Cyber security Report on Latin America and the Caribbean

Last Month, the Inter-American Development Bank, in association with the Organisation of American States, launched a publication titled: 

Cybersecurity: Are We Ready in Latin America and the Caribbean

image

According to the blurb on the website: 

The 2016 Cybersecurity Report is the result of the collaboration between the Inter-American Development Bank (IDB), the Organization of American States (OAS), and the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford. The report presents a complete picture and update on the status of cybersecurity (risks, challenges, and opportunities) of Latin America and the Caribbean countries.

Importantly, the report was the result of self-assessments by key stakeholders within each jurisdiction under review.

In respect of the key findings, a good summary comes from the preface by the current IADB President, Luis Alberto Moreno, who notes that:

The analysis of its 49 indicators shows that several countries in the region are vulnerable to potentially
devastating cyberattacks. Four out of five countries do not have cybersecurity strategies or critical infrastructure
protection plans. Two out of three do not count on command centers and cybersecurity control. The vast
majority of prosecutors lack the legal capacity to pursue cybercrime actions.

 

Among the more interesting aspects of the report is the model developed to assess the state of cybersecurity in LAC. The report applies what they describe as a “Cybersecurity Capability Maturity Model” (CMM). The CMM is based on a model developed by the

Global Cyber
Security Capacity Centre
at Oxford University and has five designations: startup; formative; established; strategic; and dyamic.  After analysing each country’s situation, that country is graded using the CMM designations in respect of 49 specific indicators. In turn, the 59 indicators were grouped into five broad categories:  

  1. National Cybersecurity Policy
    and Strategy (Policy and Strategy); 
  2. Cyber Culture and Society
    (Culture and Society); 
  3. Cybersecurity Education, Training and
    Skills (Education); 
  4. Legal and Regulatory Frameworks (Legal
    Frameworks); and 
  5. Standards, Organizations and Technologies
    (Technologies).
image

From a Caribbean perspective, the report is very comprehensive. All 12 Commonwealth Caribbean Countries and 14 CARICOM-party states overall (Haiti and Suriname are also included) are covered in the report. For context, 32 Latin America and Caribbean countries were surveyed in total.

To my mind, the biggest value of this report for Caribbean states is the quick diagnosis it provides of the weak area(s) in various states. This understanding should significantly assist in determining which areas should be prioritised by governments in the region and, by extension, where scarce state resources should be directed. Similarly, it should also be useful to civil society actors and organisations in determining which cybersecurity and ICT issues need flagging and actioning the most in their respective territories.

Implicit in the foregoing, is another important purpose that this report serves: it underscored the nuanced challenges we face from jurisdiction to jurisdiction in respect of not just cybersecurity but ICT issues generally. By extension, the findings confirm that the one-size-fits-all-in-the-region approach to analysing and addressing challenges is woefully outdated.

You can directly download the report as a pdf (English | Español

Also, I should mention that the IADB has shared the dataset that was mined to create the report. If you are interested in sifting through the data yourself

(and have the time), you can grab it here.

Results of ECLAC Survey on Priorities for the Information Society in the Caribbean

Some months ago, I had mentioned that the Caribbean Development Portal of the United Nations Economic Commission for Latin America and the Caribbean (ECLAC) launched an online survey “to get a sense of views within the region regarding the relative importance of various policy objectives in the area of ICT”. Like most in the region, I anticipated the outcome of the report for the fact that it would be the first time that the various (sometimes siloed) information society actors in the region would have an opportunity to view a collective window into what ‘we’ considered to be important to the Caribbean region from an information society perspective.

The results of the survey was published in

the July-September 2015 edition of FOCUS magazine, starting at page 10. FOCUS magazine is the regular publication of the Caribbean sub-regional group within ECLAC.

In seeking to fulfil the survey’s objectives, respondents were required to provide a weighted score to various specific strategic goals (Not a Priority; Low Priority; Moderate Priority; Medium Priority; High Priority). In turn, these goals were organised under five broad thematic categories: Access and infrastructure; Social inclusion and sustainable development; Governance for the Information Society; Digital economy, innovation, and competitiveness; and e-Government and citizenship. Each category had varying numbers of strategic goals.

In total there were 37 respondents (full disclosure: that number included yours truly)

The Results
As I would have suggested earlier, the real value of this survey was the window it offered into the thinking of ICT practitioners across various sectors in the region.

