Tag: digital transformation

Because Instant Matters: A Roadmap for BiMPay’s Success in Barbados

nielharper

Introduction

On June 12, 2026, the Central Bank of Barbados (CBB) will launch BiMPay, a national Instant Payment System (IPS). While the Caribbean has seen high-profile struggles with Central Bank Digital Currencies (CBDCs), specifically the Bahamas’ Sand Dollar, Jamaica’s JAM-DEX, and the Eastern Caribbean’s DCash, BiMPay arrives with a different structural approach.

BiMPay is not a new currency; it is a payment platform designed to facilitate 24/7/365 transactions between existing banks and digital wallets. However, because BiMPay utilizes digital wallets to reach the unbanked, it faces the same “adoption wall” that stalled its regional neighbors. To ensure BiMPay becomes a fixture of daily life rather than a technical footnote, the Government of Barbados must learn from the failures of the prior wave of digital currencies.

Bridging the Gap: Make It Better Than Cash

The regional landscape is a graveyard of “technically sound” projects that failed to reach critical mass.

  • The “Utility Conundrum” (Sand Dollar & JAM-DEX): In the Bahamas and Jamaica, users often asked, “Why do I need this?” If it takes longer to operate the app than to hand over a $10 bill, cash remains king.
  • The “Merchant Friction” (DCash): Merchants were often treated as an afterthought, forced to adopt new hardware or navigate complex settlement delays.
  • The “Trust Deficit”: In several jurisdictions, citizens feared government surveillance of their transactions, leading to a wait and see approach that effectively killed momentum. There is also a deep mistrust across the region when it comes to privacy and security protections in online services, which significantly hampered uptake.
  • The “Onboarding Hurdle”: The enrollment phase must be virtually seamless. Traditional digital wallets require cumbersome identity verification to comply with anti-money laundering regulations. By hooking BiMPay’s onboarding process directly into the Trident ID framework, the system could instantly verify a citizen’s identity remotely via a mobile device.

BiMPay must solve a burning problem for the average citizen. This means moving away from abstract goals like “financial inclusion” and focusing on Instant Settlement, the ability for a street vendor or a ZR driver to receive funds and use them to buy supplies ten seconds later.

Solve the “Merchant Friction” Problem

In Jamaica and the Eastern Caribbean, adoption was crippled because merchants were slow to join. Businesses were often required to invest in new Point of Sale (POS) hardware without clear incentives.

Recommendations:

  • Lower Barriers to Entry: BiMPay’s use of QR codes and aliases (like phone numbers) is a strong start, as it eliminates the need for expensive card readers.
  • Address Cash Flow Directly: The government must highlight BiMPay’s Instant Settlement as its primary selling point for small businesses. In a cash-based economy, a vendor who can access their funds in 10 seconds rather than waiting for a bank clearing cycle has a massive competitive advantage.

Enforce “Radical Interoperability”

DCash suffered when commercial banks were slow to integrate, creating “walled gardens” where users couldn’t send money across different institutions.

Recommendations:

  • Mandatory Participation: The CBB has already taken the vital step of making BiMPay a foundational rail that integrates with all banks and existing digital wallets.
  • Level the Playing Field: The government must ensure that smaller fintechs and credit unions can offer services on par with larger commercial banks. This competition will lower costs for the end-user and drive innovation in the digital wallet space.

Build Trust in the Platform

Previous initiatives often mistook a lack of adoption for a “natural disinterest” in digital tools. In reality, users were simply worried about security, privacy, and resilience.

