Cloud Security Trends: What Is Cybersecurity Mesh?

“Have you heard of cybersecurity mesh?

Some are calling it one of the more notable trends for cloud security and today’s other cyber concerns. So, what is it, and how does it work? The technology stack is breaking down as more people use architectures based on micro-services.

They’re also using blockchain and other trust models to embrace an information-centric security model that works with distributed services (key to cloud security).”

I recently shared my perspectives on cybersecurity mesh with IBM Security Intelligence.

Check it out and let me know what you think!

Pandemic Democracy: COVID-19 And Election Management

Elections are large, social gatherings that involve masses of individuals and galvanise entire societies. No other national operation presents a similar degree of operational magnitude, legal and procedural complexity, and broad-based participation.

The COVID-19 pandemic has quickly disrupted elections, creating new pressures and challenges on how they are managed. The key public health threat associated with elections stems from the need for voters to cast their ballots in person, at a polling stations, most often on a single day. Caribbean nations are particularly impacted as they don’t generally support absentee voting, provisional balloting, early voting, or e-voting (in-person or online).

On January 9th, I participated in a Town Hall discussion hosted by the University of the West Indies – Cave Hill Campus.

The panel was predominantly made up of very experienced and highly capable election management professionals, with myself being the sole expert focusing on leveraging technology to guarantee the representativity and legitimacy of the democratic process. My contributions were specifically around the following areas:

  • Guaranteeing access to the voter registration list in a secure and privacy enabling manner
  • Ensuring speed and transparency in counting votes by moving to secure, electronic systems
  • Emergency planning in response to situations like national disasters and pandemics
  • Accommodation for hospitalised voters
  • Staffing electoral commissions with key IT and information security resources
  • The need for government investment in the digitalisation of elections

It was a very stimulating discussion, and I want to express my gratitude to the University of the West Indies for inviting me. Additionally, I want to thank the panelists and the moderators (Professor Cynthia Barrow-Giles and Dr. Dalano DaSouza) for sharing their ideas and insights.

Why the Barbados Election List Data Leak is Problematic – And How it Could Have Been Prevented

On 27 December 2021, the Prime Minister of Barbados Mia Amor Mottley scheduled a snap election for 19 January 2022.

On 29 December 2021, a full data dump of all eligible voters in the country was published by the Government of Barbados on the open Internet. This occurred largely because the Representation of the People Act 13(1) states “The [Electoral] Commission shall cause to be prepared and shall publish not later than the 31st day of January in every year a register of electors for each constituency and a register of foreign service electors entitled to vote at any election.” 

In the past, this list was made available in somewhat controlled environments to be queried by election officials, candidates, voters, etc. to ensure that elections accurately reflected the will of the people (in most all cases it was usually printed and held at libraries, constituency offices, polling stations, etc. to be reviewed by interested parties). To limit congregation of individuals in the previously mentioned locations during COVID-19 times, it was decided to publish the full voters list on the Internet to ensure access for all.

The 5250-page list contains approximately 250,000 individual records with the below personally identifiable information (PII). *

  • Last Name
  • First Name
  • National Registration Number (similar to a Social Security Number in the United States)
  • Gender
  • Date of Birth
  • Residential Status
  • Constituency (Voting District)
  • Home Address

* The total population of Barbados currently hovers around 290,000 persons.

Instead of this data being restricted to a few thousand persons in Barbados, it was now accessible by all 4.6 billion Internet users, exposing 250,000 Barbadians to increased risks of data misuse and abuse, fraud, identity theft, and other financial and reputation risks. The information was quickly downloaded and posted on Reddit and a number of hacker/fraudster sites on the Dark Web, making it perpetually available to malicious actors. There is also a high physical risk to individuals with regards to stalking, home invasions, robberies, rape, etc.

PII, also referred to as personal data, covers a wide variety of information that can identify a living individual. If a piece of information is unique to that person, it can lead back to them in several ways, and it is private and needs to be protected with the greatest care.

Why Does Personal Data Need to be Kept Safe?

The reason this type of information requires protection is that it can be used to commit fraud or to steal an individual’s identity.

Depending on what a thief is trying to accomplish, he will need different types of information. To open specific accounts all that is needed is an email address, while in other cases an individual’s name, address, date of birth, a national registration number, and other information may be required.

