Wednesday, 30 October 2024

The Organization of American States' Caribbean Regional Cybersecurity Symposium DR 2024


*** Simposio de Ciberseguridad de la OEA


Cyber Pirates of the Caribbean.
Sorry, couldn't help myself.
In September I got an invite to sit on a panel at the GFCE's annual meeting. Then the Organization of American States got in touch and asked if I'd sit on their emerging tech panel at the regional pre-meeting. I guess that went well because they then asked if I'd be willing to cover for their quantum cyber specialist who couldn't make a Cybersecurity Symposium in the Dominican Republic at the end of the month. My approach to this sort of thing is to always say yes; that's how I found myself in Ghana last year.

Most Canadians think of Punta Cana and an all inclusive week on a resort when it comes to the Dominican Republic, but I was headed to Santo Domingo which can be a bit rough around the edges. It was an intense week of coming to understand the cybersecurity needs of a region facing the results of climate instability head on while also rapidly developing their digital economy.

Our panel was set to go on the first day, which was good - I like to get them done sooner. Co-panelist Heather happened to be coming in on a flight right behind mine so we met at the airport and shared a cab across the city to the hotel, which felt a bit like the first 20 minutes of Fury Road. Having not eaten since 5am, I sat in the empty hotel restaurant and ate a poor club sandwich that cost an eye watering $30USD while wondering what I was doing here. There is nothing like hunger and exhaustion to make you doubt yourself.

I finally got into the room and collapsed for a couple of hours and awoke feeling more like my usual, confident self; food and rest resolves most anxiety. I went for a wander around the hotel and found Heather on the pool deck watching the sun going down (dramatic sunsets in the DR). She works in AI research and we had a good chat about how it's being used in cybersecurity and both left with enough context to take on the panel in the morning.

Our moderator got switched right before the event but Donavon was agile, knowledgeable and did a great job chasing down themes as they came up rather than following a script. The conversation dove into AI but also left space for IoT and quantum in a cyber context.


I came away from the GFCE event in DC earlier in the month cognisant of the need to keep technical detail out of these kinds of high level talks, especially if you're talking to most of the people in the room through a translator. The technical side of cyber isn't necessarily what you need to focus on because it doesn't really change how most people interact with it. An easier to grasp example might be to ask if you need to have a strong understanding of the metallurgy involved in casting your car's engine in order for you to drive it. This isn't to say you need to simplify the the point of absurdity, but getting into the technical weeds tends to be an academic back-patting exercise rather than being helpful to the audience.


On this panel (as I've done in all of them), I don't pretend I'm something I'm not. I'm a teacher, an I.T. technician and a cyber operations instructor and often refer to anecdotal cyber teaching situations to land a point. People seem to appreciate this approach because presenting material as a teacher is something everyone can relate to, and there is enough intellectual intimidation in cyber as it is. There is also enough marketing misinformation that a clear eyed, education focused approach resonates.

Our talk mainly focused on artificial intelligence but quantum did get some airtime, though many questions (as at the GFCE) orbited the complexities of trying to teach cybersecurity. As mentioned at the Serious Play Conference in August, teaching a subject that few people have the basic digital media literacy to even contextualize is a challenge. The fear that arises from this ignorance is real and makes teaching cyber especially difficult.

I'm always conscious of the Canadian perspective I bring to an international event like this. Canada seldom participates at the international cybersecurity events I've attended. We fund a lot of them (including this one), but finding Canadians willing to make the trip and talk the talk seems difficult. I was the only Canadian on any of the panels at this one too, though I'm hoping to change that. If international cooperation is about relationships, having Canadians talking at events like these is essential.

When asked about IoT threats I brought up two Canadian instances that resonated with the room (I was asked about them repeatedly across the week). One was my visit to the Canadian Institute for Cybersecurity in Fredericton last spring which included a look at their IoT lab. The curiosity this generated has me wondering if an OAS event in Fredericton at UNB wouldn't go amiss. Does Canada ever host these things?

The second Canadian cyber challenge was the rash of car thefts Canada is experiencing. It's tempting to define this under traditional criminal activity but these are new vehicles with 'state of the art' electronics that are being hacked, making this an IoT cyber problem. When you know enough about cybersecurity you start to think differently about how it's integrated into your day to day life. My cunning solution is to drive manual vehicles that are 'pre-smart'. They're unhackable and also undrivable for most thieves. If you don't expect technology to do everything for you, you're not beholden to its weaknesses.