Recommendations:

  • Be Transparent About Privacy: Explicitly detail what data is collected and why. Following the lessons of the Sand Dollar, the government should clarify why certain tiers of wallets require identification while others do not.
  • Showcase Security: BiMPay uses multi-factor authentication (MFA) and other layered security controls. Educational campaigns should not just say the system is “secure,” they should demonstrate how these features protect the user’s money. Furthermore, awareness building must be continuous throughout the lifecycle of BiMPay, because treating security as a “one-and-done” fails to account for human psychology and the fast-moving nature of digital threats.
  • Fraud Prevention: The CBB must embed strict, real-time fraud monitoring natively into the central infrastructure of BiMPay to address critical risks like transaction irrevocability, social engineering, phishing, money laundering, and ultimately to preserve sovereign digital trust.
  • Redundancy & Resilience: To prevent a prolonged outage like DCash (54 days), BiMPay must implement an active-active infrastructure across geographically dispersed data centers to provide real-time failover, and network diversification through multiple telecom providers to mitigate localized disruptions. Furthermore, BiMPay should incorporate offline payment capabilities to maintain transaction continuity during Internet or power outages. Regular, mandatory failover testing and continuous health monitoring across all participating financial institutions are essential to maintaining operational resilience.

The WeChat/Grab Model: Building a “Super App” Ecosystem

The most successful peer-to-peer (P2P) platforms, like China’s WeChat and Southeast Asia’s Grab, succeeded because they became “lifestyle companions.” They didn’t just move money; they integrated daily necessities.

Recommendations:

  • Social Integration: WeChat succeeded because it integrated payments directly into the messaging app people were already using. BiMPay must ensure that sending money is as easy as sending a WhatsApp message.
  • The “Network Effect”: The government must incentivize anchor institutions such as utilities, supermarkets, and gas stations to offer BiMPay-exclusive discounts or loyalty rewards.
  • In-App Ecosystem Mini Programs: BiMPay should open its API to allow local businesses to build mini-programs directly into the BiMPay wallet environment. For example, a user could open the BiMPay app, order food from Chefette or another local restaurant, buy a ticket to a Crop Over event, or pay for a taxi, and complete the entire transaction securely via the built-in payment rail without ever leaving the ecosystem.
  • Alternative Credit Scoring: Many unbanked Barbadians struggle to secure financing because they lack a formal credit history. BiMPay could safely aggregate user transaction histories (with strict user consent and privacy controls overseen by the Data Protection Commissioner) to allow local credit unions or fintech lenders to offer micro-loans or flexible insurance policies directly inside the app, based on the user’s real digital footprint rather than rigid banking metrics.
  • Peer-to-Peer Group Splitting and Local Gifting: BiMPay should feature a highly intuitive peer-to-peer (P2P) tool that allows users to seamlessly split dinner bills, crowdsource funding (local version of GoFundMe), or tip local musicians and hospitality workers seamlessly.

Strategic Integration: The Bridge to PayPal, Google, and Apple

For a tourism-dependent economy like Barbados, isolation is the enemy of growth. While BiMPay is a domestic solution, its long-term success depends on its ability to talk to the world.

Why Global Integration Matters:

  • Tourism Tension: A tourist from New York or London shouldn’t have to download a “Barbados-only” app. Future integration with Google Pay and Apple Pay via the BiMPay rail would allow visitors to spend seamlessly at local vendors who currently can’t afford expensive merchant terminals.
  • The Remittance Lifeline: Integration with PayPal would revolutionize how the Barbadian diaspora sends money home. By allowing a PayPal transfer to settle instantly into a BiMPay wallet, the government removes the predatory fees and multi-day delays of traditional remittance services.

Tactical Recommendations for the Government of Barbados

To avoid the fate of the Sand Dollar, the Government must execute on five specific pillars:

Use “G2P” as the Adoption Engine

The government is the nation’s largest payor. To drive adoption, all Government-to-Person (G2P) payments, including pensions, welfare, tax refunds, and student grants, should be defaulted to BiMPay wallets. When 50,000 citizens have “digital money” in their pockets on the first of the month, merchants will be forced to accept it.

Mandate Interoperability

The Central Bank must ensure that the BiMPay Interoperability Hub is truly open. No bank should be allowed to close off its customers. A user with a wallet from a small credit union must be able to send money to a user at a large commercial bank with zero friction.

Zero-Cost Merchant Onboarding

The government should subsidize the “last mile” for small businesses. This includes providing free QR code signage and ensuring that the merchant transaction fees for BiMPay are significantly lower than traditional credit card fees (which can reach 3-5% in the region).

