The 2016 Cybersecurity Report is the result of the collaboration between the Inter-American Development Bank (IDB), the Organization of American States (OAS), and the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford. The report presents a complete picture and update on the status of cybersecurity (risks, challenges, and opportunities) of Latin America and the Caribbean countries.
Importantly, the report was the result of self-assessments by key stakeholders within each jurisdiction under review.
In respect of the key findings, a good summary comes from the preface by the current IADB President, Luis Alberto Moreno, who notes that:
The analysis of its 49 indicators shows that several countries in the region are vulnerable to potentially devastating cyberattacks. Four out of five countries do not have cybersecurity strategies or critical infrastructure protection plans. Two out of three do not count on command centers and cybersecurity control. The vast majority of prosecutors lack the legal capacity to pursue cybercrime actions.
Among the more noteworthy aspects of the report is the model developed to assess the state of cybersecurity in LAC. The report applies a “Cybersecurity Capability Maturity Model” (CMM). The CMM is based on a model developed by the Global Cyber Security Capacity Centre at Oxford University and has five designations: startup; formative; established; strategic; and dyamic. After analysing each country’s situation, that country is graded using the CMM designations in respect of 49 specific indicators. In turn, the 59 indicators were grouped into five broad categories:
National Cybersecurity Policy and Strategy (Policy and Strategy);
Cyber Culture and Society (Culture and Society);
Cybersecurity Education, Training and Skills (Education);
Legal and Regulatory Frameworks (Legal Frameworks); and
Standards, Organizations and Technologies (Technologies).
From a Caribbean perspective, the report is very comprehensive. All 12 Commonwealth Caribbean Countries and 14 CARICOM-party states overall (Haiti and Suriname are also included) are covered in the report. For context, 32 Latin America and Caribbean countries were surveyed in total.
To my mind, the biggest value of this report for Caribbean states is the quick diagnosis it provides of the weak area(s) in various states. This understanding should significantly assist in determining which areas should be prioritised by governments in the region and, by extension, where scarce state resources should be directed. The report should also be useful to civil society actors and organisations in determining which cybersecurity and ICT issues need flagging and actioning in their respective territories.
Implicit in the foregoing, is another important purpose of the report: it underscores the nuanced challenges faced in various jurisdictions in respect of not just cybersecurity, but ICT issues generally. By extension, the findings confirm that the one-size-fits-all-in-the-region approach to analysing and addressing cybersecurity challenges is woefully outdated.
Some months ago, I had mentioned that the Caribbean Development Portal of the United Nations Economic Commission for Latin America and the Caribbean (ECLAC) launched an online survey “to get a sense of views within the region regarding the relative importance of various policy objectives in the area of ICT”. Like most in the region, I anticipated the outcome of the report for the fact that it would be the first time that the various (sometimes siloed) information society actors in the region would have an opportunity to view a collective window into what ‘we’ considered to be important to the Caribbean region from an information society perspective.
In seeking to fulfil the survey’s objectives, respondents were required to provide a weighted score to various specific strategic goals (Not a Priority; Low Priority; Moderate Priority; Medium Priority; High Priority). In turn, these goals were organised under five broad thematic categories: Access and infrastructure; Social inclusion and sustainable development; Governance for the Information Society; Digital economy, innovation, and competitiveness; and e-Government and citizenship. Each category had varying numbers of strategic goals.
In total there were 37 respondents (full disclosure: that number included yours truly)
The Results As I would have suggested earlier, the real value of this survey was the window it offered into the thinking of ICT practitioners across various sectors in the region.
The total of 90 strategic goals were given a weighted score based on the average importance score give by the 37 respondents to the survey. Accordingly, it could be said that those results in the top third of the table were perceived to be the most important goals by respondents. The further down the table the strategic goal appeared, the less important it was to the community.
With this thinking in mind, I created the below table which divided the results into three tiers: top, mid and bottom. This was my means of seeking to readily reflect the importance of each strategic goal to the community of practitioners in the Caribbean. Each tier holds 30 responses.
