The Need for Developing a Cyber Security Ecosystem of Professionals

Snapshot showing Caribbean ‘attack’ activity from Norse

 

Over the period 6th and 7th February, 2017, it was my honour and privilege to participate in, and make contributions to, a closed expert group meeting to assess future threats as executed by a national intelligence agency. The following is the paper I presented on developing cyber security capacity to meet future challenges.

 

Introduction

 

The cyber security implications of technological advancements, such as the Internet of Things (IoT) or smart technologies, along with the possibility of cyber warfare and the realities of cybercrime, are thought-provoking areas around which intelligence agencies must develop threat awareness. However, a more significant threat which will affect the cyber security of Trinidad and Tobago over the next five years is the lack of an environment which can stimulate and foster the growth of local cyber security professionals.

Indication of such a deficient environment can be gleaned from the examples below.

  • At a government agency with responsibility for implementation of the national strategy towards Information and Communication Technology (ICT), a senior position with responsibility for cyber security has been vacant since 2010.
  • At “M4 an event by Microsoft” held in Nov 2014, Mr. Roberto Arbelaez, Chief Security Advisor for the Americas at Microsoft, stated that he knew many world class Information Security professionals of Trinidadian heritage. However he went on to state that unfortunately they all worked outside of Trinidad and Tobago.
  • At a 2016 Christmas dinner event for an association of lawyers, a prominent lawyer lamented that Trinidad lawyers, having opted not to pursue continuing education, were lacking in areas of increasing import including cybercrime[1].

While this may be considered anecdotal evidence, the lack of attention to cyber security does not allow for formal research to provide proper evidence on the state of cyber security locally.

 

Cyber security ecosystem of professionals

Within their research, Thomas et al. illustrate the cybercrime underground economy as a complex ecosystem of actors within a value chain where profit centres are built upon underlying support infrastructure. This allows criminal entrepreneurs to devise scams by procuring the necessary resources à la carte, taking advantage of specialization and economies of scale and resulting in a web of interactions which potentially span the globe. One can argue that such a criminal ecosystem, like many other cyber security threats, can only be disrupted by an equally powerful cyber security ecosystem of professionals.

 

 

In their paper “Framing Dependencies Introduced by Underground Commoditization”, Thomas et al illustrate the value chain relationships between various entities to scam victims as potentially spanning the globe

What response can Trinidad and Tobago provide to the threat of cybercrime? Working in our favour we do have efforts to bolster the capacity of the cybercrime unit of our law enforcement arm and there have been several attempts to address lacunas which exist in our existing legislative framework to address cybercrime. Additionally, Trinidad and Tobago is progressing in the development of a CSIRT and can boast of participation in regional efforts coordinated by international bodies such as the Commonwealth Secretariat (ComSec) and the Organisation of American States (OAS) towards addressing cyber security deficiencies.

However, in pronouncing on the results of five regional cyber security needs assessment exercises at the Caribbean Stakeholders Meeting; Cyber Security and Cybercrime, in April 2016 (CSMII), ComSec bemoaned the fact that there still exists a lack of awareness on cybercrime and lack of basic cyber hygiene within the private sector and within regional governments. The Commonwealth Telecommunications Organization also cited a lack of human resources and political support as challenges towards the implementation of cyber security strategies.

Close observation of the availability of opportunities to work on the development of cyber security regionally would reveal a predominant approach where international bodies work exclusively with assigned public sector employees.  Given the highly sensitive nature of the work involved in cyber security, such an approach is expected; however at a national level we may be missing out on opportunities for broader capacity development when such opportunities arise or when training occurs.  For example, a representative of a multinational which routinely provides cyber security capacity building exercises to law enforcement across the globe previously divulged that suitably qualified private sector experts can participate in these exercises if they are appropriately recognized by law enforcement personnel.

Hence, a more inclusive approach needs to be found to ensure that a national pool of talent, at all levels, is being developed today to address unknown future needs.  The status quo will forever bind us to a dependency upon the importation of expertise or hopefulness towards the return of qualified diaspora who wish to contribute to developing cyber security.  The up-skilling of a national pool of experts also presents Trinidad and Tobago with opportunity in providing exportable resources both regionally and internationally as others seek to develop cyber security.

Beyond the need for a coordinated approach to develop a cyber security pool of talent, there seems to have been an emphasis on getting legislation in place while the technical controls, which can actually prevent threats from becoming exploited, are not given due attention.  This position was also articulated by Mr. Arbelaez, at the Caribbean Stakeholders Meeting (CSMI) in May 2014.

Are we lagging behind regionally?

 

Awareness, capacity development and technical controls are all areas which require attention to adequately build threat response capability over the next five years and there is much we can learn from our own Caribbean neighbour, Jamaica.  Having delivered presentations in November 2016 at three conferences in Jamaica as hosted by the Jamaica Computing Society, UWI Mona (4th National Cyber Security Conference) and the Jamaica Bar Association (Continuing Legal Education)[2], I can personally attest to a comparatively more mature response towards cyber security.

Presented on UN ECLAC sponsored research into opportunities and risk of digital currency within the Caribbean at the Jamaica Bar Association, Continuing Legal Education, Annual Week-end Conference 2016

 

Such fora have been productive towards supporting and encouraging local capacity development of technical capabilities in the private sector and building public awareness on cyber security.   At Jamaica’s 3rd National Cyber Security Conference in 2015, the audience was challenged to consider cyber security as an opportunity for the growth of an industry and economic development, rather than a threat, in the same vein as highlighted above.  It is interesting to note that these fora also exemplify what a cyber security professional ecosystem should look like with active participation from technical professionals, policy/regulatory/legal professionals, academics and civil society.

Moving forward

 

We need to ask some difficult questions if we are to position ourselves to cope with future cyber security threats:

  • Can we define whether a community of experts focusing on cyber security exists in Trinidad and Tobago; and if yes, who are the persons comprising this community?
  • Is this a formal community or a loosely defined community which comes together temporarily during exercises such as this one?
  • Does its membership lean towards greater participation from the public sector or the private sector?
  • Is there recognition that private sector interest from a Small Medium Enterprise (SME) is not the same as the private sector interest of a large commercial entity?
  • How are potential candidates encouraged to contribute within this community?
  • Is the community comprised in such a way that both fresh ideas and a wealth of experience are expressed in deliverables?
  • Do the participants of this community come from different professions, backgrounds and skill sets?
  • Can such a community adopt value chain relationships to be transformed into an active ecosystem[3] of professionals seeking to promote national cyber security?
  • Can this forum be the catalyst in the formation of such an ecosystem?

