By Deon Olton
CTO Caribbean Cyber Security Center
WARRENS, Barbados -- Caribbean law enforcement must understand that cyber crime has surpassed the international drug trade yet Caribbean businesses, organizations, and governments have done very little to combat this phenomenon. To put this in perspective, last year the FBI announced that revenues from global cyber-crime, which includes the Caribbean, for the first time ever, exceeded drug trafficking as the most lucrative illegal global business, estimated at reaping more than $1 trillion annually in illicit profits.
Additionally, Interpol has reported that organized international gangs are behind most internet scams and that cyber crime’s estimated cost is more than that of cocaine, heroin and marijuana trafficking put together. Many of these organized international gangs have now targeted the Caribbean, using our cultural and political norms in being “slow” to do almost everything.
On a daily basis it is estimated that thousands of attempted attacks against Caribbean organizations, businesses and governments occur, with many going totally undetected or reported to law enforcement. Hackers and cyber criminals consider the Caribbean as ripe for the picking, and know that, if the very small chance occurs that they are caught, due the region’s lack in effective cyber security laws many cases will be difficult to prosecute, “if” they can be found.
The lack of a regional legal framework around cyber-crime and cyber security that law enforcement needs desperately is playing right into the hands of cyber-criminals who are laughing all the way to the bank. While it has been clear for some time now that regionally we “desperately need cyber laws and legislation in place”, government bureaucracy has been largely to blame for our inability to establish effective cyber-crime and security laws and legislation.
So why is this? As we have observed in many Caribbean countries, they are usually a small team of public sector workers with responsibility for writing laws and legislation who are simply overwhelmed with their workload and do not have nor leverage the technical expertise to even know where to begin in writing cyber laws and legislation for cabinet approval. This reality is then further compounded by the rate of change in information and communication technology, which is neither stopping nor slowing for no one, as a result we keep falling further and further begin in protecting critical public and private sector ICT resources and assets all across the region.
Understanding the mounting challenge Caribbean law enforcement is facing, we at the Caribbean Cyber Security Center (CCSC) will continue our mandate to deliver accurate and timely analysis to law enforcement, as a result we have begun by publishing the 2014 Caribbean Cyber Security Predictions for Law Enforcement and will do so every year.
In 2013 the misplaced ideas and opinions that we are safe from cyber-attacks and nobody wants anything that we have in the Caribbean is slowly being eroded by the evidence we see in daily, weekly and monthly reports across the region on cyber related criminal activity.
No one is safe. Once you are online the stakes are high, the challenge is to understanding the phase of the attack cycle your business or organization is in, and the level of security investment and alignment needed to minimize or eliminate the cyber threat. Improving our regional cyber security posture in 2014 will not get any easier, as the cyber threat landscape is rapidly evolving with expanding vulnerabilities in computer hardware/software, android devices, smart phones, servers, switches, routers, firewalls, security policies and the list goes on.
Overall our predictions show that the level of sophistication of attacks will continue to increase and will make identification, detection and remediation harder for systems administrators who are using yesterday’s training and methodologies to address today’s new targeted threats. We can look forward to more web site defacement, more DDOS attacks and more breaches in customer account data across the region. There will be new strains of malware, spyware and crimeware and an increase in the number of botnets in this region.
In some instances these breached systems will be controlled by stealthier command and control centers (CnC) being offered for sale on the black market. Hackers will use botnets and other compromised systems to pivot and launch attacks on neighbouring islands or nation states making it harder to track these perpetrators. And if that wasn’t enough we will see the introduction of malware into BIOS and firmware upgrades making the overall challenges even greater.
However with that said, below are the 2014 “Top 10” Caribbean Cyber Security Predictions for Law Enforcement:
(1) In 2014 law enforcement will identify that systems still running on Windows XP will definitely be common among those systems hacked as Windows XP is no longer being patched by Microsoft. Windows XP users will be the target for many cyber criminals and hackers.
(2) In spite of lagging regional cyber law and legislation, the demand on regional cyber crime units will increase significantly due to a rise in cyber-crime activity.
(3) The malicious insider threat (employees/staff) will remains the greatest cyber threat, but will become more visible and will highlight a need for more digital forensic support regionally in the law enforcement community.
(4) With more and more data breaches in the Caribbean – from theft of trade secrets to loss of customer information – in the headlines, it is our hope the corporate and government leaders will begin to focus on the connection between cyber security and an organization’s financial well-being, especially nothing the current regional economic challenges.
(5) Alignment with a cyber security team of professionals will enable companies and governments to quickly uncover data breaches and react faster, which will increase the demand on regional law enforcement cyber-crime unit.
(6) In 2014 mobile malware will complicate the threat landscape for law enforcement and cyber-crime units, as malware will reach an all-time high as hackers continue to develop ways to gain access to the one thing that all of us use to store confidential data, our smartphones.
(7) Law enforcement will see an increase in cyber related reports as web browser vulnerabilities will become more common as attackers know that behind the firewall on each network there is a system that has a vulnerability that can be exploited. The days of hacking the perimeter defences will diminish as exploiting a web browser that is not patched is an easier way to gain access to a network.
(8) In 2014 we will see cyber criminals increase the use of social media for victim identification and profiling purposes which will lead to an increase in Law enforcement using social media to solve all types of crime.
(9) Unfortunately in the Caribbean there will be a major reported cyber breach that will get regional and international attention, and cause major financial and reputational losses for the organization, business or government.
(10) The true hidden cost associated with migration to cloud technology will be revealed and attackers will now shift attention to cloud data transmission, storage and processing.
Looking down the list of top predictions, it's quite clear that Caribbean law enforcement organizations will be battered by the new threat landscape encompassing an increasing range, impact and frequency of potential vulnerabilities which will demand an appropriately sophisticated response by those charged with cyberdefence -- whether at the family, organisation or national level.
The time for Caribbean businesses and organization to get their cyber security houses in order and for Caribbean law enforcement organizations to improve and enhance their cyber-crime digital forensic capabilities and private sector collaboration, is “NOW”.