Author: nielharper

Today, March 1 2023, the Electoral & Boundaries Commission (EBC) published a farcical response to my concerns about the Government of Barbados’ overall handling of the privacy and security of its information systems and the personal data of Barbadians.

My comments were labelled as ‘allegations’ and ‘misinformation’ around the security of the Trident ID card, security of the registration information captured and stored by the Electoral and Boundaries Commission and data breaches regarding the electronic publication of the Register of Electors.

This post is designed to fact check the EBC’s response.

FACT CHECK #1

The EBC referred to me as a ‘social media commentator.’ I can assure you that I am much more than that, but please decide for yourself by reading my bio profile on the World Economic Forum’s website and this Nation News article on me.

FACT CHECK #2

It has been said that I referred to the release of the electoral list as a major data breach. I have at NO time in the past or the present referred to the release of the list as a ‘data breach.’ As a subject matter expert (SME), I am very careful with my words, and have always referred to the EBC’s major mistake as a ‘data leak.’ Simply put, a ‘data leak’ is when sensitive data is unknowingly or accidentally exposed to the public, and a ‘data breach’ is an event caused by a cyberattack. That being said, the definition of ‘personal data breach’ in the Data Protection Act is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” From all accounts, the publishing of the electoral list to the Internet was accidental and a loss of control which led to unauthorised access to the personal data of Barbadians by persons who did not have a right to know or a right to access this data. Hence, it is technically still a data breach under the law.

FACT CHECK #3

The EBC claims that they are not at fault because they have followed the letter of the law, namely the Representation of the Peoples Act 2007. Laws are not perfect – especially many of the poorly drafted and outdated ones in Barbados – and must be reinterpreted and updated to remain compatible with progressive changes in technology, changing community awareness, changing community values, and changing expectations of the legal system. It must also be said that making a physical list publicly available in libraries across Barbados is fundamentally different in terms of reach and risk to making an online list publicly accessible to everyone on the Internet. The EBC doesn’t seem to understand this quite simple fact, and it’s the role of the Data Protection Commissioner to educate them (which she has unfortunately and repeatedly failed to do).

FACT CHECK #4

The Data Protection Act Part IV sets out requirements for the transfers of personal data outside of Barbados. Section 22 states the following:

Personal data shall not be transferred to a country or territory outside Barbados unless that country or territory provides for

(a) an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of their personal data; and

(b) appropriate safeguards on condition that the rights of the data subject are enforceable and there are available, effective legal remedies for data subjects.

By publishing the full electoral list to the public Internet, the EBC essentially transferred the data of Barbadians to 190+ countries across the world. More than 75 of these countries do not have data protection laws that offer adequate protection for the rights and freedoms of data subjects (citizens of Barbados). This also made the personal data of Barbadians available to what amounts to 4 billion Internet users over which the EBC has no control, including hackers, scammers, fraudsters, and other cyber criminals.

Appropriate safeguards must be provided when processing personal data. One of these safeguards is data minimisation, which means limiting the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. The EBC could have accomplished their specified purpose by only publishing the names and addresses of individuals. Instead, they published additional unnecessary information such as national registration number, date of birth, and gender. Countries with strong privacy laws, competent election authorities, and knowledgable Data Protection Commissioners have prohibited the publishing of excessive amounts of data in order to protect voters from fraud, harassment, victimisation, and other harms or violations of their rights. The failings of the EBC with regards to data minimisation, lack of data security, and transfers to inadequate jurisdictions opens them up to legal liability, possibly even a class action lawsuit, in the event that individual(s) experience significant harm or violations of their rights due to the EBC’s negligent actions.

FACT CHECK #5

The EBC and the Minister of Information and Smart Technology continue to pat themselves on the back for the security of the new Trident ID card, repeatedly comparing it to the previous laminated card. My biggest concerns are not and have never been about the security of the card itself, but with the security of the personal data of Barbadian citizens in the online systems used to store and present the bio information on the card (especially when you consider the 30+ government systems that have been hacked in recent years). Debit and credit cards have chip and pin security too, but they still get compromised and people’s cards and bank accounts get hacked every day. So help me to understand how the security of the Trident ID card and related IT systems is so perfect?

As someone who has implemented secure, complex systems in the banking, energy, retail, software, telecoms, and other industries across the world, I can tell you there are several activities that need to be performed. I sent the Minister of Information and Smart Technology and the Prime Minister an email asking them to have the Cyber Security Working Group (CSWG) conduct an assessment of the Trident ID card and present the findings to the general public. You can find a copy of the email HERE, which includes the detailed list of activities that are required to secure digital systems and personal data.