 

 

Recommendations

 

In conclusion, the following recommendations can be put forward for consideration in the development of the aforementioned ecosystem of professionals:

 

  1. Cyber security must be given recognition as a field of specialization and not be simply lumped under ICT. Such recognition should extend to the appointment of a national champion to oversee the development of cyber security locally.
  2. Establish a national consultative body for cyber security which can serve as a sounding board for various plans towards developing cyber security. The membership of such a body cannot be exclusively comprised of public sector employees and large corporate entities.  It must include cyber security focused SMEs.  This formal body will lead to the formation of the informal cyber security ecosystem of professionals.
  3. Encourage participation from the private sector in local and regional meetings being facilitated by the aforementioned international bodies, for example ComSec and OAS. Appropriately qualified entities from this set should also be invited to participate in the training and capacity building exercises arising from such meetings.  Support for such entities should include financial assistance to participate.
  4. Assessment of institutions which are deemed critical infrastructure as well as key Ministries and agencies. The organizational structure of these bodies should reflect cyber security maturity extending to the roles and responsibilities of key personnel dedicated towards cyber security. A comprehensive set of Information Security policies and audit mechanisms also need to be defined for such organisations.
  5. Information Security Governance training needs to be administered to boards and senior management of various key organisations. Additionally, Information Security Awareness training needs to be administered for the general population of employees.
  6. Alignment between the academic institutions, the national development needs scholarship system and the intake of graduates into the public and private sectors needs to take place to ensure that Information Security professionals are being developed academically and professionally. There also needs to be coordination with corporate entities towards the creation of funding for cyber security research.
  7. The Government needs to facilitate the creation of opportunities within the private sector to build and develop competencies which they can call upon in the future. We need security researchers, writers, lecturers, practitioners, policy makers, legal specialists and technical experts to name but a few. The government must lead by example and procure services from fledgling entities seeking to provide services in cyber security.
  8. Information Security awareness training needs to be conducted extensively within the primary and secondary school system.
  9. Take advantage of training and capacity development exercises from international bodies and multinational corporate entities to up-skill the national pool of experts (public and private sector) towards the goal of developing cyber security for economic development.

 

[1] CNC3 News, Nov 2016

[2] The presentation to the Jamaica Bar Association was on digital currency, which also has an emerging threat and cyber security dimension to it.

[3] It is important to recognize that an ecosystem differs from a community in that an ecosystem speaks to a non-siloed approach, coordination and symbiotic relationships towards growth of entities.

Are we on track for sustainable Caribbean cyber security development?

 

 


Government agency representatives share their nations’ experiences having participated in Commonwealth Secretariat’s needs assessment exercises. Left to right; Antoinette Lucas-Andrews (Trinidad & Tobago), Eric Nurse (Grenada), Bennett Thomas (Dominica), Clifford A Bostic (Barbados) and Luxmore Edwards (Antigua and Barbuda). Photo Credit, Caribbean Telecommunications Union

The Caribbean Telecommunications Union (CTU) in conjunction with the Commonwealth Secretariat (Secretariat) recently hosted the Caribbean Stakeholders’ Meeting II – Cyber Security and Cybercrime (CSMII) in St. Lucia over the period 16th – 19th of March 2016.  The event sought to bring together senior stakeholders from various regional governments, international organisations focused on cybercrime and some members of the private sector to develop a “regional action plan” which would serve as a defined strategy for the development of programmes supporting a regional cyber security thrust when seeking donor funding.

The Secretariat has been playing a role in regional cyber security development via the Commonwealth Cybercrime Initiative (CCI) which has thus far administered interventions in the form of national needs assessments in five different Caribbean nations, as captioned above. Upon request from member states for assistance, a CCI mission team, including at least one technical expert and one criminal justice expert, is assembled from the CCI consortium of over 35 international organisations, such as the Commonwealth Telecommunication Organisation (CTO), Council of Europe (CoE), International Telecommunications Union (ITU) and the Organisation of American States (OAS). The mission team executes a gap analysis which leads to the production of the needs assessment report, the priorities of which are decided upon with guidance from the beneficiary member state. An action plan is then produced for the beneficiary member state which contains commitments from consortium members towards specific identified needs.

Cyber security development needs to emerge from within

 

In the presentations by aforementioned regional representatives who were involved in these various national needs assessments exercises, three of the five representatives mentioned the lack of university graduates with cyber security training as a challenge.  During Q&A this author pointed out that an absence of university graduates with a degree specific to “cyber security” doesn’t mean that existing degree holders cannot be exposed to training and capacity building exercises designed to create such expertise at the technical, policy development or strategic levels.  It was also emphasized to the panel that when regional governments are seeking assistance from bodies such as the CCI, it is important to have local private sector subject matter experts participate in such exercises for the sake of building capacity outside of the public sector.  Contributing from the floor, Kerry-Ann Barrett of the OAS stated that they often encourage the national representatives with whom they interact, to have an inclusive approach with as wide an array of voices participating in national cyber security development exercises, even if the national representatives do not necessarily agree with the views of such voices.

The importance of adopting such an approach is that you tend to avoid the possibility of groupthink. In relating the experiences of Dominica’s needs assessment exercise, Bennett Thomas related the experience of receiving a voluminous opinion from a representative of the CoE, which was critical of the path then being defined for cybercrime legislation in certain Caribbean territories as manifest via the EGRIP model law exercise.

In commenting on the issue of where to find skilled resources, Anthony Teelucksingh of the U.S. Department of Justice encouraged participants to “leverage domestic expertise”, strive for cooperation from the private sector and seek solutions from within their own backyard.

Hence, bodies such as CARICOM IMPACS (which is the regional organisation charged with the responsibility for Caribbean cyber security), the CTU and ultimately regional governments need to do more towards actively supporting the development of Caribbean cyber security experts outside of the public sector.

 

Results for the various Caribbean needs assessments exercises showing recurring themes


 

Crypto currency features as risk and opportunity

*Within this article the terms crypto, digital and virtual currency are used interchangeably

 

In describing the emerging threat landscape, both INTERPOL and the Secretariat made mention of crypto currency as a challenge, while the former also singled out a greater use of the Darknet, and the Federal Bureau of Investigation (FBI) cited Business E-mail Compromise (BEC) scams, as additional threats. Both the Darknet, where illicit and illegal goods are bought and sold in online recesses, and BEC scams were described as utilizing crypto currency as payment mechanisms. The Secretariat later presented examples of intercepted communications from online forums illustrating apparent Caribbean users seeking ways to launder money utilizing Bitcoin and trading Bitcoin for the purchase of an airline ticket using a stolen credit card. However, the Secretariat also emphasized the potential benefit of virtual currencies.

As recognized in published reports by both the United Nations Economic Commission for Latin America and the Caribbean (UNECLAC) and the Commonwealth Secretariat Working Group on Virtual Currencies, there are both opportunities and risk with the advent of digital currency in the Caribbean; hence, regional leaders would be well advised to avail themselves of expertise on this topic. This author is currently assisting the International Telecommunications Union (ITU) towards the design and execution of a three-day workshop entitled “Exploring Innovation in Transactions & Financing in the Caribbean” which will be held in Trinidad and Tobago from 1st – 3rd June 2016. This event is designed to assist Caribbean telecommunications and financial policymakers and regulators to understand how financial services innovation, including mobile money and digital currency, can benefit their territories while providing them with insights on how to contain risks.


