This is my first newsletter of 2024, and it’s a long one. I look forward to writing more during the year. I won’t promise they will be sent on a strict schedule, but I’m setting an overall goal to get back into the rhythm of writing these long-form posts here and in newsletter form for this year’s subscribers list.

Enjoy, and let me know your thoughts by email or on Mastodon.

I’ve set up a new site to consolidate all the public writing I’ve been doing. I mentioned it before in the previous emails, but I’ll take the opportunity to plug my site again. I’ve added a page with what is essentially my CV to the site; the idea is to give people an easy one-stop shop to see what projects I have worked on over the last few years. The list isn’t exhaustive; it’s more representative.

An Update on the Newsletter Migration

In the last newsletter email, I talked about the distasteful issues and goings-on at Substack. In that update, I said I would be moving to a different platform and that I had my sights on either WordPress or micro.blog. After a lot of research and discussion with the support at WordPress, I took the plunge and decided to go with a WordPress site. That didn’t turn out to be a good decision for several reasons.

Sadly, WordPress’s idea of a newsletter is not really aligned with mine. Secondly, it was a challenging task to get the site up and running and looking the way I wanted it to. I needed to take a few training sessions to get started before I could get the site edited to look like something I’d be happy with. Domain purchased, WordPress plan purchased, I did the transfer and moved across the entire library of articles I’d written on Substack. The migration was easy enough until I reached a limit of subscriber numbers, which, to be fair, was easily resolved but annoying to run into and be taken completely by surprise.

However, I wasn’t happy with the way things work over at the site. Number one, a subscriber has to create a WordPress account to use the newsletter properly, and I don’t think that should be necessary. Secondly, there is a non-optional amount of tracking performed by sites like WordPress (Substack did this, too), which I didn’t want to keep de facto endorsing. I don’t need to see ‘stats’, and I don’t need them feeding the anxiety bucket. I want to write informed and interesting articles, put them out there and see what happens over time. I don’t need tracking stats to know where you’re from, what you read and when, what you had for breakfast or anything for that matter.

All this to say that I have performed a second migration in the space of one week from WordPress to micro.blog. It is a small and independent company I knew about a few years ago, as I was one of the early backers on Kickstarter to get the platform up and running. For some reason, I didn’t find a use for it back then, but recent events made me reevaluate that, and I’m here now.

You should continue to receive the newsletter as previously, but the look and feel will be a little different, as I noted in the last email from Substack (So long and thanks for all the fish).¹ The new platform doesn’t have all the bells and whistles of Substack, but I’m okay with that, as I think it is the content that is the most important, not the flashiness. I think it speaks more to who I am and what I do.

The Internet’s Past, Present, and the Movement for a More Open Future

I haven’t been as enthusiastic about the Internet since I first started using it back in 1989 when the Internet was a series of clunky command-line tools like Gopher, WAIS, and a few others. It blew my mind back then that I could communicate in almost real-time with a student in San Fransisco from my university DEC VAX VMS terminal in London, UK. But logging on to baymoo.sfsu.edu became a ritual and a pastime that shaped how I used the internet and thought about the future. Shortly after that, ISPs (Internet Service Providers) started popping up in the UK, and I was one of the early clients of a dial-up service based in North London. I even applied for a job with them and went through an interview (and failed), but I remember seeing the hundreds of dial-up modems they had in the office for the connections from their customers like me. I got myself a ‘real’ email address and sent an email to myself from my university account to that personal account, racing home to check I got it as intended. My car didn’t go as fast as electrons, so I lost that race too.

What set the Internet apart at that time was its truly open nature. Open, as in having not walled off, private, or for-profit-only tools. Tools like GOPHER², WAIS³, and TELNET⁴. This presented an almost limitless opportunity in its time for people to develop new ideas and new applications. The most notable of those is the very system that you might be reading this on now, the web, the World Wide Web, or WWW.