Allow Users to Quickly and Conveniently “Cash Out”

Users must not be locked into a digital ecosystem without access to traditional cash. BiMPay should allow users to get physical cash back at any merchant location, reducing dependency on automated teller machines (ATMs).

Privacy-First Communication

Transparency is the only cure for skepticism. The government must effectively communicate that BiMPay uses robust privacy-enabling controls and that, while the system is audited for fraud, it is not a tool for granular government surveillance of lawful private spending.

Operational Independence

To operate most effectively, I recommend that that the government convert BiMPay into an independent public-private corporate structure (somewhat akin to what Denmark has done with NemKonto).

Under this model, the Central Bank retains ownership of the invisible “underground pipe” (the payment rail) to ensure safety and neutrality, but hands day-to-day operations, marketing, and developer relations over to a dedicated, agile management team that operates outside the slow-moving framework of standard civil service.

Recommendations:

  • Technical Agility and Speed: A separate, dedicated corporate entity operates outside the rigid hiring and procurement frameworks of civil service. It can recruit specialized, top-tier cybersecurity and software engineers at market rates, ensuring rapid software updates and preventing prolonged system overshoots like the DCash outage.
  • Dedicated Service Focus: Freed from managing monetary policy, an independent operational team can focus entirely on customer onboarding, merchant marketing, 24/7 technical support, and building open APIs for local fintech startups.
  • Regulatory Neutrality: Spinning off the day-to-day operations ensures that the Central Bank of Barbados can act as a strictly neutral referee. It eliminates conflicts of interest, allowing the CBB to regulate the national payment rail objectively without favoring its own digital wallet product over private innovations.

The Collaborative Layer: The BiMPay Forum

To avoid operating in an authoritarian vacuum, the CBB should establish a BiMPay Forum. This would be a permanent, institutional governance and oversight body.

Recommendations:

  • Plurality & Representation: The Forum would include representatives from traditional commercial banks, credit unions, fintech startups, payment institutions, business associations, consumer groups, academia, and the technical community.
  • Working Groups: The governance framework would utilize specialized sub-committees to improve on the platform. These groups would collaborate on structural components like:
    • Business Models: Designing new transaction methods (e.g., recurring bills).
    • Technical Requirements: Mapping security standards and message formats.
    • Audit & Risk: Dedicated to updating anti-fraud mechanisms, maintaining regulatory compliance, upholding privacy rights, and the monitoring and remediation of other material risks.

Conclusion: Beyond 12 June 2026

BiMPay has the potential to be the most significant upgrade to the Barbadian economy since independence. However, as the failures of the Sand Dollar and DCash have shown, “if you build it, they will come” does not apply to digital finance.

The Government of Barbados must act as an ecosystem curator, not just a software deployer. By focusing on merchant instant-settlement, mandating bank interoperability, and building a roadmap for integration with global giants like Apple, Google and PayPal, Barbados can turn BiMPay from a local project into a global standard for digital excellence.

In the digital age, Instant Matters. And not just for convenience, but for the very survival of the Caribbean economy.

The Facade of Progress: Why GovTech Barbados is Stalling Digital Transformation

nielharper

In the humid corridors of Barbados’ public service, there is a new buzzword circulating with the frequency of a tropical breeze: “GovTech.” Established in late 2023 with the high-octane promise of dragging a paper-clogged bureaucracy into the 21st century, GovTech Barbados Ltd. was heralded as the “silver bullet” for the nation’s digital woes.

However, as we move through 2026, the initial honeymoon period has ended. While the PR machinery hums with talk of “AI-powered prototypes” and “digital champions,” the average Barbadian citizen is still standing in physical lines, clutching paper forms, and wondering when the promised “sweeping transformation” will actually increase the ease of doing business.

The reality is that GovTech Barbados, despite its modern branding and high-profile leadership, is currently a victim of institutional inertia, misplaced priorities, and a “startup” culture that is fundamentally incompatible with the weight of government bureaucracy.

