BitDepth#1445

Mark Lyndersay

THE LAST meeting of the OAS discussions between government-level experts on cybercrime took place in December 2016.

On the agenda then were the challenges of prevention, investigation and prosecution of cybercrime and the importance of effective legislation.

Those priorities are still relevant, but in the larger landscape of cybercrime, everything has changed.

According to National Security Minister Fitzgerald Hinds, there have been 205 successful cyberattacks in TT between 2019 and 2023. It’s tempting to add to that the caveats that under-reporting of data breaches is widespread and to further note that the minister did not define what constituted a successful cyberattack.

In the face of the hard rain of reported data breaches by professional ransomware hackers, the Government is preparing a “cybercrime legislative package” that will update existing laws both on the books and still to be proclaimed.

This followed an attack on the Ministry of the Attorney General and Legal Affairs, after which Digital Transformation Minister Hassel Bacchus declared that the Legal Affairs Ministry is “one of the more secure environments” after the attack.

All too often, the revelation of a cybersecurity breach is triggered by a failure of services or exposure by ransomware collectives.

Ricardo Fraser, vice-president of the International Information System Security Consortium (Caribbean and Latin America Chapter), said that, “Organisations bear a crucial responsibility as custodians to safeguard data against unauthorised access. In the unfortunate event of a breach, organisations must prioritise transparency by promptly notifying stakeholders without fear of unwarranted criticism. A cybersecurity breach doesn't necessarily indicate shortcomings in an organisation's established controls; independent investigations are essential to determine any potential negligence.

“Proper reporting of breach incidents is paramount to balance the needs of all stakeholders, including customers, regulators and shareholders. While organisations may initially hesitate to report breaches due to concerns about reputation and shareholder interests, measures should be implemented to ensure individual privacy protection and minimise individual impacts, whether reporting is mandatory or voluntary.”

Shiva Parasram, an ethical hacker and cybersecurity consultant said that, “As a researcher, I spend many hours every day on the dark web. If they make this work illegal, it stifles independent investigation. Then, a lot of companies will suffer because I help many companies this way. I give lots of free advice to the general public.”

“(The 2017 bill) wasn't very well thought out at all. I'm really hoping that some serious thinking gets put into it and that they actually invite people who know what this stuff is about and how it can benefit cybersecurity researchers, particularly what's required with dark web and penetration testing, vulnerability scanning and assessments and ethical hacking. It should really be