Cyber Crime and Critical Infrastructure in the Americas: Only as Strong as the Weakest Link
By Nathaniel Bowler
On March 13, the British Virgin Islands House of Assembly passed the Computer Misuse and Cybercrime Act, a bill that stiffens penalties for crimes related to the publication of confidential data and the distribution of child pornography. Government deemed the bill necessary after an embarrassing incident last year in which 2.5 million confidential files were leaked from two BVI trust companies and used to develop journalistic content. Though the law’s opponents have criticized it as a move against the freedom of the local online press, its supporters, including Premier Orlando Smith, regard it as necessary in protecting the financial services industry and, perhaps more to the point, BVI’s national security.
Whether the leaked files constitute a blatant act of criminality or hacktivism aimed at shedding light on tax shelters and stashed wealth is a debate for another essay. We will use this space to focus on the risks associated with operating in cyber space and identifying weak links in the fight against cyber crime, particularly through the lens of emerging markets that are struggling to develop modern critical infrastructure in an increasingly perilous cyber landscape.
The dissemination of confidential data such as took place in BVI should come as a wakeup call for any person, company or government participating in an increasingly connected world, where privacy is an endangered commodity and ostensibly small security breaches must be seen as the precursors to much larger threats. Everyday invasions of privacy such as a hacked Twitter account may seem trivial occurrences considering the massive structures that have linked to ICT over the past decade and a half, but they should alert us to the presence of a shadowy, increasingly sophisticated criminal class and remind us that the vast global network we share with this dangerous element remains highly insecure due to a number of critical deficiencies.
The International Cyber Security Protection Alliance (ICSPA) offers a glimpse of just how connected we will be by the year 2020.
What is at stake?
The US Department of Defense has recognized that cyber attacks will be among the top threats to national security in the next decade. Furthermore, in response to “repeated cyber intrusions,” President Barack Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity in February of 2013.
As pertains to EO 13636, the US describes critical infrastructure as “systems and assets, whether physical or virtual, so vital…that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
The list of vital services being linked to ICT is long and growing: electricity generation systems; gas and oil production, transport and distribution; telecommunications services; water distribution systems; agricultural production and distribution; public health systems; transportation systems; financial services; and military services. Thus, in terms of the security of any nation in the Americas, rich or poor, the stakes could not be higher.
And yet “Many countries, especially developing ones, struggle with awareness of cyber issues. The fact that cyberspace is an intangible force makes it easy to downplay the [important role] networks play in the highly connected world in which we live.” That was a conclusion drawn from the Organization of American States/Inter-American Committee against Terrorism (OAS/CICTE) Regional Cyber Security Symposium that took place in November, 2013 in Montevideo, Uruguay.
Awareness is key
Awareness is the key word here, because it represents a strategic launching point in the movement against cyber crime. Awareness also presents the first of that movement’s many challenges, as it may prove difficult to galvanize an effort against crimes that go undetected and criminals whose livelihoods largely depend on avoiding detection. As the OAS/CICTE notes, “Network intrusions are routinely discovered months or even years after the original breach was perpetrated.” Indeed there even appears to be no established terminology for nations to report on: “the term ‘cyber incident’ was not uniformly understood or applied” among 20 OAS member nations volunteering to report on instances of cyber crime to the CICTE.
A lack of awareness would be far less dangerous if cybercrime were strictly a national problem, however, like money laundering and international terrorism, cybercrime is a threat that does not respect international borders or the sovereignty of nations. Defenses must be coordinated multinational efforts with active public and private sector participation. There are parallels to be seen in current anti-money laundering/countering the financing of terrorism (AML/CFT) efforts in the Americas, for which organizations like the Caribbean Financial Action Task Force (CFATF) are seeking to establish a unified front (of course, there are obvious overlaps when it comes to cybercrime, terrorism and money laundering). Likewise, CICTE describes its mission thusly: “to promote and develop cooperation among Member States to prevent, combat and eliminate terrorism.”
Role of emerging markets in fighting cyber crime
The notion of cooperation leads us to emerging markets and their role in the fight against cyber crime. Before delving into specific examples, it may be worthwhile to underscore the head start that cyber criminals are working with. From 2001 to 2011, the number of per-capita Internet users in North America increased +152%. Latin America and the Caribbean experienced a +1,037% increase in that time, including +1,397% in the Caribbean alone. Look to nearly any jurisdiction in the Caribbean and you will likely find one or several telecommunications providers scrambling to roll out universal coverage.
Such astronomical growth comes with obvious benefits at an individual, corporate and governmental level. ICT advances have opened new channels for attracting foreign direct investment and for small and medium-sized businesses to gain a foothold and participate in international trade. More developing nations are turning to various modes of e-governance to increase public sector efficiencies and modernize public services.