The Prototyping Trap: Appearance vs. Reality

The most visible “achievement” of GovTech Barbados so far has been the rollout of rapid “prototyping.” Using AI to turn a paper form into a digital interface in “minutes” sounds like a revolution. It makes for excellent LinkedIn posts and impressive demos for the Ministry of Industry, Innovation, Science and Technology (MIST).

But a prototype is not a service.

The “Prototyping Trap” occurs when an organization prioritizes the UI (User Interface) over the UX (User Experience) and the underlying backend processes. Turning a paper form into a digital PDF or a web form is the easiest 5% of digital transformation. The difficult 95% involves:

  • Integrating with the national identity system.
  • Automating backend approvals so a human doesn’t have to print the digital form to file it.
  • Introducing workflow management tooling to handoff tasks between different government departments or control points.
  • Updating the 40-year-old legislation that still requires a physical signature.

By focusing on what they believe to be “tangible outputs” to win public confidence, GovTech is essentially painting the windows of a house that has no plumbing. Citizens may fill out a form online, but if the “transformation” stops there, the inefficiency is simply moved from the front counter to a back-office inbox. Instead of focusing on throughput (how many forms can we digitize?), GovTech Barbados needs to focus on outcomes (how much time and money can we save the citizen?). It’s also quite telling that the GovTech team has neither the deep expertise nor a visible focus on ICT law and business process reengineering.

The CEO Dilemma: A Startup Mindset in a “Legacy” Environment

Mark Boyce, hired in July 2024, has brought a seemingly more tech savvy energy to the role. His background, marked by a vocal critique of the “safe” career paths of doctors and lawyers in Barbados, suggested he was the disruptor the island needed. However, in reality, Mr. Boyce does not have the qualifications or experience to lead a major national digital transformation initiative like GovTech Barbados. He has never led complex enterprise or government implementations which include cloud computing, interoperability layers, cybersecurity, e-commerce, digital identity, and big data. Unfortunately, neither has the majority of his key hires.

Digital transformation in a government setting is less like a tech startup and more like an organ transplant. The “host body” (the existing Civil Service) often rejects the “new organ” (GovTech) if the cultural and legislative prep work isn’t done.

I can’t help but to think that GovTech is operating as an isolated island of innovation. While Boyce and his team speak the language of “The Radical How” and “agile execution,” the rest of the government still speaks the language of “The General Orders” and “Financial Rules.” This cultural mismatch has led to a bottleneck where GovTech builds prototypes that sit in limbo for months because the “human review process” in traditional ministries remains unchanged.

The Sovereign Cloud and the “Hardware Hubris”

One of GovTech’s early and most controversial claims was that Barbados was “on the brink” of a sweeping transformation fueled by a Tier 3 data center and a “sovereign cloud.”

As I noted in a previous blog post, this often feels like “déjà vu.” Barbados has a history of announcing expensive infrastructure projects that fail to deliver service-level improvements. It’s important to note that:

  • Costs are astronomical: A greenfield Tier 3 data center can cost upwards of $20 million in capital expenditure, with millions more in annual operating costs.
  • Infrastructure vs. Service: A data center is just a room with servers. If the software running on those servers is poorly designed or the data remains siloed in different ministries, the “Sovereign Cloud” is just a very expensive local hard drive.

Furthermore, the focus on building local infrastructure ignores the global trend toward public cloud utilization (AWS, Azure, Google Cloud), which offers better security, scalability, and disaster recovery than a small island nation can typically manage on its own. The obsession with “sovereign hardware” often masks a lack of “sovereign software” capability.

A better approach would be a hybrid cloud model with a smaller footprint sovereign data center hosting “mission critical” and “secret” data (e.g., Digital ID, Electronic Patient Records, BimPay, etc.) and leveraging the public cloud for non-sensitive, high-scale applications (e.g., public-facing websites, information portals).

Missing the “Human” in the Human Firewall

For a “GovTech” agency, there has been a glaring lack of focus on the digital literacy of the civil service. Digital transformation is 10% technology and 90% people.

While GovTech talks about “Digital Champions” within ministries, these individuals are often overstretched civil servants with no formal technical training and no authority to change the processes they are “championing.” Without a massive, nationwide upskilling program for the thousands of government workers who actually process the forms, GovTech’s tools will remain shiny toys that no one knows how to play with.

