I would first like to thank Microsoft for inviting me to attend and participate in this important event. Microsoft has been one of our key partners in developing our cyber capabilities at the OAS. Just last week I was at a similar cyber conference not far from here at FIU sharing the stage with one of your executives. Last month in New York at the offices of the World Economic Forum we launched our Human Trafficking Public Private Partnership toolkit, and one of the first companies to sign on was Microsoft. No, this is not a paid commercial but I do believe in mentioning this to encourage others to join these efforts. To my fellow speakers, Wil van Gemert, Deputy Director of Operations, Europol, and Joseph M. Demarest, Jr., Director of Cyber Division, FBI: I look forward to this dialogue.
Scale and scope
Let me set the table for the challenge that has brought us all here together. Last year I was asked by the WEF to chair one of their 6 Meta Councils in their network of Global Agenda Councils. In my case it was the Illicit Economy Council. Our challenge and mandate is to become the integrator or coordinator on issues like cyber, corruption, counterfeiting, human trafficking and illicit financial flows, to name but a few. Our goal is to bring these issues out of the shadows to understand their scale and scope and to build global partnerships to try and address them. Rather than get lost in a numbers game I see the Illicit economy like that of a large G8 country; some estimates put it at around 3.7 trillion dollars a year, an economy that is growing faster than many of the other legitimate economies or businesses.
This as you can imagine places an enormous stress on our institutions, people and democracies. Put this in the context of a world that has never been smaller; we are hyper-connected at hyper speeds which has without doubt become an enormous engine and opportunity for growth and development. It is estimated that by the end of 2015 over 20 billion devices will be connected to the internet.
Over 3 billion persons are internet users, representing just over half of the world population. In Latin America and the Caribbean alone there are approximately 250 million internet users.
This is not just a rich nation phenomenon either as there are generation jumping possibilities, as seen through the growth of mobile banking systems in Haiti and Kenya, just to name a few. So what some call “The Internet of things” has arrived. I call it the “Internet of us,” as “we, the people,” are at the heart of these new technologies that connect everything from our bodies to our phones, homes, and cars. The “Internet of things” has made our society hugely dependent on technology, mobility and data. This dependency and the growth of the now generation of society has changed the way we interface with each other and has revolutionized business processes and to a certain degree has contributed to a breakdown in trust.
This has created a royal feast for criminals:
There is no doubt that this hyper-connectivity is a powerful development tool that must remain open and accessible. It is an engine of growth and an opportunity for governments, business, and individuals alike. However, this very openness and accessibility and the need for immediacy does come with costs and risks. So imagine the business case for a legitimate social entrepreneur – built on openness, ease of access, with slow institutional or regulatory response and hungry consumers that make an investment low-risk and high-reward. This is the same business case for the criminal entrepreneur.
The Internet has lowered the barriers to entry, both in terms of access and availability, for criminal entrepreneurs to participate in illicit activities while making it more difficult for law enforcement to link the crime to the perpetrator and jurisdiction. As with any business, with such low barriers to entry cyber criminals are flooding the market. As a result, they are now being forced to be even more innovative and adopt tools that create deeper layers in the recesses of the internet.
It is estimated that the annual cost to the global economy from cybercrime is more than $445 billion, including both the gains to criminals and the costs to companies for recovery and defense. Targeted attacks are now a rising trend and according to the APT notes repository, these kinds of attacks have grown over the past several years from 3 identified attacks in 2010 to 53 known attacks in 2014 and probably many others still undiscovered. Those that have been successful reaffirm the impact that these targeted attacks can have and make them more attractive for other criminals to attempt.
Zero-day vulnerabilities, security holes in software such as browser or operating system software that are unknown to software makers or antivirus vendors, are becoming increasingly common due in large part to the emergence of a vast market for buying and selling them, driven primarily by the demand from militaries, intelligence and law enforcement agencies and national governments.
