The Need for Developing a Cyber Security Ecosystem of Professionals

Snapshot showing Caribbean ‘attack’ activity from Norse

 

Over the period 6th and 7th February, 2017, it was my honour and privilege to participate in, and make contributions to, a closed expert group meeting to assess future threats as executed by a national intelligence agency. The following is the paper I presented on developing cyber security capacity to meet future challenges.

 

Introduction

 

The cyber security implications of technological advancements, such as, the Internet of Things (IoT) or smart technologies, along with the possibility of cyber warfare and realities of cybercrime are thought-provoking areas around which intelligence agencies must develop threat awareness. However, a more significant threat which will affect the cyber security of Trinidad and Tobago over the next five years is lack of an environment which can stimulate and foster the growth of local cyber security professionals.

Indication of such a deficient environment can be gleaned from the examples below.

  • At a government agency with responsibility for implementation of the national strategy towards Information and Communication Technology (ICT), a senior position with responsibility for cyber security has been vacant since 2010.
  • At “M4 an event by Microsoft” held in Nov 2014, Mr. Roberto Arbelaez, Chief Security Advisor for the Americas at Microsoft, stated that he knew many world class Information Security professionals of Trinidadian heritage. However he went on to state that unfortunately they all worked outside of Trinidad and Tobago.
  • At a 2016 Christmas dinner event for an association of lawyers, a prominent lawyer lamented that Trinidad lawyers, having opted not to pursue continuing education, were lacking in areas of increasing import including cybercrime[1].

While this may be considered anecdotal evidence, the lack of attention to cyber security does not allow for formal research to provide proper evidence on the state of cyber security locally.

 

Cyber security ecosystem of professionals

Within their research Thomas et al illustrate the cybercrime underground economy as a complex ecosystem of actors within a value chain where profit centres are built upon underlying support infrastructure.  This allows criminal entrepreneurs to devise scams by procuring the necessary resources al a carte; taking advantage of specialization and economies of scale and resulting in a web of interactions which potentially span the globe. One can argue that such a criminal ecosystem, like many other cyber security threats, can only be disrupted by an equally powerful cyber security ecosystem of professionals.

 

 

In their paper “Framing Dependencies Introduced by Underground Commoditization”, Thomas et al illustrate the value chain relationships between various entities to scam victims as potentially spanning the globe

What response can Trinidad and Tobago provide to the threat of cybercrime? Working in our favour we do have efforts to bolster the capacity of the cybercrime unit of our law enforcement arm and there have been several attempts to address lacunas which exist in our existing legislative framework to address cybercrime. Additionally, Trinidad and Tobago is progressing in the development of a CSIRT and can boast of participation in regional efforts coordinated by international bodies such as the Commonwealth Secretariat (ComSec) and the Organisation of American States (OAS) towards addressing cyber security deficiencies.

However, in pronouncing on the results of five regional cyber security needs assessment exercises at the Caribbean Stakeholders Meeting; Cyber Security and Cybercrime, in April 2016 (CSMII), ComSec bemoaned the fact that there still exists a lack of awareness on cybercrime and lack of basic cyber hygiene within the private sector and within regional governments. The Commonwealth Telecommunications Organization also cited a lack of human resources and political support as challenges towards the implementation of cyber security strategies.

Close observation of the availability of opportunities to work on the development of cyber security regionally would reveal a predominant approach where international bodies work exclusively with assigned public sector employees.  Given the highly sensitive nature of the work involved in cyber security, such an approach is expected; however at a national level we may be missing out on opportunities for broader capacity development when such opportunities arise or when training occurs.  For example, a representative of a multinational which routinely provides cyber security capacity building exercises to law enforcement across the globe previously divulged that suitably qualified private sector experts can participate in these exercises if they are appropriately recognized by law enforcement personnel.

