Bahamians are sitting ducks – or seagulls, perhaps – paddling away in our beautiful turquoise waters. The bullseye of an unknown number of global villains is trained on us.
If news reports worldwide are taken into consideration, they’re likely to be plotting to shut off the water that runs in our taps, the power that lights our lives and businesses, the banks and other institutions that provide the cash flow that is critical to our everyday lives.
Why, you might ask? Simply because we have yet to take essential steps to protect ourselves from cyber attacks – and this makes us an easy target.
In fact, according to the International Telecommunication Union’s Global Cybersecurity Index 2020, released on June 29, The Bahamas ranks 147 out of 194 countries for its cybersecurity preparedness. Within the region, our rank is 24th out of 35.
The Index measures member states’ cybersecurity commitments across five key areas: legal measures, technical measures, organizational measures, capacity development measures, and cooperation measures. It is intended to serve as a capacity development tool to governments, policymakers, cybersecurity experts and academia in identifying areas for improvement and highlighting best practices for strengthening national cybersecurity.
The Bahamas, despite having a number of legal measures in place, was found to fall down entirely on all the other areas. In its assessment of The Bahamas’ preparedness to deal with cyber threats, ITU recorded no developments of note in any of the other categories – from cooperative partnerships to improve cybersecurity to institutions, policies and strategies to strengthen cybersecurity at the national level; or the existence of a national body or framework to deal with cyber incidents.
At a time when cyber attacks are on the rise worldwide, with major consequences, this is a problem in need of attention. Global losses due to cybercrime are estimated from as low as $1 trillion in 2020, to as high as $6 trillion in 2021.
Most recently, you may have followed the dramatic developments when Russian-backed ransomware attackers disrupted the Colonial Pipeline in the US, and with it, 45 percent of the fuel supply on the US East Coast. There was also the recent attack on JBS, a global meat supplier, which led to meat shortages from the US to Australia.
Ransomware, a particularly disruptive style of cyber attack, is becoming rampant. Cyber intruders enter businesses and government agencies via their technology systems, locking access to systems and files until a ransom is paid, causing thousands or millions of dollars in damage, in some cases. Recent reports indicate it has increased 63 percent globally since 2019 and saw a 158 percent spike in North America, according to the 2021 SonicWall Cyber Threat Report.
Ransom payments to cyber attackers are soaring. The average ransomware payment in the US, Canada and Europe nearly tripled last year, going from $115,000 in 2019 to $312,000 in 2020. Colonial Pipeline is reported to have paid $4.4 million to its hackers.
The variety of cyber attacks worldwide has also been expanding. Among the most pernicious for small and medium-sized businesses are phishing attacks. You’ve probably experienced one yourself.
Typically, an employee will receive an email containing a link that, if clicked, will allow malicious software – malware – to invade their company’s computer systems. This may simply be done to cause disruption, or again, to demand a ransom from the business in return for regaining control over its operations.
Yet, perhaps most problematic of all is the fact that cyber attackers are increasingly training their sights on a country’s critical infrastructure, hitting them with ransomware attacks.
From the perspective of the hacker, it makes perfect sense. Everyone knows that if services like the water or power supply, banking or healthcare are taken offline, disruption can be enormous – and, therefore, the pressure to pay the ransom is proportionately larger.
Such developments have contributed to cyber attacks being deemed the fifth greatest threat facing the world, in the World Economic Forum’s Global Risks Report 2021. Some 39 percent of global survey respondents report that cybersecurity will become a critical short-term threat to the world, ranking only behind infectious diseases (1), livelihood crises (2), and extreme weather events (3).
It is not only The Bahamas that is behind the eight ball. It is just quite a bit further behind than most. Governments worldwide are on the back foot on cyber defenses – as was clearly evidenced by the SolarWinds hack in the US.
This attack, which came to light in December 2020, saw major US government institutions, including the Pentagon, successfully hit by cyber attackers, along with hundreds of major US businesses in the Fortune 500.
The United States government determined that the attack posed a “grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private organizations.”
In The Bahamas and the Caribbean more broadly, cyber incidents are on the rise. In a recent Global CEO Survey, PricewaterhouseCoopers (PwC) found that 67 percent of chief executives in the Caribbean see cyber risk as their top threat, followed by pandemics and health crises, The Royal Gazette in Bermuda recently reported. This was attributed to the growth in digitization within businesses, combined with the substantial increase in cybersecurity incidents in 2020, including ransomware attacks.
