BY NIEL HARPER — Think about the following scenario for a minute:
A Caribbean government deploys a health information system (HIS) with the goal of improving the quality and coordination of patient care in the public health system. For all intents and purposes, expert consultants from Europe and the USA are brought down to implement the system, and to ensure that best practices for securing and protecting sensitive clinical data are used. The project is successfully completed, the consultants leave, and hand off day-to-day management of the system to the government’s IT staff.
The government has no overall IT security policies, procedures or guidelines to ensure that the system and the data housed in it continue to be secure and protected from malicious threats. There are no trained or experienced IT security experts on the government’s payroll. There are no data security standards enforced by the government. There is no data protection legislation in place to provide a control framework for protecting highly confidential healthcare data from being stolen by hackers, or to prevent data from being accidentally lost or leaked.
Eventually, all these weaknesses together result in persistent compromises of the system by hackers, and all the private clinical data of the citizens of the country are posted on the Internet or otherwise made available for the world to see.
Does the above scenario make you shudder? I know it scares me to death. And the Caribbean region is close to making this a reality.
In the past week, the Government of Barbados informed the public of the launch of their Med Data healthcare information system (HIS) and electronic medical records (EMR) scheme. While they are to be commended on this much-needed initiative to drive efficiency and improved standards of care in public healthcare, I have a number of grave concerns about the manner in which this project has been undertaken.
Data protection legislation
First, no data protection legislation has been discussed, ratified, or implemented through Parliament. Simply put, healthcare data must be processed fairly and with the consent of individuals, especially as it pertains to whom data is shared with and in what context. Legislation should address key areas such as mandatory data breach notifications, heightened enforcement, heavy penalties for breaches, and expanded patient rights. Moreover, any data protection legislation should have a broader scope and include the management and protection of data in areas outside of healthcare, namely banking, insurance and law enforcement.
In essence, data protection legislation would hold both private and public institutions accountable and liable for damages in the event of a security breach. It would also make it mandatory that all breaches are reported to the public so that data owners can take steps to protect their identities. And finally, it allows for heavy fines to be levied on any institution that fails to maintain strong security controls for data.
Data security standards
Secondly, there has been no development of data security standards to accompany the legislation and to provide best practice guidance for accessing, exchanging, transmitting, and storing healthcare data in a secure manner. On a broader scale, the Government has no risk management framework, no IT governance processes, and from an operational perspective, no procedures for responding to IT security incidents. There has been an initiative in play for some time now to create a Computer Security Incident Response Team (CSIRT), but it has stalled due to lack of resources (human and financial).
Given the number of security incidents that have occurred in the public sector over the last couple of years, one would think that government officials would be taking data privacy and security more seriously. Key systems at the Royal Barbados Police Force, Inland Revenue, and the Ministry of Foreign Affairs have been hacked in the last couple of years (and these are only the ones that have been made public or that the government is aware of).
But enough criticism of the government; let’s talk about solutions. There is no doubt that IT governance, risk and control (GRC) is an area that requires major attention from the Government of Barbados. The question is: How do we address these deficiencies?
Recommendations
For one, I would suggest that public officials engage local groups such as the Caribbean Cyber Security Center, Information Systems Security Association (ISSA) Barbados Chapter, Institute of Internal Auditors (IIA) Barbados Chapter, and the Barbados IT Professionals Association (BIPA) to assist them in building the necessary competences to improve the control framework and information security posture of the public sector.
Additionally, an online register of consultants should be established to allow the government to create a repository of world-class professionals — not only in IT, but across disciplines — who can assist them in delivering critical initiatives such as the Med Data project. All the expertise does not reside in Europe or North America. We have talent pools (of awesome individuals) across the Caribbean region that remain untapped.
Another area for improvement is around developing policy and legislation. There needs to be greater engagement of the general public and other interested parties in such processes — effective dialogue is constructive. Mechanisms such as e-participation or crowdsourcing can provide the government with a better understanding of the inherent risks, latent issues or knowledge gaps that may exist in program management and project delivery.
Finally, organizational management and intellectual capital development should be foremost on the minds of public officials. The leaders that we have elected need to think more strategically and create organizational structures that are agile and can respond expediently to the needs and demands of the people, and address the key risks that the country is faced with.
Centralized strategic planning and oversight of the tactical and operational aspects of IT are needed. Key positions such as the Chief Information Officer and Chief Information Security Officer must be defined and filled appropriately. Government employees have to be trained in disciplines such as project management, risk management, IT service management, business continuity, and cyber-security.
The aforementioned recommendations are not meant to be a panacea. They are basic parts of a maturity model, one that will permit the government’s risk response mechanisms to evolve to better defend against the threats that exist. More importantly, they are of critical importance to building trust in the e-government systems that the public is expected to use. They should also foster a risk-oriented philosophy that pervades the public sector.