The Transparency Deficit

Meaningful digital transformation requires trust. Yet, GovTech Barbados must be questioned for its approach to:

  • Cybersecurity: Barbados continues to score poorly on the ITU Global Cybersecurity Index. Announcing “AI-powered” government services without a robust, transparent cybersecurity framework or government-wide AI governance standard is a recipe for a national data disaster.
  • Data Protection: As GovTech moves to “release public datasets” to spur local tech growth, there are unanswered questions about how citizen privacy is being protected under the Data Protection Act. Where is the Open Data Policy? What about Freedom of Information (FOI) legislation? What will be the overarching data governance framework? Is the Data Protection Commissioner being continuously engaged?
  • Procurement: Is GovTech empowering local startups, or is it becoming a middleman for expensive foreign “turnkey” solutions that don’t fit the local context?
  • Digital Identification: Considering the existence of the Trident ID system, why haven’t centralized and federated digital ID been prioritized? GovTech should have already built a “Single Sign-On (SSO)” for all government portals. Instead of having separate logins for Taxes (TAMIS), NIS, and the Land Registry, a citizen uses one verified Trident identity. GovTech can also act as a “Trust Broker.” For example, local banks should be mandated to use the Trident ID API to verify a new customer’s identity instantly, rather than requiring them to visit a branch with a passport. Banking customers should also be able to login to their Internet and mobile banking applications with the Trident digital ID.

Notwithstanding a clear lack of transparency, GovTech Barbados has been granted a multi-million dollar budgetary increase in the 2026–2027 Estimates. The public must now ask: how is this agency being held accountable for its results – or the evident lack thereof?

The Verdict: Is it Transformation or Decoration?

As of early 2026, GovTech Barbados has achieved Digital Decoration. It has made the government look more modern, but it hasn’t made it work more efficiently.

For GovTech to move from a PR success to a systemic success, it needs to stop focusing on “tangible prototypes” and start doing the “unsexy” work of:

  1. Legislative Reform: Working with the Attorney General to kill the “physical signature” requirement once and for all.
  2. Interoperability: Forcing ministries to share data through a central API, so citizens don’t have to provide their birth certificate to five different departments.
  3. Radical Transparency: Publishing real-time KPIs on service delivery times, not just “how many forms we digitized.”

If GovTech continues down its current path, it risks becoming just another “State-Owned Enterprise (SOE)” – a well-funded agency that produces beautiful reports and prototypes while the people of Barbados continue to wait in the sun for a service that should have been a website click years ago.

Barbados’ Digital Aspirations: A Reality Check

nielharper

In a recent Barbados Today article, the CEO of the newly minted GovTech Barbados stated with confidence that the country is “on the brink of a sweeping digital transformation, with a particular focus on enhancing its cybersecurity infrastructure.” While the ambition is commendable, it’s crucial to examine these claims with a critical eye. As someone deeply involved in the tech sector for almost 30 years, I find several elements of this grand vision questionable at best, and potentially misleading at worst.

The ‘Conundrum’ of the Tier 3 Data Center

The government’s plan to establish a Tier 3 National Data Center sounds impressive on paper. However, this claim ignores several fundamental realities of Barbados’ infrastructure, market conditions, and human capacity.

Costs

With a monopoly electric company serving the entire island, is it even possible to achieve the redundancy and reliability required for a Tier 3 facility in a cost effective manner? Tier 3 data centers demand multiple, independent power distribution paths. In the Uptime Institute tier model, onsite power is the only reliable source of power – it is completely within the span of control of the organization, with no conflicting external entity’s profitability goals. Given the high costs of commercial power in Barbados ($0.33 per KWh – one of the highest in the world), and the even higher costs associated with operations and maintenance for onsite generated power, has the government properly assessed the overall costs of delivering the power requirements for a Tier 3 data center?

In addition, a Tier 3 data center requires the installation of redundant systems in terms of uninterrupted power (UPS), direct current battery plants, diesel-based power generators, and HVAC systems, including heating (H), ventilation (V) and precision air conditioning (AC). Below is an overview from Kio (a global data center company) in US dollars of the costs of building out such facilities.