With our panel in the rearview, I made it a point of understanding the context through which Caribbean and Latin American states are tackling cybersecurity. Our very nice hotel provided bottled water because you're not supposed to drink what comes out of the taps. It's astonishing to me that people without available drinking water are going after digital transformation and the cybersecurity that enables it, but if you want to participate in the 21st Century economy that's the price of admission. Perhaps digitization will solve the water problem too.

One of the first speakers at this event did a deep dive into misinformation and how it is generated using the latest in deepfake technology. Extremists are using this tech in propaganda campaigns. The corrosive effect this has on our shared media is interesting. I had a number of chats with Daniel throughout the conference and discovered that his motivating interest is in the nature of online communities and how they work in terms of social norms and expectations. This kind of decentralized, narrow (as opposed to broad) band media transmission is becoming the new norm, yet no one seems to be teaching how it is influencing society in media theory classes. It's something I want to go after in terms of updating digital media education in Canada.

The theme of the symposium was, DisruptX:Redefining the future of cybersecurity in Latin America and the Caribbean", so many of the talks revolved around the impact A.I. is having in cybersecurity. As in most places, it's a force leveller. People writing phishing emails now write with perfect grammar and spelling, and don't use form letters anymore because AI can generate targeted, articulate messages specifically for individuals. This enabling of cyber criminals by automated systems targets our ongoing cyber-illiteracy because that's the easiest target, but that's just the tip of the iceberg. Automated malware as a service can be purchased by anyone who can turn on a computer. The days of technically talented hackers are far behind us as AI serves to elevate anyone looking to create havoc online.

To further complicate the landscape, you've got state actors (including world superpowers) performing offensive cyber operations against governments, businesses and even individuals. At this cost-no-object end of the spectrum you've got cyber militaries operating on budgets in the billions possibly taking aim at your company or government.  If you're a developing economy with minimal digital infrastructure, how do you possibly keep it secure against that? The short answer is you don't, sometimes you just get pwned.


OK, so what do I do, you ask? You've got a couple of options when it comes to protecting your internet facing systems (in this case critical systems that make society work and provide things like electricity):

1) Put money up front building the most secure network you can, but this requires talented people who are in short supply (the cyberskills shortage isn't just happening in Canada). It also means paying up front for something that hasn't happened yet, and can't be guaranteed secure no matter what you throw at it. The case for preemptive cyber capacity building remains a struggle and not just in the Caribbean, it's a problem in Canada too.

2) The other option is to design full backup systems so you can recover when the inevitable happens, but this too requires technical talent, forethought and a willingness to invest in the future - all aspects of cyber that humans everywhere struggle with.


Like the GFCE event in Washington, a lot of time was spent thinking about governance and policy. These frameworks are vital, especially if we want to push back against human nature that isn't likely to invest in anything precautionary. A purely passive/defensive mindset doesn't work in cyber any more than it would in sports. The nature of this one sided game means that some of these limited resources also need to be reserved for active cyber operations, both offensive and defensive. 

I hope there is room in policy and governance to ensure that there are resources left over to support this kind of agility. This 'just-in-time' work often happens in companies and government agencies rather than in university research labs and needs to be more accessible to the people on the ground doing the work. So much of the research funding in Canada is tied to post-secondary institutions and is inaccessible to anyone else. This is an area where developing cyber systems have an advantage.  Agile action research in cyber by practitioners rather than solely by academics is essential if we're to retain the ability to deal with emerging threats.

This confusion around the nature of cybersecurity (is it an apprenticeable skillset or an academic pursuit?) is another one of those evolving understandings still somewhat out of focus as we continue to define what cybersecurity is. It was nice to see one of my favourite cyber graphics come up in one of the RICET education talks reminding everyone that cyber is a complex, multi-modal field of study ranging from apprenticelike hard technical roles through management and logistics to academically intensive legal and human facing work in subjects ranging from policy and HR to education.

Like any other field of study, cybersecurity is full of nuance. We're just not there yet because we're still figuring out what it is.


*** Extracurriculars


Fascinating conversations and an opportunity to network without a schedule or talking points. These 'extracurricular' evening events are often the most informative!

The conference had a couple of extracurricular events where I often hear the most enlightening things. A delegation from the South Pacific was attending this event under the idea that they they are facing many of the same challenges that the Caribbean states are. Tim from the Cook Islands and I had many great talks about the sudden change they are going through. About two weeks before the conference Elon flipped a switch and suddenly everyone on the islands could afford high speed internet for the first time through Starlink. The rest of us have been in the digital pot as the heat has been slowly turned up over the past two decades and don't realize it's boiling. Can you imagine going from 90's dial up to 2024's AI/social media/fake-news cyber-nightmare in one week? Tim's managing the IT there. Someone should be writing a book about this time travelling digital experiment.