Opportunity for “twinning” of efforts and synergies between these UN ECLAC and ITU Caribbean based efforts and the Commonwealth Secretariat’s own efforts in the area of digital currency

Building Sustainable Capacity

 

Antony Ming of the Secretariat highlighted the fact that the various regional needs assessment exercises revealed there was a significant lack of awareness on cybercrime and lack of basic cyber hygiene both within regional governments and the private sector. Citing deficiencies in capacity building, he advocated for building sustainable capacity and urged participants not to engage in “drive by training” where someone is imported to perform a few training sessions, who then leaves, advocating instead for more sustainable programmes. He stated that IT professionals needed to be engaged and that academic and technical/vocational institutions need to integrate cyber security into their curriculum.

In presenting the DRAFT action plan, risks were highlighted which include:

  • Low political and administrative priority by member states to implement programs.
  • Lack of capacity and capability by member states to implement and sustain the programs
  • Change in Government resulting in changing priorities

The presence of such risks supports the need to divest the impetus to develop cyber security beyond the lead governmental actor and involve the private sector; both large entities and Small Medium Enterprises (SMEs) alike.

 

Conclusion

 

The CSMII meeting was a success, yielding a regional cyber security action plan which was presented to, and endorsed by, several regional government ministers present at the meeting.  The draft plan reviewed contained very interesting ideas which would be beneficial to Caribbean cyber security should they become implemented; however, is this enough?

Cyber security demands international co-operation and assistance and the CCI etc. are willing and able to assist; however we continue to look outward for international solutions to our problems while not investing enough in the future growth of our own experts internally.  Capacity building does not have to be an end state deliverable; instead, it can occur simultaneous to the development of these efforts by including local and regional private sector subject matter experts within the present dialogue being undertaken by government and quasi government agencies and aforementioned international organisations.  We need to be creating opportunities for development of nascent cyber security specialists.

One of the issues I had with the forum was that the time allotted to reviewing the already prepared draft action plan was extremely short and the use of workgroups for such review created the appearance of detailed review and consensus which isn’t necessarily the case.  For example, one member of the workgroup I participated in called out another member of the group for what seemed to be attempts to hijack control of the session away from the group leader.  Do we really want poor group dynamics to upstage beneficial output?

CARICOM IMPACS and the CTU need to build out a network of regional private sector subject matter experts they can utilize to review and provide feedback to proposals they receive from international organisations or towards the scoping of their own requirements, within an adequate timeframe.  Such an approach will add an extra layer of legitimacy to the outputs of such future meetings and agreements while also creating opportunities for development of Caribbean cyber security experts.  They also need to address public outreach on such matters to ensure the public is engaged and that stimulating conversation continues in the public domain long after these events occur. Public written record of such events will be read by the next set of emerging experts; hence, there should be defined mechanisms for quality reporting and dissemination of such record of events. There is an appetite for such material; however I’ve noted a lack of corporate support for such activity, unless there is a specific product pitch.  These two points are essential components for any regional push to develop a functional cyber security ecosystem.

We must plot a course which will move us past seeking assistance to actually being in a position to provide assistance to international efforts. For example, the Secretariat’s Working Group on Virtual Currencies has issued recommendations which call for member states to provide consumer awareness and call for education and training of law enforcement and the judiciary, on the matter of virtual currency. Given the significant work completed by UN ECLAC in this area, the Caribbean is well positioned to provide assistance to the Secretariat and its member states desirous of following these recommendations. This is but one example of how the Caribbean can contribute on a global scale in the area; can you think of others?

 


UWI Mona hosts Jamaica’s 3rd National Cyber Security Conference


Professor Dunn, Caribbean Institute of Media and Communication, Trevor Forrest, 876 Technology Solutions, Damian Donaldson, IT Consultant, Shiva Bissessar, Pinaka Technology Solutions & Shernon Osepa, Internet Society.  Photo Credit UWI CARIMAC

 

 

The Caribbean Institute of Media and Communication (CARIMAC), University of the West Indies (UWI), in partnership with the International Telecommunications Union (ITU) and the Internet Society (ISOC), recently hosted Jamaica’s 3rd National Cybersecurity Conference. Over the period 17th-18th November, 2015, an eager audience was treated to informed presentations from various presenters under the theme of “Data Protection, Financial Services and Customer Awareness”. The ISOC was represented by Mr Shernon Osepa, Manager, Regional Affairs for Latin America and the Caribbean Bureau, and Mrs Christine Runnegar, Director, Public Policy, while Shiva Bissessar served as the representative expert of the ITU, having previously worked with the ITU on a couple of occasions including developing cyber security awareness amongst youths in the Caribbean. Ms Acadia Senese, Legal Counsel, Google Inc. rounded out the listing of international presenters. However, there were many local expert presenters who gave insights into their experiences in providing a mature response to cyber security threats as can be gleaned from the programme agenda. Some of the key points as presented by these presenters are shared below.

 

At The National Level

 

Minister of State within the Ministry of Science, Technology, Energy and Mining, The Hon. Julian J. Robinson, spoke of some of the measures the Government was taking to address cyber security risk including the hiring of a Chief Information Officer who was tasked with establishing minimum standards across various ministries as a direct response to some high profile attacks on Government websites in late 2014. He also challenged the public at large to read and become involved in the National Cyber Security Strategy towards the goal of holding the Government accountable on its promises.

 


Four pillars of Jamaica’s National Cyber Security Framework

 

In explaining the aspect of “Human resource and capacity building” he stated his intention to engage the likes of the ITU and ISOC, as well as the private sector to create a cadre of local cyber security experts.  Additionally, he demonstrated that they were already treating public awareness as a key aspect of the strategy citing the observation of October as cyber security month and stating that a Jamaican version of a “Stop Click Connect” awareness campaign was in development.

 

Private Sector Intervention

 

Mrs Audrey Tugwell Henry, Senior General Manager, NCB highlighted that while managing cyber security technical issues is an important factor, a bigger issue is actually convincing the public of the threat and getting them to practice safe behaviours towards securing their identities and financial information, for example, getting them to stop writing PINs on the back of bank cards. Stating that her own name had been used within phishing campaigns, she cited the importance of ongoing training for staff members towards the development of “human firewalls” to thwart attacks. She indicated that attacks can occur for a myriad of reasons but always have the end result of increasing operational cost as it takes on average 10 full days to restore services.

Sparking some controversy with comments suggesting that local websites were akin to mere storefronts with not much behind them to be taken by cyber criminals, Mr Dennis Chung drew some dissenting comments from a couple of subsequent speakers. However, I viewed the comment as a tongue in cheek call for a greater level of development of electronic services to be delivered via local websites, especially as the panel during which the comment was made was being moderated by the chair of eGov Jamaica Limited, Professor Evan Duggan. Mr Chung also questioned whether there were adequate resources trained to treat with a serious cyber-attack and challenged authorities to view cyber security as an opportunity rather than a threat. The opportunity being referred to was that of building an industry of cyber security professionals to target a potentially very large market, much akin to the development of a cyber-security ecosystem as espoused in the last blog post. Mr. Chung went further to suggest that the development of such expertise could take precedence over efforts to nurture mobile apps developers or game developers.