In 1991, Tim Berners-Lee and CERN released the HyperText Transfer Protocol (HTTP)⁵ protocol and a rudimentary browser called Nexus.⁶ This transformed the Internet entirely, and its technologies developed into what we have today: visual, virtual spaces on the Internet. It democratised the Internet for anyone able to get online through an ISP by allowing people to create easy-to-navigate, easy-to-use and interactive websites. If you’re interested in the specification of such things, the RFC for HTTP can be found here.

What developed after this amounted to what I would call a Cambrian explosion of websites and innovation on the Internet, which, eventually, made it big enough for the financiers to step in. Slowly but surely, bits of the Internet got walled off. Here and there at first. Little by little, then, all at once. The Internet was no longer an open system. Sure, there are still some open systems, but they are dwarfed by the platforms such as Facebook, Microsoft and Google. All are responsible for intimating and pretending to be open whilst closing down the real openness of the Internet so they could sit in between all Internet things and extract money from anything that happened in either direction —Site to user, user to site.

And that’s where we are today. An Internet with a rich tapestry of site designs, features, and opportunities (primarily for grifters). But it is a sad Internet, one with plenty of bad things despite an enormous amount of innovation and ideas for an open Internet. Most of them are stillborn or are stifled or bought out by giants as soon as they make enough of an impression on the masses and possibly threaten an incumbent. Instagram is the canonical example. It was a lovely app for amateur and professional photographers alike to share ‘olde filtered’ square photos taken using smartphones that had only just gained decent camera parts. It is now a disinformation machine entirely driven by advertising, most of it absolute garbage or downright dangerous. There is only one winner, Mark Zuckerberg. It is now a platform that could be subject to health warnings or regulated to change if some of the proposals to control the platform get implemented. It, and others like Twitter, are being targeted by the EU for abusive privacy practices and flat-out violations of the GDPR. But even that doesn’t stop them trying to squeeze the last drop of cash from people. It’s just a cost of doing business. Take a recent example, Facebook. They recently announced a convenient feature called Facebook Link History. Convenient for who? Facebook, of course. It is essentially a key-logging Javascript injected into every site you visit and monitors everything you type or tap on, including your passwords! It should be illegal. Facebook has ignored GDPR since the law has been in force, believing it is too powerful to be taken down.

You should understand that advertising incentives are not aligned with you, the customer, or the seller. If you want to know more about online advertising and understand how the machine actually works and, importantly, why this type of advertising isn’t as efficient as we are led to believe, I’d suggest looking at this EU Commission document. For the record, I don’t subscribe to the notion that you are the product if you’re not paying for it. This is too reductive of an explanation and doesn’t adequately describe what really happens. Advertising giants are squeezing both ends of the value chain, you and the would-be advertiser, by telling you both lies about reach, accuracy, and the other largely made-up metrics.

I believe we should try to get to a modern version of the open Internet of before. I don’t mean dialling back the clock as it is impossible. I don’t believe in the “things were better before” doctrine either. I’m advocating getting back to a point where anyone could have and, this is the crucial part, control their own plot of cyberspace. A more distributed Internet, one that values quality, not quantity. One that values truth, not who can shout the loudest. In trying to explain what I mean in clear terms, I’m thinking about the British Broadcasting Company, the BBC —one of the world’s oldest and most respected media companies.⁷ The Internet link it promotes on its News programs is www.facebook.com/bbcnews. The site and brand is Facebook. Not the BBC! It should only ever be www.bbc.com/news. It should only ever be a space that they control, not a Facebook walled-garden portal.

I’ve been reading a lot about the distributed Internet, and I believe it is a good start. Note: Don’t confuse the web3, crypto, etc model of “distributed” with what I’m thinking about. That is an entirely different “distributed” and a discussion that has somehow damaged the image of distributed in its meaningful form. I want to write more on that in the future as I think it is at the heart of the reason why, in the Caribbean, we don’t have value in using the ccTLDs, with businesses not benefiting from that visibility and attractiveness as in other regions. Anguilla would disagree with me here, but they are the exception currently riding a wave of popularity. The .ai ccTLD is a hot property currently earning the tiny British dependency millions of pounds in revenue.