It’s also critical to note that accounts of all types can be opened over the phone or via the internet without having to physically visit a location for your identity to be verified. This provides opportunities for criminals with appropriate stolen information to open bank accounts, enter into contractual agreements, or make claims using someone else’s information or identity.

If a criminal is fraudulently using your information, you might not even know it. They may not use the credit card you already own to make purchases (in which case you might catch them by looking at your purchase history). Most often, criminals open up new, separate accounts using the victim’s information, leaving the victim unaware of the damage that is being done until years after the fact. In that time criminals can rack up a lot of debt using your identity.

How Can Identity Thieves Use Your Personal Data?

There are several ways which identity thieves can use your personal data, including but not limited to the following:

  • Open a new credit card account.
  • Create fake social media accounts with your identity (e.g., Facebook, Twitter, Instagram, etc.).
  • Take out a commercial bank loan.
  • Obtain and use your debit card to withdraw funds.
  • Change your billing address so your bills will no longer be delivered.
  • Obtain expensive medical care or procedures.
  • Open new utilities accounts in your name (e.g. electricity, water, natural gas, etc.).
  • Obtain a mobile phone service.
  • Open a bank account, obtain a cheque book, and write bad checks.
  • Obtain a new driver’s license or national ID.
  • Use your information when arrested or in a court action.
  • Engage in bullying, stalking, harassment or otherwise cause fear.
  • Inflict severe reputation damage.
  • Combine it with additional data gathered from the Internet (e.g., Google search, Facebook, Instagram, LinkedIn, etc.) to create even more detailed profiles of individuals.

How Long Does It Take Fraudsters to Use Stolen Personal Data?

In 2017, the Federal Trade Commission (FTC) in the United States demonstrated how criminals can use your personal information within minutes. The FTC developed fake personal data and posted it on a website that hackers use to make stolen information available. It took a mere nine (9) minutes for the fraudsters to access the information, and over 1,200 attempts were made to access email, credit card and payment accounts. The research confirms how valuable personal information is to identity thieves, and if they can gain access to it, they will most definitely use it.

What Should the Government Have Done Instead?

While it’s not an exhaustive list, below are some of the key steps the government should have taken.

From a technology perspective, a searchable database should have been published on the Government Information Service (GIS) portal, where individuals could use personal data which they already knew to confirm that they were on the voters list. The full database could have been provided to election officials and campaign managers using a digital rights management (DRM) solution to control access and distribution of the document. 

The Data Protection Act was approved by Parliament in July 2019 and came into force in March 2021. This statute introduces a strong privacy and data protection regime in Barbados, and its wide-reaching impact on overall data governance across sectors and industries should have triggered key updates to existing legislation, processes and operational guidelines (including the Representation of the People Act and any other legislation involving personal data processing). And this doesn’t even address the urgent need for broader legislative reforms in the country. There are way too many outdated pieces of legislation which are incompatible with progressive changes in technology, changing community awareness, changing community values, and changing expectations of the legal system.

Appropriate funding should be allocated to the Office of the Data Protection Commissioner to better equip them in investigating and monitoring data breaches and providing other types of regulation involving the public sector. Additionally, these financial resources can be used to deliver privacy awareness training to educate government personnel on how to protect individual privacy in their daily work. Simultaneously, a public campaign should be started to achieve broad public awareness on all issues related to the Data Protection Act and the new legal framework created. The Office of the Data Protection Commission is severely under-resourced at present, making it virtually impossible to implement and enforce the Data Protection Act, which focuses largely on preventing exactly these types of data leakages. For example, adhering to the principle of data minimisation would have significantly reduced the risk and impact of publishing the entire voters list. By this I mean the narrowing of data collection and processing to strictly what is needed – In this case, there is absolutely no reason to publicly release the National Registration Number (NRN) and Date of Birth of all eligible voters.

Why the Electoral and Boundaries Commission (EBC) is Dead Wrong

The Electoral and Boundaries Commission (EBC) has strongly (and wrongly might I add) defended its decision to publish the voters list online. Their position is that “We are obligated to publish the list now electronically so that more people can have access to it.” Chairman of the EBC Queen’s Counsel Leslie Haynes also maintains that “ID numbers are not private” and made reference to them “being published before the introduction of the digital age in public libraries, rum shops, the electoral office and other spaces.” Because a law states that you must publish information electronically doesn’t mean you should make it accessible to 4.6 billion Internet users (including hackers, fraudsters and other cyber criminals). There are numerous laws in Barbados that are outdated, poorly drafted, contradictory to other laws, and incompatible with existing technology – Should we follow them all to the letter or do we comprehensively update them to be more fit for purpose? Moreover, there are numerous technology solutions available for publishing said data online in a controlled manner to reduce the overall risk and exposure. And if they are not at fault, why did government officials remove the voters list from the public websites?