I can guarantee the citizens of Barbados that the government HAS NOT securely implemented the Trident ID card solution and associated systems, and that less than 20% of those activities in the list have been done. The Government of Barbados does not have the human, technological, and financial resources to secure basic to highly complex IT systems. If they could not secure the Barbados Police Service, Immigration Department, National Insurance Scheme, Queen Elizabeth Hospital, and many other government systems from hackers (a full list can be found HERE), how have they suddenly developed the capabilities to secure the Trident ID card systems? If they have done such a great job securing the Trident ID systems, then the CSWG can easily review the evidence and provide a public report in 2-3 weeks or less. I will even volunteer to lead them to make sure the job is done correctly.

FACT CHECK #6

The EBC has claimed to have “no reports, no knowledge and certainly no evidence of any theft of the identities of Barbadians. Furthermore, the Commission has no reports, knowledge and/or evidence of the theft of the identities of Barbadians due in any part to the previous publishing the Register of Electors.” They also claim that their “investigations show that there are no such reports before the Anti-fraud Committee of the Bankers Association of Barbados and no such reports before the Central Bank of Barbados.” I am more than certain that none of the above parties track the sale of personal data in Dark Web marketplaces, possess the know how to obtain electronic evidence (e-evidence) of cyber criminal activity from social media platforms and other online services, have access to open source threat intelligence from law enforcement and intelligence agencies, or are privy to advanced fraud intelligence. So how would they know when and where online fraud and cyber crime using the identities of Barbadians are occurring? I would also suggest that the EBC obtain detailed reports on the rise in identity-based fraud in Barbados or targeting Bajans in the last year. I’ll wait…

My LinkedIn, Twitter, Instagram and other social media feeds has been filled with comments from ex-Google, ex-Meta, ex-Microsoft, ex-Amazon, and other laid off tech employees.

First of all, I see you, I empathise with you, and I respect you immensely! Many of you have invested many years of your lives and made several personal sacrifices to make these companies successful. I acknowledge your hurt and your trauma, and feel your sense of loss.

Now that aside, going forward, don’t be surprised when businesses do business things. These companies ARE NOT your family and they definitely ARE NOT your friends. It’s a transactional business arrangement for them, and you should treat it similarly.

Now here’s what you do with your considerable knowledge and experience going forward… OWN IT!

1) Make sure that you enter into a ‘contract for service’ and never a ‘contract of service.’ Know the difference!

2) Always have multiple sources of income. Invest in an Airbnb revenue property. Seek out paid board roles. Find a gig teaching for extra income. Apply for that fractional/part-time or advisory role. There are a lot of options out there!

3) Always have an exit plan for your current employer, and a backup plan for that exit plan (I am so serious!).

4) There is nothing wrong with prospecting and interviewing for your next gig, even when you’re happy with your current gig, or even if you’ve just started a new gig.

5) In your next contract, if possible negotiate for 3-6 months of severance if you’re laid off.

6) Invest in a diversified skill set that prevents you from being ‘locked in.’ For example, I have qualifications and experience in telecoms engineering, IT management, digital law & policy, telecoms regulation, audit, privacy, cybersecurity, IoT and smart cities, sustainability, and risk management. And I am pimping the hell out of these skills!

7) Network, network, network! #nuffsaid

8) Tag me in your job search posts. I will repost for reach and visibility.

9) Feel free to reach out to me if you want to talk, need some advice on career planning, or just want to vent. I promise that I will listen (authentically) and be judgment free.

10) Breathe and live a little – It’s not the end of the world. And always remember, “These companies ain’t loyal!”

I was recently quite critical about the Government of Barbados’ announcement of their participation in a pilot for the Cyber Nations Training Initiative, a programme created in Canada with a mission of training 100,000 people from the Caribbean and African countries as cybersecurity operations analysts, incident responders, and cyber literacy coordinators.

This initiative at face value is highly commendable as it addresses critical national workforce development needs for cybersecurity. Where I believe it goes off the rails is the expectation/objective that a 4-month crash course in cybersecurity will guarantee that the 200 persons trained will obtain remote jobs with Canadian or other foreign businesses making CDN$60k or more per year. This is simply out of touch with the realities of the cybersecurity profession and relevant workforce demands. Moreover, these unrealistic expectations coupled with a requirement that interested parties commit to a BBD$14k (USD$7k) student loan, basically sets individuals up for disappointment and frustration when the government’s promises don’t come to fruition.