According to a report from the United States Identity Theft Resource Center, there have been 720 major data breaches during 2014, with 304 of them affecting the health industry (42.2%). With the advent of the Internet of things, even more personal data will be stored on a multitude of devices, increasing the volume of opportunities that cyber criminals will have for data theft. Malware on mobile payments is predicted to increase as the ease to make payments online improves. Electronic financial transfers and transactions amounted to nearly US$ 1.5 trillion in 2014, and it will only continue to grow. More online value transactions will create incentives for cyber criminals.
This year also saw a number of platforms attacked through vulnerabilities. Events such as Heartbleed and Shellshock showed how insecure code could be used in large-scale attacks. Cyber security is also a top concern for US electric utilities, with only a third having the proper systems in place to defend against a cyber-attack, highlighting the continued vulnerability of critical infrastructure. US intelligence agencies recently put cyber-attacks from foreign governments and criminals at the top of their list of threats to the country, with online assaults threatening to undermine US economic competitiveness and national security.
Our approach therefore to cyber security must be multidimensional and involve key sectors like the business community, non-governmental organizations and the average citizen or consumer. To fight crimes, particularly dynamic ones such as cyber threats, it is critical to adopt inclusive models that reinforce horizontal collaboration and rebuild trust within and beyond borders. As Chair of the WEF Meta-Council on the illicit economy, we are attempting just this.
We obviously can’t throw our hands in the air and quit cause it’s too difficult
It is clear that cyber criminals are becoming more creative, turning to the darknet and hidden forums to sell and make profits from stolen information. These forums have only been successfully taken down through collaborative efforts of public-private partnerships and global law enforcement cooperation. For example, Trend Micro and Microsoft both aided in cleaning up the botnet GameOver.
The United States, in addressing cyber threats and ensuring national and economic security, has recognized that affected entities (private and public) must be able to share information on cybersecurity risks and incidents and collaborate in real time response. The President of the United States in addressing this issued the Executive Order (EO) on Improving Critical Infrastructure Cyber Security and the Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience on February 20 of this year. These policies reinforce the need for holistic thinking about security and risk management. There are two significant points in these Orders:
- Increase the volume, timeliness and quality of cyber threat information sharing; and
- Evaluate and mature the public-private partnerships.
According to the recent Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing, to address cyber threats private companies, nonprofit organizations, executive departments and agencies, and other private and public entities “must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real-time as possible.” The order explicitly encourages the voluntary formation and strengthening of organizations focused on the sharing of cybersecurity information, regarding risks and incidents, not only supporting the partnership of such organizations with the federal government but among the private sector as well. Such ‘Information Sharing and Analysis Organizations’ (ISAOs) “may be organized on the basis of sector, sub-sector, region, or any other affinity … and may be drawn from the public or private sectors, or consist of a combination of public and private sector organizations.”
These directives make it clear that this is not a venture that can be done alone. Our focus today is on the “need for partnerships between the public and private sectors to meet the challenges of information security in the fight against cybercrime”. In that vein, I will outline the Organization of American States approach in treating this threat by shifting the paradigm from being an emerging threat to an ever-present threat.
The state of the region
As stated earlier, Latin America and the Caribbean have one of the fastest-growing Internet and mobility populations in the world, giving rise to a number of significant cyber security challenges both today and in the future. Fortunately we are now seeing a shift in the preparedness and response of our member states. Some of them have dedicated cyber crime investigation units in their law enforcement agencies. Nevertheless, we have noted that we must continue to strengthen these and support their efforts by passing comprehensive legislation that is in line with internationally recognized practices.
In 2013, many countries made significant strides forward in developing their policy and legal frameworks and building their technical capacities. Many governments made significant headway in establishing or operationalizing a national cyber incident response team or capability. Numerous laws were adopted during the course of the year, strengthening legal frameworks and enabling national authorities to respond better to, investigate, and prosecute nefarious cyber activities or crimes involving the use of ICTs.