What immediately jumps out is that the number of thematic goals offered for scoring to the respondents varied greatly across the five categories. The largest category: “Digital Economy, innovation and competitiveness” had 27 different strategic goals. By comparison, the “e-Government and citizenship” category only possessed 10 of these strategic goals. Obviously, this would render a category versus category comparison within each tier, an illegitimate analysis.
Accordingly, the approach I took to making sense of the responses was to consider the percentage of each category that showed up in each Tier. I then went the additional step of highlighting (in pink) the tier in which each category was most dominant. When done, a clearer picture of the thinking of the Caribbean’s ICT practitioners begins to emerge.
What then becomes immediately striking is that infrastructure was most dominantly represented as a bottom tier priority. This is an Interesting outcome since, without the physical infrastructure in place to allow for access, there can be no true information society. It is the fundamental building block. To illustrate the point, not countingBarbados, most of the rest of the territories in the Caribbean can legitimately be categorised as lacking sufficient physical infrastructure to guarantee high speed internet access to the entire population.
This is a troubling collective view.
I would not dare suggest that a mere 37 practitioners accurately represent the thinking of all our region’s leading technologist. However, it is the only data of this kind that we do have. Having said that, on the face of it, if there is any merit in the survey, the ready conclusion is that our ICT thinkers and practitioners are perhaps too focused on ideal outcomes over practical, next-steps.
By now, the news cycle surrounding the temporary shutdown of Whatsapp by a Brazilian Court has petered out.
If you missed it (or are only reading this 50 years later!), the gist is that in 2015 Whatsapp is a large transnational mobile messaging service with global appeal and very high reach in Brazil. Prosecutors in Brazil required Whatsapp to hand over sensitive data in ongoing criminal proceedings. Whatsapp did not respond. The prosecutors moved the Court to punish Whatsapp. The Court applied provisions under the shiny, new Marco Civil statute to penalise Whatsapp by way of ordering the shutdown of the service in Brazil.
As a Caribbean lawyer, my natural curiosity led me to wonder how this would have played out in the West Indian context. Perhaps more importantly, I started to consider the specific lessons arising from the events in Brazil for the region.
What is the Appropriate Approach to Legislating Technology?
For me, the starting point is philosophical: how do we wish to deal with these situations? Specifically, how do we wish to attempt to legislate situations where a web service refuses to comply with domestic laws or directives? To bring greater reality to the scenario, let us assume that said web service i) has truly global reach and ii) more than likely has no data servers located within the physical jurisdiction of your state.
The Commonwealth Caribbean is part of an increasingly interconnected world where the importance of physical location, relative to matters of commerce, entertainment, knowledge transfer and productivity, is lessening by the day. This, thanks to advances with internet access and a multitude of useful internet-based services.
A rising tide lifts all ships and so, the almost too obvious corollary is that criminal and civil wrongs with an increasingly digital element are going to occur more frequently as well. Already, we see where these eventualities are increasingly occurring with the assistance of new, leading-edge internet-facing services such as Skype and Facebook.
On reflection, it would seem that the approaches that our parliaments in the region can take are to:
do nothing and hope that the challenges presented by the particular technological innovation doesn’t disrupt the general way of life or become too much of a live issue, thereby demanding the intervention of the judiciary and/or the legislature;
do the bare minimum in the way of enacting broad laws, intermittently, which ostensibly touch and concern our current technology-mediated reality; or
accept the reality of a world that is heavily impacted and mediated by digital technologies and attempt to aggressively legislate to suit.
The first option is untenable. It is the equivalent of an Ostrich hiding its head in the sand.
The second is closest to the reality in the region. Some laws are, ostensibly, enacted to tackle aspects of our new digital reality such as privacy and computer misuse legislation. Most of these laws are woefully bereft of updates to tackle the novel, innovative challenges presented by newer technologies.
Additionally, legislation is often drafted but never actually makes the full journey to enacted law. A good example is the Data Protection bill in Barbados. This bill has been tabled since 2005 but at the time of this post, it has still not been passed.
I suspect that while it is attractive in intent, the third option of aggressively legislating would not be practical or take us as far as we ideally imagine. Why?