The total of 90 strategic goals were given a weighted score based on the average importance score give by the 37 respondents to the survey. Accordingly, it could be said that those results in the top third of the table were perceived to be the most important goals by respondents. The further down the table the strategic goal appeared, the less important it was to the community. 

With this thinking in mind, I created the below table which divided the results into three tiers: top, mid and bottom. This was my means of seeking to readily reflect the importance of each strategic goal to the community of practitioners in the Caribbean. Each tier holds 30 responses.

image

What immediately jumps out is that the number of thematic goals offered for scoring to the respondents varied greatly across the five categories. The largest category: “Digital Economy, innovation and competitiveness” had 27 different strategic goals. By comparison, the “e-Government and citizenship” category only possessed 10 of these strategic goals. Obviously, this would render a category versus category comparison within each tier, an illegitimate analysis.

Accordingly, the approach I took to making sense of the responses was to consider the percentage of each category that showed up in each Tier. I then went the additional step of highlighting (in pink) the tier in which each category was most dominant. When done, a clearer picture of the thinking of the Caribbean’s ICT practitioners begins to emerge. 

image

What then becomes immediately striking is that infrastructure was most dominantly represented as a bottom tier priority. This is an Interesting outcome since, without the physical infrastructure in place to allow for access, there can be no true information society. It is the fundamental building block. To illustrate the point, not counting Barbados, most of the rest of the territories in the Caribbean can legitimately be categorised as lacking sufficient physical infrastructure to guarantee high speed internet access to the entire population.

This is a troubling collective view.

I would not dare suggest that a mere 37 practitioners accurately represent the thinking of all our region’s leading technologist. However, it is the only data of this kind that we do have. Having said that, on the face of it, if there is any merit in the survey, the ready conclusion is that our ICT thinkers and practitioners are perhaps too focused on ideal outcomes over practical, next-steps.

The Brazil Whatsapp Shutdown and Lessons for the Caribbean

image

By now, the news cycle surrounding the temporary shutdown of Whatsapp by a Brazilian Court has petered out. 

If you missed it (or are only reading this 50 years later!), the gist is that in 2015 Whatsapp is a large transnational mobile messaging service with global appeal and very high reach in Brazil. Prosecutors in Brazil required Whatsapp to hand over sensitive data in ongoing criminal proceedings. Whatsapp did not respond. The prosecutors moved the Court to punish Whatsapp. The Court applied provisions under the shiny, new Marco Civil statute to penalise Whatsapp by way of ordering the shutdown of the service in Brazil.   

 If you require more detail, an excellent survey of the key issues, actors and opinions was provided by Taisa Sganzerla.

As a Caribbean lawyer, my natural curiosity lead me to wonder how this would have played out in the West Indian context. Perhaps more importantly, I started to consider the specific lessons arising from the events in Brazil for the region.


What is the Appropriate Approach to Legislating Technology? 

For me, the starting point is the philosophical: how do we wish to deal with these situations? Specifically, how do we wish to attempt to legislate situations where a web service

refuses to comply with domestic laws or directives? To bring greater reality to the scenario, let us assume that said web service has i) truly global reach and ii) that web service more than likely has no data servers located within the physical jurisdiction of your state.

The Commonwealth Caribbean is part of an increasingly interconnected world where the importance of physical location, relative to matters of commerce, entertainment, knowledge transfer and productivity, is lessening by the day. This, thanks to advances with internet access and a multitude of useful internet-based services. 

A rising tide lifts all ships and so, the almost too obvious corollary is that criminal and civil wrongs with an increasingly digital element are going to occur more frequently as well. Already, we see where these eventualities are increasingly occurring with the assistance of via new, leading edge internet-facing services such as Skype and Facebook

On reflection, it would seem that the approaches that our parliaments in the region can take are to: 

  1. do nothing and hope that the challenges presented by the particular technological innovation doesn’t disrupt the general way of life or become too much of a live issue thereby demanding the intervention of the judiciary and/or the legislature; 
  2. do the bare minimum in the way of enacting broad laws, intermittently, which ostensibly touch and concern our current technology-mediated reality; or 
  3. accept the reality of a world that is heavily impacted and mediated by digital technologies and attempt to aggressively legislate to suit.

The first option is clearly untenable. It is the equivalent of an Ostrich hiding his head in the sand.

The second is closest to the reality in the region. While there are quite a few laws that are, ostensibly, enacted to tackle aspects of our new digital reality such as privacy and computer misuse, most are woefully bereft of updates which can tackle the novel, innovative challenges presented by newer technologies. 