Harnessing AI Responsibly: Insights from Training Business Leaders

I wanted to mention a little about the new hotness, AI. I’ve been teaching a reasonable number of business leaders about these tools over the last six months.

It is clear to me that I have been surprised by the interest from such a broad range of managers and business leaders for a product that is so technical and so linked to ICT. The OpenAI hype machine has galvanised the public into believing that these tools can make them one hundred or more times as efficient for 100 times less money than they are spending at the moment (on personnel). This, of course, is not true at all, and I find I have to temper expectations and canalise those runaway thoughts they often have about generative AI and how it will make every person redundant.

For the record, I remain enthusiastic about the technology from a basic productivity point of view. I do think it brings something to the table that can be helpful when used responsibly. I liken it to the automated systems on some cars that ensure the correct security distance between you and the vehicle in front without human input. It’s not self-driving. It is just an assistive technology that needs guardrails and human verification. If an accident occurs where you run into the back of the cat in front (despite the technology being activated), who is responsible? The assistant software in the car or you That’s exactly what we’re dealing with when we use these systems. You, the user, remain responsible, and you, the user, should ensure you use it responsibly.

I don’t think discussing accuracy, efficiency or other measures of “intelligence” is helpful at this stage, as these systems are changing rapidly. To give you an example, I have had to modify the training materials no less than ten times in the last six months. I would suggest a wait-and-see approach before integrating them into fundamental or central processes in your businesses that would provoke significant consequences in the case of error or failure. I would also suggest you integrate human-based verification and validation to the output generated to ensure you don’t fall foul of mis and dis-information, obviously wrong answers, and poor analysis that these LLMs can produce. That doesn’t mean that I don’t support the use of them. Please do. However, please don’t rely on them too much, as you may be sorely disappointed and dissatisfied with the results. For once, I’m bullish on Microsoft’s approach, but I would still exercise caution handing over the car keys to Copilot, ChatGPT, Bard and other LLMs.

Thanks for reading, and I hope to email you again soon.

/comittedtodisk

Tolerating intolerance is not a good strategy

When I started this newsletter, I deliberately chose a name that was both specific and generic at the same time. This choice might have felt anodyne then, and perhaps you didn’t even think about it. The title was there to express the feeling that I had about how digital technology was going to become further and further entrenched in our personal and professional lives. On that front, I was not wrong. And if I think about where we were at that time here in the Caribbean, we were only starting to think about these technologies and how they might be brought to reality in the region, but looking far afield at what had been taking place in the United States and Europe and trying to shoehorn procedures, products and services into the local context. However, the truth behind the generic title was that I chose it for a specific reason.

Despite being generally optimistic about technology, but not a techno-optimist, I always felt there was a risk in bringing technology to bear without the checks and balances to ensure we reap the benefits of the technology while minimising potential adverse effects. In other words, I called it The Future is Digital, but I didn’t outline if that future was good or bad. It was a hedge. It was a guess. And it was a feeling that I’ve been harbouring for a long time now, without being able to put my finger on why. The future of The Future is Digital will go into that over the coming months, and I invite you to follow and share your thoughts along the way. I will make mistakes, have bad takes on an idea, and perhaps hit the nail squarely on the head at times. When you do this kind of work, you open yourself up to the possibility of learning something deeply because writing is thinking. If you don’t like my point of view, or you feel my arguments are not good enough, engage with me. I’m open to discussion and will always remain civil in my replies. Online communication has gone to shit over the last few years, so I’d like to promote a little civility.

