Cyber Crime and CI in the Americas

Mar 15, 2014

Only as Strong as Our Weakest Link

The British Virgin Islands (BVI) House of Assembly passed the Computer Misuse and Cybercrime Act on 13 March 2014. This Bill stiffens penalties for crimes related to both the distribution of child pornography and the publication of confidential data. The Bill was deemed necessary after an embarrassing incident last year in which 2.5 million confidential files were leaked from two national trust companies. Opponents have criticized it as a move against the freedom of the online press, but its supporters, including Premier Orlando Smith, regard it as necessary in protecting the financial services industry and, perhaps more to the point, BVI’s national security.

Whether the leaked files constitute a blatant act of criminality or of “hacktivism” aimed at shedding light on tax shelters and stashed wealth is a debate for another essay. For now, let us focus on the risks associated with operating in cyber space and on identifying weak links in the fight against cybercrime – particularly through the lens of emerging markets struggling to develop modern critical infrastructure in an increasingly perilous cyber landscape.

The dissemination of confidential data, such as took place in BVI, should come as a wakeup call for any person, company or government participating in an increasingly connected world, where privacy is an endangered commodity and ostensibly small security breaches can pose a threat to the very foundations of society. Everyday invasions of privacy, such as a hacked Twitter account, may seem trivial occurrences considering the massive structures that have been linked to International Cyber Terrorism (ICT) over the past decade and a half, but they should alert us to the presence of a shadowy, increasingly sophisticated criminal class, and remind us that this vast global network we share with this criminal element remains highly insecure due to a number of critical deficiencies.

What is at stake? The U.S. Department of Defense has recognized that cyber attacks will be among the top threats to national security in the next decade. Furthermore, in response to “repeated cyber intrusions,” President Barack Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, in February 2013.

As it pertains to EO 13636, the U.S. describes critical infrastructure as “systems and assets, whether physical or virtual, so vital… that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

The list of vital services being linked to ICT is long and growing: electricity generation systems; gas and oil production, transport and distribution; telecommunications services; water distribution systems; agricultural production and distribution; public health systems; transportation systems; financial services; and military services. Thus, in terms of the security of any nation of the Americas, whether rich or poor, the stakes could not be higher. Yet “Many countries, especially developing ones, struggle with awareness of cyber issues. The fact that cyberspace is an intangible force makes it easy to downplay the [important role] networks play in the highly connected world in which we live.” That was a conclusion drawn from the Organization of American States/Inter-American Committee Against Terrorism (OAS/CICTE) Regional Cyber Security Symposium that took place in November 2013 in Montevideo, Uruguay.

“Awareness” is the key word here because it represents a strategic launch point in the movement against cybercrime. Awareness also presents the first of many challenges, as it may prove difficult to galvanize an effort against crimes that go undetected, and criminals whose livelihoods largely depend on avoiding detection.

As the OAS/CICTE notes, “Network intrusions are routinely discovered months or even years after the original breach was perpetrated.” Indeed, there even appears to be no established terminology for nations to report upon. In fact, the term ‘cyber incident’ was neither uniformly understood nor applied among the 20 OAS member nations volunteering to report on instances of cybercrime to the CICTE.

A lack of awareness would be far less dangerous if cybercrime were strictly a national problem. However, like money laundering and international terrorism, cybercrime is a threat that respects neither international borders nor the sovereignty of nations. Defenses must be coordinated multinational efforts with active public and private sector participation. Parallels can be seen in current anti-money laundering – countering the financing of terrorism (AML/CFT) efforts in the Americas – for which organizations like the Caribbean Financial Action Task Force (CFATF) are seeking to establish a unified front. There are, of course, obvious overlaps when it comes to cybercrime, terrorism and money laundering. Therefore, CICTE describes its mission thus: “to promote and develop cooperation among Member States to prevent, combat and eliminate terrorism.”

The notion of cooperation leads us to emerging markets and their role in the fight against cybercrime.

Before delving into specific examples, we must underscore the head start that cyber criminals have had. From 2001 to 2011, the number of per-capita Internet users in North America increased by more than 152%. Latin America and the Caribbean experienced a 1,037% increase in that time. Look at nearly any jurisdiction in the Caribbean and you will likely find one or several telecommunications providers scrambling to roll out universal coverage.

Such astronomical growth comes with obvious benefits at an individual, corporate and government level. ICT advances have opened new channels for attracting foreign direct investment and for small and medium-sized businesses to gain a foothold and participate in international trade. More developing nations are turning to various modes of e-governance, to increase public sector efficiencies and modernize services.

But such rapid expansion comes at a price! The fact is, many governments – particularly those of small-island developing states (SIDS) – have been slow to respond to the Internet boom (for many reasons, as outlined by the OAS/CICTE), and it is probably not reasonable to assume that nations with small populations (and small governments) will have the financial resources or technical knowhow to enact legislation that will bring their anti-cybercrime regimes up to international standards. Many of these countries already find their law enforcement resources stretched thin as they deal with high crime rates that include murder, theft and drug trafficking – tangible crimes which, at least in appearance, are the more immediate security threat.