 

Outward Risk & Due Diligence

The development of a nascent cyber security industry augured well with a contribution from Mrs Christine Runnegar who gave insights into the ISOC’s concept of collaborative security where she spoke of managing inbound and outward risks (i.e. the risk you present to others in not properly protecting your infrastructure) through proactive collaboration at local, regional and international levels. The concept of being responsible for securing environments again reared its head during the legal panel session where Ms Nicole Foga encouraged the audience to “know the legal framework” as pertains to the commission of offences under the Cybercrime Act, 2015. In particular, Section 14 (2) (B) was introduced as speaking to the responsibilities of, and potential consequences to, individuals within organisations tasked with the responsibility of eliminating outward risks. In reinforcing this point to the audience, Ms Foga stated that the popular local saying “trust meh nah” no longer holds water in such circumstances and that individuals now needed to be wary of the responsibilities they assume within organizations and ensure that they practice due diligence towards ensuring offenses under the act do not occur in the corporate environment.

 


Offences by Bodies Corporate; Jamaica Cybercrime Act, 2015

 

An analysis of the corresponding clause within the Trinidad and Tobago 2014 Cybercrime Bill reveals some similar wording and intention; however, Ms Foga drew attention to the use of the word “connived” within Section 14 (2) (A) as she raised the question of how do you go about determining whether persons did in fact connive to commit an offense. The issue of cyber insurance was first raised by Ms Amina Maknoon who highlighted its utility as a risk prevention and mitigation tool and this was reinforced by Ms Foga. Subsequent responses to questions on the topic of cyber insurance in the local Jamaican market revealed an opportunity for local insurance companies to develop products along this dimension at appropriate price points to suit large corporations and Small Medium Enterprises (SMEs) alike.

 

Individuals & SMEs

It is quite easy to overlook the needs of individuals and SMEs on such an issue; however, the audience members did not let their opportunity to seek out expert advice on the matter go to waste. Indeed, underscoring the need for greater levels of public awareness when it comes to hoaxes and scams, one gentleman took to the microphone during Q&A of one of the sessions with a genuine concern over a letter he received which purported that he was the recipient of a large financial reward. In my presentation on citizen action towards protection and in referencing this gentleman’s plight, I explained that this was an excellent example of how traditional scams can be updated over time and find new methods to reach vulnerable targets via social media, email lists or even phone calls. A statement from Mrs Dolsie Allen, CEO, Consumer Affairs Commission citing some level of deficiency in how the banking sector currently handles customer awareness, presented the perfect segue to illustrate how institutions can avail themselves of more funding towards customer or employee cyber awareness by simply reallocating money dedicated for brand promotion into brand protection from cyber risk. Additionally, Mr Trevor Forrest of 876 Technology Solutions advised that SMEs need to plan well in advance and have a defined incident management plan at hand in preparation for attacks.

 

Conclusion

Professor Dunn and the CARIMAC should certainly be commended for organizing such a highly informative and  conference for the third consecutive year.  The tightly packed agenda was designed to allow for ventilation of policy, technical and legal issues and each panel featured an international panelist. My only question to Professor Dunn remains, when does he intend to take the show on the road and make this a regional event?

Lessons for the Caribbean from the OAS-FIRST Cyber Security Colloquium

 

Trinidad & Tobago’s delegation to OAS Cyber Security Colloquium. From left, Sean Fouche, IT Manager of CARICOM IMPACS; Amos Sylvester, law enforcement; Angus Smith, Manager, Trinidad and Tobago CSIRT and Wendell Diaz, Director WASA. Image credit, Shiva Bissessar

The Organisation of American States (OAS) in collaboration with the Forum of Incident Response and Security Teams (FIRST) hosted a technical colloquium and cyber security workshop over the period Sept 29th to Oct 1st 2015 in Washington DC. The colloquium brought together several practitioners from various states within the Americas to participate in interactive sessions guided by international experts from several countries including Canada, Estonia, Poland and Spain to name a few. The event was divided into three distinct tracks: Critical Infrastructure Protection (CIP), Cyber Security Incident Response Team (CSIRT) and Law Enforcement.

CIP is dedicated towards securing networks utilised in the provision of services critical to the functions of a nation state.  Networks found in public utilities or the energy sector, for example, their Industrial Control Systems (ICS) or networks and systems in the finance sector, would qualify for CIP.  CSIRTs are that first line of defence which receives reports of cyber security incidents, performs incident triage and analysis & prioritizes and escalates incidents towards coordinated response and resolution as necessary.  Locally, some attention is being paid to energy sector CIP via the Energy Sector Security Initiative (ESSI) while the Trinidad and Tobago CSIRT is still in development.

The Caribbean was well represented at the colloquium with participants from Antigua & Barbuda, Barbados, Guyana, Jamaica, St. Kitts and Nevis and Trinidad & Tobago. These representatives came from different professional backgrounds which generally guided the track they chose to follow.  Cybercrime does not respect physical boundaries, thus responses must encompass participation from both the public and private sector and the delegation from Trinidad and Tobago represented an appropriate mix of participants, as shown above.  This included my own participation as a member of the private sector upon invitation and part sponsorship by the OAS.   It was good to see a representative from a Trinidad & Tobago public utility in attendance as CIP should be a major area of concern for a small country largely dependent on the energy sector.

Local and International Cooperation & Coordination

The perception that cybercrime only hurts big business persists; and even some officials do not treat cybercrime with the seriousness they would treat more traditional crimes. This was underscored by Minister in the Ministry of ICT of Colombia, Mr. David Luma, who noted that normal everyday “citizens on the street” need to be reached via cyber security awareness campaigns. He also emphasized that cybercrime impacts the everyday lives of people and addressed the ‘laissez faire’ approach which some take to cybercrime risk by reminding participants that just because they have not been affected does not mean that they have not been targeted or under threat at some point.

Matthew Noyes of the U.S. Secret Service, which has a historical mandate of protecting payment and financial systems in the U.S., outlined some of the work they do towards this objective. He stated that criminals receive so much payment card data in some cyber-attacks that they cannot monetise it fast enough, leading to the development of underground secondary markets for stolen payment card data. He referred to the work of Brian Krebs, the de-facto standard for investigative journalism and reporting of financial system breaches, where Krebs gave a “Peek inside a Professional Carding Shop” in June 2015. This story included details of how these secondary markets for stolen payment card data have advanced by highlighting that potential buyers can now sort the stolen card data by “city, state and ZIP” thereby increasing their chances of purchasing stolen card data which will not throw up red flags on fraud detection systems due to abnormal geographic usage patterns.