With regards to network connectivity, a Tier 3 data center must have multiple Internet service provider connections and dedicated fiber optic cabling. This is particularly challenging as telecoms costs in Barbados are phenomenally high when compared to the global average. Furthermore, a mile of fiber optics can cost upwards of $250,000 USD. Then there are the incremental costs for perimeter control/fencing, access control systems, metal detectors, video monitoring, fuel tanks, telecoms grounding and lightning protection, fire suppression, racking hardware, networking equipment, server infrastructure, tier certification, etc. I will address the costs for staffing in greater detail in the next section.

The capital expenditure (CapEx) and operational expenditure (OpEx) can quickly skyrocket. My conservative estimation is CapEx of approximately USD$20 million for the greenfield build-out of the Tier 3 facility and USD$5-10 million in annual OpEx to successfully run it.

Taking into consideration that Tier 3 data centers usually have a commercial model, it would be good if the government can explain to the general public how the build-out is being funded, whether taxpayers will be expected to cover the costs, will more loans and increased debt be involved, how will the return on investment (ROI) be achieved, what does the total cost of ownership (TCO) look like over a 5-10 year period, and other related financing and cost recovery details.

Talent

Another area worth a deeper dive is the talent associated with the operations and maintenance of a Tier 3 data center. For operational sustainability, staffing must be divided into three (3) categories.

  • Headcount: The number of personnel needed to meet the workload requirements for specific maintenance activities and shift presence. Assuming a 24x7x365 operation, headcount will be needed to cover daily administration, preventative maintenance, corrective maintenance, vendor support, project support, and tenant work orders.
  • Qualifications: The degrees, certifications, technical training, and experience required to properly maintain and operate the wide array of installed infrastructure.
  • Organization: The reporting structure for escalating issues or concerns, with roles and responsibilities defined for each group.

Most of the persons on-island that meet these requirements are employed by Digicel, Flow, or commercial banks. The remaining talent would have to be sourced from overseas. What is the government’s strategy for attracting and retaining this level of talent? How will they do so in a fiscally responsible manner? Has a skills gap analysis been performed for the public sector? Is there a talent management and professional development plan to ensure that this digital initiative is adequately resourced from the human capital perspective? 

Environmental Impact

Data centers are responsible for an enormous negative environmental impact: their gluttonous annual consumption of electricity, greenhouse gas emissions, heavy water consumption, generation of toxic electronic waste, and other types of direct and indirect ecological harms are of a major concern. In conformity with the United Nations Sustainable Development Goals (UN SDGs), the potential environmental impact of data centers should be numerically assessed to compare to the environmental capacity and chart a plan towards sustainability.

Has the government completed an environment impact assessment (EIA) for the data center facility? Have they engaged surrounding residents to discuss the known issues with data centers, including noise pollution and drought risks? Given the government’s commitment to climate change, what are their plans for the Tier 3 facility vis-a-vis carbon-neutrality, carbon offsetting, and investment in renewable energy systems like wind and solar? What is the government’s broader toxic electronic waste disposal strategy? 

The “Sovereign Cloud” Misnomer

The term “sovereign cloud” has been tossed around, but it appears to be more buzzword than substance. In the tech world, a sovereign cloud typically refers to public cloud services that treat workloads as if they’re in the client’s home country, even when physically hosted elsewhere.  Sovereignty requirements mandate that customers’ usage of what’s typically understood as public cloud must be immune from the impact of foreign laws and mandates; sovereignty overall is then a key requirement for consideration alongside other controls requirements such as security, resilience, data residency, and privacy. These factors generally apply when a government or international organization is purchasing services from an overseas-based cloud provider.

What GovTech Barbados is proposing is simply a government-owned data center located on Bajan soil. It’s inherently sovereign, but a “sovereign cloud” it isn’t – it’s just a standard approach to local data hosting. By misusing this term, are they trying to make a normal infrastructure upgrade sound more innovative than it really is?