Finally, national registration number (NRN), date of birth (DOB) and home address are all private information, and there are established technical standards, privacy principles, and national laws or treaties around the globe that assert as much. From a data minimisation perspective, the requirements of the law could have been satisfied without including NRN and DOB.

Where online can you find the social security numbers (SSNs) for all eligible voting Americans? What about the passport numbers or driver’s license numbers for all voting Canadians? What about the national ID numbers for all voters in France, Denmark, Switzerland, Germany, etc.? The answer is NOWHERE!

[UPDATE] Sunday, 2 January 2022 – I have amended the original blog post in response to the EBC’s staunch defence of their decision to publish the voters list on the open Internet.

The UK’s National Cyber Strategy signals a more ‘proactive’ approach to cyber power

The UK government unveiled its long-awaited National Cyber Strategy yesterday, outlining how it plans to improve the resilience of UK institutions and businesses while protecting the country’s interests in ‘cyberspace’. The strategy signals a more interventionist stance from the government, experts told Tech Monitor, which has previously looked to the private sector for leadership. Its commitment to a ‘whole of society’ approach, meanwhile, risks overlooking the need for more diverse perspectives in the cybersecurity workforce.”

I added my quick two cents to a Tech Monitor article on the UK National Cyber Strategy 2022, which can be found here.

Then I provided a more detailed breakdown of the strategy for CircleID…

The 2016 UK Cyber Security Strategy was largely focused on deeper involvement by the government across a broad range of activities, including building cyber offensive capabilities, skills development across key sectors, enhancing coordination and incident response (including the creation of the National Cyber Security Center), promoting innovation, and incubating the UK cyber commercial sector. The 2022 strategy seeks to sustain and build upon the progress from 2016, but taking a ‘cyber ecosystem’ approach that integrates a broader range of stakeholder groups across society in developing cyber risk responses. Think of it as an acknowledgment that cyber security issues are so broad, complex and interlinked that they need to be knitted into the very fabric of national policymaking, including education strategy, regulatory/legal reform, foreign policy, and industrial policy, among others.

The government has come to terms with the fact that it doesn’t have the resources or the depth of skills to tackle all the UK’s cyber-related problems on its own and that private-sector leadership won’t necessarily achieve the desired outcomes. The 2022 Cyber Security Strategy signals the government’s intention to carve out key roles—coordinator, convener, and enabler—in the UK’s cyber ecosystem. The 2016 National Cyber Security Strategy received heavy criticism from the Public Accounts Committee, which maintained there was a lack of evidence and no solid business case to justify the £1.9 billion funding it received—making it nearly impossible to measure success. The ‘whole of society’ approach outlined in the 2022 document illustrates a deeper understanding of cyber issues and brings together the full range of cyber activities domestically and internationally into a seemingly cohesive vision with more measurable outcomes and outputs […]

Feel free to view the entire blog article on the CircleID website.

Five Cybersecurity Takeaways from the ARIN 48 Keynote and Panel

“During the Q&A, Harper also pointed out that the European Union Agency for Cybersecurity (ENISA) has adopted a cybersecurity certification framework where certain Internet of Things (IoT) devices must be validated from a privacy and security perspective, and said the US is working on a similar initiative.”

Insecure IoT devices continue to be major contributors to Internet (in)security, particularly with regards to increasing attack vectors for enterprises, distributed denial of service (DDoS), critical infrastructure (CI) resilience, and personal data protection, among other risk areas.

ENISA is doing some great work with their Guidelines for Securing the IoT Supply Chain, Cybersecurity Certification Framework, Risk Assessment Tool for IoT, and the Good Practice for Connected Cars.

Still, there’s a lot more to be done through increased stakeholder collaboration. I definitely have time for these types of initiatives!

ARIN 48 – Evolving Cybersecurity, Strategies for the New Normal

It was great participating in this panel discussion today, exploring the different ways law enforcement, international organizations, service providers, and standards development organizations are shifting their strategies to address an evolving threat landscape.