Hence, a more inclusive approach needs to be found to ensure that a national pool of talent, at all levels, is being developed today to address unknown future needs.  The status quo will forever bind us to a dependency upon the importation of expertise or hopefulness towards the return of qualified diaspora who wish to contribute to developing cyber security.  The up-skilling of a national pool of experts also presents Trinidad and Tobago with opportunity in providing exportable resources both regionally and internationally as others seek to develop cyber security.

Beyond the need for a coordinated approach to develop a cyber security pool of talent, there seems to have been an emphasis on getting legislation in place while the technical controls, which can actually prevent threats from becoming exploited, are not given due attention.  This position was also articulated by Mr. Arbelaez, at the Caribbean Stakeholders Meeting (CSMI) in May 2014.

Are we lagging behind regionally?

 

Awareness, capacity development and technical controls are all areas which require attention to adequately build threat response capability over the next five years and there is much we can learn from our own Caribbean neighbour, Jamaica.  Having delivered presentations in November 2016 at three conferences in Jamaica as hosted by the Jamaica Computing Society, UWI Mona (4th National Cyber Security Conference) and the Jamaica Bar Association (Continuing Legal Education)[2], I can personally attest to a comparatively more mature response towards cyber security.

Presented on UN ECLAC sponsored research into opportunities and risk of digital currency within the Caribbean at the Jamaica Bar Association, Continuing Legal Education, Annual Week-end Conference 2016

 

Such fora have been productive towards supporting and encouraging local capacity development of technical capabilities in the private sector and building public awareness on cyber security.   At Jamaica’s 3rd National Cyber Security Conference in 2015, the audience was challenged to consider cyber security as an opportunity for the growth of an industry and economic development, rather than a threat, in the same vein as highlighted above.  It is interesting to note that these fora also exemplify what a cyber security professional ecosystem should look like with active participation from technical professionals, policy/regulatory/legal professionals, academics and civil society.

Moving forward

 

We need to ask some difficult questions if we are to position ourselves to cope with future cyber security threats:

  • Can we define if there is a community of experts exists in Trinidad and Tobago focusing on cyber security; and if yes, who are the persons comprising this community?
  • Is this a formal community or a loosely defined community which comes together temporarily during exercises such as this one?
  • Does its membership lean towards greater participation from the public sector or the private sector?
  • Is there recognition that private sector interest from a Small Medium Enterprise (SME) is not the same as the private sector interest of a large commercial entity?
  • How are potential candidates encouraged to contribute within this community?
  • Is the community comprised in such a way that both of fresh ideas and a wealth of experience are expressed in deliverables?
  • Do the participants of this community come from different professions, back grounds and skill sets?
  • Can such a community adopt value chain relationships to be transformed into an active ecosystem[3] of professionals seeking to promote national cyber security?
  • Can this forum be the catalyst in the formation of such an ecosystem?

 

 

Recommendations

 

In conclusion the following recommendations can be put forward for consideration in the development of the aforementioned ecosystem of professionals

 

  1. Cyber security must be given recognition as a field of specialization and not be simply lumped under ICT. Such recognition should extend to the appointment of national champion to oversee the development of cyber security locally.
  2. Establish a national consultative body for cyber security which can serve as a sounding board for various plans towards developing cyber security. The membership of such a body cannot be exclusively comprised of public sector employees and large corporate entities.  It must include cyber security focused SMEs.  This formal body will lead to the formation of the informal cyber security ecosystem of professionals.
  3. Encourage participation from the private sector in local and regional meetings being facilitated by the aforementioned international bodies, for example ComSec and OAS. Appropriately qualified entities from this set should also be invited to participate in the training and capacity building exercises arising from such meetings.  Support for such entities should include financial assistance to participate.
  4. Assessment of institutions which are deemed critical infrastructure as well as a key Ministries and agencies.  The organizational structure of these bodies should reflect cyber security maturity extending to the roles and responsibilities of key personnel dedicated towards cyber security.  A comprehensive set of Information Security policies and audit mechanisms also need to be defined for such organisations.
  5. Information Security Governance training needs to be administered to boards and senior management of various key organisations. Additionally, Information Security Awareness training needs to be administered for the general population of employees.
  6. Alignment between the academic institutions, the national development needs scholarship system and the intake of graduates into the public and private sectors needs to take place to ensure that Information Security professionals are being developed academically and professionally. There also needs to coordination with corporate entities towards the creation of funding for cyber security research.
  7. The Government needs to facilitate the creation of opportunities within the private sector to build and develop competencies which they can call upon in the future. We need security researchers, writers, lecturers, practitioners, policy makers, legal specialists and technical experts to name but a few. The government must lead by example and procure services from fledgling entities seeking to provide services in cyber security.
  8. Information Security awareness training needs to be conducted extensively within the primary and secondary school system.
  9. Take advantage of training and capacity development exercises from international bodies and multinational corporate entities to up-skill the national pool of experts (public and private sector) towards the goal of developing cyber security for economic development.

