By David Jessop
Since March of last year when governments, enterprise and much of the world all but closed their doors to transacting business in person, the region has only been able to function because of the relative ubiquity of the internet and the ability to operate online.
Although much of the region has high levels of connectivity – the website, Internet World Stats, indicates a 60.1 percent penetration rate last year for the region as a whole – the rate is notably much lower in Haiti, and surprisingly parts of the French-speaking Caribbean. However, this is not to say that providers across the region have systems able to provide the coverage, stability or speed required to allow the Caribbean to compete globally, e.government, or to support the services industries that might make more competitive a geographically fragmented region remote from its major markets.
COVID has more than made the case for regional economic recovery to focus in part on building the infrastructure for affordable 5G coverage, and the speed, capacity and connectivity required to spur efficiency, diversification, and better governance.
While the geopolitical debate will continue to rage over who is going to provide and fund Caribbean 5G services, just as important is the growing global cybersecurity threat from a range of hostile actors.
Understandably, Caribbean governments and businesses do not discuss in detail the nature of the provisions they have made or are planning to protect critical infrastructure, key sectors such as banking and financial systems, let alone national security.
However, the rising level of potential threat to Caribbean governments and enterprise and the need for every nation in the region to develop much stronger cyber defence capabilities is apparent in the increasing number of references in the statements and communiques that follow regional, and international meetings.
Of these the most explicit mention came after this year’s virtual UK-Caribbean Forum. A communiqué recognised the critical role cyberspace plays in the economic, social, cultural, and political life of the region, noting ministers’ emphasis on the importance of protecting critical national infrastructure and the need for an ‘effective and proportionate’ domestic response. An action plan made clear that Britain will support Caribbean capacity building and provide practical help to Caribbean agencies making use of the UK’s widely acknowledged advanced cyber expertise and capabilities.
That the threat in a Caribbean context is real, and actually and reputationally damaging should by now be beyond doubt.
In February it became clear that Jamaica had suffered a massive data breach that had exposed the immigration and COVID-19 records of hundreds of thousands of people from North America, Europe and elsewhere who had used its Jamcovid-19 app.
Whether this resulted in the exfiltration of such information for malicious use is unclear, but it was a wake-up call. Prime minister Holness subsequently insisted that plans for building cyber resilience in Jamaica must be accelerated. This would, he said, result in the construction of ‘a robust governance framework and infrastructure for cybersecurity within ‘Plan Secure Jamaica’.
This involves the development of a new National Cybersecurity Strategy, the creation of a new Cyber Academy, inter-agency cooperation, external support, and establishing a cross-government cyber analysis team. Separately, other ministers have acknowledged that the country is undertaking with Israeli support the development of cyber-systems for ‘constant monitoring’, legislative changes and a training component for the military.
Jamaica aims to ensure all government websites and networks are compliant with international standards and best practice, an approach that coincides with increasing instances of malicious cyber-attacks directed at governments and private entities worldwide.
Of these, the most staggering example has been the revelation that the US government, NATO, the European parliament and about 16,000 other government and larger company systems worldwide were compromised in December 2019 through the hacking, principally of the network management system Orion, using a product from SolarWinds. The supply-chain attack, which went undetected for over a year, appears to have provided access in ways that are reportedly still proving hard to discover because of the sophistication of the hacker’s methods of entry and exit.
So serious has the breach been that apart from imposing new sanctions on Russia, the alleged perpetrator – Washington says it is “highly confident”’ that state-linked hacker ‘Cozy Bear’ was behind the “broad-scope cyber-espionage campaign” – it is expected that president Biden will shortly sign a new cyber executive order. This will establish a basis for corporate reporting of cyber breaches, the systematic investigation of cyber events, and establish standards for software development.
Notwithstanding, cybersecurity should not be seen as just an issue for governments.
A recent PwC Global Chief Executive Officer (CEO) survey found that among Caribbean CEOs, 67 percent said the issue was their leading concern with many pointing to a significant increase in incidents in 2020, including ransomware attacks. A consequent 50 percent reported increased spending of 10 percent or more in response.
Because of the overriding economic implications now and for the future, ensuring regular security audits, penetration testing, and forensic investigations involving both local and international partners should be seen as a joint public-private responsibility.
As ransomware attacks on UK hospitals and schools, cyber-related attempts at poisoning the water supply in Florida, and the threats and blackmail against large companies such as Sony Pictures all demonstrate, no one is immune from risk whether an attack comes from terrorists, organised crime, or a malicious state actor.
This is the time when every Caribbean governments, their agencies, and regional businesses should be thinking about how they respond jointly to the increasing threat. They need to be more pre-emptively aware of their vulnerability, the implications for a regionally connected digital society, and the need for robust legislation, that also ensures the protection of individual’s rights and the use of their data.