David Jessop | Caribbean cybersecurity response must evolve
COLUMN: FOREIGN POLICY
A few days ago, British Foreign Secretary Jeremy Hunt, a Conservative, began an important address in an unusual way.
Speaking on the subject of Deterrence in the Cyber Age, he quoted Tony Benn, the late left-wing Labour politician and peace activist.
Mr Benn, he observed, had written in his book Arguments for Democracy that there were five questions every citizen should ask of those who hold power: What power have you got? Where did you get it from? In whose interests do you exercise it? To whom are you accountable? And how can we get rid of you’?”
Of these, Mr Hunt said, the most important was the last, noting that in response Mr Benn had said: “If you cannot get rid of the people who govern you, you do not live in a democratic system”.
By invoking the view of someone of a radically different political persuasion, the United Kingdom’s foreign secretary made an essential bipartisan point. Being able to remove politicians should matter, he said, in every nation that believes governments can only be replaced by citizens through free and fair elections.
“The freedom to pass judgement on your leaders and change your government peacefully, through the ballot box, is the defining quality of a liberal democracy,” Mr Hunt also observed.
The foreign secretary went on to place this in the context of having a clear policy and practical responses to malicious cyber attacks which multiple reports suggest now pose a fundamental threat to democracy.
In order to combat the insertion of the interests of third nations into the political process of others, Mr Hunt suggested that closer cooperation was needed between nations that trust one another.
To this end, he said, Britain was increasing the number of ‘cyber attaches’ in its embassies around the world. These women and men would work alongside “host governments to raise the cost of malicious cyber activity and safeguard a free and secure internet”.
Singling out its support for Jamaica, he noted that Britain was now supporting over 100 countries worldwide to help them strengthen their cybersecurity. If democracies did not jointly defend themselves, the political damage, he suggested, would be “perhaps impossible to repair”.
Although much is now known about the use of data harvesting by Cambridge Analytica and others, and the related use of carefully targeted social media stories in some election campaigns, there is so far no evidence of third country interference in the Caribbean electoral process.
Unfortunately, the signs are that this may not last.
A new multidimensional form of cold war is emerging. It involves in part the use of data accumulation, hacking, targeted social media messaging and other subtle external interventions which aim to change legitimate political and electoral outcomes.
If as experts predict, this will become the norm, countries small or large with high internet and social media penetration such as those in the Caribbean, will need to consider what within their competence they can do to protect their democratic systems, as well as their economies and citizens.
For small nations with limited resources this may require alliances and defence arrangements more usually associated with physical security.
As Mr Hunt indicated, there is now an evidence-based understanding of which nations have an interest in skewing electoral outcomes or creating instability and dissent. However, what is lacking according to recent studies is a detailed understanding of the multiple impacts and the responses required.
In February the UK’s Global Cyber Security Centre, the GCSCC, published a report which indicated that as nations become increasingly dependent on technology, understanding the implications and mitigating cyber harm has never been more important.
In her introduction to the study, the Centre’s founding director, Professor Sadie Creese, wrote: “If we do not ensure that cybersecurity capacity exists across the entirety of cyberspace we will inevitably develop cyber ghettos, places where harm is prevalent and where attacks can be successfully deployed and also from where they can easily be launched.”
GCSCC identified areas of potential cyber harm which go far beyond normal definitions of national security. It suggested that these required much more study and a methodology to identify the areas and ways in which states, companies and individuals will in future have to defend themselves, organisations, infrastructure and national values.
At intervals over the past four years, this column has suggested that Caribbean governments and companies ought to take much more seriously the threat posed by cyber attacks and cybercrime.
This has been happening. Over the last two years there has been movement towards much deeper coordination between national security and law enforcement bodies, the Caricom Implementation Agency for Crime and Security or IMPACS, and a number of stakeholders.
However, some involved suggest that technical and practical challenges continue in relation to information sharing, legislation, and co-operation with external government agencies.
Unfortunately, the global cyber threat is growing in ways that may require more rapid and even strategic choices to be made.
In the last few weeks for example, there have been reports that the US is considering restricting in Europe the sensitive information it shares with some of its allies if they decide to use the next generation of Chinese telecommunications technology provided by Huawei. While GCHQ, the agency that manages the UK’s offensive and defensive cyber capacity, says it can manage any such risk, the United States appears not to be so sure.
The potential for cyber harm is evolving rapidly, taking on dimensions that go far beyond previous concerns about violating national security, criminal activity or malicious behaviour.
Helpfully, the Organization of American States, the GCSCC, and others are engaged in identifying the new threats and their implications for the Caribbean and Latin America in a study to be published later this year.
Beyond this, what is needed more generally is an awareness of what potentially is at stake, the changing nature of cyber harm, and the need for regional and international arrangements that ensure the most damaging effects are mitigated.
David Jessop is a consultant to the Caribbean Council.