 

[1] CNC3 News, Nov 2016

[2] Presentation to the Jamaica Bar Association was on the digital currency which also has emerging threat and cyber security dimension to it.

[3] It is important to recognize that an ecosystem differs from a community in that an ecosystem speaks to a non-siloed approach, coordination and symbiotic relationships towards growth of entities.

Lessons for the Caribbean from the OAS-FIRST Cyber Security Colloquium

 

IMG_20151002_134920

Trinidad & Tobago’s delegation to OAS Cyber Security Colloquium. From left, Sean Fouche, IT Manger of CARICOM IMPACS; Amos Sylvester, law enforcement;  Angus Smith, Manager, Trinidad and Tobago CSIRT and Wendell Diaz, Director WASA. Image credit, Shiva Bissessar

The Organisation of American States (OAS) in collaboration with the Forum of Incident Response and Security Team (FIRST) hosted a technical colloquium and cyber security workshop over the period Sept 29th to Oct 1st 2015 in Washington DC.  The colloquium brought together several practitioners from various states within the Americas to participate in interactive sessions guided by international experts from several countries including Canada, Estonia, Poland and Spain to name a few.  The event was divided into three distinct tracks; Critical Infrastructure Protection (CIP), Cyber Security Incident Response Team (CSIRT) and Law Enforcement.

CIP is dedicated towards securing networks utilised in the provision of services critical to the functions of a nation state.  Networks found in public utilities or the energy sector, for example, their Industrial Control Systems (ICS) or networks and systems in the finance sector, would qualify for CIP.  CSIRTs are that first line of defence which receives reports of cyber security incidents, performs incident triage and analysis & prioritizes and escalates incidents towards coordinated response and resolution as necessary.  Locally, some attention is being paid to energy sector CIP via the Energy Sector Security Initiative (ESSI) while the Trinidad and Tobago CSIRT is still in development.

The Caribbean was well represented at the colloquium with participants from Antigua & Barbuda, Barbados, Guyana, Jamaica, St. Kitts and Nevis and Trinidad & Tobago. These representatives came from different professional backgrounds which generally guided the track they chose to follow.  Cybercrime does not respect physical boundaries, thus responses must encompass participation from both the public and private sector and the delegation from Trinidad and Tobago represented an appropriate mix of participants, as shown above.  This included my own participation as a member of the private sector upon invitation and part sponsorship by the OAS.   It was good to see a representative from a Trinidad & Tobago public utility in attendance as CIP should be a major area of concern for a small country largely dependent on the energy sector.

Local and International Cooperation & Coordination

The perception that cybercrime only hurts big business persists; and even some officials do not treat cybercrime with the seriousness they would treat more traditional crimes.  This was underscored by Minster in the Ministry of ICT of Colombia, Mr. David Luma, who noted that normal everyday “citizens on the street” need to be reached via cyber security awareness campaigns.  He also emphasized that cybercrime impacts the everyday lives of people and addressed the ‘laissez faire’ approach which some take to cybercrime risk by reminding participants that just because they have not been affected does not mean that they have not been targeted or under threat at some point.

