By David Jessop
Just over a week ago Google, Facebook, Amazon, Twitter, Netflix, Visa and many more premium providers of global web services, temporarily went offline. This was because they had indirectly suffered the effects of a distributed denial of service (DDoS) attack on Dyn, a largely unknown intermediary that enables web users to access the addresses of major web sites.
Experts say that it may have been the biggest DDoS attack ever mounted, because it brought down a key gateway, and was highly sophisticated in the way in which sent huge volumes of data, causing Dyn’s servers to deny access to its clients.
What was unusual was that the event in part was delivered through insecure smart devices – the so-called internet of things – including everyday items linked to the internet like web cams, baby monitors, smart TVs and DVD players, and even fridges and central heating systems.
Apart from indicating an absence of serious thinking about security by those who design and sell such web linked products and regulations to govern them, it demonstrated that it is now possible indirectly to shut down or disrupt essential online services.
Reports in the trade press suggest that so serious have DDoS attacks in general become, that more than 30 percent are now large enough to swamp almost any business or poorly protected government.
While few Caribbean cases of DDoS or cyber-crime ever become public, because of the perceived reputational damage, there are ample reports of the existence of cyber-attacks, including theft from banks; the hacking of government websites in The Bahamas and St Vincent by a group claiming to be supporters of ISIS; ransomware attacks on some Caribbean tax authorities; and most recently, the publication online in interrogatable form of 1.3 million files from The Bahamas’ corporate registry.
These revealed not just the lack of appropriate security within government portals, but the existence of outmoded IT systems and software with the potential, some experts suggest, to have compromised government’s internal communications. They also highlighted the region’s vulnerability, and the absence of local expertise or financial resource to address weaknesses, leaving others to be invited in to provide the necessary technical support and to remedy problems.
According to a joint study by the Center for Strategic Studies and McAfee published earlier this year, Latin America and the Caribbean (LAC) has become a new frontier for cyber-attacks and crime at an estimated cost of around US$90 billion per year.
The Cipher Brief, a digital, security-based platform that connects the private sector with the world’s leading security experts, recently noted that 12 percent of DDoS attacks now target the LAC region, and that the number is escalating. It is also the case that there has been a dramatic rise in the number of people, including tourists, with access to Internet-connected devices, potentially increasing national vulnerabilities.
Experts suggest attacks will increasingly be directed at softer targets in locations through which funds flow for tax advantage or commercial expediency, and where tourism has become central to the stability of a national or regional economy.
While some Caribbean governments and companies have begun to recognise the threat, strikingly not enough money or time is being spent on upgrading, protecting or testing systems related to essential infrastructure, government services, banking and financial services, private sector operations, or on securing media sites.
In addition, according to the OAS/IDB report, mistrust and an absence of authoritative information on best practice has led to an unwillingness to designate individuals in the police or military as coordinators of cybersecurity policy development, or to build public-private partnerships that might finance and build cyber security regimes.
As with so many matters in the Caribbean, the challenge is not in understanding the nature of the threat, but with implementation.
Although governments and a number of international agencies meeting in St Lucia in March signed-off on action plan to strengthen regional co-operation in areas such as training, legislation, technical capacity and law enforcement, since then progress has been slow.
To understand the scale of the problems that need to be addressed one only has to read the country by country reports in ‘Cybersecurity Are We Ready in Latin America and the Caribbean’ jointly published earlier this year by the Organisation of American States (OAS) and the Inter-American Development Bank (IDB).
It makes clear that almost all countries in the region have no overall strategy, few relevant laws and no genuine capacity to respond to a cyber-attack.
It suggests that the only country in the Anglophone Caribbean that is well prepared is Trinidad, with Jamaica not far behind. It notes that while Antigua, The Bahamas, Dominica, Haiti, and Suriname are ‘in the process of articulating a potential strategy’, there is no indication when they will have in place the essential components. As for the rest of the Caribbean Community (CARICOM), the report suggest that evidence of progress is scant.
In the Hispanic Caribbean, surprisingly, even the Dominican Republic, which is heavily dependent on connectivity, was deemed to be poorly prepared. In contrast, although not covered by the study, Cuba is well equipped. Having established the Universidad de las Ciencias Informáticas (UCI) in 2002, it now has some 14,000 graduates working in all areas of government and enterprise, and is consequently understood to have advanced cyber defence measures in place.
Unfortunately, there is a view in parts of the region that the Caribbean is somehow immune or unlikely to be of interest to cyber criminals. However, one only has to consider the enormous sums of money transferred regularly through the region’s offshore financial centres, the commercially sensitive documents held in registries and lawyer’s offices, matters of national security and criminality that all governments regularly engage with, the expansion of citizenship programmes, and the millions of daily commercial banking transactions, to immediately see the dangers cybercrime poses to small nations.
The Caribbean and Latin America have a small window in which to develop strong and integrated cybersecurity networks before attackers begin seriously to explore and infiltrate what is still a largely undefended region. As The Cipher Report puts it: ‘The question is whether governments have the political will, private industry is open to working with the public sector, and citizens start taking responsibility for their own cyber security’.