Additionally, as is exemplified by the Data Protection bill in Barbados which has been tabled since 2005, very often, legislation is often drafted but never actually makes the full journey to enacted law.

image

I suspect that while it is attractive in intent, the third option of aggressively legislating would not be practical or take us as far as we ideally imagine. Why? 

Firstly, it would not be practical given the small matter of human resource constraints. We simply don’t have enough warm bodies to be deployed to research, and draft the relevant laws necessary to keep up with the times and avoid law lag

Aggressively legislating perhaps would not have the desired effect since the assumption that the appropriate approach to protecting society in the face of advances in technologies is to aggressively and constantly throw new legislation or regulation at the advances is an inherently faulty one. 

And plus, we have seen from the way the first instance Court in Brazil attempted to apply what is, for all intents and purposes, well heralded, cutting edge, digital rights legislation that, ridiculous outcomes can still flow. Even with the best of legislation, the human element can always lead to irrational consequences. 

One suggestion from Internet Governance thinker, Niel Harper is 

to focus on how the legal system holistically addresses technological change. We should examine the respective roles that administrative bodies, national courts, tribunals, law reform bodies, and other entities play in helping the law adapt to rapid technological change.

I can’t claim an answer to the conundrum but my own suspicion is that the ideal solution may well lay in deploying primary enactments that are, in their drafting, sufficiently seized of the likely direction, internet-facing technologies are taking. To be clear, when i refer to direction, I refer to the perceived unique manner in which a particular technological advance will likely mediate our lived reality. This, as opposed to the specific characteristics of any particular technology being deployed in the market at a particular time. 

Under this approach, the legislation would thereafter seek to be informed by the particular milieu of rights and duties of the various actors (end users, consumers, service providers, government etc) in the broadest terms. The legislation ought not to be so prescriptively specific that a sudden or unexpected shift in society’s appetite for a particular technology would render the piece of legislation useless. 

This is the first part, the second piece of the puzzle requires that such statute be supplemented by a regulatory framework where the regulators are given sufficiently broad remit and allowed the necessary discretion to promulgate and retire regulations as they see fit. The sum effect is that regulations, as opposed to the primary enactment, would be attuned to the nuances of a particular technology wave. The idea being, regulators, already empowered by statute to so act, would not necessarily be as encumbered as legislators. Indeed, so long as in regulating, they do not attempt to create or remove substantive rights afforded by the primary, empowering statute, the regulators could more quickly put relatively robust frameworks in place for managing how a particular new media entity offering an internet-based service ought to operate in the particular society.


Dearth of relevant laws.

So, let us assume that these new media entities with a global footprint were huge fans of the rule of law, were not beholden to primarily capitalist motivations and were willing to comply with local laws. The question then would be, what would they be complying with? A common complaint from technologist in the region is that, generally speaking, there are a dearth of laws which are cognisant of and deal directly with the reality of a technology-centric era. Where such laws exists, their actual reach pales in comparison to the reality presented by technological advances.

Without question, there are no enacted laws in the Commonwealth Caribbean designed to recognise and protect ‘digital rights’ in a manner akin to the Marco Civil in Brazil. Although, we should not feel too badly on this ground; Brazil is a world leader in recognising and seeking to protect rights with regards to the internet. As recently as last year, when they passed the Marco Civil into law, no other country had done it.

Having said that, we need no better illustration of the relative state of our legal advances in the region than the recent Trinidadian High Court decision in: Theresa Ho v Lendl Simmons. There, the judge had to carry out an admirable feat of juristic gymnastics to pin liability to a man who had used his phone to share sexually explicit photos of a former lover. The judge noted:

It must also be recognized that while the Courts in the United Kingdom are now obligated to apply the law in relation to breach of confidence in a manner that is consistent with that Nation’s obligations under the Human Rights Act 1988 and its obligations under the European Convention for the Protection of Human Rights and Fundamental Freedoms,  no such obligation exists in this jurisdiction.  

The instant case reinforces this Court’s belief that it cannot confine itself to a myopic view of the law and in the absence of legislative protection, the common law concept of Breach of Confidence has to be moulded so as to address modern societal demands.  The law has to be dynamic and has to develop in such a way to ensure that it remains relevant and it must be recognised that there is an obligation of conscience which requires that videos, photographs and/or recordings that capture private intimate relations, should be clothed with a quality of confidentiality.  