Image credit: Colleen Simon, CC BY-SA 2.0
In all fairness to the Government of Barbados, data protection has been drafted for a couple of years now, but no one seems interested in taking it to Parliament (I am not sure why). Moreover, it is inadequate in many areas such as specifically addressing data protection in banking/insurance, law enforcement, clinical research, etc. It also doesn’t touch on mandated breach disclosures, data security standards, fines for breaches, and individual rights and legal recourse. It is very redundant as well.
See this act… There is enough here to prosecute any hacker…
http://www.oas.org/juridico/spanish/cyb_bbs_computer_misuse_2005.pdf
We still need the data protection act… But not like we need the freedom of information act… Just saying!
Douglas – You are incorrect with your assertion that the Computer Misuse Act 2005 “is enough to prosecute any hacker”. It is actually a woefully inadequate piece of legislation. For one, there is no regional or international harmonization (jurisdiction) with other laws, so even a hacker in St. Lucia or St. Vincent could not be prosecuted for accessing a system in Barbados (far less someone from Eastern Europe — where most of the hackers come from these days). It actually does not address jurisdiction at all.
The Computer Misuse Act 2005 makes it a crime for someone who has been susceptible to a social engineering or phishing attack (and has unknowingly given out passwords or access to sensitive data). It also makes it a crime (and infringes on an individual’s rights) to “cause annoyance, inconvenience, distress or anxiety to the recipient” by sending an electronic communication. This would make many of the discussions and arguments on Facebook illegal — as opposed to just being simple freedom of speech exercises. It also doesn’t address crimes facilitated online, but committed offline, such as credit card BIN stealing and card cloning, etc. It doesn’t address botnets or command and control of multiple computers for the purpose of denial of service (DoS) or distributed denial of service (DDoS) attacks. And finally, it doesn’t address online libel in any shape, form, or fashion. It doesn’t speak particularly to viruses or other forms of malicious code. It doesn’t address intellectual property abuses using computers or online piracy. It doesn’t address unsolicited communication (spam). It doesn’t address mobile phone hacking in any manner at all (smartphones are essentially small form factor computers). It also does not address brute force (physical) attacks on computing equipment such as ATMs.
Of great importance as well is that it does not address “chain of custody” which is critical in any computer misuse case, and can render judgment impossible.
And finally, it also hasn’t been updated since 2005, and is out of sync with a constantly evolving threat landscape (advanced persistent threats, spearphishing, spam, mobile threats, etc.).
Here’s an article published in today’s Daily Nation:
http://www.nationnews.com/nationnews/news/59881/charged-misuse-social-media
Remember this exchange Mr. Trotman?
“It also makes it a crime (and infringes on an individual’s rights) to “cause annoyance, inconvenience, distress or anxiety to the recipient” by sending an electronic communication. This would make many of the discussions and arguments on Facebook illegal — as opposed to just being simple freedom of speech exercises.”
I arrest my case!
As to your comment about the Freedom of Information Act, I would say that the Data Protection Act is more important at this time, especially given the implementation of the healthcare information system, and the importance of the banking sector to the economy of Barbados. Overall, the Government of Barbados has done a good job of putting legislation and other government documents online, even if they don’t let people know that these documents are available online (or make it difficult to find them).
And one last thing, the issue in this article is not about having instruments in place to prosecute hackers. My concern is legislation and standards to protect the data from hackers. And then once the data is compromised, mandates to inform the public their data has been compromised, levy fines for failing to protect sensitive data, and to assign liability for damages or expenses to recover a costly data breach (it is very expensive to recover from identity theft or sensitive data disclosure).
I heard a LATAM Cybersecurity technical expert declare recently that he knows many great Trinidadian cybersecurity experts, but they all live/work in the US. I think a lot of blame has to stay with the Governments. Public officials throw around the term “capacity building” a lot around the time of CSIRT development or when seeking to introduce cybercrime legislation, but does it yield tangible results? Are we encouraging growth of a cadre of InfoSec professionals in the Caribbean? Or are we just borrowing piecemeal from first world nations and hoping it will all stay stuck together over time?
Hello Shiva – Like you, I have recognized that most governments across the region have repeatedly failed to invest in adequate training for cybersecurity professionals (and the investment should not be limited to training, but also expanded to technology and process improvements). Most of the strong cyber professionals I know of have developed themselves through rigorous self-study/certification/training, honed their skills in the private sector working for organizations with risk-oriented environments such as banks and telecoms operators, or they have migrated overseas to work for organizations that put a large focus on training and development. I am fortunate enough to fit in all three categories.
That being said, my belief is that there are a number of reasons CARICOM governments are grappling with building out their cybersecurity workforce. For one, they have not defined their needs or created a capabilities matrix which outlines the necessary competencies required for cyber professionals at every level in the public sector (strategic, tactical, and operational). Secondly, there is limited public funding for investment in workforce development — however, there are other ways to obtain financing or reduce the costs of workforce augmentation, such as private-public partnerships, online learning, and international technical assistance (one has to be careful with the last suggestion, as we can fall into the trap you mentioned with regards to superimposing developed country standards on SIDS). Additionally, I am more than certain there is a general lack of understanding within local governments as it relates to the risks and the broad implications of cyber issues, especially in relation to national development. I believe that priorities and mindsets would change and urgency would be heightened if our leaders fully understood the quantitative impacts.