The fortress in colonial Santo Domingo at sunset. The DR's relationship with its past, like Canada's, is complicated and unfinished.

On the final evening we got taken out to the colonial tourist area for a look around Fortaleza Ozama. Being me, I found watching the chaos of the evening commute around the castle distracting. Like the social the night before, this was an opportunity to chat with people working in cyber from many different perspectives. I'd run into Franklin from Suriname who I'd met in Ghana last year and we picked up right where we'd left off. Suriname is about to go through some dramatic changes.

When you find yourself having a drink with the head of Mastercard's security division and the entourage from Columbian cyber, you wonder how you got here. Tim from Cook Islands' wife messaged him asking what he was up to expecting another conference update. His response was, 'I'm drinking rum at a castle at sunset!" Indeed.

The tour included a projection onto the fortress of the DR's history. It reminded me of the projection show they were doing on the Houses of Parliament in Ottawa a few years ago and raised some interesting questions about how digital is insinuating itself into island life.

The seemingly incongruous VR experience at the fortress was complimented by animated digital projections throughout, to the point where it was easy to forget you were in a centuries old fortress, which is the point of being there, isn't it?  A few times in the conference the corrosive effect of AI on regional culture was noted (AI's fixation on large datasets tends to stamp out anything but the biggest producers of data). I suspect digitization (itself a byproduct of globalization) has a generally corrosive effect on people's ability to be where they are. We spend an awful lot of our time taking photos to share online instead of being where we are (like the ones in this post? -ed).





*** RICET


The final day switched gears and became RICET, the Regional Initiative for Cybersecurity Education and Training, put on by the OAS and Florida International University. This focus on education and training is essential if we're to establish sustainable and effective cybersecurity. It's also a vital part of both figuring out what cyber is and framing it so the public better understands it.


I've said it before and I'll say it again, the vast majority of cyber incidents are the result of human failure. No matter how you want to frame it, our current cyber woes arise from a multi-generational failure to develop effective digital media literacy of which cybersecurity is perhaps the most interdisciplinary and complex because it's all about the edge cases. You can't hack something you don't fundamentally understand. You can't defend against those hacks without it either.

We've been fixated on coding as a solution to the digital skills crisis, but digital media literacy is about much more than coding. In cyber you need flexible, stochastic approaches with familiarity across a much wider range of digital technology. I've met too many compsci specialists who are sidelined by simple technical issues to believe that this is the epitome of digital literacy. I also heard the dreaded term 'digital native' during some of these talks, but I'm not going to get into that nonsense again here. 

RICET panels talked about the usual worries around the lack of talent, though like everyone else they spent much of the time on bandaid solutions like adult retraining instead of looking at strategic fixes like implementing nationwide cyber skills talent discovery and development in public schools that would not only address the user negligence problem, but would also resolve our cyber-professional shortage.

We'll never resolve this global digital skilling failure with stop gap solutions. We need both short term and long term strategies, but like the funding for seemingly obvious things like network security and data backups, getting anyone to finance the future is a struggle.


Watching these earnest cyber developers working on shoestring budgets trying to make this work while Canadians literally watch drinkable water go down the toilet has me wondering why we face so many of the same challenges they do. On my way back home I messaged a colleague in cyber education and lamented the fact that cyber expertise in Canada seems to be more about marketing than it does cybersecurity. I summarized the problem with genuine cyber-education in simple terms: there's no money in it.  That observation extends to cyber in general. One of the reasons for the high burnout rate is asking the few people who know what they're doing to do it without the necessary resources.

I enjoyed learning about the regional challenges being faced in the Caribbean, but what always surprises me about these glimpses into international cybersecurity is just how similar the problems we all face are. In a discipline where the bad guys only have to get it right once but the defenders have to get it right every time, the only hope for cybersecurity professionals is to develop connections, build international cyber-diplomacy and work together. Circling the wagons and sharing intelligence, tools and best practices is the only advantage we have against the cyber pirates (see what I did there?) that surround us.  This event was a prime example of that kind of networking. I hope to be a part of future ones and not the only Canadian talking.


Winging out of Santo Domingo at sunrise on Delta's A320 Airbus. What a beautiful country. Wish I'd had the opportunity to see more of it...


The Bermuda Triangle on a sunny Friday morning in October.