The work being done by the OAS in Cyber Security
Strengthening cyber security and improving critical information infrastructure protection throughout the Americas is the overarching objective of our Cyber Security Program. Specifically, the program aims to:
- Assist OAS Member States to establish robust national and governmental cyber incident response capabilities, including 24/7 “alert, watch, warning and response” groups—CSIRTs—through technical training and capacity-building assistance;
- Facilitate communication, information-sharing and collaboration between national CSIRTs and other cyber security-related authorities, including through an OAS-hosted Secure Hemispheric Network of CSIRTs and other collaborative platforms and information-sharing mechanisms; and
- Promote the development of national cyber security strategies and frameworks in all OAS Member States, in order to ensure that cyber security is addressed in a comprehensive and coordinated way at the national level in each State.
Our activities have built momentum since the program started in 2004 with the adoption of the Comprehensive Inter-American Cyber Security Strategy. The Cyber Security Program has promoted the creation of Computer Security Incident Response Teams (CSIRTs), whose numbers have risen from six (6) to nineteen (19) in the last decade. In parallel, countries such as Colombia (2011), Panama (2012), Trinidad and Tobago (2013) and Jamaica (2015) have established national cyber security policies and strategies. In 2014, the OAS initiated the national strategy development process in Dominica and Bahamas, as well as the development of a national cybersecurity action plan for Suriname.
In addition to CSIRT and National Cyber Security Strategies development, the Cyber Security program conducts cyber security crisis management exercises, which have been used for training activities in eight (8) countries through a mobile cyber laboratory built and configured by the OAS.
The OAS Cyber Security Program continually strives to build partnerships with various processes and entities such as LACNIC, Anti-Phishing Working Group, and FIRST to name a few, recognizing the need to establish a multi-sectoral approach to building capacity in our member states. Although many of our member states have varying realities, we have reached consensus on this complex issue recognizing that as a region we must ensure the capacity is present in all – to respond to this threat.
The OAS has also signed MOUs with private entities such as Microsoft who are also strategic partners with the WEF. The OAS itself is also represented in the WEF community through my involvement as Chair of the Meta-Council on the Illicit Economy.
What else we can do…
The OAS has partnered with several private and public bodies such as Microsoft, OWASP, Interpol, the Government of Estonia and the Global Cyber Security Capacity Centre at the University of Oxford. The added value that we have seen in these partnerships has been mutually beneficial. For example we have partnered for capacity building training in our member states, to produce reports such as the ‘Latin American and Caribbean Cyber Security Trends and Government Responses’ (2013) with Trend Micro and ‘Latin America Cyber Security Trends’ (2014) with Symantec. More recently we have received technical assistance from Microsoft in the preliminary work we are doing with the Global Cyber Security Capacity Centre in partnership with the Inter-American Development Bank on a study this year on the state of cyber security in Latin America and the Caribbean.
One of the original focuses of the OAS Cyber Security Program was to develop a hemispheric network of CSIRTs. The purpose of this network was to facilitate real-time communication and information sharing between CSIRTs in the Americas, as well as to ensure that each country had a designated official point of contact for cyber incident response issues. In addition to serving as a tool for communication, the network will also provide a forum where response teams can correlate logs and eventually perform other incident response processes, possibly including the deployment of sandboxes or other tools.
Finally, the network will be a clearinghouse of information about Member State institutions, legislation, and other relevant details, helpful when trying to determine or understand the often complex nature of a neighboring country’s cyber organization. In addition to an area whose access will be restricted to a small number of nominated officials from each Member State including law enforcement, there will be a portion of the network that is open to the public. This kind of tool serves as a strong cooperation model which we can extend to international and regional law enforcement bodies such as Europol, Interpol and Ameripol to work collaboratively and trans-regionally with our member states and the OAS on cybercrime issues.
We will also continue to advocate for other relatively simple and practical solutions such as:
- Whitelisting software and hardware applications
- Frequent patches for popular software solutions
- Limiting those with system-wide administrator rights.
- Robust dual authentication passwords.
- Proactive disclosure when a cyber incident occurs.
- Robust collaboration amongst all sectors and regions.
The threat from the ever increasing scope and scale of cyber crime is both real and challenging but the OAS is succeeding in laying the groundwork for integrated, multidimensional and multisectoral responses through private-public partnership and the establishment of a network of actors all dedicated to combating the threat that is cybercrime.