When I started this newsletter, I took a lot of time researching how I could get it online in a qualitative and non-ad-intrusive way. I settled on a brand new system offering a compelling argument to host my newsletter. It is free to use until you start charging people for subscriber-only access. At which point, they would take 10% + payment processing fees. I signed up to create a Substack when it was still only a niche platform with a handful of writers using it. I’d never intended to stay there indefinitely and hoped to raise enough money to self-host it elsewhere in the future. I felt it would be best to own and control a host fully in the long run, but that idea was a long way off. Hold onto that notion, as it will become more apparent in my future writing for this newsletter. Oh, and while I’m here, apologies for not keeping up a regular writing schedule; more on that later.

So, where is this newsletter as of today? I’ve written just short of 100 posts over the last couple of years and some several hundred thousand words, with a couple of popular articles:

and (unsurprisingly):

These posts were particularly popular compared to the others and elicited discussion between myself and a few people, mostly offline, given that I am not really that online despite being very “digital”. But to cut a long story short, I am about to embark on taking this newsletter to a different place in two respects. Firstly, I’ll be moving off the Substack platform as soon as possible. Then, I will be making an effort to pick up from where I let it slip over the last couple of years.

Starting with the platform shift. If you are subscribed, you shouldn’t notice any difference, save the look and feel, and perhaps the need to take a quick dip into your spam mail in the event your mail provider marks my new newsletter as spam. Here’s why.

1. Substack and the paradox of tolerance

Karl Popper’s Paradox of tolerance states:

… that if a society's practice of tolerance is inclusive of the intolerant, intolerance will ultimately dominate, eliminating the tolerant and the practice of tolerance with them.

If you’re unaware of what has been happening at Substack, let me indulge myself in giving you a brief overview in complete fear of invoking Godwin’s Law.

Dave Karpf, along with some two hundred or so writers, sent an open letter to the owners of Substack to ask that they clearly state their position when it comes to platforming Nazis. I think most of us can agree that the correct number of Nazis that you should host and tolerate is zero, or if not zero, then as close to zero as it can be. The paradox of tolerance should perfectly explain why that is. Then there was a particularly cack-handed communication roughly translated as “I didn’t know he was a racist”. If we take that at face value, the fact that he didn’t do his homework (which would have quickly and easily determined his guest’s POV), this a remarkably naive thing to have done and a complete failure on Hamish’s part. Then there was a convenient post by a different bunch of Substack writers who seem to be ok with Nazis being invited to the party and promoted by Substack. Then, after the pressure built with public announcements of several high-profile writers abandoning the platform, Substack finally stated its official position explaining that we should be tolerant of things that we are not comfortable with and therefore tolerate Nazis on the platform. It was as bad as it sounds.

The most egregious part of the stated position is the false ideology that is awash in the tech scene, that all speech is equal and, therefore, should be treated equally. In my view, this is so flagrantly naive that it beggars belief, and I am astounded that while writing those words, they didn’t have a moment of reflection to try perhaps to fully understand the gravity of what they were saying. It is like saying that all cell growth is equal, and therefore, we should give cancer a chance because it should be treated equally to any other cell growth. Cancer is cancer, and we deal with it accordingly within the means we have. Nazis, white supremacists and the like are a fucking cancer and should be dealt with accordingly. Cancerous cells will eventually take over the host, fully consume it, and ultimately kill it. So it is with Nazis. They will consume everything until they, and only they exist. It must be stopped at every opportunity.

Substack is a private platform, and I will defend its right to decide where it wants to position itself. This, however, also means that I will defend the right of writers to criticise it and demand a certain amount of reasonable censorship, transparency and equal application. I would also support anyone wanting to go elsewhere and try to put pressure on the other enablers in the value chain. And I would defend Substack’s right to associate with Nazis. But that will not stop me from expressing that I believe by enabling and promoting Nazis, they become Nazis at worst and Nazi sympathisers at best. I will be doing everything I can to help crush this cancer. I will not tell you what to do with your attention and money; that is up to you, but if you agree that Nazis should not be tolerated, then I would recommend that you unsubscribe from any Substack until such time as they start to do their best to eliminate this cancer. That is what I am doing.