But, as the Barbados-based Caribbean Cyber Security Center (CCSC) points out, cybercrime has already surpassed the international drug trade in terms of illicit revenues. Failure to respond at a regional level is precisely what is turning the Caribbean/Latin American region into a hive for cyber criminality. To illustrate, the OAS reports that, in Jamaica, instances of cybercrime increased more than 14% each year since 2012, with most of the cases related to attacks on public institutions.

In spite of a public awareness campaign, Jamaica’s lack of incident response, investigation personnel and international cooperation indicates that the island remains a weak link, with serious cybercrime deficiencies. That only four criminal convictions (including one individual charged with attacking Jamaica’s critical infrastructure) took place between 2010 (the year the Cybercrimes Act was passed) and 2013 has led Parliament to establish a joint committee to review the Act and recommend revisions to bolster the Organized Crime Investigation Division’s Cybercrime Unit.

This is not intended to pick on Jamaica. The CCSC predicts that “the level of sophistication of attacks will increase…We can look forward to more web site defacement, more DDOS attacks and more breaches in customer account data across the region. There will be new strains of malware, spyware and crimeware and an increase in the number of botnets in this region.”

Even the mightiest economic powers of the Latin American/Caribbean region have had difficulty keeping pace with cyber criminals.

From 2011 to 2012, Mexico – ‘ground zero’ for cybercrime in the Americas – reported more than a 40% increase in cyber incidents, with the majority of cases attributed to hacktivist activity. According to its 2013 survey, Norton Symantec found that cybercrime cost Mexico an estimated $3B in 2012 (nearly double that of 2011), and represents a growing percentage of the total amount that cybercrime costs the world on an annual basis ($110B in 2012). What is noteworthy is the rate of increase of cybercrime, and the way Mexico is trending to become a regional hub. It will be interesting to see if the trend continued last year when Norton’s 2014 report is released.

Mexico’s high level of connectivity has combined with a well-documented struggle with organized crime to establish a true hub for cyber criminality. Over the past 10 months, the U.S. Public Security Secretariat (SSP) has reported over 1,300 incidents of cybercrime in Mexico City alone, including widespread identity theft and child pornography.

Jamaica can’t go it alone. Nor can Mexico, which has decidedly more resources at its disposal. Changes may be on the horizon. Argentina, Chile, Colombia, Costa Rica, Mexico and Panama have been invited to accede to the Budapest Convention on Cybercrime, the treaty that in 2001 established international standards for addressing Internet and computer-related crime.

Paraguay and Peru have also expressed interest in signing on to the convention, which, to date, only the Dominican Republic has joined. On 31 March 2014, Mexico held a national workshop on cybercrime legislation, and an international workshop took place on 1-2 April, with the backing of the OAS and the Council of Europe.

For its part, the CCSC has outlined an expansive, eight-point road map for bolstering cyber security standards in the Caribbean:

  • Establishment of a Caribbean Cyber Security & Crime Non-Governmental Organization or Secretariat.
  • Establishment of a Regional Cyber Security Assessment Service Desk for Government Networks.
  • Establishment of a Caribbean Cyber Security Operations Center (CCSOC).
  • Enhancement of Regional Cyber Security SME for the Public & Private Sectors.
  • Facilitate Improved Caribbean Cyber Security & Crime Research and Development Partnerships with Key Global IT Security Solutions Providers and Organizations.
  • Establishment of a Caribbean Public Sector Regional Cyber Security Awareness Campaign.
  • Facilitate Regional Cyber Security & Crime Information Sharing.
  • Establishment of a Regional Computing Crimes Forensics Capability.

Of course, the weakest link in cyber security remains the individual. The Information Age has led us down a path from which there is no return, and exposed us to conveniences that most would probably not be willing to give up. As technology becomes more pervasive in our lives, public awareness and educational campaigns may prove the most effective means of shrinking the playing field for would-be criminals.

Still, as seen in Jamaica, public awareness will not be enough. Though no doomsday scenarios have yet come to pass, the time has come for the Americas to take aggressive measures to assure that none ever do. All countries must be on board – from Montserrat to the United States – because all have a stake in cyber security.

Safe and smart computing, the establishment of proactive cyber security hubs, like those envisioned by the CCSC, and international cooperation will all play pivotal roles in protecting ourselves, our businesses and the critical infrastructure systems upon which our societies have come to depend.

Nathaniel Bowler is an author, blogger and leading regional analyst with expertise in the Caribbean markets. Nate has worked as a contributing author for regional publications, distinguishing himself through analysis of key topics such as cyber security, anti-money laundering, public-private partnerships, sports tourism and alternative energy.

© FrontLine Security 2014