He further dispelled the myth of ‘hackers’ being of the ‘lone wolf’ variety working out of their mother’s basement and gave a more accurate portrayal of them being akin to capable professional entities working transnationally to carry out complex, coordinated attacks.  This description was reinforced by several speakers with some even noting that attackers had an advantage over the good guys on this front as harmonization and coordination of responses to attacks are not as coordinated as the original attack.  As shown by the Director of the Canadian Cyber Incident Response Centre (CCIRC), Gwen Beauchemin, there is a diverse range of motivations, attacker profiles and attack surfaces which need to be taken into account to fully address cyber security.

 

 

Attacker motivations, profiles and attack surfaces.  Image credit, Canadian Cyber Incident Response Centre (CCIRC)

Cyber Security Awareness

The OAS also used the occasion to mark the opening of National Cyber Security Awareness Month by hosting another day of cyber security panel discussion and presentations underscoring the importance of awareness, on October 2nd. Delivering the keynote address was the Estonian president, Toomas Ilves, who gave insights into how Estonia, a small nation with a population of 1.4 million people, became a global leader in ICT and cyber security. He attributed his nation’s achievement in provisioning the majority of Government services online to (i) the development of their fast data exchange layer (X-road) and (ii) secure identity management via two factor authentication. Further, he espoused a philosophy of encouraging both exposure to ICT and the development of ICT products from a young age, citing the Estonia success story of development of Skype. Certainly Trinidad & Tobago and the wider Caribbean could learn some lessons here given our dependence on foreign based ICT solutions.

VP, Cyber Security of TrendMicro, Tom Kellerman, lamented the fact that some organisations do not expend enough effort on cyber security awareness, going so far as to suggest that if budget is a concern, then organisations need to start spending some of their marketing budget on “brand protection” from cyber risks. This resonated deeply with me given my own drive on the awareness front, as I have encountered Information Technology professionals who remain apathetic towards the need for proper Information Security Awareness campaigns within their environment. So much so, that at times I have switched focus away from the technical people to pitch awareness to HR or Safety departments along the dimension of changing organisational behaviours toward proper information handling. After all, proper cyber security is a risk management issue rather than an IT problem. To understand the significance of cyber awareness, consider that the devastating 2014 attacks on SONY incorporated phishing campaigns to retrieve credentials from system administrators as a first step. Now, if even the ‘techy sys admins’ can be duped, how would your normal staff fare against social engineering tactics? Are they capable of recognizing such threats?

Developing the Caribbean Cyber Security Ecosystem

As many presenters attempted to convey, we need to move away from thinking of cybercrime as acts perpetrated by single entities and view cybercrime as being executed by well-funded organised groups which have no respect for international borders.  Hence, this requires a coordinated response from both the public and private sector and coordination and cooperation locally and internationally.    Caribbean nations therefore need to develop cyber security holistically rather than adopting a silo approach to cybercrime.  The nation state cannot do this on its own and while seeking assistance from bodies such as the OAS on matters of strategy, policy, legislation etc. they must simultaneously involve, engage and encourage participation from the private sector, academia and civil society on these initiatives.  This would ensure capacity building and the creation of a cyber security ecosystem of professionals including researchers, lecturers, writers, service providers and vendors to contribute towards local and regional protection.

 

Trinidad’s “archaic laws”, Revenge Porn & Data Privacy in the Cloud

 

Lack of legislation cited as impediment to Caribbean cyber security. Image Credit, Shiva Bissessar (based on data from OAS June 2014 report)

On Oct 26th 2015, Justice Frank Seepersad in the Trinidad & Tobago High Court made a ruling, as reported by the Daily Express, in a “revenge porn” matter noting that technology advancement on this issue and others, including defamatory posting of comments on social media, has outstripped the pace of legislative reform to keep abreast of same;

“It is unfortunate that as a society we have not been proactive and that we are burdened with so many archaic laws that predate our independence”

In the absence of laws which directly speak to the issue of revenge porn, the ruling was based on a breach of implicit confidentiality. The ruling comes on the heels of another local privacy / confidentiality story involving allegations of intimate photos being removed from a customer’s device by a repair shop and being circulated on social media.

Justice Seepersad’s quoted statement from the ruling echoes the sentiment expressed by Brad Smith, President and Chief Legal Officer of Microsoft in a blog post on the recent October 6th 2015 decision by the Court of Justice of the European Union to invalidate the EU-US Safe Harbor Agreement which was previously used by corporations to facilitate movement of data across the Atlantic;

“Legal rules that were written at the dawn of the personal computer are no longer adequate for an era with ubiquitous mobile devices connected to the cloud.”

Today, technology can be abused to facilitate widespread dissemination of private intimate photos in acts of revenge porn. It can also be abused to gain access into persons’ personal data, including Personal Identifiable Information (PII), within cloud facilities across the globe. The above quotes seem to reflect a growing realization that more effort needs to go into keeping laws abreast of technological innovation. Also, the underlying court rulings both seek to protect individuals’ right to privacy, in the face of growing technological means to facilitate retribution and possible surveillance, respectively.

But where is Trinidad & Tobago, and the wider Caribbean, with respect to updating laws to keep abreast with technological innovation and addressing the threats which they pose via abuses or even condoned usage? How technology specific or technology agnostic should laws be? Does the proposed Trinidad & Tobago Cyber Crime Bill (2014 & 2015) have adequate provisions for issues like revenge porn and cloud privacy? What else may be missing? What’s taking place globally with respect to legislation around these issues? What is the Commonwealth doing? How are we stacking up?

See below for some previous material I have produced, from an Information Security perspective, on the topic of developing the cyber security landscape to address cyber crime locally and in the Caribbean which bears some relevance to these questions:

  1. Achieving Caribbean Cyber Security – 10th Caribbean Internet Governance Forum
  2. Trinidad & Tobago Cybercrime Bill 2014: Due Diligence
  3. T&T Cybercrime bill demands multi-stakeholder input – TechnewsTT, July 2014
  4. Are Caribbean Cybercrime Bills based on flawed model law – Trinidad Guardian, June 2015
  5. The TT Cybercrime Bill debate continues:  Critics, Opinions and Facts – Pinaka Technology Solutions Blog, June 2015
  6. At The Intersection Of Ethics, Law & Technology In Trinidad & Tobago – Pinaka Technology Solutions Blog, July 2015

Additionally, coming soon is a NEW article in one of our local daily newspapers tentatively entitled “Lessons for the Caribbean from the OAS-FIRST Cyber Security Colloquium”.  Stay tuned!

Exploring digital currency and E-payment in the Caribbean

*This post was initially carried by the Trinidad Express, Sept 29th

**While reference is made within this piece to a study and report, the opinions expressed are my own.

 

Figure 1: UN ECLAC 1st EGM: (Left to Right) ECLAC’s Deputy Director (Ag.) and Associate Information Management Officer. Dillon Alleyne and Robert Williams, respectively & consultant, Shiva Bissessar (courtesy UN ECLAC)

In November 2014 The UN Economic Commission for Latin America and the Caribbean (ECLAC) commenced a study entitled “Opportunities and risks associated with the advent of digital currency in the Caribbean”, where yours truly was selected as the consultant to perform the required research and write the final report.  The study sought to introduce the Caribbean to the phenomenon of digital currency and explore the opportunities and risks which arise from application of this innovation within the Caribbean.  The work was performed in the context of continued regional deficiencies in electronic payment infrastructure (e-commerce and mobile money) and the appearance of service providers seeking to provide solutions in response to these deficiencies including digital currency service providers.