The vast majority of the government’s public sector computing environment is based on traditional client-server architecture and on-premise data processing. There’s nothing specifically “cloud-centric” about it. Bearing that in mind, it would be good to better understand the government’s future state cloud architecture. How will cloud-related skills be obtained in the public sector where they currently don’t exist? What’s the overall enterprise architecture model? How will they transform deeply antiquated, siloed and fragmented government systems into a cohesive architecture premised upon modern cloud technologies? What cloud solutions will be used for orchestration, observability, infrastructure, databases, etc.? How will existing infrastructure and applications be refactored to be cloud native? Is their approach based on private cloud, public cloud, or multi-cloud? Have disaster recovery needs been considered? Has the partner/vendor ecosystem been defined? What about third-party risk management (TPRM)? These questions and more need to be answered.

The last 2 questions are especially pertinent given the announced partnerships with Promotech and Fortinet – The former (Promotech) is a consumer electronics retailer with zero credentials in deploying complex, secure, enterprise-scale technologies and the latter (Fortinet), while a solid cybersecurity solutions vendor, requires advanced expertise to properly deploy and manage their equipment. Fortinet is also known to be quite expensive in terms of professional services and they have had a number of security issues in recent times.

Cybersecurity: Promises vs. Reality

The government’s emphasis on cybersecurity is not new. In fact, it’s a tune we’ve been hearing from as far back as 2012. Over the last 10 years, the Government of Barbados has received substantial funding from various international bodies to enhance its cybersecurity posture. Yet, where is our national cybersecurity unit? Why is our cybersecurity maturity so low compared to other developing countries such as Botswana, Cuba, Ethiopia, Ghana, Guyana, Jamaica, and Kenya, among others?

And despite numerous cybersecurity assessments, strategies, and roadmaps conducted by international organizations (e.g., ITU, OAS, European Commission, etc.), we seem no closer to establishing a robust cybersecurity framework than we were a decade ago. 

In the International Telecommunications Union’s (ITU’s) recently released 2024 Global Cybersecurity Index, Barbados scored quite poorly against the Americas regional average (see below).

With this ITU ranking as a backdrop, it has to be said that the GovTech Barbados announcement feels like déjà vu. What’s different this time? How can we trust that these plans will materialize when similar promises have fallen flat repeatedly? Amidst the talk of setting up a national cybersecurity unit, is Mr. Boyce aware that the responsibility for national cybersecurity lies with the Barbados Defence Force (BDF) Cyber Unit? Has he consulted with anyone on what was the mandate, scope, and lessons learned from the government’s failed Cyber Security Working Group (CSWG)? Has someone told him that in recent years, a Barbados Computer Emergency Response Team (BCERT) was funded by international donors, an office location and equipment was setup, but the CERT was never staffed or actually operational? To be frank, he seems quite unaware of what has transpired in the nation’s cybersecurity landscape over the past 5-7 years.

The Spectre of Abuse, Censorship, and Exclusion

While the government touts the benefits of centralized digital infrastructure, we must also consider its darker implications. A nationally controlled data center, pervasive e-government systems, and fully integrated identity-based platforms can easily become powerful tools for abuse of authority, mass surveillance, and oppression. These risks are even more pronounced with GovTech’s proposed use of artificial intelligence (with no regulatory safeguards) and the government’s insistence on implementing poorly drafted and potentially rights-violating cybercrime laws.

Myself and others have raised serious concerns, including worries about how new citizen-centered digital services are developed and managed; social exclusion and discrimination; privacy and data protection; cybersecurity; and major risks for human rights. In the context of human rights, the risks are related to the right to privacy, freedom of movement, freedom of expression, and other protected rights. For example, GovTech has stated that they plan on “releasing certain public datasets” in order “to spur the development of new products and services from local tech companies.” Government must be transparent on whether or not personal data will be involved and how these decisions align with the Data Protection Act, including what risk assessments and security countermeasures will be put into place to prevent material harm to individuals.

With all government data and services funneled through a single point, the temptation for overreach becomes significant. Who will oversee this system? What checks and balances will be in place to prevent abuse? The ability to control information flow and access to digital services could be weaponized against dissenting voices or used to manipulate public opinion.

