I previously presented a partial analysis on the Trinidad & Tobago Cybercrime Bill 2014, entitled “T&T Cybercrime bill demands multi-stakeholder input” which can also be found on my website www.pinaka.co.tt/publications. Within this analysis, some light was shone on perceived problems with outputs of the Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR) and Electronic Government for Regional Integration Project (EGRIP) model law exercises. Several Caribbean nations have subsequently used the HIPCAR and EGRIP model laws to develop their proposed cybercrime legislation.
A subsequent Council of Europe discussion paper, dated December 2014 and entitled “Cybercrime Model Laws”, has come to light which examines the various outputs of cybercrime model law exercises in the context of the Budapest Convention. The Budapest Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security.
In this discussion paper, the importance of having proper model law upon which to base legislation development is explained by the author, Zahid Jamil, Barrister-at-Law. The paper goes further to explain the problems of developing legislation based on poor model law by describing the situation in which states may find themselves when seeking international cooperation:
Thus, poorly drafted and divergent model laws can cause countries to enact cybercrime legislation with gaping lacunas whilst at the same time criminalizing and labelling conduct as cybercrime which other countries (especially many members to the Convention) from whom they may seek cooperation would never view as cybercrime.
The paper is also very critical of the methodology adopted in carrying out some model law exercises. For example, in summarizing the methodology employed in the ITU run @CP-ICT Programme which resulted in three model law exercises including HIPCAR, the paper states:
The Models largely appear to have been prepared through input from participants at workshops rather than representatives or experts with an official mandate from State parties and have not received any official assent from the general body of the ITU.
Of interest to the Caribbean, the paper includes analysis and discussion of the HIPCAR and EGRIP model law exercises and highlights significant problems with not only the methodology but also the eventual outcome of these exercises. For example, specific to the HIPCAR model law output, the paper identifies various deficiencies, continuing:
Its greatest challenge, however, stems from its deviation and attempts to improve upon the language of the Convention (Budapest Convention) whilst inserting unique new offences within the scope of cybercrime, the language of which border on technical and legal absurdities.
The question which comes to my mind at this point is: are there any instances of problematic model law clauses which have subsequently been incorporated into actual Caribbean cybercrime legislation? In performing analysis on the HIPCAR model law, the paper cites several instances of ‘invention of offences’. Among these is one item in particular concerning illegally remaining on a system:
It attempts to invent an offence of “Illegal Remaining” which relates to conduct after the initial illegal access of the computer system. The offence considers the conduct of remaining logged in by the offender without any further action or consequence to be an aggravated offence of illegal remaining.
Subsequent analysis of the Trinidad and Tobago Cybercrime Bill, 2015, reveals clause 6, which speaks to an offence of illegally remaining on a system as described above. Hence, is Trinidad and Tobago considering the creation of an offence which is inconsistent with international best practice? There are other instances of problems with the HIPCAR cybercrime model law, as cited within the paper, which seem to have been subsequently integrated into our cybercrime legislation; however, I leave these for others to explore and comment upon.
Is this kind of deviation from international norms a legitimate concern? There may very well be legitimate reasons for these deviations, but it is incumbent upon the Government to explain them. The question also arises as to which other Caribbean states may have issues with their proposed cybercrime legislation based on the HIPCAR and EGRIP exercises. The paper finds that the EGRIP model law is even more divergent and problematic than the HIPCAR model law and highlights the case of Grenada, which needed to remove certain EGRIP-derived clauses from its cybercrime legislation.
In my previous July 2014 article I commended the efforts of Dominica to go beyond the HIPCAR and EGRIP model law efforts by seeking assistance from the Council of Europe, OAS and Commonwealth Secretariat to review its proposed cybercrime legislation and ensure compliance with the Budapest Convention. Is this the solution which other Caribbean states should be exploring?
At this juncture, when we debate the future of our own cybercrime bill, I again make the call for better stakeholder engagement in the development of this legislation, and perhaps even a review in light of the findings of this paper.
Additional food for thought…
What about the other laws within Trinidad & Tobago’s e-Legislative agenda which were derived from the HIPCAR exercise?
Do the methodology problems found in the HIPCAR cybercrime model law exercise extend to these other model laws as well?
How sufficiently differentiated is our e-Legislative agenda from the HIPCAR model laws?
The case for Multi-stakeholder engagement in reviewing the Trinidad & Tobago Cybercrime Bill, 2014
The Cybercrime Bill 2014 was read into Parliament by the Minister of National Security, Gary Griffith, on 21/03/14 and subsequent debate occurred in the Lower House of Parliament on 13/06/14. An alarm has been raised by media workers over certain clauses (21 and 23) in the Bill which they deem to be oppressive to their profession. Similar dissatisfaction has been expressed by other media workers in other Caribbean territories where attempts to introduce similar legislation have been made. Additionally, questions have arisen over the extent of stakeholder engagement practiced to review and produce the Bill.
This paper presents a historical context of the development of this legislation and presents a review of certain clauses (12, 21, 23, 26, 27, 28 and 31) or aspects within, from an ICT and Information Security perspective, so as to illustrate why a review of the Bill by a wider set of stakeholders may be required at this point.
There has been recent outcry by the Trinidad and Tobago Publishers and Broadcasters Association (TTPBA) against the proposed Cybercrime Bill 2014.
“It is evident that the media can be muzzled and the profession of investigative journalism can be undermined if this law is passed. The government has shown its willingness to discuss such issues before and we ask that they engage the TTPBA and other stakeholders again in order to work in the best interest of our democracy. In reviewing this Bill, it would seem that no thought was given to the repercussions of a free media nor to the role of the media as watchdogs of our nation.”
Additionally, the Trinidad Guardian editorial, dated 17/06/14, cited concerns with clauses 21 and 23 of the bill and went further to cite a lack of proper stakeholder engagement in the consultative process leading up to the laying of the bill in Parliament. Amongst the “interest groups” cited as requiring time to “weigh in” on the bill was the Law Association, which raises the question as to whether the legal fraternity has provided sufficient input on the bill.
In his contributions to the debate on the Cybercrime Bill as reported by the Trinidad Newsday, dated 16/06/14, Member of Parliament for St. Joseph, Terrence Deyalsingh raised an interesting question of the relevance of the proposed bill in relation to existing laws such as the Telecommunications Act, Electronic Monitoring Act and Interception of Communications Act. These are all interesting points which lead to the following questions: Where did this bill come from? Who were the stakeholders consulted? Does it unfairly target certain groups? Is the current outcry justified? How does it integrate into our existing set of laws? The response to these questions should lead to the position that greater stakeholder engagement is required at this point.
The bill is derived from the HIPCAR project, which commenced in 2008 and was designed to provide “harmonization of ICT policies and legislation across the Caribbean”. This project was 95% funded by the European Commission, with the International Telecommunication Union (ITU) as the executing agency and the Caribbean Telecommunications Union (CTU) as its project advisor. The fifteen (15) beneficiary countries were identified as Antigua and Barbuda, the Bahamas, Barbados, Belize, Dominica, the Dominican Republic, Grenada, Guyana, Haiti, Jamaica, Saint Kitts and Nevis, Saint Lucia, Saint Vincent and the Grenadines, Suriname, and Trinidad and Tobago.
As part of its deliverables, it produced “Model Policy Guidelines & Legislation texts” across nine (9) different areas, of which “Cybercrimes and cybersecurity” was one. Supplementing these “model law” deliverables, technical assistance was made available to tailor them to the unique circumstances of individual beneficiary countries. Trinidad and Tobago benefitted from at least two (2) “Stakeholder Validation Consultation and Capacity Building Workshop to review the Legislative Framework on Cybercrime (e-Crimes)” sessions as of June 2012. In 2009, Dominica, Grenada and St. Lucia also commenced another effort around ICT harmonization called the Electronic Government for Regional Integration Project (EGRIP).
Clearly, significant effort went into the HIPCAR project; however, there has been some dissent amongst Caribbean ICT professionals as to the effectiveness of the deliverables in meeting the needs of the individual beneficiary states. At the “Caribbean Stakeholders’ Meeting: The Importance of ICTs and their Impact on Regional Development”, held in Trinidad over the period 26th to 28th May 2014 and attended by several regional ICT Ministers, the Caribbean Area Representative to the International Telecommunication Union (ITU), Mr. Cleveland Thomas, acknowledged this dissent but attempted to place it in the context of the significance of the work accomplished, given some of the constraints that come with an externally funded project.
My own impressions from this meeting on issues of Caribbean cybercrime and cyber security development can be found in my Slideshare folder. As to whether the root of the dissent originates from the model law phase or the tailoring phase, this is up for debate. However, the fact that questions are now arising over the extent of consultations performed in the production of the Cybercrime Bill seems to indicate that the tailoring phase and/or the subsequent necessary follow-up consultative processes between June 2012 and June 2014 were not executed properly or did not adequately address the concerns of relevant stakeholders.
Other Caribbean Cybercrime Efforts
How have other Caribbean nations fared with their own efforts to introduce cybercrime legislation?
In June 2013, Grenada laid in its Parliament EGRIP-based Electronic Crimes legislation, much to the chagrin of local media representative bodies, who expressed similar concerns of having their freedom of expression suppressed. They were supported by international press freedom bodies such as the Paris-based Reporters Without Borders (RWB) and the Vienna-based International Press Institute (IPI), as well as the Association of Caribbean Media Workers (ACM). Michelle Marius of ICT Pulse provides a good summary of the Grenada experience up to July 2013.
In April 2014, Dominica, which has been a beneficiary of both the HIPCAR and EGRIP projects, embarked upon a National Needs Assessment and Legislative Review Workshop on Cybersecurity, with direction and assistance from international bodies including the Commonwealth Secretariat (COMSEC), through its Cybersecurity Assessment and Strategy Development programme, the Council of Europe (COE) and the Inter-American Committee against Terrorism of the Organization of American States (CICTE/OAS). The stated purpose of this workshop was to “review existing e-legislation to determine whether they are in compliance with the International Convention on Cybercrime known as the Budapest Convention on Cybercrime”, towards the development of a national Cybercrime Strategy and the establishment of a National Cybercrime Policy. The Dominica example must be commended as an example of tireless effort toward getting the right tailored fit for Dominicans in accordance with an internationally recognized authoritative source.
The Case for Multi Stakeholder Review
The Minister of National Security, Gary Griffith, has heeded the calls of the media fraternity and has invited them to discuss their concerns specific to clause 21 of the Cybercrime Bill. However, does this mean that the remainder of the Cybercrime Bill is perfectly fine and does not warrant review? At this juncture, I believe it would be more beneficial to employ a more encompassing approach, bringing together a wide range of professionals from various stakeholder institutions and entities such as law enforcement, the legal fraternity and, of course, the technical expertise represented by the ICT and Information Security fraternity. I shall highlight a few points of concern I have with the Cybercrime Bill which I have raised with various authorities over the past few months. These are primarily derived from an ICT and Information Security perspective and underscore the need to solicit and engage in further discussion with others.
“…investigative software or hardware installed on or attached to a computer system that is used to perform a task that includes keystroke logging or transmission of an internet protocol address”
This may be a bit misleading as the functionalities mentioned are a bare minimum of what these tools are capable of and indeed further reference to these tools in clause 31 alludes to a usage far greater than “keystroke logging or transmission of an internet protocol address”. Additionally, such tools would undoubtedly fall under the classification of “Illegal devices” as described in clause 12.
Yet, clause 31(3) calls for internet service providers to “support the installation” of such tools. It is my view that if competency is expected of persons outside of the police service to support the installation of such tools, explicit protection for users of these tools for legitimate purposes, for example academic research or professional duties, should be stated within the bill.
Why is this important? In 2010, the UK Cards Association (representative body for UK banks), attempted to compel the University of Cambridge to remove Omar Choudary’s research thesis from its website which exposed flaws in their Chip and PIN bank card technology.
Figure 02: Omar Choudary’s specialized hardware ‘device’ used in academic research into Chip & PIN vulnerabilities
Under our Cybercrime Bill, the research performed by Mr Choudary, which required certain hardware tools and software to perform analysis of bank card transactions, could have been deemed as having utilized “illegal devices” with the intent of committing an offence against the members of the UK Cards Association.
Ultimately the University of Cambridge defended its right to have the work published on its website and the UK Cards Association backed down; however, this case still resonates in the way universities approach cybersecurity research. Having recently completed M.Sc. Information Security studies 2012/13 at University College London, UK, I can personally attest to interactions between one of my classmates and his thesis supervisor on establishing boundaries for the scope of his research into contactless Near Field Communications (NFC) based bank card transactions, for fear of how this research and its published findings could be perceived.
Figure 4: Proxy and Relay NFC attack scenarios, credit C.Petridis
How would a Caribbean-based Bankers Association view a University of the West Indies based researcher doing similar work? What possible pressure could be levied to suppress such work? Can such legitimate research be misrepresented by a powerful lobbying group as an offence under our Cybercrime Bill? In the US, similar concerns have emerged from the security research industry with respect to the Computer Fraud and Abuse Act (CFAA) being used to target security researchers conducting benign research into internet vulnerabilities.
The United Nations Office on Drugs and Crime has produced a “Comprehensive Study on Cybercrime” which presents some of the issues and differences in national strategies in criminalizing “computer misuse tools”. Are we confident we have found the right fit for Trinidad and Tobago?
Clauses 26 – 28: Order for removal or disablement of data, Production Order & Expedited Preservation
Given the emerging field of cloud computing, where data and services from various corporate entities and individuals may be hosted on a single physical server or storage device (i.e. co-located at a third party’s data centre), the issues raised in clause 26 through clause 28 take on a different dimension.
How does one safely ensure that an “Order for removal or disablement of data” only affects the data and services of the target being investigated?
How does one ensure that in issuing a “Production Order” or an order for “Expedited preservation” one does not inadvertently copy data from another entity who is not the subject of investigation? This should be a significant concern to corporate entities, who would be keenly interested in protecting the privacy of their own data as well as data stored on behalf of their customers.
How do the police even get forensic access to the data of Trinidadian entities when that data is domiciled in other countries? We would normally expect a Mutual Legal Assistance Treaty (MLAT) between countries to bridge this gap, but given the lack of results the public has seen from a very public email investigation originating in 2013, we need to be mindful as to how such investigations are executed.
The emerging field of cloud forensics may have some solutions here; one proposal is to have competent cloud forensic experts on staff at data centres, who are then included in the chain of custody to facilitate such orders, which may require data acquisition, removal, disablement, etc. The Cloud Security Alliance (CSA), a consortium of cloud industry stakeholders, is at present undertaking an effort towards mapping an ISO standard for digital forensics (ISO/IEC 27037:2012) to cloud computing.
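To make the co-location concern concrete, the following is an added illustration (my own example, not code from the CSA mapping effort or from ISO/IEC 27037) of how an acquisition under a production or preservation order could be scoped to a single tenant on a shared volume. The inventory, tenant identifiers and the ownership metadata field are constructed for the example; the point is that objects belonging to another tenant are never copied, objects whose ownership is not recorded are held back for a named person to decide, and every acquired item is hashed into a manifest so the chain of custody can be checked later.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StoredObject:
    """One object on a shared storage volume.

    tenant_id is None when the hosting provider's metadata does not record an
    owner (a hypothetical metadata field used only for this illustration).
    """
    path: str
    tenant_id: Optional[str]
    data: bytes


def _manifest_digest(items: List[Dict[str, Any]]) -> str:
    """Hash a canonical JSON form of the item list so later edits are detectable."""
    canonical = json.dumps(items, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def scoped_acquisition(inventory: List[StoredObject], target_tenant: str,
                       case_ref: str, examiner: str
                       ) -> Tuple[Dict[str, Any], List[Dict[str, str]]]:
    """Acquire only the target tenant's objects from a shared volume.

    Returns (manifest, excluded). The manifest records a SHA-256 per acquired
    object; 'excluded' records what was deliberately left behind and why.
    """
    items: List[Dict[str, Any]] = []
    excluded: List[Dict[str, str]] = []
    for obj in inventory:
        if obj.tenant_id == target_tenant:
            items.append({
                "path": obj.path,
                "size": len(obj.data),
                "sha256": hashlib.sha256(obj.data).hexdigest(),
            })
        elif obj.tenant_id is None:
            # Ownership unknown: never copy on a guess; escalate to the
            # data centre's forensic contact named in the chain of custody.
            excluded.append({"path": obj.path,
                             "reason": "ownership unknown; refer to data centre forensic contact"})
        else:
            excluded.append({"path": obj.path,
                             "reason": f"belongs to tenant {obj.tenant_id}, outside the order"})
    manifest: Dict[str, Any] = {
        "case_ref": case_ref,
        "examiner": examiner,
        "tenant": target_tenant,
        "items": items,
    }
    manifest["manifest_sha256"] = _manifest_digest(items)
    return manifest, excluded


def verify_acquisition(manifest: Dict[str, Any], copies: Dict[str, bytes]) -> bool:
    """Chain-of-custody check: re-hash the held copies against the manifest.

    Fails if the manifest itself was edited, if a copy is missing or extra,
    or if any copy's content no longer matches its recorded digest.
    """
    if _manifest_digest(manifest["items"]) != manifest["manifest_sha256"]:
        return False
    if set(copies) != {i["path"] for i in manifest["items"]}:
        return False
    return all(hashlib.sha256(copies[i["path"]]).hexdigest() == i["sha256"]
               for i in manifest["items"])


# Constructed sample inventory: two tenants share one volume and one object
# has no recorded owner. Contents are placeholders, not real data.
SAMPLE_INVENTORY = [
    StoredObject("vol1/acme/ledger.csv", "acme", b"2014-06-13,transfer,1200\n"),
    StoredObject("vol1/acme/mail/inbox.mbox", "acme", b"From: a@acme.example\n"),
    StoredObject("vol1/beta/customers.db", "beta", b"id,name\n1,Jane\n"),
    StoredObject("vol1/_orphan/tmp.bin", None, b"\x00\x01\x02"),
]

if __name__ == "__main__":
    manifest, excluded = scoped_acquisition(SAMPLE_INVENTORY, "acme", "CASE-0001", "examiner-1")
    print(json.dumps(manifest, indent=2))
    for entry in excluded:
        print("excluded:", entry["path"], "-", entry["reason"])
```

The exclusion list is as important as the manifest: it is the evidence that the order was executed within its scope, which is exactly what a co-located corporate tenant would want to see.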
While I fully appreciate the need for legislation to be as technology agnostic as possible, I raise this point as an example of how the pace of rapidly emerging and maturing technologies can outstrip the lethargic pace of policy, regulatory and legislative efforts as well as to underscore the importance of technical expertise stakeholder consultations to continuously update these processes with scenarios which may challenge the path being followed.
At present, are there sufficient (or for that matter…any) Information Security centric roles within the public service tasked with looking at these issues from a strategic perspective to come up with the potential scenarios I have outlined above? The capacity building effort to accompany this type of legislative agenda must begin well in advance of enactment but I believe this is sorely lacking at present.
Clause 19: Violation of Privacy
The advancements have not only been on the technical side, though, and the following two points again establish the need for stakeholder engagement with strategic thinkers who are tuned into current issues and can examine whether the cybercrime policy, regulatory and legislative efforts being pursued are sufficient. They also underscore the need for possible further analysis of the legal wording of certain clauses.
Michael Robertson of Massachusetts, USA, was charged with two counts of violating several women’s right to privacy by taking ‘upskirt’ photos of them. Upskirting refers to the practice of covertly taking photos of another person’s exposed underwear or private area without their knowledge. While his defence acknowledged that he did take such photos of women as they used public transport, they argued that the wording of the ‘peeping tom’ laws he was charged under only made provision for victims who were nude or semi-nude; consequently, in March 2014 he was found not guilty. In light of this ruling, the wording of clause 19(3) of our own Cybercrime Bill, which deals with violation of privacy offences, may require a revisit to ensure that the intention of the clause is maintained under the circumstances cited in this case.
Clause 21: Harassment utilizing electronic communication
This is one of the clauses which has drawn the ire of Caribbean media workers, and their take on the matter has been well ventilated; my views are presented from the technical perspective. Again the wording of certain clauses comes into focus when one looks at the clause “Harassment utilizing electronic communication”, specifically clauses 21(1) & 21(6), where the term cyberbully is mentioned.
As currently worded, the “cyberbully” needs to use the computer system “repeatedly or continuously” to commit an offence against someone. Yet there are instances where a single action by an offending party (i.e. non-repeated or non-continuous) on a social media site against a victim can spawn a multitude of supporting actions from other entities, all directed against the same victim. For example, it is not inconceivable that a single offensive tweet about someone can lead to a multitude of retweets and favourites without any follow-up action from the offending party.
In such an instance, the concept of the use of a computer to “support severe repeated and hostile behaviour”, as found in the original HIPCAR model law document, may be more appropriate given the context and usage of the word “support”. Again, this is one for the legal wording experts.
HIPCAR Cybercrime model law document
Clause 23: Offence by body corporate
Interestingly, one of the areas of the Cybercrime Bill which I actually view as strengthening the cause of ensuring proper Information Security Governance within corporate entities is one of the clauses which media workers have taken issue with, i.e. clause 23. A different lens of perception leads to a different point of view!
While I fully appreciate the media workers’ perspective, from an ICT and Information Security perspective I view this clause as placing responsibility squarely on the shoulders of corporate entities, and appropriate individual members of staff, to ensure that they have practised “due diligence” in their efforts to secure their ICT infrastructure, people and processes against committing offences identified within the bill. Further details on my opinion of the benefits of this clause can be found in my Slideshare folder.
While the Government must be commended for its continued efforts to keep legislation abreast of technical advancement, it is incumbent upon the Government to ensure that the widest possible stakeholder engagement takes place in reviewing the bill and that concerns are captured and treated appropriately. It is also incumbent upon the Government to ensure that it has the right complement of technical expertise on board to continuously survey the landscape of cybersecurity and cybercrime developments around the world and constantly provide feedback on the policy, regulatory and legislative efforts being pursued.
The limited review presented here is illustrative of the complexity of the issue and how its multiple dimensions produce multiple perspectives. For example, some of the opposition I’ve heard from local and Caribbean-based ICT professionals has to do with the harsh penalties and sentences for certain offences; yet recently in the UK there has been overwhelming support for announcements of life sentences for certain cyberattack offences.
Somewhere a balance must be found and it is up to the public at large, corporate entities and institutions to inform themselves on how this bill potentially impacts them. These views must then be presented to public officials at appropriate forums designed to receive and objectively process such feedback. Multi-stakeholder engagement is now required to find the most appropriate fit for Trinidad and Tobago.
Snapshot showing Caribbean ‘attack’ activity from Norse
Over the period 6th and 7th February, 2017, it was my honour and privilege to participate in, and make contributions to, a closed expert group meeting to assess future threats as executed by a national intelligence agency. The following is the paper I presented on developing cyber security capacity to meet future challenges.
The cyber security implications of technological advancements such as the Internet of Things (IoT) or smart technologies, along with the possibility of cyber warfare and the realities of cybercrime, are thought-provoking areas around which intelligence agencies must develop threat awareness. However, a more significant threat which will affect the cyber security of Trinidad and Tobago over the next five years is the lack of an environment which can stimulate and foster the growth of local cyber security professionals.
Indication of such a deficient environment can be gleaned from the examples below.
At a government agency with responsibility for implementation of the national strategy towards Information and Communication Technology (ICT), a senior position with responsibility for cyber security has been vacant since 2010.
At “M4 an event by Microsoft” held in Nov 2014, Mr. Roberto Arbelaez, Chief Security Advisor for the Americas at Microsoft, stated that he knew many world class Information Security professionals of Trinidadian heritage. However he went on to state that unfortunately they all worked outside of Trinidad and Tobago.
At a 2016 Christmas dinner event for an association of lawyers, a prominent lawyer lamented that Trinidad lawyers, having opted not to pursue continuing education, were lacking in areas of increasing import including cybercrime.
While this may be considered anecdotal evidence, the lack of attention to cyber security does not allow for formal research to provide proper evidence on the state of cyber security locally.
Cyber security ecosystem of professionals
Within their research, Thomas et al illustrate the cybercrime underground economy as a complex ecosystem of actors within a value chain, where profit centres are built upon underlying support infrastructure. This allows criminal entrepreneurs to devise scams by procuring the necessary resources à la carte, taking advantage of specialization and economies of scale and resulting in a web of interactions which potentially spans the globe. One can argue that such a criminal ecosystem, like many other cyber security threats, can only be disrupted by an equally powerful cyber security ecosystem of professionals.
In their paper “Framing Dependencies Introduced by Underground Commoditization”, Thomas et al illustrate the value chain relationships between the various entities involved in scamming victims as potentially spanning the globe.
What response can Trinidad and Tobago provide to the threat of cybercrime? Working in our favour we do have efforts to bolster the capacity of the cybercrime unit of our law enforcement arm and there have been several attempts to address lacunas which exist in our existing legislative framework to address cybercrime. Additionally, Trinidad and Tobago is progressing in the development of a CSIRT and can boast of participation in regional efforts coordinated by international bodies such as the Commonwealth Secretariat (ComSec) and the Organisation of American States (OAS) towards addressing cyber security deficiencies.
Close observation of the availability of opportunities to work on the development of cyber security regionally would reveal a predominant approach where international bodies work exclusively with assigned public sector employees. Given the highly sensitive nature of the work involved in cyber security, such an approach is expected; however at a national level we may be missing out on opportunities for broader capacity development when such opportunities arise or when training occurs. For example, a representative of a multinational which routinely provides cyber security capacity building exercises to law enforcement across the globe previously divulged that suitably qualified private sector experts can participate in these exercises if they are appropriately recognized by law enforcement personnel.
Hence, a more inclusive approach needs to be found to ensure that a national pool of talent, at all levels, is being developed today to address unknown future needs. The status quo will forever bind us to a dependency upon the importation of expertise or hopefulness towards the return of qualified diaspora who wish to contribute to developing cyber security. The up-skilling of a national pool of experts also presents Trinidad and Tobago with opportunity in providing exportable resources both regionally and internationally as others seek to develop cyber security.
Awareness, capacity development and technical controls are all areas which require attention to adequately build threat response capability over the next five years and there is much we can learn from our own Caribbean neighbour, Jamaica. Having delivered presentations in November 2016 at three conferences in Jamaica as hosted by the Jamaica Computing Society, UWI Mona (4th National Cyber Security Conference) and the Jamaica Bar Association (Continuing Legal Education), I can personally attest to a comparatively more mature response towards cyber security.
Presented on UN ECLAC sponsored research into opportunities and risk of digital currency within the Caribbean at the Jamaica Bar Association, Continuing Legal Education, Annual Week-end Conference 2016
Such fora have been productive towards supporting and encouraging local capacity development of technical capabilities in the private sector and building public awareness on cyber security. At Jamaica’s 3rd National Cyber Security Conference in 2015, the audience was challenged to consider cyber security as an opportunity for the growth of an industry and economic development, rather than a threat, in the same vein as highlighted above. It is interesting to note that these fora also exemplify what a cyber security professional ecosystem should look like with active participation from technical professionals, policy/regulatory/legal professionals, academics and civil society.
We need to ask some difficult questions if we are to position ourselves to cope with future cyber security threats:
Can we determine whether a community of experts focusing on cyber security exists in Trinidad and Tobago; and if yes, who are the persons comprising this community?
Is this a formal community or a loosely defined community which comes together temporarily during exercises such as this one?
Does its membership lean towards greater participation from the public sector or the private sector?
Is there recognition that private sector interest from a Small Medium Enterprise (SME) is not the same as the private sector interest of a large commercial entity?
How are potential candidates encouraged to contribute within this community?
Is the community composed in such a way that both fresh ideas and a wealth of experience are expressed in its deliverables?
Do the participants of this community come from different professions, back grounds and skill sets?
Can such a community adopt value chain relationships to be transformed into an active ecosystem of professionals seeking to promote national cyber security?
Can this forum be the catalyst in the formation of such an ecosystem?
In conclusion, the following recommendations can be put forward for consideration in the development of the aforementioned ecosystem of professionals:
Cyber security must be given recognition as a field of specialization and not be simply lumped under ICT. Such recognition should extend to the appointment of a national champion to oversee the development of cyber security locally.
Establish a national consultative body for cyber security which can serve as a sounding board for various plans towards developing cyber security. The membership of such a body cannot be exclusively comprised of public sector employees and large corporate entities. It must include cyber security focused SMEs. This formal body will lead to the formation of the informal cyber security ecosystem of professionals.
Encourage participation from the private sector in local and regional meetings being facilitated by the aforementioned international bodies, for example ComSec and OAS. Appropriately qualified entities from this set should also be invited to participate in the training and capacity building exercises arising from such meetings. Support for such entities should include financial assistance to participate.
Assessment of institutions which are deemed critical infrastructure as well as key Ministries and agencies. The organizational structure of these bodies should reflect cyber security maturity, extending to the roles and responsibilities of key personnel dedicated to cyber security. A comprehensive set of Information Security policies and audit mechanisms also needs to be defined for such organisations.
Information Security Governance training needs to be administered to boards and senior management of various key organisations. Additionally, Information Security Awareness training needs to be administered for the general population of employees.
Alignment between the academic institutions, the national development needs scholarship system and the intake of graduates into the public and private sectors needs to take place to ensure that Information Security professionals are being developed academically and professionally. There also needs to be coordination with corporate entities towards the creation of funding for cyber security research.
The Government needs to facilitate the creation of opportunities within the private sector to build and develop competencies which they can call upon in the future. We need security researchers, writers, lecturers, practitioners, policy makers, legal specialists and technical experts to name but a few. The government must lead by example and procure services from fledgling entities seeking to provide services in cyber security.
Information Security awareness training needs to be conducted extensively within the primary and secondary school system.
Take advantage of training and capacity development exercises from international bodies and multinational corporate entities to up-skill the national pool of experts (public and private sector) towards the goal of developing cyber security for economic development.
Government agency representatives share their nations’ experiences having participated in Commonwealth Secretariat’s needs assessment exercises. Left to right; Antoinette Lucas-Andrews (Trinidad & Tobago), Eric Nurse (Grenada), Bennett Thomas (Dominica), Clifford A Bostic (Barbados) and Luxmore Edwards (Antigua and Barbuda). Photo Credit, Caribbean Telecommunications Union
The Caribbean Telecommunications Union (CTU) in conjunction with the Commonwealth Secretariat (Secretariat) recently hosted the Caribbean Stakeholders’ Meeting II – Cyber Security and Cybercrime (CSMII) in St. Lucia over the period 16th – 19th of March 2016. The event sought to bring together senior stakeholders from various regional governments, international organisations focused on cybercrime and some members of the private sector to develop a “regional action plan” which would serve as a defined strategy for the development of programmes supporting a regional cyber security thrust when seeking donor funding.
The Secretariat has been playing a role in regional cyber security development via the Commonwealth Cybercrime Initiative (CCI), which has thus far administered interventions in the form of national needs assessments in five different Caribbean nations, as captioned above. Upon request from member states for assistance, a CCI mission team, including at least one technical expert and one criminal justice expert, is assembled from the CCI consortium of over 35 international organisations, such as: the Commonwealth Telecommunication Organisation (CTO), Council of Europe (CoE), International Telecommunications Union (ITU) and the Organisation of American States (OAS). The mission team executes a gap analysis which leads to the production of the needs assessment report, the priorities of which are decided upon with guidance from the beneficiary member state. An action plan is then produced for the beneficiary member state which contains commitments from consortium members towards specific identified needs.
Cyber security development needs to emerge from within
In the presentations by the aforementioned regional representatives who were involved in these various national needs assessment exercises, three of the five representatives mentioned the lack of university graduates with cyber security training as a challenge. During Q&A this author pointed out that an absence of university graduates with a degree specific to “cyber security” doesn’t mean that existing degree holders cannot be exposed to training and capacity building exercises designed to create such expertise at the technical, policy development or strategic levels. It was also emphasized to the panel that when regional governments are seeking assistance from bodies such as the CCI, it is important to have local private sector subject matter experts participate in such exercises for the sake of building capacity outside of the public sector. Contributing from the floor, Kerry-Ann Barrett of the OAS stated that they often encourage the national representatives with whom they interact to have an inclusive approach, with as wide an array of voices participating in national cyber security development exercises, even if the national representatives do not necessarily agree with the views of such voices.
The importance of adopting such an approach is that you tend to avoid the possibility of groupthink. In relating the experiences of Dominica’s needs assessment exercise, Bennett Thomas related the experience of receiving a voluminous opinion from a representative of the CoE, which was critical of the path then being defined for cybercrime legislation in certain Caribbean territories, as manifest via the EGRIP model law exercise.
In commenting on the issue of where to find skilled resources, Anthony Teelucksingh of the U.S. Department of Justice encouraged participants to “leverage domestic expertise”, strive for cooperation from the private sector and seek solutions from within their own backyard.
Hence, bodies such as CARICOM IMPACS (which is the regional organisation charged with the responsibility for Caribbean cyber security), the CTU and ultimately regional governments need to do more towards actively supporting the development of Caribbean cyber security experts outside of the public sector.
Results for the various Caribbean needs assessments exercises showing recurring themes
Crypto currency features as risk and opportunity
*Within this article, the terms crypto, digital and virtual currency are used interchangeably.
In describing the emerging threat landscape, both INTERPOL and the Secretariat made mention of crypto currency as a challenge, while the former also singled out a greater use of the Darknet, and the Federal Bureau of Investigation (FBI) cited Business E-mail Compromise (BEC) scams, as additional threats. Both the Darknet, where illicit and illegal goods are bought and sold in online recesses, and BEC scams were described as utilizing crypto currency as payment mechanisms. The Secretariat later presented examples of intercepted communications from online forums illustrating apparent Caribbean users seeking ways to launder money utilizing Bitcoin and trading Bitcoin for the purchase of an airline ticket using a stolen credit card. However, the Secretariat also emphasized the potential benefit of virtual currencies.
Opportunity for “twinning” of efforts and synergies between these UN ECLAC and ITU Caribbean based efforts and the Commonwealth Secretariat’s own efforts in area of digital currency
Building Sustainable Capacity
Antony Ming of the Secretariat highlighted the fact that the various regional needs assessment exercises revealed there was a significant lack of awareness of cybercrime and a lack of basic cyber hygiene both within regional governments and the private sector. Citing deficiencies in capacity building, he advocated for building sustainable capacity and urged participants not to engage in “drive by training”, where someone is imported to perform a few training sessions and then leaves, advocating instead for more sustainable programmes. He stated that IT professionals needed to be engaged and that academic and technical/vocational institutions need to integrate cyber security into their curriculum.
Low political and administrative priority by member states to implement programs.
Lack of capacity and capability by member states to implement and sustain the programs.
Change in Government resulting in changing priorities
The presence of such risks supports the need to divest the impetus to develop cyber security beyond the lead governmental actor and involve the private sector; both large entities and Small Medium Enterprises (SMEs) alike.
The CSMII meeting was a success, yielding a regional cyber security action plan which was presented to, and endorsed by, several regional government ministers present at the meeting. The draft plan reviewed contained very interesting ideas which would be beneficial to Caribbean cyber security should they be implemented; however, is this enough?
Cyber security demands international co-operation and assistance, and the CCI etc. are willing and able to assist; however, we continue to look outward for international solutions to our problems while not investing enough in the future growth of our own experts internally. Capacity building does not have to be an end state deliverable; instead, it can occur simultaneously with the development of these efforts by including local and regional private sector subject matter experts within the present dialogue being undertaken by government and quasi-government agencies and the aforementioned international organisations. We need to be creating opportunities for the development of nascent cyber security specialists.
One of the issues I had with the forum was that the time allotted to reviewing the already prepared draft action plan was extremely short and the use of workgroups for such review created the appearance of detailed review and consensus which isn’t necessarily the case. For example, one member of the workgroup I participated in called out another member of the group for what seemed to be attempts to hijack control of the session away from the group leader. Do we really want poor group dynamics to upstage beneficial output?
CARICOM IMPACS and the CTU need to build out a network of regional private sector subject matter experts they can utilize to review and provide feedback to proposals they receive from international organisations or towards the scoping of their own requirements, within an adequate timeframe. Such an approach will add an extra layer of legitimacy to the outputs of such future meetings and agreements while also creating opportunities for development of Caribbean cyber security experts. They also need to address public outreach on such matters to ensure the public is engaged and that stimulating conversation continues in the public domain long after these events occur. Public written record of such events will be read by the next set of emerging experts; hence, there should be defined mechanisms for quality reporting and dissemination of such record of events. There is an appetite for such material; however I’ve noted a lack of corporate support for such activity, unless there is a specific product pitch. These two points are essential components for any regional push to develop a functional cyber security ecosystem.
We must plot a course which will move us past seeking assistance to actually being in a position to provide assistance to international efforts. For example, the Secretariat’s Working Group on Virtual Currencies has issued recommendations which call for member states to provide consumer awareness and for education and training of law enforcement and the judiciary on the matter of virtual currency. Given the significant work completed by UN ECLAC in this area, the Caribbean is well positioned to provide assistance to the Secretariat and its member states desirous of following these recommendations. This is but one example of how the Caribbean can contribute on a global scale in the area; can you think of others?
Trinidad & Tobago’s delegation to OAS Cyber Security Colloquium. From left, Sean Fouche, IT Manager of CARICOM IMPACS; Amos Sylvester, law enforcement; Angus Smith, Manager, Trinidad and Tobago CSIRT and Wendell Diaz, Director WASA. Image credit, Shiva Bissessar
The Organisation of American States (OAS) in collaboration with the Forum of Incident Response and Security Teams (FIRST) hosted a technical colloquium and cyber security workshop over the period Sept 29th to Oct 1st 2015 in Washington DC. The colloquium brought together several practitioners from various states within the Americas to participate in interactive sessions guided by international experts from several countries including Canada, Estonia, Poland and Spain, to name a few. The event was divided into three distinct tracks: Critical Infrastructure Protection (CIP), Cyber Security Incident Response Team (CSIRT) and Law Enforcement.
CIP is dedicated to securing networks utilised in the provision of services critical to the functions of a nation state. Networks found in public utilities or the energy sector (for example, their Industrial Control Systems (ICS)) or networks and systems in the finance sector would qualify for CIP. CSIRTs are the first line of defence: they receive reports of cyber security incidents, perform incident triage and analysis, and prioritize and escalate incidents towards coordinated response and resolution as necessary. Locally, some attention is being paid to energy sector CIP via the Energy Sector Security Initiative (ESSI), while the Trinidad and Tobago CSIRT is still in development.
The Caribbean was well represented at the colloquium with participants from Antigua & Barbuda, Barbados, Guyana, Jamaica, St. Kitts and Nevis and Trinidad & Tobago. These representatives came from different professional backgrounds which generally guided the track they chose to follow. Cybercrime does not respect physical boundaries, thus responses must encompass participation from both the public and private sector and the delegation from Trinidad and Tobago represented an appropriate mix of participants, as shown above. This included my own participation as a member of the private sector upon invitation and part sponsorship by the OAS. It was good to see a representative from a Trinidad & Tobago public utility in attendance as CIP should be a major area of concern for a small country largely dependent on the energy sector.
Local and International Cooperation & Coordination
The perception that cybercrime only hurts big business persists; and even some officials do not treat cybercrime with the seriousness they would treat more traditional crimes. This was underscored by the Minister in the Ministry of ICT of Colombia, Mr. David Luma, who noted that normal everyday “citizens on the street” need to be reached via cyber security awareness campaigns. He also emphasized that cybercrime impacts the everyday lives of people and addressed the ‘laissez faire’ approach which some take to cybercrime risk by reminding participants that just because they have not been affected does not mean that they have not been targeted or under threat at some point.
Matthew Noyes of the U.S. Secret Service, which has a historical mandate of protecting payment and financial systems in the U.S., outlined some of the work they do towards this objective. He stated that criminals receive so much payment card data in some cyber-attacks that they cannot monetise it fast enough, leading to the development of underground secondary markets for stolen payment card data. He referred to the work of Brian Krebs, the de-facto standard for investigative journalism and reporting of financial system breaches, where Krebs gave a “Peek inside a Professional Carding Shop” in June 2015. This story included details of how these secondary markets for stolen payment card data have advanced by highlighting that potential buyers can now sort the stolen card data by “city, state and ZIP”, thereby increasing their chances of purchasing stolen card data which will not throw up red flags on fraud detection systems due to abnormal geographic usage patterns.
He further dispelled the myth of ‘hackers’ being of the ‘lone wolf’ variety working out of their mother’s basement and gave a more accurate portrayal of them as akin to capable professional entities working transnationally to carry out complex, coordinated attacks. This description was reinforced by several speakers, with some even noting that attackers had an advantage over the good guys on this front, as responses to attacks are not as harmonized and coordinated as the original attack. As shown by the Director of the Canadian Cyber Incident Response Centre (CCIRC), Gwen Beauchemin, there is a diverse range of motivations, attacker profiles and attack surfaces which need to be taken into account to fully address cyber security.
Attacker motivations, profiles and attack surfaces. Image credit, Canadian Cyber Incident Response Centre (CCIRC)
Cyber Security Awareness
The OAS also used the occasion to mark the opening of National Cyber Security Awareness Month by hosting another day of cyber security panel discussions and presentations underscoring the importance of awareness, on October 2nd. Delivering the keynote address was the Estonian president, Toomas Ilves, who gave insights into how Estonia, a small nation with a population of 1.4 million people, became a global leader in ICT and cyber security. He attributed his nation’s achievement in provisioning the majority of Government services online to (i) the development of their fast data exchange layer (X-road) and (ii) secure identity management via two factor authentication. Further, he espoused a philosophy of encouraging both exposure to ICT and the development of ICT products from a young age, citing the Estonian success story of the development of Skype. Certainly Trinidad & Tobago and the wider Caribbean could learn some lessons here given our dependence on foreign based ICT solutions.
VP, Cyber Security of TrendMicro, Tom Kellerman, lamented the fact that some organisations do not expend enough effort on cyber security awareness, going so far as to suggest that if budget is a concern, then organisations need to start spending some of their marketing budget on “brand protection” from cyber risks. This resonated deeply within me given my own drive on the awareness front. I have encountered Information Technology professionals who remain apathetic towards the need for proper Information Security Awareness campaigns within their environment. So much so, that at times I have switched focus away from the technical people to pitch awareness to HR or Safety departments along the dimension of changing organisational behaviours toward proper information handling. After all, proper cyber security is a risk management issue rather than an IT problem. To understand the significance of cyber awareness, consider that the devastating 2014 attacks on SONY incorporated phishing campaigns to retrieve credentials from system administrators as a first step. Now, if even the ‘techy sys admins’ can be duped, how would your normal staff fare against social engineering tactics? Are they capable of recognizing such threats?
Developing the Caribbean Cyber Security Ecosystem
As many presenters attempted to convey, we need to move away from thinking of cybercrime as acts perpetrated by single entities and view cybercrime as being executed by well-funded organised groups which have no respect for international borders. Hence, this requires a coordinated response from both the public and private sector and coordination and cooperation locally and internationally. Caribbean nations therefore need to develop cyber security holistically rather than adopting a silo approach to cybercrime. The nation state cannot do this on its own and while seeking assistance from bodies such as the OAS on matters of strategy, policy, legislation etc. they must simultaneously involve, engage and encourage participation from the private sector, academia and civil society on these initiatives. This would ensure capacity building and the creation of a cyber security ecosystem of professionals including researchers, lecturers, writers, service providers and vendors to contribute towards local and regional protection.
On Oct 26th 2015, Justice Frank Seepersad in the Trinidad & Tobago High Court made a ruling, as reported by the Daily Express, in a “revenge porn” matter noting that technology advancement on this issue and others, including defamatory posting of comments on social media, has outstripped the pace of legislative reform to keep abreast of same;
“It is unfortunate that as a society we have not been proactive and that we are burdened with so many archaic laws that predate our independence”
In the absence of laws which directly speak to the issue of revenge porn, the ruling was based on a breach of implicit confidentiality. The ruling comes on the heels of another local privacy / confidentiality story involving allegations of intimate photos being removed from a customer’s device by a repair shop and being circulated on social media.
Justice Seepersad’s quoted statement from the ruling echoes the sentiment expressed by Brad Smith, President and Chief Legal Officer of Microsoft in a blog post on the recent October 6th 2015 decision by the Court of Justice of the European Union to invalidate the EU-US Safe Harbor Agreement which was previously used by corporations to facilitate movement of data across the Atlantic;
“Legal rules that were written at the dawn of the personal computer are no longer adequate for an era with ubiquitous mobile devices connected to the cloud.”
Today, technology can be abused to facilitate widespread dissemination of private intimate photos in acts of revenge porn. It can also be abused to gain access to persons’ personal data, including Personally Identifiable Information (PII), within cloud facilities across the globe. The above quotes seem to reflect a growing realization that more effort needs to go into keeping laws abreast of technological innovation. Also, the underlying court rulings both seek to protect individuals’ right to privacy, in the face of growing technological means to facilitate retribution and possible surveillance, respectively.
But where are Trinidad & Tobago, and the wider Caribbean, with respect to updating laws to keep abreast of technological innovation and addressing the threats which they pose via abuses or even condoned usage? How technology specific or technology agnostic should laws be? Does the proposed Trinidad & Tobago Cyber Crime Bill (2014 & 2015) have adequate provisions for issues like revenge porn and cloud privacy? What else may be missing? What’s taking place globally with respect to legislation around these issues? What is the Commonwealth doing? How are we stacking up?
See below for some previous material I have produced, from an Information Security perspective, on the topic of developing the cyber security landscape to address cyber crime locally and in the Caribbean which bears some relevance to these questions:
On 12th July 2015, the students of the Master of Information Systems & Technology Management (MISTM) programme at the Arthur Lok Jack Graduate School of Business were exposed to the growing global ethical debate of security vs. privacy within the context of existing local laws with an Information Security dimension (as well as impending proposed legislation). As part of my Information System Security, Ethics and Law (ISSEL) course, within the class dedicated to examining ethical and legal issues as they pertain to Information Security, I invited two guest presenters, both lawyers, to share their expertise with the students:
Jason Nathu, Tutor, Legal Aid Clinic, Hugh Wooding Law School
Security vs. Privacy
Mr. Lucena noted that increased awareness of privacy in the virtual world is a relatively new phenomenon due to the digital revolution and increased technological capabilities for mass collection of data, while stating that “The Right To Privacy” in the physical world dates back to 1890. He suggested that the strength of the response towards the 2012 Snowden revelations of global surveillance was mainly due to the fact that it revealed infractions against foreign leaders and persons involved in international relations, rather than only surveillance of normal citizens. The awareness generated from these revelations was cited as contributing towards a March 2015 decision by the UN Human Rights Council to adopt a resolution to appoint a special rapporteur on the right to privacy. As a Brazilian citizen he related how specific revelations of surveillance in Brazil led to a heightened pace towards the passage of Marco Civil Da Internet as an online protection of civil liberties, and data protection laws to ensure adequate data handling.
ISSEL student posing a question to Mr. Lucena
After laying this foundation, we got into other issues such as:
The ideological difference between the EU and US approaches towards data privacy, where the EU approach tends towards protecting individuals’ rights to maintaining ownership of data.
How the “Right To Be Forgotten” seeks to protect individuals from search results about themselves which can be deemed inaccurate, inadequate, irrelevant or excessive.
Interestingly, I met Mr. Lucena at the 2015 South School on Internet Governance in Costa Rica, where we were fortunate to have seen a presentation by Mr. Pedro Less Andrade, Latin American Policy Counsel of Google, who presented (en español) some of the challenges of the right to be forgotten ruling.
Local Legal Context
Quite suiting a core theme of the day, Mr. Nathu grounded his delivery entitled “Information Security: The Local Legal Context” by defining the right to privacy and then segued into discussion on the Data Protection, Computer Misuse and Electronic Transactions Acts.
Mr. Nathu defining the right to privacy
Previously, Mr. Lucena, in commenting on Brazil’s weak cybercrime laws, suggested that there was a perception of cybercriminals as being less of a criminal. This was echoed by Mr. Nathu, who also stated there was a low prosecution rate for e-crimes globally. In highlighting the difference between criminal prosecution and civil proceedings, he questioned why certain organisations, e.g. banks, would expose themselves as victims of cybercrime, and thereby suffer reputational loss, in criminal proceedings which would result in no monetary compensation.
A few of the additional salient points on the aforementioned laws brought out by Mr. Nathu included:
Lack of proper consultations and serious objections from professional bodies such as the Media and Law Associations on certain aspects of the Data Protection Act, which remains partially proclaimed.
The Computer Misuse Act has over-specification in some areas, e.g. the definition of a computer, yet it “Broadly and vaguely protects against hacking, data misuse…”.
The Electronic Transactions Act remains partially proclaimed and it “does not REQUIRE a public body to accept or issue any document in electronic form”.
The pace of enacting and subsequent legislative reform is slow.
In responding to a question on why such deficiencies within our laws exist, Mr. Nathu offered that communication and consultation were an issue. He urged the students to become more involved in matters at the intersection of technology and law. On a conciliatory note, he admitted we were a young society with respect to this type of legislation and added that it is good that we have some laws in place, as a framework to build upon, even if they are not quite robust enough to respond to the surrounding global context.
Collaboration is stated as one of the five key areas of focus within Trinidad and Tobago’s national Cyber Security Strategy, and it was certainly good to get collaboration from guest lecturers of the caliber of Mr. Lucena and Mr. Nathu to share their expertise with a classroom of primarily technology based master’s level students. Additionally, both presenters mentioned the need for higher levels of activism and involvement. In the U.S. there is an organization known as the Electronic Frontier Foundation (EFF) which seeks to defend civil liberties in the digital world:
Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows.
Would you say we have a sufficient intersection between the technology and legal professions in Trinidad and Tobago towards the protection of rights in the digital age?