The study brought together key stakeholders within the Caribbean involved in activities toward the development of better electronic payment infrastructure. These stakeholders included:

  • E-commerce providers & software developers desirous of more responsive payment infrastructure
  • Mobile wallet & digital currency service providers seeking entry in the Caribbean
  • Central Bank Policy and Anti-Money Laundering (AML) senior representatives
  • Government senior legal representative
  • Finance academia representative

These parties were identified and invited to participate in two Expert Group Meetings (EGM). The 1st EGM was essential towards data collection of the views and positions of the aforementioned while the 2nd EGM was used to review a final draft of the report. The summaries of these meetings remain the only public output of this study to date.

The study also served to conduct a formal survey of some of the region’s Central Banks as to their awareness on digital currency and mobile money in the evolving landscape of electronic payments. The study was intended to provide Caribbean authorities with enough information for them to begin the process of performing a balanced evaluation of opportunities and risks associated with digital currency in the Caribbean.

Key Takeaways

*As the study remains unpublished, there are limits as to what can be discussed, however some aspects as made public in the EGM reports are referenced.

The study uncovered evidence of longstanding deficiencies in electronic payment systems within the Caribbean which has forced e-commerce vendors to rely on workaround methods to receive payments.  The deficiencies manifest as prohibitive charges and burdensome requirements placed on vendors to acquire local merchant accounts with the ability to receive credit card payment.  This has forced certain vendors to take a path of least resistance and resort to external payment providers such as Paypal, rather than contend with the expensive red tape laden scenario as posed by local banks.

The study also uncovered instances of vendors seeking to provide mobile money and digital currency solutions, including remittance solutions, within certain Caribbean territories.  However, given the innovativeness of the solutions these vendors were seeking to provide, their regulatory uncertainty and the largely risk averse commercial banking sector, such vendors have had difficulty in acquiring bank accounts to provide their services.  Indeed, it is worth noting that a low return of completed survey instruments was experienced within the study, in seeking feedback from regional Central Banks.

If we were to compare the approach towards digital currency within the Caribbean against that of a first world capital of finance e.g. London, we would find that a predominantly unacquainted and conservative approach dominates the Caribbean mindset, with many in authority focusing on the weaknesses of digital currency. Contrast this with the approach taken by the UK’s HMRC in March 2015 where intentions towards standardisation in consumer protection and AML regulation of digital currency were announced while also allocating £10M towards further research.  The contrast is illustrated below.

Figure 2: The Caribbean seems to be stuck focusing on weaknesses of digital currency while global finance capitals are improving on weaknesses and exploiting opportunities. (Bissessar, 2014 & 2015)

 

Hence, if the full benefits of digital currency are to be achieved within the Caribbean we cannot continue to rely on traditional actors as noted in the 2nd EGM meeting notes (item #47).

“In discussion on the conclusion of the study, the consultant expressed the view that the current target audience for the study may need to be shifted away from central bankers. He noted that central bankers have demonstrated a reticence to officially comment on the process, as suggested by their lack of response to the survey instrument. He expressed the view that central banks as regulators tend towards deference on the concerns of international finance bodies, which invariably raises the level of risk aversion. This institutional environment does not augur well for the encouragement of technological innovation in the region. He suggested that perhaps if the focus of the study’s discussion shifted towards academics and the technology and innovation sector, more traction could be gained toward regional engagement with issues surrounding digital currencies, and the momentum could be built upon to encourage a more active role on the part of regulators. He also noted that it was not the role of the study to sell regulators on the benefits of these technologies, but rather to bring legitimacy to the debate around digital currencies and to encourage local and regional authorities to treat with the issue objectively, rather than with a sole focus on risk.”

 

Relevance of this Caribbean study 

In February 2015 the Commonwealth held the Virtual Currency Round Table which was attended remotely by Mr. Robert Williams of ECLAC who articulated the objective evaluation of both opportunities and risks of digital currency which the ECLAC study was achieving within the Caribbean region.  Also participating in this meeting was Jamaica’s Director of Legal Reform within the Ministry of Justice, Mr. Maurice Bailey who also actively participated in, and commended the efforts of, the study within the 2nd ECLAC EGM in April 2015.  Subsequently, the Commonwealth Working Group on Virtual Currencies (CWGVC) released conclusions from their meeting in Aug 2015  as shown below:

 

CONCLUSIONS

The Group agreed that:

  • Virtual currencies have a potential to benefit Member States and to drive development;
  • The use of virtual currencies has benefits and risks;
  • Awareness, education and funding for training for law enforcement, prosecutors, judges, regulatory authorities and the financial sector are needed;
  • Member States should consider developing and improving the capacity of law enforcement especially in the areas of digital forensics and analytics;
  • Member States should consider the applicability of their existing legal frameworks to virtual currencies and where appropriate they should consider adapting them or enacting new legislation to regulate virtual currencies;
  • Legal frameworks should address risks and vulnerabilities, be technologically neutral and avoid stifling innovation;
  • Member States are encouraged to implement the FATF Guidance for a Risk Based Approach to Virtual Currencies (June 2015);
  • The Commonwealth Secretariat should create a digital repository of best practice and model regulations as part of an online community to assist Member States in developing policy; and
  • Relevant technical terms should be clearly defined in the guidance to be made available to Member States.

OUTCOMES

The Group resolved upon the following outcomes (the ‘Outcomes’):

  • to complete a report on the prevalence and impact of virtual currencies within one (1) month;
  • to convene again in early 2016 to consider draft technical guidance for member states on virtual currencies; and
  • to continue to raise awareness and develop capacity building on virtual currencies within the Commonwealth

 

Various aspects cited within the CWGVC conclusions are treated with in the ECLAC study including:

  • Discussion of some possible distinct benefits to the Caribbean
  • Discussion of anonymity (relevant to law enforcement, prosecutors, digital forensics etc.)
  • Discussion of treatment options re: policy and regulatory development, FATF guidelines

Hence, this ECLAC study can contribute to the overall best practice, awareness and capacity building efforts as mandated within the CWGVC conclusions.  The Caribbean therefore has the opportunity to be recognized as being early and taking a forward thinking and balanced approach towards getting ahead of the game with respect to this emerging financial innovation.

Improving Caribbean Software / Mobile App Security

 

The Caribbean has seen recent growth in mobile app development which is being driven by various stakeholders as a means of increasing ICT innovation and entrepreneurship.   Evidence of this trend can be found in various news clippings from the region:

 

Indeed, this growth also exists on the demand side with various Caribbean commercial and non-commercial entities having developed mobile apps as a new means to connect, provide services and interact with their clientele. The range of businesses engaging in such activity also includes banks and businesses facilitating payments.