My own conclusion: had a similar situation to the Brazil/Whatsapp decision occurred in the Commonwealth Caribbean, there would be no specific enough statutory regime to compel compliance of a transnational service based in another country. We would be left, like the judge in the Ho v Simmons case to ‘reach’. The one positive: the vast majority of countries in the Commonwealth Caribbean apply the common law, an inherently dynamic approach to law making which allows judges, in appropriate circumstances, to mould and grow the law to to fit nuanced circumstances. Even then though, common law, unsupported by a statutory backing can be somewhat unpredictable in its case by case application of principles; even in scenarios where the law is clear.


Size matters

image

Ultimately what we saw in the Brazil/Whatsapp situation was the flexing of the muscles of the Brazilian judiciary in a country with a population of 200.4 million people. While the quick action of the Appellate Court to reverse the decision staved off a bigger showdown, the truth is, large transnational digital media companies like Whatsapp, Facebook and Microsoft are more likely to comply or, in the very least, sit at the table to negotiate when dealing with some of the biggest economies in the world. 

Consider the case of search behemoth Google. Google left China in 2010 under protest about China’s requirements for them to self-censure search results. Yay for human rights. Recently however, without as much fanfare, they have announced an attempt to get back in. 

The lesson: where the country in which a transnational digital media giant wishes to extend its services has a statistically significant enough population, that new media company, once motivated by profit, will eventually want to play ball. Its not necessarily just about human rights issues like openness and privacy protection, as CEOs like Mark Zuckerberg would have us believe. 

The hard truth is, the bigger the population, the larger the potential market for services and, in turn, the greater the potential for revenue generation. In the English speaking Caribbean, the population sizes range from a whopping 2.9 million in Jamaica to just over 50,000 inhabitants in St. Kitts. 

Would Google or Microsoft cry about a court in a country in the Commonwealth Caribbean, in a fashion similar to the Brazilian Court, blocking access to their web-based services? It is left to be seen but I doubt it. Such media giants have nothing of value to lose. Not yet anyway.

ECLAC Survey on Information Society Priorities in the Caribbean

The United Nations Economic Commission for Latin America and the Caribbean (ECLAC) is currently conducting a survey to determine The priorities for the Information Society in the Caribbean. Pretty heady stuff.

Go to http://caribbean.eclac.org/content/survey-priorities-information-society-caribbean to take part. You can even opt to leave an email for follow-up contact.

Formation of an Internet Society Chapter in Barbados (ISOC-BB)

After recent discussions with members of the local internet governance community in Barbados, a decision has been taken to take active steps towards the formation of an Internet Society Chapter in Barbados. 

What Is the Internet Society?

The Internet Society (ISOC) is an international, non-profit organization founded in 1992 to provide leadership in Internet related standards, education, and policy. The mission of ISOC is “to promote the open development, evolution and use of the Internet for the benefit of all people throughout the world.”

image

The Internet Society website.


How will an ISOC Chapter benefit Barbados?

Today, people in Barbados use the Internet to purchase critical goods and services; to make and maintain connections with business prospects, family members and friends; to pay taxes and manage money. We socialise via the Internet and also use it to entertain ourselves. The Internet is no longer just a curiosity, it is a necessity. 

As with all necessities of life, structures need to be put in place to safeguard its continued availability and proper functioning. By raising awareness and championing appropriate future-facing policies, we believe that an ISOC Chapter will further the proper development of the Internet in Barbados.

What will an ISOC Barbados Chapter do?

We propose to undertake two main pillars of activity: 

  1. Organising events and activities which will bring together various stakeholders to discuss ideas and share perspectives; and
  2. Determining and championing public policy perspectives in relation to the use and development of the Internet which the Chapter’s members believe will redound to the benefit of Barbados and Barbadians.


How will ISOC Membership benefit you?

From the ISOC website

“As an Internet Society Chapter member, you can benefit in a number of ways. 

Whether you’re trying to find a job, expand your business, stay abreast of the latest trends, build your professional network, or just connect with those who share your passion for the Internet, an Internet Society Chapter is the ideal forum.

If you want to make a difference in your community by helping to advance the Internet Society’s mission, a Chapter is the perfect vehicle.

If you want to develop your communications, management, and leadership skills, volunteering for a Chapter creates great opportunities to stretch yourself (and get a high level of visibility among prospective employers or customers).”


How can you help?

At this initial stage, two objectives are of critical importance: building membership and charting the course forward. 

To become a member is a simple two stage process: 

  1. Sign up to be a member of the Internet Society
  2. Plug your details into the Barbados Chapter sign-up sheet

Thereafter we will be looking to poll the membership in the coming weeks for ideas on our overall mission and the specific projects we may wish to pursue.