The cross-cutting theme that was evident in each presentation was COLLABORATION. More specifically, each panelist repeatedly emphasised the importance of cross-border, cross-sectoral collaboration in effectively combating cybercrime. 

It is essential that both businesses and governments anticipate and incentivise collaboration and accountability through strong public-private partnerships (PPPs), which will make it more difficult for threat actors to commit criminal acts online. For the private sector, it’s essential for business to enhance information-sharing relationships, within industry and with the public sector, to deliver a more all encompassing approach to incident response, threat management and disruption of cybercrime.Through collaboration and cooperation, and creating implementing mechanisms for information-sharing and tactical collaboration, the good guys will make successful inroads into the fight against global cybercrime.

Thanks to the American Registry for Internet Numbers (ARIN) for the opportunity to share my thoughts!

Ransomware: To Pay or Not to Pay? And… How Not to Pay!

I very much enjoyed this amazing panel discussion with the brilliant Larry Whiteside Jr. and the thoughtful and engaging Andrew Hay. I also have to mention the excellent moderation by James Coker.

We discussed a range of topics from ransomware trends to cyber insurance to holistic incident response/disaster recovery to public-private partnerships in support of better overall industry response to ransomware attacks.

I hope the audience participants had as great a time as I did.

Finally, I want to extend my humblest thanks to Infosecurity Magazine for inviting me to speak at their Online Summit!

The on-demand video of the session can be found here. Check it out!

Caribbean Security & Resilience Awards Winners Announced

The winners of the 2021 Caribbean Security & Resilience Awards have been announced!

Congratulations to the other award recipients:

  1. Peter Bäckman (Dominican Republic)
  2. Kwailan M. Bridgewater (Trinidad & Tobago)
  3. Lysandra Capella (Curacao)
  4. Rosa Damaris Diaz de Tejada (Dominican Republic)
  5. Gavin Dennis (Jamaica)
  6. David Gittens (Barbados)
  7. Stevez Gomes (British Virgin Islands)
  8. Garth Gray (Jamaica)
  9. Norval West (Jamaica)

I was quite surprised to be recognised for my contributions in the Caribbean region, and deeply humbled to be in such esteemed company.

Thank you all for what you do day in and day out to keep the Caribbean region #cybersecure!!!!

The official announcement on the International Security Journal’s website can be found here.

8 Pitfalls That Undermine Security Program Success

“Some of the biggest breaches have come down to small mistakes.

Hackers used a compromised password to access the company network via a virtual private network in the May 2021 Colonial Pipeline attack. A widely known vulnerability that hadn’t yet been patched was the entry point for the 2017 Equifax attack. And a bitcoin scam on Twitter started with spear phishing attacks on Twitter employees.

Of course, there’s no such thing as a perfect security program, but such events show that cybersecurity teams can’t afford to overlook anything.”

In this CSO Online article, I joined a number of security leaders to discuss eight easy-to-overlook pitfalls that can undermine an otherwise successful security strategy.

You can access the full article here!

ARIN/CaribNOG Technical Community Forum

The COVID-19 pandemic continues to impact networks, economies and societies across the Caribbean. More than ever, keeping critical systems secure, resilient, and accessible is a collective responsibility. This year’s Forum presented the opportunity for participants to understand the role the American Registry for Internet Numbers (ARIN) and other Internet development focused organizations play in supporting critical Internet Infrastructure in the Caribbean. It also facilitated the networking of people necessary to truly support and strengthen our technical community in the region.

ARIN has been collaborating closely with CaribNOG, a volunteer-based network operators’ community, to strengthen technical capacity in the region. This forum assembled some of the leading experts in the region and from around the world to address the fourth staging of our Technical Community Forum.

As the first featured speaker, the topic of my address was ‘Global Cybersecurity Trends and Implications.’ I first discussed the global shortage of cyber security personnel and encouraged the Caribbean to focus on the development of cybersecurity experts to support local, regional, and global demand (and also as a key element of national cyber workforce development). I also touched on other topics such as developing cybersecurity programs with constrained budgets, coordination and cooperation towards increase security resilience, and how to stay on top of developments in an increasingly complex threat landscape.

Many thanks to ARIN and CaribNOG for their invitation to speak!