPOL and the Secretariat made mention of crypto currency as a challenge, while the former also singled out a greater use of the Darknet, and the Federal Bureau of Investigations (FBI) cited Business E-mail Compromise (BEC) scams, as additional threats.
Both the Darknet, where illicit and illegal goods are bought and sold in online recesses, and BEC scams were described as utilizing crypto currency as payment mechanisms. The Secretariat later presented examples of intercepted communications from online forums illustrating apparent Caribbean users seeking ways to launder money utilizing Bitcoin and trading Bitcoin for purchase of airline ticket using a stolen credit card. However, the Secretariat also emphasized the potential benefit of virtual currencies.
As recognized in published reports by both the United Nations Economic Commission for Latin America and the Caribbean (UNECLAC) and the Commonwealth Secretariat Working Group on Virtual Currencies, there are both opportunities and risk with the advent of digital currency in the Caribbean; hence, regional leaders would be well advised to avail themselves of expertise on this topic.
This author is currently assisting the International Telecommunications Union (ITU) towards the design and execution of a three day workshop entitled “Exploring Innovation in Transactions & Financing in the Caribbean” which will be held in Trinidad and Tobago from 1st – 3rd June 2016. This event is designed to assist Caribbean telecommunications and financial policymakers and regulators understand how financial services innovation, including mobile money and digital currency, can benefit their territories while providing them with insights on how to contain risks.
Building Sustainable Capacity
Antony Ming of the Secretariat highlighted the fact that the various regional needs assessment exercises revealed there was a significant lack of awareness on cybercrime and lack of basic cyber hygiene both within regional governments and the private sector.
Citing deficiencies in capacity building, he advocated for building sustainable capacity and urged participants not to engage in “drive by training” where someone is imported to perform a few training sessions, who then leaves, advocating instead for more sustainable programmes. He stated that IT professionals needed to be engaged and academic and technical/vocational institution need to integrate cyber security into their curriculum.
In presenting the DRAFT action plan, risks were highlighted which include:
- Low political and administrative priority by member states to implement programs.
- Lack of capacity and capability by member states to implement and sustain the programs
- Change in Government resulting in changing priorities
The presence of such risks supports the need to divest the impetus to develop cyber security beyond the lead governmental actor and involve the private sector; both large entities and Small Medium Enterprises (SMEs) alike.
The CSMII meeting was a success, yielding a regional cyber security action plan which was presented to, and endorsed by, several regional government ministers present at the meeting. The draft plan reviewed contained very interesting ideas which would be beneficial to Caribbean cyber security should they become implemented; however, is this enough?
Cyber security demands international co-operation and assistance and the CCI etc. are willing and able to assist; however we continue to look outward for international solutions to our problems while not investing enough in the future growth of our own experts internally.
Capacity building does not have to be an end state deliverable; instead, it can occur simultaneous to the development of these efforts by including local and regional private sector subject matter experts within the present dialogue being undertaken by government and quasi government agencies and aforementioned international organisations. We need to be creating opportunities for development of nascent cyber security specialists.
One of the issues I had with the forum was that the time allotted to reviewing the already prepared draft action plan was extremely short and the use of workgroups for such review created the appearance of detailed review and consensus which isn’t necessarily the case.
For example, one member of the workgroup I participated in called out another member of the group for what seemed to be attempts to hijack control of the session away from the group leader. Do we really want poor group dynamics to upstage beneficial output?
CARICOM IMPACS and the CTU need to build out a network of regional private sector subject matter experts they can utilize to review and provide feedback to proposals they receive from international organisations or towards the scoping of their own requirements, within an adequate timeframe.
Such an approach will add an extra layer of legitimacy to the outputs of such future meetings and agreements while also creating opportunities for development of Caribbean cyber security experts. They also need to address public outreach on such matters to ensure the public is engaged and that stimulating conversation continues in the public domain long after these events occur.
Public written record of such events will be read by the next set of emerging experts; hence, there should be defined mechanisms for quality reporting and dissemination of such record of events. There is an appetite for such material; however I’ve noted a lack of corporate support for such activity, unless there is a specific product pitch. These two points are essential components for any regional push to develop a functional cyber security ecosystem.
We must plot a course which will move us past seeking assistance to actually being in a position to provide assistance to international efforts. For example, the Secretariat’s Working Group on Virtual Currencies has issued recommendations which calls for member states to provide consumer awareness and calls for education and training of law enforcement and the judiciary, on the matter of virtual currency.
Given the significant work completed by UN ECLAC in this area, the Caribbean is well positioned to provide assistance to the Secretariat and its member states desirous of following these recommendations. This is but one example of how the Caribbean can contribute on a global scale in the area; can you think of others?
*Within this article the terms crypto, digital and virtual currency are used interchangeably
Shiva Bissessar has consulted with the UN ECLAC on research projects involving digital currency and Caribbean disaster risk management, and has worked with another international agency in developing a national cyber security awareness in secondary schools programme and an Over The Top (OTT) workshop.
He is currently assisting the ITU with the “Exploring Innovation in Transactions & Financing in the Caribbean” workshop scheduled for June 2016. He also lectures Information System Security, Ethics and Law at the Arthur Lok Jack Graduate School of Business. To find out more of the various services offered, please visit www.pinaka.co.tt.