An examination of the performance of 16 Caribbean countries in the latest Global Cybersecurity Index published by the International Telecommunications Union.
Cybersecurity and the state and health of our digital systems and networks have been rising in importance globally as well as in the Caribbean region. Across the region, debilitating cyberattacks have occurred, resulting in the continuing consensus that countries’ security posture is still underdeveloped.
Although there are several practical steps organisations can implement to strengthen their networks and to make them more resilient to incidents, ideally, the government ought to ensure that the enabling environment also emphasises digital security with adequate measures have been implemented. Currently, some effort has been made to develop a framework to assess the cybersecurity readiness of countries. In this snapshot, we are examining the results from the latest Global Cybersecurity Index, which includes the following 16 Caribbean/Caribbean Community countries:
Methodology
The International Telecommunications Union (ITU) has developed the Global Cybersecurity Index (GCI) to monitor the cybersecurity measures implemented across the five work areas of the ITU Global Cybersecurity Agenda (GCA). The GCA, which was launched in 2007, provides a framework for international cooperation, efficiency and collaboration, which is built upon the following strategic pillars:
- Legal Measures
- Technical & Procedural Measures
- Organizational Structures
- Capacity Building
- International Cooperation
Using these five pillars, the GCI is a composite index of indicators, which collectively represents a country’s level of cybersecurity commitments. Exhibit 1 outlines the scope of each of the pillars.
The data used for scoring was collected via a GCI questionnaire administered to the countries, which had to be supplemented by evidence to substantiate their responses and ensure accuracy. The GCI score for each country is assigned a score between 0 and 100, with each pillar weighted at 20 points. As a composite weighted index, each indicator, sub-indicator and micro-indicator is assigned a weight given the relative importance to the indicator group.
In addition to the GCI scores, the ITU has created a tiered system through which to consider country performance. Countries are grouped according to their total GCI score, as shown in Exhibit 2.
Country performance
Across the 16 Caribbean/CARICOM countries included in the assessment, the best-performing countries were the Dominican Republic, which scored 75.67 out of 100 and was followed by Cuba (72.73) and Jamaica (58.20), as shown in Exhibit 3. At the other end of the spectrum, the lowest-scoring countries were (surprisingly!), Antigua and Barbuda, which scored 17.89 out of 100, and thereafter, Grenada (20.15) and Dominica (22.83).
In examining the scores more closely, Caribbean countries generally scored the highest for the Legal Measures Pillar, virtually all of them have some cybersecurity and/or cybercrime legislation in place. However, countries generally scored the lowest for the Technical Measures Pillar, as few of them have established technical institutions, such as Cyber Incident Response Teams (CIRTs), or have adopted standards and frameworks addressing cybersecurity and cybercrime.
In Exhibit 4, which presents the scores countries received by pillar, Antigua and Barbuda, Belize, Grenada, Dominica, Haiti, Saint Lucia, and Saint Vincent and the Grenadines all scored zero (0) for the Technical Measures pillar. Antigua and Barbuda, Grenada and Dominica also scored 0 for the Organisation Measures Pillar, which suggests that there is little to no coordination across institutions on cybersecurity and cybercrime-related policies and strategies.
On the other hand, and to varying degrees, countries have been undertaking capacity development activities to improve the cadre of trained security professionals, especially in the public service, and may also have conducted public education and awareness campaigns. Similarly, most countries have either established or engaged in partnerships and cooperation and information-sharing arrangements, which would have been favourably considered under the Cooperation Measures Pillar.
In categorising countries by performance tiers, most of the Caribbean countries examined fell between Tier 3 and Tier 4, as shown in Exhibit 5, which suggests that there is some government commitment to cybersecurity and moderate measures had been implemented in at least one pillar (for Tier 4) or multiple pillars (for Tier 3).
To be categorised as Tier 5, which was the case with Antigua and Barbuda, it suggests that generally accepted cybersecurity measures were achieved for at least one indicator and/or sub-indicator, but the measures were inadequate to address most of the requirements under any one pillar.
Discussion of findings
The GCI is a useful tool as it provides some insight into the cybersecurity and cybercrime posture of Caribbean countries, specifically, their cybersecurity commitments and capabilities. As the scores and the tier performance reflect, the countries in the region are still deficient in certain areas, especially:
- Having active CIRTs (Technical Measures Pillar)
- Engaging with a regional CIRT (Technical Measures Pillar)
- Establishing frameworks to adopt cybersecurity standards (Technical Measures Pillar)
- Having national cybersecurity strategies (Organisational Measures Pillar)
- Having cybersecurity agencies (Organisational Measures Pillar)
- Establishing and implementing child online protection strategies (Organisational Measures Pillar).
However, it ought to be noted that the above measures and all of those examined to determine a country’s GCI, are unlikely to deter threat actors. Instead, they will make counties more resilient when incidents occur as more comprehensive frameworks and systems would have been implemented, and countries would more easily be able to access national, regional and international support to expedite their recovery.
Image credit: Brian Penny (Pixabay)
