No one is an island: How Caribbean states are working together to tackle cybercrime
Members of the Caribbean Community are working through an action plan to harmonise laws, increase investigative skills and broaden international cooperation. PublicTechnology finds out more.
A central axiom of the cybersecurity sector is that digital threats are borderless, and entirely unconstrained by the boundaries that demarcate the physical world.
Perhaps it is no surprise, then, that cyber specialists largely drawn from a group of island nations – most of which have no land borders with other states – would set an example in collaboration from which many other countries could learn.
Marking its 50th anniversary next year, the Caribbean Community – or CARICOM – claims to be “the oldest surviving integration movement in the developing world”.
It is comprised of 15 member states, including Antigua and Barbuda, Bahamas, Barbados, Dominica, Grenada, Jamaica, Montserrat, Saint Lucia, St Kitts and Nevis, St Vincent and the Grenadines, and Trinidad and Tobago. Alongside these island groups, Suriname and Guyana on the South American mainland are also members, as is Belize in Central America, and Haiti, located on the island of Hispaniola.
The organisation’s remit is to enable integration and cooperation across the region. The union operates via a wide range of autonomous institutions, focused on areas such as trade, criminal justice, the environment, and technical standards.
“We needed to have this coordinated response to enhance capabilities and security posture, as well as capacity building within our member states.”
Anselm Charles, CARICOM IMPACS
Among these bodies is the CARICOM Implementation Agency for Crime and Security (IMPACS), which was founded 16 years ago to help set strategy and support regional response to issues of crime and security.
Such issues are, of course, increasingly shaped by cyberthreats.
The CARICOM Cyber Security and Cybercrime Action Plan (CCSCAP) – the implementation of which is overseen by IMPACS – was signed off by the community’s governments in 2017. The plan is intended to help member states address threats and vulnerabilities by codifying a “practical, harmonised standard of practices, systems and expertise for cybersecurity, to which each Caribbean country could aspire”.
Anselm Charles, ICT manager for CARICOM IMPACS, tells PublicTechnology that CCSCAP was created against the backdrop of an expanding threat posed by cybersecurity issues and digitally enabled crime – and a recognition that collaboration would help meet these challenges.
“We needed to have this coordinated response to enhance capabilities and security posture, as well as capacity building within our member states,” he says. “Before that, it's not that activities weren't being done; it's just that there was no coordinated framework – you would have people do something here and there, and we weren't sure what was being done, and what was being achieved.”
CCSCAP picks out five key areas of focus for IMPACS over the coming years: public awareness; building sustainable capacity; technical standards and infrastructure; the legal environment; and regional and international cooperation, covering incident response, cybercrime investigation and capacity building.
The cooperation and oversight fostered by the action plan means that IMPACS can act centrally to direct initiatives to help avoid duplication of effort. This is particular important for a body whose members include both Montserrat, a tiny British Overseas Territory with about 5,000 inhabitants, and Haiti – a nation of almost 12 million people.
“As with any region, you have people who are ahead of the curve, and then you would have people who are in the middle of the curve, and then you'll have the people who are just starting the curve,” Charles says.
The ICT chief adds that IMPACS can help all members work towards their cybersecurity goals but can, in particular, assist in taking initiatives and lessons-learned from larger or more technically mature countries, such as Jamaica, and transposing them onto smaller nations, such as Dominica.
In 2019, the organisation’s objectives were given a boost when it secured funding from the European Union to undertake a ‘Capacity Development’ project across CARICOM nations. The overarching goal of the initiative – which is divided into two tracks, respectively dedicated to cybercrime and asset recovery – is to increase the region’s skills base and, ultimately, its security.
Dale Joseph, a cybercrime policy specialist for IMPACS, led the cyber element of the programme. He tells PublicTechnology that work began with an exercise in “legislation harmonisation within all CARICOM member states”.
“We hired a legal consultant who looked at all the technology-based legislation and all 15 CARICOM member states and we did a comparative analysis [with each other] and with legislation in other jurisdictions. We also mapped it to what is happening in the Budapest Convention on Cybercrime,” he says “[We look at] what happens if, for example, in Trinidad and Tobago, if the criminal offences does not match that in Barbados. And we wanted to share information… to enable investigative continuity. So that was the first phase: we did the legislative gap analysis, and then we did an action plan as to how we could move towards harmonising legislation, with a view of bolstering our ability to prosecute, investigate and prosecute cybercrimes in the region.”
Number of CARICOM member states, ranging from the tiny island of Montserrat to Haiti, a nation of 12 million people
Year in which CARICOM was founded; IMPACS was established in 2006, and the Cyber Security and Cybercrime Action Plan was created in 2017
Expected annual global cost of cybercrime by 2025, according to research firm Cybersecurity Ventures
Trinidad and Tobago
Country set to become first CARICOM member – and the second Caribbean country, after the Dominican Republic – to accede to the Budapest Convention on Cybercrime
Having worked to close gaps in the applicable legislation, the EU-funded project then sought to do the same with the training offered by member states to law-enforcement authorities, members of the judiciary, and senior government officials with oversight of national infrastructure and responsibility for responding to related cyber incidents.