Matthew Noyes of the U.S. Secret Service, which has a historical mandate of protecting payment and financial systems in the U.S., outlined some of the work they do towards this objective.  He stated that criminals receive so much payment card data in some cyber-attacks that they cannot monetise it fast enough, leading to the development of underground secondary markets for stolen payment card data.  He referred to the work of Brian Krebs, the de-facto standard for investigative journalism and reporting of financial system breaches, where Krebs gave a “Peek inside a Professional Carding Shop” in June 2015.  This story included details of how these secondary markets for stolen payment cards data have advanced by highlighting that potential buyers can now sort the stolen card data by “city, state and ZIP” thereby increasing their chances of purchasing stolen card data which will not throw up red flags on fraud detection systems due to abnormal geographic usage patterns.

He further dispelled the myth of ‘hackers’ being of the ‘lone wolf’ variety working out of their mother’s basement and gave a more accurate portrayal of them being akin to capable professional entities working transnationally to carry out complex, coordinated attacks.  This description was reinforced by several speakers with some even noting that attackers had an advantage over the good guys on this front as harmonization and coordination of responses to attacks are not as coordinated as the original attack.  As shown by the Director of the Canadian Cyber Incident Response Centre (CCIRC), Gwen Beauchemin, there is a diverse range of motivations, attacker profiles and attack surfaces which need to be taken into account to fully address cyber security.

 

 

Fullscreen capture 20102015 013029

Attacker motivations, profiles and attack surfaces.  Image credit, Canadian Cyber Incident Response Centre (CCIRC)

Cyber Security Awareness

The OAS also used the occasion to mark the opening of National Cyber Security Awareness Month by hosting another day of cyber security panel discussion and presentations underscoring the importance of awareness, on October 2nd. Delivering the keynote address was the Estonian president, Toomas Ilves, who gave insights into how Estonia, a small nation with a population of 1.4 million people, became global leader in ICT and cyber security.  He attributed his nation’s achievement in provisioning the majority of Government services online to (i) the development of their fast data exchange layer (X-road) and (ii) secure identity management via two factor authentication.  Further, he espoused a philosophy of encouraging both exposure to ICT and the development of ICT products from a young age, citing the Estonia success story of development of Skype.  Certainly Trinidad & Tobago and the wider Caribbean could learn some lessons here given our dependence on foreign based ICT solutions.

VP, Cyber Security of TrendMicro, Tom Kellerman, lamented the fact that some organisations do not expend enough effort into cyber security awareness going so far to suggest that if budget is a concern, then organisations need to start spending some of their marketing budget on “brand protection” from cyber risks.  This resonated deeply within me given my own drive on the awareness front, I have encountered Information Technology professionals who remain apathetic towards the need for proper Information Security Awareness campaigns within their environment.  So much so, that at times I have switched focus away from the technical people to pitch awareness to HR or Safety departments along the dimension of changing organisational behaviours toward proper information handing.   After all, proper cyber security is a risk management issue rather than an IT problem. To understand the significance of cyber awareness, consider that the devastating 2014 attacks on SONY, incorporated phishing campaigns to retrieve credentials from system administrators, as a first step.  Now, if even the ‘techy sys admins’ can be duped, how would your normal staff fare against social engineering tactics?  Are they capable of recognizing such threats?

Developing the Caribbean Cyber Security Ecosystem

As many presenters attempted to convey, we need to move away from thinking of cybercrime as acts perpetrated by single entities and view cybercrime as being executed by well-funded organised groups which have no respect for international borders.  Hence, this requires a coordinated response from both the public and private sector and coordination and cooperation locally and internationally.    Caribbean nations therefore need to develop cyber security holistically rather than adopting a silo approach to cybercrime.  The nation state cannot do this on its own and while seeking assistance from bodies such as the OAS on matters of strategy, policy, legislation etc. they must simultaneously involve, engage and encourage participation from the private sector, academia and civil society on these initiatives.  This would ensure capacity building and the creation of a cyber security ecosystem of professionals including researchers, lecturers, writers, service providers and vendors to contribute towards local and regional protection.