Lessons for the Caribbean from the OAS-FIRST Cyber Security Colloquium
Trinidad & Tobago’s delegation to the OAS Cyber Security Colloquium. From left, Sean Fouche, IT Manager of CARICOM IMPACS; Amos Sylvester, law enforcement; Angus Smith, Manager, Trinidad and Tobago CSIRT; and Wendell Diaz, Director WASA. Image credit, Shiva Bissessar
The Organisation of American States (OAS), in collaboration with the Forum of Incident Response and Security Teams (FIRST), hosted a technical colloquium and cyber security workshop over the period Sept 29th to Oct 1st 2015 in Washington DC. The colloquium brought together several practitioners from various states within the Americas to participate in interactive sessions guided by international experts from several countries including Canada, Estonia, Poland and Spain, to name a few. The event was divided into three distinct tracks: Critical Infrastructure Protection (CIP), Cyber Security Incident Response Team (CSIRT) and Law Enforcement.
CIP is dedicated to securing the networks used in the provision of services critical to the functions of a nation state. Networks found in public utilities or the energy sector, such as their Industrial Control Systems (ICS), or networks and systems in the finance sector, would qualify for CIP. CSIRTs are the first line of defence: they receive reports of cyber security incidents, perform incident triage and analysis, and prioritize and escalate incidents towards coordinated response and resolution as necessary. Locally, some attention is being paid to energy sector CIP via the Energy Sector Security Initiative (ESSI), while the Trinidad and Tobago CSIRT is still in development.
The Caribbean was well represented at the colloquium, with participants from Antigua & Barbuda, Barbados, Guyana, Jamaica, St. Kitts and Nevis and Trinidad & Tobago. These representatives came from different professional backgrounds, which generally guided the track they chose to follow. Cybercrime does not respect physical boundaries, so responses must encompass participation from both the public and private sectors; the delegation from Trinidad and Tobago represented an appropriate mix of participants, as shown above. This included my own participation as a member of the private sector upon invitation and part sponsorship by the OAS. It was good to see a representative from a Trinidad & Tobago public utility in attendance, as CIP should be a major area of concern for a small country largely dependent on the energy sector.
Local and International Cooperation & Coordination
The perception that cybercrime only hurts big business persists, and even some officials do not treat cybercrime with the seriousness they would treat more traditional crimes. This was underscored by the Minister in the Ministry of ICT of Colombia, Mr. David Luma, who noted that normal everyday “citizens on the street” need to be reached via cyber security awareness campaigns. He also emphasized that cybercrime impacts the everyday lives of people and addressed the ‘laissez faire’ approach which some take to cybercrime risk by reminding participants that just because they have not been affected does not mean that they have not been targeted or under threat at some point.
Matthew Noyes of the U.S. Secret Service, which has a historical mandate of protecting payment and financial systems in the U.S., outlined some of the work they do towards this objective. He stated that criminals receive so much payment card data in some cyber-attacks that they cannot monetise it fast enough, leading to the development of underground secondary markets for stolen payment card data. He referred to the work of Brian Krebs, the de facto standard for investigative journalism and reporting of financial system breaches, where Krebs gave a “Peek inside a Professional Carding Shop” in June 2015. This story included details of how these secondary markets for stolen payment card data have advanced, highlighting that potential buyers can now sort the stolen card data by “city, state and ZIP”, thereby increasing their chances of purchasing stolen card data which will not throw up red flags on fraud detection systems due to abnormal geographic usage patterns.
He further dispelled the myth of ‘hackers’ being of the ‘lone wolf’ variety working out of their mother’s basement and gave a more accurate portrayal of them as capable professional entities working transnationally to carry out complex, coordinated attacks. This description was reinforced by several speakers, with some even noting that attackers have an advantage over the good guys on this front, as responses to attacks are not as harmonized and coordinated as the original attack. As shown by the Director of the Canadian Cyber Incident Response Centre (CCIRC), Gwen Beauchemin, there is a diverse range of motivations, attacker profiles and attack surfaces which need to be taken into account to fully address cyber security.
Attacker motivations, profiles and attack surfaces. Image credit, Canadian Cyber Incident Response Centre (CCIRC)
Cyber Security Awareness
The OAS also used the occasion to mark the opening of National Cyber Security Awareness Month by hosting another day of cyber security panel discussions and presentations underscoring the importance of awareness, on October 2nd. Delivering the keynote address was the Estonian president, Toomas Ilves, who gave insights into how Estonia, a small nation with a population of 1.4 million people, became a global leader in ICT and cyber security. He attributed his nation’s achievement in provisioning the majority of Government services online to (i) the development of their fast data exchange layer (X-road) and (ii) secure identity management via two factor authentication. Further, he espoused a philosophy of encouraging both exposure to ICT and the development of ICT products from a young age, citing the Estonian success story of the development of Skype. Certainly Trinidad & Tobago and the wider Caribbean could learn some lessons here, given our dependence on foreign based ICT solutions.
VP, Cyber Security of TrendMicro, Tom Kellerman, lamented the fact that some organisations do not put enough effort into cyber security awareness, going so far as to suggest that if budget is a concern, then organisations need to start spending some of their marketing budget on “brand protection” from cyber risks. This resonated deeply with me given my own drive on the awareness front. I have encountered Information Technology professionals who remain apathetic towards the need for proper Information Security Awareness campaigns within their environment. So much so that at times I have switched focus away from the technical people to pitch awareness to HR or Safety departments along the dimension of changing organisational behaviours toward proper information handling. After all, proper cyber security is a risk management issue rather than an IT problem. To understand the significance of cyber awareness, consider that the devastating 2014 attacks on SONY incorporated phishing campaigns to retrieve credentials from system administrators as a first step. Now, if even the ‘techy sys admins’ can be duped, how would your normal staff fare against social engineering tactics? Are they capable of recognizing such threats?
Developing the Caribbean Cyber Security Ecosystem
As many presenters attempted to convey, we need to move away from thinking of cybercrime as acts perpetrated by single entities and view cybercrime as being executed by well-funded organised groups which have no respect for international borders. Hence, this requires a coordinated response from both the public and private sectors, with coordination and cooperation locally and internationally. Caribbean nations therefore need to develop cyber security holistically rather than adopting a silo approach to cybercrime. The nation state cannot do this on its own, and while seeking assistance from bodies such as the OAS on matters of strategy, policy, legislation etc., they must simultaneously involve, engage and encourage participation from the private sector, academia and civil society on these initiatives. This would ensure capacity building and the creation of a cyber security ecosystem of professionals including researchers, lecturers, writers, service providers and vendors to contribute towards local and regional protection.