 

Insecure Code Abounds

However, a recent WSJ blog article based on an academic paper entitled “Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World”, has cast some doubt on security of some mobile banking apps.  According to the paper by Reaves, Bradley, et al., “28 significant vulnerabilities across seven applications” were found and categorized under the following headers:

  • SSL/TLS & Certificate Verification
  • Non-standard Cryptography
  • Access Control
  • Information Leakage

 

 

What does this mean for us in the Caribbean?  None of the apps tested were from the Caribbean, however the absence of testing doesn’t necessarily translate to security.

 

Questions?

If you are a Caribbean based mobile app developer, software developer or an organisation which outsources software development you need to be asking yourself…how secure is my software development lifecycle?

 

  • What category do I fall within the Open Web Application Security Project Foundation (OWASP) software development capability maturity model?

 

Figure 1: Capability Maturity Model, image credit OWASP

Figure 2: Security process in reality, image credit Nazar Tymoshyk, SoftServe

 

 

  • What static analysis tools are available to test my code?

 

Should you require assistance in answering the last question, click on the video link below to get a 1 minute introduction on Kiuwan and please do get in contact for further information and/or free web-demo.

 

See also details and register for FREE upcoming webinar, “Take your code and quality to the next level” on Sept 10th at 10am (AST)

 

Additional Resources

  • White Paper – Software Development Outsourcing – This paper presents and assesses the different techniques for the code quality and security evaluation that a “receptor” (recipient organization) of externally developed software can apply to determine the intrinsic (technical) quality and security of the delivered software

At The Intersection Of Ethics, Law & Technology In Trinidad & Tobago

On 12th July 2015, the students of the Master of Information Systems & Technology Management (MISTM) programme at the Arthur Lok Jack Graduate School of Business were exposed to the growing global ethical debate of security vs. privacy within the context of existing local laws with an information Security dimension (as well as impending proposed legislation).   As part of my Information System Security, Ethics and Law (ISSEL) course, within the class dedicated to examine ethical and legal issues as pertains to Information Security, I invited two guest presenters, both lawyers, to share their expertise with the students:

  • Cláudio Lucena, Professor of Law, Paraíba State University, Brazil
  • Jason Nathu, Tutor, Legal Aid Clinic, Hugh Wooding Law School

Security vs. Privacy

Mr. Lucena noted that increased awareness of privacy in the virtual world is a relatively new phenomenon due to the digital revolution and increased technological capabilities for mass collection of data, while stating that “The Right To Privacy” in the physical world dates back to 1890. He suggested that the strength of the response towards 2012 Snowden revelations of global surveillance was mainly due to the fact that it revealed infractions against foreign leaders and persons involved in international relations, rather than only surveillance of normal citizens. The awareness generated from these revelations was cited as contributing towards a March 2015 decision by the UN Human Rights Council to adopt a resolution to appoint a special rapporteur on the right to privacy. As a Brazilian citizen he related how specific revelations of surveillance in Brazil led to a heightened pace towards the passage of Marco Civil Da Internet as an online protection of civil liberties, and data protection laws to ensure adequate data handling.

 

ISSEL student posing a question to Mr. Lucena

 

After laying this foundation, we got into other issues such as:

  • The ideological difference between the EU and US approaches towards data privacy where the EU approach tends towards protecting individuals’ rights to maintaining ownership of data.
  • How the “Right To Be Forgotten” seeks to protect individuals from search results about themselves which can be deemed as inaccurate, inadequate, irrelevant or excessive.

Interestingly, I met Mr. Lucena at the 2015 South School Internet Governance in Costa Rica, where we were fortunate to have seen a presentation by Mr. Pedro Less Andrade, Latin American Policy Counsel of Google, who presented (en español) some of the challenges of the right to be forgotten ruling.

Local Legal Context

Quite suiting a core theme of the day, Mr. Nathu grounded his delivery entitled “Information Security:  The Local Legal Context” by defining the right to privacy and then segued into discussion on the Data Protection, Computer Misuse and Electronic Transactions Acts.

Mr. Nathu defining the right to privacy

 

Previously, Mr. Lucena, in commenting on Brazil’s weak cybercrime laws, suggested that there was a perception of cybercriminals as being less of a criminal.  This was echoed by Mr. Nathu, who also stated there was a low prosecution rate for e-crimes globally.   In highlighting the difference between criminal prosecution and civil proceeding he questioned why certain organisations, e.g. banks, would expose themselves as victims of cybercrime, and thereby suffer reputational loss, in criminal proceedings, which would result in no monetary compensation.

A few of the additional salient points on the aforementioned laws brought out by Mr. Nathu included:

  • Lack of proper consultations and serious objections from professional bodies such as the Media and Law Associations on certain aspects of the Data Protection Act, which remains partially proclaimed.
  • The Computer Misuse Act has over-specification in some areas, e.g. definition of a computer, yet it “Broadly and vaguely protects against hacking, data misuse…”.
  • The Electronic Transactions Act remains partially proclaimed and it “does not REQUIRE a public body to accept or issue any document in electronic form”.
  • The pace of enacting and subsequent legislative reform is slow.

In responding to a question on why such deficiencies within our laws exist, Mr. Nathu offered that communication and consultation was an issue.  He urged the students to become more involved on matters with a technology and legal intersection.   On a conciliatory note, he admitted we were a young society with respect to this type of legislation and added that it is good that we have some laws in place, as a framework to build upon, even if it is not quite as robust to respond to the surrounding global context.

 

Conclusion

Collaboration is stated as one of the five key areas of focus within Trinidad and Tobago’s national Cyber Security Strategy and it was certainly good to get collaboration from guest lecturers of the caliber of Mr. Lucena and Mr. Nathu to share their expertise with a classroom of primarily technology based master level students. Additionally, both presenters mentioned the need for higher levels of activism and involvement. In the U.S. there is an organization known as the Electronic Frontier Foundation (EFF) which seeks to defend civil liberties in the digital world:

Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows.

Would you say we have a sufficient intersection between the technology and legal professions in Trinidad and Tobago towards the protection of rights in the digital age?

OTT VoIP in the Caribbean: A Vexing Policy Issue

The Telecommunications Authority of Trinidad & Tobago (TATT) held their 21st ICT open forum on 18th June 2015 posing the question “Should Over The Top Services Be Regulated” to the three regulatory heads of the regional mobile providers Digicel, TSTT and LIME Caribbean, and the audience, no doubt, 100% comprised of mobile customers.

