Brief impressions of the current state of Cyber Security development efforts in the Caribbean, with a focus on Trinidad and Tobago, as gleaned from the recently held (26th-28th May 2014) Caribbean Stakeholders Meeting (ICT) and knowledge of the landscape in Trinidad & Tobago.
Impressions from Caribbean ICT Stakeholder Meeting, CyberSecurity
1. Impressions from Caribbean ICT
Stakeholders Meeting
26th-28th May 2014
Focus on Cyber Crime/Cyber Security issues discussed
Shiva Bissessar, BSc (Hons), MBA, MSc
Managing & Technical Director
Pinaka Technology Solutions
@BeasCycle
spbisses@gmail.com
2. • 17 years ICT experience, 5 of which in Senior Professional
roles delivering major Telecommunications and
Information Security projects.
• 2008: Founding member of Information Security focused
Organizational Unit. Established digital forensics lab, had
oversight of vulnerability analysis and penetration testing,
assisted policy development process.
• M.Sc. in Information Security from University College
London
• Information Security Advisory & ICT Programme
Management
In Brief
3. Varying Levels of Caribbean Readiness
• International bodies incl. OAS, ITU, Commonwealth
Cybercrime Initiative (CCI), are ready and willing to assist,
however there seems to be a lack of corresponding urgency,
or an inability to receive such assistance, on the part of Caribbean
governments. Lack of cyber security champions on board!
• There is an undertow of dissatisfaction with the model law
documents produced from EGRIP and HIPCAR exercises. This
is not only at the technical level!
• Dominica has taken a novel approach: seeking guidance from CCI in
executing a Cyber-security Needs Assessment Workshop and
ensuring that legislative efforts and Cybercrime Strategy are in
accordance with the Budapest Convention on Cybercrime.
4. Protection vs. Legislation
• Roberto Arbelaez, Chief Security Advisor for the Americas,
Microsoft, noted that legislative efforts to protect against
Cyber-crime, promote Cyber-security and provide threat of
prosecution may not be an effective deterrent to curb
attacks.
• He further noted that the lack of technical controls and
protection of assets makes the Caribbean region an
attractive destination of choice for attackers.
• Anthony Teelucksingh, Senior Counsel at U.S. Department of
Justice, countered that both technical controls and
legislation are equally important tools in the arsenal against
Cyber-crime.
5. Public Sector Cloud Push
• Microsoft, Columbus/FLOW and Digicel are all making a
push to increase uptake of Cloud services in the Public
Sector, in the context of an absence of regional or local data
protection and privacy laws, policies and standards.
• EU data protection regulator says Microsoft enterprise
cloud contracts are in line with EU privacy
requirements. (Apr 14th 2014)
http://www.out-law.com/en/articles/2014/april/eu-data-protection-regulator-says-microsoft-enterprise-cloud-contracts-are-in-line-with-eu-privacy-requirements/
• US court forces Microsoft to hand over personal data
from Irish server. Emails and private information from
customers of US companies must be handed over –
even if data is stored outside US. (Apr 29th 2014)
http://www.theguardian.com/technology/2014/apr/29/us-court-microsoft-personal-data-emails-irish-server
7. Status
• Heavy focus on HIPCAR based legislative effort while technical controls
are limited or non-existent.
• Many projects underway have Information Security / Cyber-security
dimensions which are being disregarded.
• Dearth of in-house expertise leads to high vendor dependency or
international expert driven projects. Insufficient local representation!
• Inadequate revision to policy/regulation/legislative efforts to keep
abreast of technical advancements and news disclosures (e.g. NSA)
• ITU-IMPACT group agreement signed and necessary payments made for
establishment of CSIRT. Is there adequate local technical expertise on
this initiative?
• Cybercrime Bill read into Parliament and soon to be debated. Is GoRTT
ready for “due diligence” requirements within the Cyber-crime Bill? Are
GoRTT agencies equipped to protect “critical infrastructure”?