But such rapid expansion comes at a price. The fact is that many governments, particularly those of small-island developing states (SIDS), have been slow to respond to the Internet boom for the reasons outlined by the OAS/CICTE, and it is probably not reasonable to assume that nations with small populations and accordingly small governments will have the financial resources or technical knowhow to enact legislation that will bring their anti-cyber crime regimes up to international standards. Many of these countries already find their law enforcement resources stretched thin as they deal with high crime rates that include murder, theft and drug trafficking—tangible crimes which, at least by appearances, constitute a more immediate security threat. But, as the Barbados-based Caribbean Cyber Security Center (CCSC) points out, cyber crime has already surpassed the international drug trade in terms of illicit revenues.
Failure to respond, not just at a local but a regional level, is precisely what is turning the Caribbean/Latin American region into a hive for cyber criminality. To illustrate, the OAS reports that instances of cyber crime increased +14% year over year in Jamaica in 2012, with most of the cases related to attacks on public institutions. In spite of a public awareness campaign, Jamaica’s lack of incident response, investigative personnel and international cooperation indicate that the island remains a weak link with serious cyber crime deficiencies. That only four criminal convictions (including one individual charged with attacking Jamaica’s critical infrastructure) took place between 2010 (the year the Cybercrimes Act was passed) and 2013 has led Parliament to establish a joint committee to review the Act and recommend revisions to bolster the Organized Crime Investigation Division’s Cybercrime Unit. This is not to pick on Jamaica. The CCSC predicts that “the level of sophistication of attacks will increase…We can look forward to more web site defacement, more DDOS attacks and more breaches in customer account data across the region.
New types of cyber crime will evolve
There will be new strains of malware, spyware and crimeware and an increase in the number of botnets in this region.” Even the mightiest economic powers of the Latin American/Caribbean region have had their difficulties keeping apace with cybercriminals. From 2011 to 2012, Mexico, effectively Ground Zero for cybercrime in the Americas, reported a +40% increase in cyber incidents, with the majority of cases attributed to hacktivist activity. According to Norton’s annual survey, cyber crime cost Mexico an estimated $3B in 2012, nearly double the 2011 cost and a disproportionately large percentage of the $110B that cyber crime cost the world in 2012. Mexico’s high level of connectivity has combined with a well-documented struggle with organized crime to establish a true hub for cyber criminality. Over the past 10 months, the Public Security Secretariat (SSP) has reported over 1,300 incidents of cyber crime in Mexico City alone, including widespread identity theft and child pornography.
Jamaica can’t go it alone. Nor can Mexico, with decidedly more resources at its disposal. Recent developments indicate that changes may be on the horizon, as Argentina, Chile, Colombia, Costa Rica, Mexico and Panama have been invited to accede to the Budapest Convention on Cybercrime, the treaty that in 2001 established international standards for addressing Internet and computer-related crime. Paraguay and Peru have also expressed interest in signing on to the convention, which, to date, only the Dominican Republic has joined. On March 31, Mexico will hold a national workshop on cybercrime legislation, and an international workshop will take place from April 1-2, with the backing of the OAS and the Council of Europe.
For its part, the CCSC has outlined an expansive, eight-point road map for bolstering cyber security standards in the Caribbean:
- Establishment of a Caribbean Cyber Security & Crime Non-Governmental Organization or Secretariat.
- Establishment of a Regional Cyber Security Assessment Service Desk for Government Networks.
- Establishment of a Caribbean Cyber Security Operations Center (CCSOC).
- Enhancement of Regional Cyber Security SME for both the Public & Private Sectors.
- Facilitate Improved Caribbean Cyber Security & Crime Research and Development Partnerships with Key Global IT Security Solutions Providers and Organizations.
- Establishment of a Caribbean Public Sector Regional Cyber Security Awareness Campaign.
- Facilitate Regional Cyber Security & Crime Information Sharing.
- Establishment of a Regional Computing Crimes Forensics Capability.
The weakest link
Of course, the weakest link in cyber security remains the individual. The Information Age has led us down a path from which there is no return, and has exposed us to conveniences that most of us probably would not willingly give up. As technology becomes more pervasive in our lives, public awareness and educational campaigns may prove the most effective means of shrinking the playing field for would-be criminals.
Still, as seen in Jamaica, public awareness will not be enough. Though no doomsday scenario has yet come to pass, the time has come for the Americas to take aggressive measures to assure that none ever do. All countries must be on board, from the smallest of SIDS to the massive economies of North America, because any weak link can compromise the security of the region. Safe and smart computing, the establishment of proactive cyber security hubs like those envisioned by the CCSC and international cooperation will all play a pivotal role in protecting ourselves, our businesses and the critical infrastructure systems on which our societies have grown to depend.
Nathaniel Bowler is an author, blogger and leading regional analyst with expertise in the Caribbean markets. Nathaniel specializes in tracking important regional news trends as they unfold in order to help clients identify strategic business opportunities and areas of risk. Nathaniel has worked as a contributing author for regional publications, distinguishing himself through analysis of key topics such as cyber security, anti-money laundering, public-private partnerships, sports tourism and alternative energy.