We must demand clear, legally robust safeguards against such misuse. Without them, our journey towards digital transformation may well become a path to digital authoritarianism.

The Bigger Picture

While digital transformation is undoubtedly crucial for Barbados’ future, we must approach these grand declarations with healthy skepticism. Are we genuinely prepared for the scale of change being proposed? Do we have the necessary infrastructure, expertise, and, most importantly, the political will to see these projects through?

Moreover, in our rush to digitize, are we addressing more fundamental issues? Can we talk about advanced data centers when parts of our island still struggle with basic Internet connectivity? Are affordable Internet and telecoms services even attainable when the regulating functions within the Ministry of Industry, Information, Science and Technology (MIST) and the Fair Trading Commission (FTC) are incapable of delivering core consumer benefits (e.g., consumer protection, service quality, diverse product and services offerings, affordable prices, etc.)? Can we really talk about cybersecurity when breaches of government IT systems are the norm as opposed to the exception? Why are the bulk of e-government services still lacking in accessibility features for the differently abled?

Mr. Boyce emphasized that, “The National Data Centre will allow the government to take a more data-driven approach to governance.” Data centers and data governance are both important for the country’s data-driven future, but they have very different focuses, and the links between the two are tenuous. A data center is a physical facility that is used to house IT infrastructure, applications, and related data. Data centers are designed based on technology components: networks, computing, and storage resources that enable the delivery of shared applications and data. Data governance involves the management of data quality, security, usability, and availability. It is oriented towards people and processes – policies, procedures, roles, and metrics which ensure data is leveraged efficiently and effectively. Data governance can help the government and private corporations make better decisions, reduce costs, and comply with regulations such as the Data Protection Act (DPA), General Data Protection Regulation (GDPR), and others. However, one can have a data center and still have poor data governance or you can have no data center and have strong data governance. There are literally no dependencies of either element on the other.

“A key aspect of the digital transformation plan is to integrate digital services, allowing ministries and departments to collaborate seamlessly. Initiatives such as digital identifiers and signatures will enable citizens to access multiple services through a centralized portal, gov.bb, reducing fragmentation in the current system.” This statement from the CEO of GovTech is quite worrisome. Does he know that over the last 4 years there was an IDB-funded e-Services Project with these same objectives that failed spectacularly? Does he realize that the National Digital ID project – another public sector IT project that was poorly executed – was designed to provide centralized identity-based services to citizens, including digital identifiers and signatures?

The fact remains that IT projects for the Government of Barbados seldom fail due to technology-related issues. The technologies are generally sound and fit for purpose. Leadership-related issues are at the core of these repeated failures. A lack of skills in managing complex, large scale IT projects is also a major factor, which leads to a corresponding inclination to rely instead on outsourcing to consulting firms or a heavy dependence on the professional services arms of vendors. The problem here is that government employees lack the capabilities to manage these third-parties, are unable to meet government-owned deliverables, or impose unrealistic / infeasible requirements on experts that actually know what they’re doing. In addition to the absence of skills for managing large IT efforts in general, there are also huge deficiencies in change management skills in particular.

A Call for Transparency and Realism

As citizens, we deserve more than lofty promises and tech jargon. We need a clear, realistic roadmap for digital transformation that acknowledges our current limitations and outlines concrete steps to overcome them.

Instead of grand visions, let’s start with achievable goals. Develop a strategic roadmap that has a long-term arch and practicality that survives biased political motivations and changes in government administrations. Improve our basic digital infrastructure and access to it for all. Invest in education to build a tech-savvy workforce. Ensure that our legal and regulatory framework supports open, accessible, secure, rights upholding, and citizen-centric digital services. Create governance, risk, and oversight mechanisms which guarantee that projects deliver tangible value, not just headlines.

Barbados has the potential to become a digital leader in the Caribbean, but not through wishful thinking. We need honest assessments, pragmatic planning, and, above all, a commitment to turning words into action. Until then, these digital aspirations will remain just that – unfulfilled aspirations.