Cyber protection is everybody’s business
The news gods decreed that I write about cyberspace risks today. Cyberspace is ‘the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers’.
I received the order for my first assignment in December 2009. The result was a two-part article, ‘Many Dangers Lurking in Cyberspace’. It was published the following month.
I learned last Tuesday that October is designated as Cybersecurity Awareness Month. The minister of science, energy, and technology was reported as saying, among other things, that with more access to digital tools comes even greater vulnerabilities. The message was familiar.
More signs were confirming that many of the threats that were identified over a decade ago were not overstated. Their impact, as readers know, is global. Caribbean islands like ours are not insulated from them – as COVID-19 showed. Further, cyberspace risks will not disappear. If anything, they will get worse.
The January 2010 article began: “Individuals and entities in the public and private sectors in Jamaica have become increasingly dependent on information and telecommunication technologies. Digital equipment and devices of all kinds that employ the technologies are being used to communicate, drive, and improve business and other processes and create value. Evidence of this is on our roads, in houses, schools, offices, factories, and other types of organisations of all sizes. As a result, users are exposed to new strains of risks. Some have their equivalents in the real world. Others are specific to the virtual world … some include targeted missions aimed at stealing corporate secrets, customer identities or electronic funds from customer accounts,”
Businesses and other entities have become even more dependent on these technologies since 2010. The dependency accelerated during and after the pandemic.
Michael Morsby, a local cybersecurity expert who advises companies on cybersecurity best practices, recently said that “many companies, as well as individuals, are unaware of how easy it is to be hacked and do not take the necessary precautions”. Hacking is the ‘unauthorised access to or control over computer network security systems for some criminal purpose’.
Sean Thorpe, head of the University of Technology’s School of Computing and Information Technology, agrees. In a letter to the editor dated May 25, 2021, he wrote: “Since the pandemic, the security threats to digital networks have become increasingly hostile and should be zero trusted.”
Joseph Steinberg, in his excellent and easy-to-read book Cybersecurity for Dummies, explains that cybersecurity means different things to different folks in different situations. His examples:
o Individuals: their data is not accessible to anyone other than themselves and others whom they have authorised, and their computing devices are free from malware;
o Small-business owners: ensuring that credit card data is properly protected and standards for data security are properly implemented at point-of-sale registers;
o Firms conducting online business: protecting servers (computer programmes or devices that provide a service to another computer programme and its user, also known as the client) that untrusted outsiders regularly interact with;
o Shared service providers: protecting many data centres that house numerous servers that, in turn, host several virtual servers belonging to many different organisations; and
o Government: establishing different classifications of data, each with its own set of related laws, policies, procedures, and technologies.
Cybersecurity, in the case of the Massy Jamaica ransomware attack, may have meant something other than the five simple definitions that Mr Steinberg listed in his book. On October 17, this newspaper described the ransomware event as “catastrophic”. It was preceded six months earlier by a strike on the company’s Trinidad headquarters. Similar events have been regularly occurring in the Caribbean during the last decade.
A ransomware attack occurs when hackers steal data and demand exorbitant sums for their return. Cybercriminals are also known to copy sensitive files and threaten to post them publicly unless ransom payments are made.
The newspaper report said that seven gigabytes of data – the average smartphone uses this amount of data monthly – was dumped on the Internet by cybercriminals on October 9. Included were customers’ personal information such as names, addresses, taxpayer registration numbers, signatures, videos, and pictures of Massy Jamaica employees and contractors.
A few days ago, this newspaper reported on a Jamaica Public Service Company data breach that occurred in 2020. It led to the exposure of confidential customer information. There is controversy over the scale of the breach. The JPS has 640,000 customers. The same article also provided information about another intrusion on the JamCOVID website and application. “More than 70,000 negative COVID-19 lab results, over 425,000 immigration travel documents authorizing travel to the island – including identity and passport information – and some 250,000 quarantine orders were exposed,” it said.
Data controllers – entities such as JPS, Massy Jamaica and others – are required by the Data Protection Act to process data in compliance with data-protection standards; report non-compliance with the required standards; and report security breaches that occur in their operations that involve personal data to the authorities. They are also required to inform the persons whose data was exposed. Penalties are imposed for non-compliance.
Since January 2009, local police authorities here have received an average of 10 to 15 ‘cyber related’ complaints per month, according to one report. That number has increased sharply over the years. This has led the Government to conduct a review of the Cybercrimes Act 2015 “to keep pace with the evolution of cybercrimes”.
Eliminating or reducing cyberspace risk is tough. A meeting involving representatives from 120 countries is planned to develop a global response. Renee Dudley and Daniel Golden, in their book The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save The World from Cybercrimes, explain how the FBI stumbled in its war against cybercrime, according to a recent issue of the magazine ProPublica. These examples illustrate the scale of the problem facing persons and organisations in small, developing countries like Jamaica.
Dr Daniel A. Pollock, a medical epidemiologist who worked at the US Centers for Disease Control and Prevention for 35 years, recently wrote a paper, ‘COVID-19: Lessons in Ignorance’. It included the following statement: “Among the nation’s earliest and most important pandemic lessons is the immense toll that ignorance can take on human lives.”
In Jamaica, we should not allow ignorance about cyberspace risks to prevent us from using digital tools that can improve lives and livelihoods. We must understand the threats and develop appropriate strategies to manage them. The subject is not only for the techies. Cybersecurity is everybody’s business.
Cedric E. Stephens provides independent information and advice about the management of risks and insurance. For free information or counsel, write to: aegis@flowja.com or business@gleanerjm.com