Areas targeted for further education – which was delivered in partnership with PublicTechnology sister organisation Dods Training – included law enforcement live data forensics. This involves collecting data from devices that remained switched on at crime scenes.
“The capacity that we saw prevalent in the region was in dealing with devices that are switched off,” Joseph said. “But there's a special skill set to deal with devices that are in the 'on' state… [including] issues such as encryption, and preserving volatile data.”
Cyber incident response units across the region, meanwhile, undertook training on that covered best-practice frameworks and methodologies. Judiciary professionals were guided on the role of digital evidence in court proceedings.
The training programme, which was delivered remotely – incorporated input from a number of regional and international institutions – including UN Women, the Council of Europe, and the Caribbean Court of Justice. Joseph says that running courses virtually enabled content to have extensive reach, and a focus on interactivity.
For Charles, the watchword now is “sustainability”. IMPACS is working with in-country police academies and the University of the West Indies – which has campuses in several CARICOM countries, as well as offering remote learning – to ensure that the curricula developed for the cyber training is taken on and embedded into locally delivered initiatives. This is especially important in an area that changes as rapidly as the threat landscape.
Backed by a more supportive legislative framework across the region and an increased skills base, IMPACS is now developing a digital forensic management platform to collect and share data on malicious activities. Current threats and bad actors will be tracked, and information will be gathered via so-called honeypot systems – which are decoy platforms designed to attract attacks.
“This data will be shared in real time with all first responders and member states, to [improve] protection of our critical infrastructure and share investigative materials with all law enforcement officials to allow for operational continuity,” Joseph says.
In addition to this threat intel, the platform – which is due to go live this year – will also enable users to access and share research and other information related to legislation and investigative techniques. It will also allow IMPACS to monitor and manage skills and resources throughout member states, and help direct these in response to cyber incidents.
“After the platform is completed, we are going to go into each member state and do in-country sensitisation,” Joseph says.
This process will offer an opportunity not only to promote use of the digital forensic management system, but also raise general awareness of cyber issues.
Joseph adds: “We will target everyone from the public up to high-level government officials, [looking at areas like] how do you enact and bolster your personal cybersecurity? How do you enact and bolster your business cybersecurity? How can you contribute to your organisation's cyber profile, cyber capacity and cyber resilience?”
CARICOM IMPACS is also striving to enhance its work beyond the Caribbean and extend the region’s participation in international initiatives.
Created in 2001 by the Council of Europe, the Convention on Cybercrime – popularly known as the Budapest Convention – has been signed and fully adopted by 67 nations. The treaty represents a collective agreement to work on standardising laws while increasing collaboration and boosting law authorities’ ability to purse cybercrime.
Only one active signatory, the Dominican Republic – not a member of CARICOM – is among these.
But, in October last year, Trinidad and Tobago – home to IMPACS’s headquarters – was invited to accede to the convention. This marked the formal start of a five-year process that will be supported by technical assistance from IMPACS and should end with the country joining the other 67 states under the banner of the cooperation agreement.
Charles says that the intention is for Trinidad and Tobago to blaze a trail that other the other nations of CARICOM (the insignia of which is pictured, right) can then follow.
“The Dominican Republic has been the poster child [for cybersecurity] and sometime we bring the members there so they can actually see the benefits of being a signatory,” he says. “But we also know that, because of CARICOM relations, if we were to get a CARICOM country to start going forward, then other countries will follow. We had a list of countries that were closest – because there are some things that you need to have in place before you can ask to start the process. And there are there were a couple of countries that were either fulfilling those requirements, or had to change one or two things that were very minor. So we said: ‘Listen, we're going to not necessarily neglect the others. But we're going to see if we can get one of those countries to start the process’. And working along with our national partnerships, as well as our international colleagues, we were able to get Trinidad and Tobago to actually make this step to go forward.”
He adds: “There are now plans in place currently to go after or to work with the other countries that are on that list, because they have become even closer to the line because of developments and capacity building and so forth. And we are hoping that we can get another country to start that process by the end of 2022.”
For those member states with that may be a little way behind the regional leaders, Charles assures them that IMPACS is “not asking you to make this big leap… we will start small” – and wants to convey another simple message.
“Talk to us – let us know what you need,” he adds. “And we'll attempt to build it or work with you – or even point you in the right direction; because we don't have all the resources, and we don't have all the knowledge. But what we do have is a strong working relationship with our global and regional partners. So that, if we don't have the resources in house, we are able to source those resources to ensure that we meet we always have our eyes on that end goal: to have a better cyber posture.”
Personal details of civil servant and supplier exposed by inadequately redacted document, discovered by PublicTechnology
Specialist unit of competition regulator builds staff numbers with legislation to provide it with powers slated for introduction before April 2024
New system will enable agency and online platforms to fulfil respective obligations outlined in Online Safety Bill
Move to introduce code of practice for the likes of facial recognition and fingerprints is believed to be a world first