$0.02
Niel, you make some excellent points. I know it might sound negative, but it is true – when it comes to the internet and modern computer technology we tend to put the cart before the horse. The cart is the high internet penetration, BYOD, cloud computing, mobile computing, and e-government. The horse is data protection legislation, breach notification legislation, privacy legislation, computer security standards for government, information security management systems, risk management frameworks, cyber security planning, a national CERT/CSIRT, etc.
No Niel, I’m not incorrect… Domestic legislation is exactly what it says it is. This act reaches into another jurisdiction to treat with Barbadians who have breached if the breach is also a breach of the laws of that other jurisdiction. As to non-Barbadians who commit a cybercrime on data held “in Barbados”, other principles of law will apply to determine which state has jurisdiction to try the individual. Actions may also be brought in Tort, as several of the early cases demonstrate.
A statute does not operate in a vacuum. There is no denying that the legislative framework can be improved, but it is not as bad as you think. Clear cut legislation is what you are asking for, and that will take time. You show me the hack and I’ll show you the legal response, criminal or civil… under Barbadian law.
Douglas, I strongly believe that you are conflating the issues here. First of all, this article is not about cybercrime legislation. I have specifically addressed data security and online privacy legislation, which essentially does not exist in Barbados. The closest thing we have to data protection legislation is the Statistics Act 1984, and this instrument only provides coverage for census or statistical data. It does not cover electronic medical records or detail any requirements pertaining to data security standards. Are we in agreement on this point?
“This act reaches into another jurisdiction to treat with Barbadians who have breached if the breach is also a breach of the laws of that other jurisdiction.” This sounds good in theory, but cybersecurity and related legislation are emerging areas and many developing countries have very poorly drafted laws or no laws at all as it relates to cybercrime. We also have to speak to the “dual criminality” rule that essentially means that one cannot force (or even request) a country’s law enforcement agencies to pursue or cooperate in the pursuit of an individual who is breaking a law in our country, but not in theirs. Hence, there’s no guarantee that a criminal case would even be possible in such instances (even if the individual is a Barbadian).
“As to non-Barbadians who commit a cybercrime on data held “in Barbados” other principles of law will apply to determine which state has jurisdiction to try the individual.” This is an interesting response; I would love to hear what principles of law apply in determining jurisdiction for criminal action with regards to cybercrime. Essentially, international harmonization of national laws is treaty based. The Budapest Convention on Cybercrime is the only treaty with any reach or eminence in the context of harmonizing national cybercrime laws, and outside the Council of Europe (COE) members, only Canada, Japan, USA, South Africa, Australia, Mauritius, Dominican Republic, and Panama have acceded to the treaty. Hence, there would be supreme difficulties around obtaining cooperation from law enforcement in a number of countries as it relates to cybercrime.
Additionally, there are several countries that have no extradition laws such as Croatia, Kazakhstan, United Arab Emirates, Bhutan, Somalia, and a host of others. Moreover, there are countries that have no bilateral extradition treaties with Barbados. Furthermore, pursuing action in the jurisdiction where an individual is domiciled can be both expensive and/or hardly feasible in many cases.
As it relates to common law, matters of tort/delict are generally dealt with in the courts of the place where the harm occurred. Taking this into consideration, Barbados would have tremendous challenges prosecuting someone domiciled in the numerous “safe havens” that exist with regards to cross-border crimes such as hacking. Extradition is pretty much out of the question for such countries, thus enforcing a judgment in absentia would be an exercise in futility. Moreover, most of the hackers that reside in countries that have extradition treaties with Barbados would not even have the money to settle a case where substantive damages have been awarded.
So to accept your “show me the hack” challenge, here are a couple of scenarios:
A hacker domiciled in Azerbaijan compromises 500,000 computers (none of them located in Barbados), and uses them as part of a command and control botnet to initiate an email-based Distributed Denial of Service (DDoS) attack on the email servers of all government departments in Barbados. This action literally prevents government from communicating for days. There may not be any direct financial loss involved, but the indirect operational costs are staggering. What’s the legal response under Barbadian law?
A software engineer in Nigeria develops a virus that he sends to the email server of Massy Group of Companies in Barbados. The virus has a malicious payload and is spread throughout the company, encrypting all the documents where the company’s 2015-18 business strategy is detailed. Key files on desktops and servers are also encrypted, and this basically stalls the business’ operations for a prolonged timespan. The hacker demands that USD$1 million be wired to his account in Nigeria for him to decrypt the files and permit the business to resume operations. These types of attacks are known as ransomware. What is the legal response under Barbadian law?
A hacker in Bhutan exploits numerous cross-site scripting and SQL injection weaknesses on CIBC FirstCaribbean’s Internet Banking platform, and successfully sends a wire of USD$750,000 to his bank account that is held within a local indigenous bank in Bhutan. Bhutan has no cybercrime, computer misuse, or anti-money laundering legislation. Remember, there are also no extradition laws. What’s the legal response under Barbadian law?