Firstly, it would not be practical given the small matter of human resource constraints. We simply don’t have enough warm bodies to be deployed to research and draft the relevant laws necessary to keep up with the times and avoid law lag. w
Aggressively legislating perhaps would not have the desired effect. There is an assumption that the appropriate approach to protecting society in the face of advances in technology is to aggressively and constantly throw new legislation or regulation at the advances. This assumption is inherently faulty.
Further, we have seen from the way the first instance Court in Brazil attempted to apply what is, for all intents and purposes, well heralded, cutting edge, digital rights legislation that, ridiculous outcomes can still flow. Essentially, even with the best legislative framework, the human element can always lead to irrational consequences when applying this framework.
to focus on how the legal system holistically addresses technological change. We should examine the respective roles that administrative bodies, national courts, tribunals, law reform bodies, and other entities play in helping the law adapt to rapid technological change.
I can’t claim an answer to the conundrum but I suspect that the ideal solution may well lay in deploying primary enactments that are, in their drafting, sufficiently seized of the likely direction, internet-facing technologies are taking. To be clear, when I refer to direction, I speak of the perceived unique manner in which a particular technological advance will likely mediate our lived reality. This, as opposed to the specific characteristics of any particular technology being deployed in the market at a particular time.
Under this approach, the legislation is informed by the specific milieu of rights and duties of the various actors (end-users, consumers, service providers, government etc) but in broad terms. The legislation ought not to be so prescriptively specific that a sudden or unexpected shift in society’s appetite for a particular technology would render the piece of legislation useless.
This is the first part, the second piece of the puzzle requires that primary statute to be supplemented by a regulatory framework where the regulators are given sufficiently broad remit and allowed the necessary discretion to promulgate and retire regulations as they see fit. The sum effect? Regulations, as opposed to the primary enactments, are the primary legislative tool tasked with tackling the nuances of a particular technology wave. The working assumption here is that regulators, already empowered by the relevant statute will not be as encumbered as legislators in responding to shifts in the environment. Indeed, so long as in regulating, the regulator does not attempt to create or remove substantive rights afforded by the primary, empowering statute, the regulators could more quickly put relatively robust frameworks in place for managing how a particular new media entity offering an internet-based service ought to operate in the particular society.
A dearth of relevant laws.
So, let us assume that these new media entities with a global footprint were huge fans of the rule of law, were not beholden to primarily capitalist motivations and were willing to comply with local laws. The question then would be: what would they be complying with? A common complaint from technologist in the region is that generally speaking, there is a dearth of laws which are cognisant of and deal directly with the reality of a technology-centric era. Where such laws exist, their actual reach pales in comparison to the reality presented by technological advances.
There are no enacted laws in the Commonwealth Caribbean designed to recognise and protect ‘digital rights’ in a manner akin to the Marco Civil in Brazil. Although, we should not feel too badly on this ground; Brazil is a world leader in recognising and seeking to protect rights with regards to the internet. As recently as last year, when they passed the Marco Civil into law, no other country had done it.
Having said that, we need no better illustration of the relative state of our legal advances in the region than the recent Trinidadian High Court decision in Theresa Ho v Lendl Simmons. There, the judge had to carry out an admirable feat of juristic gymnastics to pin liability to a man who had used his phone to share sexually explicit photos of a former lover. The judge noted:
It must also be recognized that while the Courts in the United Kingdom are now obligated to apply the law in relation to breach of confidence in a manner that is consistent with that Nation’s obligations under the Human Rights Act 1988 and its obligations under the European Convention for the Protection of Human Rights and Fundamental Freedoms, no such obligation exists in this jurisdiction.
The instant case reinforces this Court’s belief that it cannot confine itself to a myopic view of the law and in the absence of legislative protection, the common law concept of Breach of Confidence has to be moulded so as to address modern societal demands. The law has to be dynamic and has to develop in such a way to ensure that it remains relevant and it must be recognised that there is an obligation of conscience which requires that videos, photographs and/or recordings that capture private intimate relations, should be clothed with a quality of confidentiality.