TATT’s representatives presented a summary of their consultative document “Towards the Treatment of Over-The-Top (OTT) Services” which remains open for public comment until Monday July 6th 2015. While the consultative document starts off speaking to Over The Top (OTT) services in general and mentions that OTT services include other services such as video, within this forum (as within their document) there was a clear focus on OTT Voice over Internet Protocol (VoIP) services. The focus on OTT VoIP was subsequently brought up in the Q&A portion of the proceedings with audience member, Mr Simon Fraser of UWI, posing comments around the future ‘can of worms’ scenario of which OTT services should be regulated or not. In defining OTT VoIP, three categories were mentioned:

OTT VoIP Category | Example
App to App | Viber to Viber call
App to PSTN | Viber to call terminating on mobile provider network
PSTN to App | Call from mobile provider network terminating on Viber

 

In making a determination on regulation of OTT VoIP, TATT has to take into consideration the Authorised Service Providers’ (ASPs’) perspective and the threats this innovation poses to them: (i) potential loss in revenues, (ii) utilization of network resources, and (iii) having to compete with an unregulated service, i.e. an uneven playing field. TATT also has an obligation to ensure that consumers are protected in this tango between ASPs and OTT services, and indeed within their consultative document they note:

With the increase in demand for OTT services by the public, there may be a negative impact on the market if such services are removed

TATT offered a few possible scenarios for resolution, including:

| Solution | Explanation |
|---|---|
| Aggressive | Blocking of OTT VoIP services as was done by Digicel in Jamaica and Haiti |
| Collaborative | Partnering with select OTT VoIP players to develop a mutually beneficial relationship |
| Opportunistic | Creation of premium data packages which allow for OTT VoIP |

Positioning to Block or Collaborate

In presenting Digicel’s case for possible regulation of OTT VoIP, Mr Kieran Meskell, Head – Regulatory Affairs, stated that OTT VoIP service providers had an unfair competitive advantage over ASPs, as they had no cost to build and maintain networks, nor did they have any obligations to fulfil as regulated ASPs. Digicel painted a bleak future scenario of Caribbean mobile network operator insolvency due to drastic loss of revenue from their mobile voice calls business and increased cost of upgrades and maintenance of mobile networks. They highlighted that they had a contract in place with Viber to provide OTT services over their network, which Viber chose not to honour. This is what led to their action of seeking to block the service, which TATT previously negotiated to stave off pending further investigation.

TSTT, who previously communicated the position that they will not block OTT VoIP services, took a more restrained approach, but stated nonetheless that they were concerned with OTT services which are in direct competition with licensed communication services. Ms Christa Leith, Head – Regulatory & Policy Affairs, noted OTT services as bypassing traditional distribution systems within their network and indicated their desire for a symbiotic relationship rather than a parasitic relationship. While citing several regulatory imbalances in comparing ASPs against OTT service providers along several dimensions (including licenses, quality of service, fees and interconnection), they acknowledged that traditional business models in the telecoms sector needed to be re-examined. TSTT expressed a position of “refining their OTT strategy” and stated they were open to collaborating with OTT service providers via “appropriate business models”.

“Vexing issue at the policy level…”

Head – Regulatory Affairs & Policy, LIME Caribbean / Columbus Communication Trinidad Limited, Mr David Cox came to the podium without a PowerPoint presentation but articulated the most thought-provoking delivery of the evening. Coming from a telecoms regulator background, he had a perspective on the problem from both sides of the table, and he chose to convey his thoughts as a conundrum facing the nation, and indeed the Caribbean, via a series of exploratory questions. Grounding his delivery with a statement that his organisation has adopted an open internet policy (no blocking, no throttling), Mr Cox spoke less of OTT services and more about information and the differentiation between networks and information. He acknowledged the need for proper regulatory balance in the telecoms sector and agreed that money for the maintenance and upgrade of networks will evaporate if this balance is not achieved. However, he went on to question whether regulation of networks implied regulation of information and suggested that, at times, a light-handed approach to regulation is beneficial.

Some of his questions included:

  • Are ASPs the best agents to manage access to information? Should this be left to consumers?
  • Is there a role for self-regulation? What if companies make their decisions to block and let market forces prevail (i.e. let customers express their dissatisfaction by moving to another provider)?
  • What regulatory approach best promotes competition in the market place?
  • Can premium rate charges for OTT services and market forces solve this problem?

Citing a deficiency of in-market data presented by TATT, he suggested the use of foreign data on usage of OTT services may not paint an accurate picture of local market usage of OTT services. He also posed a final question to Digicel, querying whether, if Viber had not reneged on their agreement, such an agreement would be considered a solution to the OTT problem or would have been a temporary fix until a regulated solution was obtained from TATT. It would seem that this is the question which should have kicked off the proceedings, or any future proceeding on this topic, for that matter.

From the Floor

In taking to the microphone, consumers spoke of their reliance upon these services to overcome international rates and burdensome data roaming charges and questioned the network providers’ claims of delivering a level of Quality of Service, citing recent outages and call quality concerns. Other notable concerns included:

  • Mr Lassana Murray, Quenk Technologies, noted that the blocking of OTT services would lead to a lost market opportunity for local software developers to create applications in that space.
  • Ms Tamara Ragoonath of DirecTV questioned why TATT was playing such a leading role in the OTT VoIP debate when they had an outstanding issue with respect to local subscription television service providers carrying international channels which they did not have the rights to broadcast, thereby placing DirecTV on an unlevel playing field with these providers (…in response TATT stated that a final resolution on this matter, possibly in the form of cessation notices to offending service providers, was coming soon).

Conclusion

There is no doubt that OTT VoIP has the potential to erode mobile operators’ revenues, but with two out of three mobile operators willing to at least explore non-regulated solutions, one is left wondering if the future is as bleak as Digicel made it out to be. Additionally, they all seemed to agree that Telco business models need to be re-examined. Hence possible solution scenarios include a light-handed regulatory approach plus collaborative mechanisms between ASPs and OTT services (as advocated by TSTT), or some combination of opportunistic measures via the use of premium rate charges and aggressive measures of allowing ASPs to block what they want and letting market forces prevail (as raised by Mr. Cox).

OTT services are but one innovation we are currently experiencing locally and in the Caribbean, but globally mobile operators are emerging from their traditional business models and immersing themselves in mobile money, payment systems and financial transactions. In fact, the International Telecommunication Union (ITU) currently has a focus group examining Digital Financial Services which is seeking to standardize mobile money technology and solutions. Hence mobile operators have the ability to derive revenues from new streams such as these and even begin competing with financial institutions. One can only speculate on the kickback local and regional Telcos will experience from traditional financial institutions once this round of innovation and perceived encroachment comes around.

Cybersecurity strategy implementation challenged by lack of political support

Good work by Trinidad & Tobago’s own Anita Sohan, currently on fellowship at the Commonwealth Telecommunications Organisation (CTO) in the UK as highlighted in the CTO May 2015 newsletter:

The objectives of this work programme were to give Anita experience in designing and implementing a survey for Commonwealth Member States to determine the challenges they face in implementing national cybersecurity strategies and, based on those findings, to report on suggested responses to these challenges.

The survey found that challenges implementing cybersecurity strategies are wide-ranging, and include lack of human resources and political support along with limited awareness of the issues. Key in aiding countries in this work is capacity building and awareness raising, along with facilitating international co-operation.

Looking forward to reading how Trinidad & Tobago and other individual Caribbean nations fared.