All the above being said, I would like to use this blog post to recommend an alternative approach for cyber capacity building to the government. Hopefully, they’re willing to engage and cooperate with myself and across various stakeholder groups to effectively deliver.

STEP 1: PREPARE

• Identify an executive sponsor in government for cybersecurity workforce development. This person should have authority, be empowered, possess advanced training and a strong understanding of the country’s multi-dimensional cyber workforce needs, and be afforded the necessary human and financial resources to execute.

• Develop and publish a vision for the national ICT workforce, highlighting cybersecurity as a critical priority area.

• Encapsulate cyber capacity building and workforce development into a refreshed national cybersecurity strategy.

• Work with key stakeholder groups to undertake a cybersecurity workforce readiness assessment. Available tools like the Cybersecurity Workforce Planning Capability Maturity Model (CMM) can be used.

• Engage and involve stakeholder groups such as academia, technical community, civil society, and the private sector (especially critical infrastructure providers). From the government perspective, key ministries with cyber-related and national security activities, law enforcement, military, and the judicial service should participate.

STEP 2: PLAN

• Perform a cybersecurity workforce risk assessment to better understand risk exposures and risk tolerance, define mitigating actions, and assign owners and due dates.

• Create an inventory of the existing cybersecurity workforce.

• Determine existing/future needs and address the gaps. Key functional areas should include:
  • IT audit
  • Security management
  • Governance, risk & compliance (GRC)
  • Security awareness and training
  • Security education (e.g., University of the West Indies, Barbados Community College, and private training centres)
  • Judicial officers trained in handling cyber related cases
  • Cyber law and policy experts (e.g., privacy, cyber diplomacy, ethics & technology, emerging technologies, Internet governance, etc.)
  • Law enforcement and military officers trained in cybercrime prevention and cyber defensive/offensive capabilities
  • Incident response 
  • Threat intelligence
  • Penetration testing
  • Security operations
  • Security architecture
  • Application security
  • Computer forensics

• Considerations need to be made for staffing the public sector and private sectors, exporting talent, attracting foreign direct investment (FDI), and creating local cyber-focused startups.

STEP 3: BUILD

• Develop and align positions in a national workforce framework, considering entry-level through advanced positions.

• Ensure that non-technical traits for cyber professionals are also factored into training and development plans.

• University of the West Indies (UWI) and Barbados Community College (BCC) should include mandatory cybersecurity courses in all IT and computer science diplomas and degrees. They should also develop undergraduate majors in cybersecurity and postgraduate specialist degrees in cybersecurity. The UWI Faculty of Law should develop postgraduate qualifications focusing on cyber law, Internet governance, and ICT policy.

• UWI should seek to establish an international cybersecurity research centre and explore twinning with other centres led by world class institutions (e.g., Harvard Berkman Klein Centre, FGV School of Law – Sao Paulo, Stanford University Centre for Internet and Society, Internet Interdisciplinary Institute – Barcelona, Chatham House, Oxford Internet Institute, Strathclyde Center for Internet Law & Policy, etc.).

• Prevailing cybersecurity requirements should be considered in the redevelopment of all general tertiary education curricula.

• Foster private public partnerships (PPPs) to offer cybersecurity scholarships and/or fellowships to high potential students and professionals.

• Partner with global organizations like ISACA, (ISC)2, EC Council, PECB, Global Forum for Cyber Expertise (GFCE), and others to provide industry recognised and broadly accepted training and certification.

• Collaborate with the Organization of American States (OAS), IDB (Inter-American Development Bank), Caribbean Development Bank (EDB), International Telecommunications Union (ITU), European Commission, and others to finance and deliver a broad range of capacity building trainings across key government agencies.

• Accede to the Budapest Convention on Cybercrime to become a priority country for cyber capacity building programs, among other important benefits.

• Train judicial officers (Supreme Court of Barbados) to better oversee computer crime cases and develop local and regional jurisprudence.

• Commit to a dedicated annual cyber education and training budget for the public sector.

STEP 4: ADVANCE

• Public and private sector organizations must develop retention plans for critical cyber resources, and particularly to combat brain drain.

• Create and implement a plan to attract foreign direct investment (FDI) in areas like managed security services, business process outsourcing, and to fund innovative local cybersecurity startups.

• HR departments in public and private organizations should develop career paths to help cyber talent navigate their careers.

• Formulate continuous development opportunities for existing cyber talent.