Most notably in The Bahamas, there was the attack on our national public broadcaster, ZNS. This led to challenges broadcasting national news, loss of years of archival footage, and preliminary estimates that damages would run to the hundreds of thousands of dollars.
The Royal Bahamas Police Force, meanwhile, reported an increase of more than a third (36 percent) in hacking and extortion in The Bahamas in the first six months of 2020, compared to the same period in 2019. Undoubtedly, this is only a small snippet of the real number – and of what can be expected if our cyber defenses at the national level and across the private sector remain weak.
Having worked with major international consultancies and insurance companies as they seek to raise awareness among their customers about the need to bulk up their cyber resilience, the consistent message is that all too many organizations have failed to invest in cybersecurity until it’s too late – and the time to act is now.
As the government looks to increase digitization within its agencies, as it must if The Bahamas is to serve its citizens efficiently and effectively and remain competitive as a place to do business, cyber resilience must be built in at the foundational level. This is critical to ensuring the government can continue to provide critical services to citizens.
Similarly, having a framework in place nationally will become increasingly important to ensuring The Bahamas remains attractive as a place to do business and engage in financial services.
This starts with ensuring the government increases its own cyber understanding and capacity, but also includes engaging in public awareness campaigns that can help other businesses and organizations understand the steps they can take to boost their own.
The ITU and other cybersecurity experts advise that increased cybersecurity awareness programs for small businesses, the private sector in general and government itself are key, along with introducing incentives for organizations to adopt cybersecurity solutions and programs.
Cyber readiness also demands updating legislation. While The Bahamas has three pieces of legislation which govern cybersecurity to some degree, including the Computer Misuse Act, the Data Protection Act and the Electronic Communication and Transaction Act, we only need to look at the years when these were implemented – 2003 and 2006 – to know they are in need of an overhaul if they are to contend with the exponential advances in technological sophistication and cyber criminality that have occurred since then.
Beyond reviewing and updating this legislation in line with global best practice, the government should look to secure critical infrastructure. The good news is that there’s no need to reinvent the wheel here.
In the UK, Australia and the US, legislation has been introduced to protect critical infrastructure. These laws, introduced in 2018 and 2020, place obligations on executives and boards within critical institutions to ensure that they have adequate systems and governance procedures in place to limit the likelihood that they will be hit by a cyber attack and, most importantly, that they will suffer disastrous consequences in its aftermath.
Under the UK law, bosses of firms in health, water, energy, transport and digital infrastructure are expected to have robust safeguards in place against cyber threats and report breaches and network outages to regulators within 72 hours or they face multi-million-dollar fines of up to £17 million. In Australia, businesses across industries from electricity to banking and healthcare have been deemed “critical infrastructure”.
According to the ITU, global cybersecurity spending for critical infrastructure is expected to increase by $9 billion over the next year to reach $105.99 billion in 2021. After all, the growing consensus is that being hit by an attack is now a matter of “when” rather than “if”, no matter your country or industry.
The good news is that in March 2021, the ITU and The Bahamas government announced they would work together to strengthen Bahamian cyber capacities – a development that presumably came too late to be reflected in the ITU’s latest index.
According to reports, The Bahamas has launched a project with ITU to set up a national Computer Incident Response Team (CIRT) to help protect critical digital infrastructure and data by building national cybersecurity expertise, closing human resource gaps, and supporting the elaboration of a cybersecurity framework and policies.
With the government committing to digitize more than 200 public administration services over the next five years, Minister of State for Finance Kwasi Thompson rightly noted that there’s a heightened need to be able to identify, defend, manage, and respond to cyber threats. The ITU collaboration is a preliminary step towards this that should be welcomed – and watched keenly.
It’s easy to assume there are more pressing concerns in our island nation than invisible intruders in our computer networks. Unemployment, health, stimulating tourism and protecting the economy are and should remain front and center.
Likewise, the World Economic Forum’s Global Risks Report 2021 highlights extreme weather and climate action failure as the most significant global risks. This is certainly even more true in the case of The Bahamas, a low-lying island nation, and climate mitigation measures and advocacy should rightly be a core government priority.
Yet cybersecurity can no longer be considered an afterthought. Like other nations, the reality we face is that this threat to our national security is only going to become more complex and more problematic. The longer we leave it unaddressed, the harder hit we will be when the attack inevitably comes – and the longer and more costly it will be to recover.