My conclusion: had a similar situation to the Brazil/Whatsapp decision occurred in the Commonwealth Caribbean, there would be no specific enough statutory regime to compel compliance of a transnational service based in another country. We would be left, like the judge in the Ho v Simmons case to ‘reach’. The one positive: the vast majority of countries in the Commonwealth Caribbean apply the common law. The common law provides an inherently dynamic approach to law-making which allows courts to mould and stretch the law to fit the specific circumstances presented to it. Although, the common law, unsupported by a statutory backbone can be somewhat unpredictable in its case-by-case application of seemingly established principles.
Ultimately what we saw in the Brazil/Whatsapp situation was the flexing of the muscles of the Brazilian judiciary in a very large country. The quick action of the Appellate Court to reverse the decision of the lower court staved off a bigger showdown. Notwithstanding, a greater truth looms: large transnational digital media companies like Whatsapp, Facebook and Microsoft are more likely to comply or, in the very least, sit at the table to negotiate, when dealing with some of the biggest economies in the world.
Consider the case of search behemoth Google. Google left China in 2010 under protest about China’s requirements for them to self-censure search results. Yay for human rights. Recently, however, without as much fanfare, they announced an attempt to get back in.
The lesson: where the country in which a transnational digital media giant wishes to extend its services has a statistically significant enough population, that new media company, once motivated by profit, will eventually want to play ball. It is not necessarily just about human rights issues like openness and privacy protection, as CEOs like Mark Zuckerberg would have us believe.
The hard truth is, the bigger the population, the larger the potential market for services and, in turn, the greater the potential for revenue generation. In the English speaking Caribbean, the population sizes range from 2.9 million in Jamaica to just over 50,000 inhabitants in St. Kitts. Our populations, even collectively, would hardly make a dent in the global population figures.
Would Google or Microsoft cry about a court in a country in the Commonwealth Caribbean, in a fashion similar to the Brazilian Court, blocking access to their web-based services? It is left to be seen but I doubt it. Such media giants have nothing of value to lose here. Not yet anyway.
The United Nations Economic Commission for Latin America and the Caribbean (ECLAC) is currently conducting a survey to determine The priorities for the Information Society in the Caribbean. Pretty heady stuff.
After recent discussions with members of the local internet governance community in Barbados, a decision has been taken to take active steps towards the formation of an Internet Society Chapter in Barbados.
What Is the Internet Society?
The Internet Society (ISOC) is an international, non-profit organization founded in 1992 to provide leadership in Internet related standards, education, and policy. The mission of ISOC is “to promote the open development, evolution and use of the Internet for the benefit of all people throughout the world.”
Today, people in Barbados use the Internet to purchase critical goods and services; to make and maintain connections with business prospects, family members and friends; to pay taxes and manage money. We socialise via the Internet and also use it to entertain ourselves. The Internet is no longer just a curiosity, it is a necessity.
As with all necessities of life, structures need to be put in place to safeguard its continued availability and proper functioning. By raising awareness and championing appropriate future-facing policies, we believe that an ISOC Chapter will further the proper development of the Internet in Barbados.
What will an ISOC Barbados Chapter do?
We propose to undertake two main pillars of activity:
Organising events and activities which will bring together various stakeholders to discuss ideas and share perspectives; and
Determining and championing public policy perspectives in relation to the use and development of the Internet which the Chapter’s members believe will redound to the benefit of Barbados and Barbadians.
“As an Internet Society Chapter member, you can benefit in a number of ways.
Whether you’re trying to find a job, expand your business, stay abreast of the latest trends, build your professional network, or just connect with those who share your passion for the Internet, an Internet Society Chapter is the ideal forum.
If you want to make a difference in your community by helping to advance the Internet Society’s mission, a Chapter is the perfect vehicle.
If you want to develop your communications, management, and leadership skills, volunteering for a Chapter creates great opportunities to stretch yourself (and get a high level of visibility among prospective employers or customers).”
How can you help?
At this initial stage, two objectives are of critical importance: building membership and charting the course forward.