You may ask why I am so uncompromising with this. Well, some of it is about the way Substack operates. Substack’s response is all well and good taken in the first degree, but when you look deeper, you’ll notice they do moderate. For example, pornography is not allowed on the platform, and they do a pretty good job moderating that. They also state clearly in their terms that hate speech and calls for violence are not tolerated. Perhaps I’m a fucking idiot, but the last time I looked, white supremacy ideologies were hate speech. I could go on, but frankly, I’m pretty wound up about this and particularly disappointed with what was once a great platform to help (very) small-time writers like me get out there. I’m going to suck it up and shift to a different platform, of which I haven’t decided yet. I’m torn between micro.blog or WordPress. Both have upfront costs associated (unless I accept ads on WordPress). It’s not a lot, and I’ll probably put it down as a work expense, as this venture was always related to my business and is probably partly responsible for my getting several consultancy opportunities.

Substack is treating us like morons and trying to avoid telling the truth about the reason why they’re taking certain decisions. Fine, go ahead and take money from Nazis and white supremacists. Just don’t expect me and a lot of other people to participate, and do expect a lot of us to find ways to stop the cancer from spreading.

2. Picking up from where I left off

The last two years have been particularly challenging for me personally. It is likely the main reason my writing output has fallen off a cliff for this newsletter. I haven’t not been writing, just not here.

I was recently diagnosed with two neurological conditions. I’d actively sought a diagnosis for one of the conditions, so the result didn’t surprise me; it was the other one that hit me unaware, and despite being grateful to have a formal diagnosis, it hit me much harder than I thought it would. And in true style, as anyone who knows me well enough offline, this happened during the world’s biggest crisis since 1918 and the Second World War. Awesome.

I’m unsure what to do with the information besides understanding it in more detail and interpreting how it affects my daily life. That’s what I’m doing, but honestly, I’m a little lost about that. I know there are mitigation strategies, and I have, over time, naturally built up some of them, but they are nowhere near being as effective as I would like. And at 53 years old, teaching the dog new tricks is harder to do. Not impossible, but a little more challenging.

To give you more detail without giving you access to my medical history, two conditions (that may or may not be related) cause executive functioning difficulties in day-to-day life. Charitably, when you have two, it is called twice exceptional or 2e for short. This is the optimist’s view. I prefer to call it twice-afflicted for the moment. And I would add that I call it thrice-afflicted, as the two contribute substantially to a third difficulty (although not a condition, nevertheless, very difficult in its own right). Again, if you know me well enough offline, you’ll know or have suspected some of this already. I have either discussed a subset of this with you. What I haven’t done is open up generally about it until now. But I’m not going to name them online for obvious reasons. (Yes, you, the morally bankrupt advertising industry on the Internet.) Feel free to reach out if you want to know more. I’ll be happy to discuss.

So, in trying to pick up from where I left off, I hope to gather the bits and pieces and develop a couple of plans to help me write more often. I have been doing some of that already, and I’m seeing some of the fruits of that labour. What I don’t promise to do, however, is write about tech in a sycophantic and all-starry-eyed manner that I was perhaps a little guilty of at first.

Contributing to the third affliction is a feeling of disappointment and an impending sense of tech being co-opted by forces that are not true to the stated ideals of its makers. See Substack above. See also the absolutely shameful bunker being built by Mark Zuckerberg in Hawaii for when the shit hits the fan, and he can say, “Fuck you, Jack, I’m alright thanks to me extracting your wealth to my bank account.”

I’ll discuss some of that another time.

Regardless, I hope you have a good holiday. Connect with what is meaningful to you. Connect with family and friends, and enjoy the break. I’ll try to write something in early 2024.

/committedtodisk

A brief look at the state of affairs and a few recommendations

Sorry for the hiatus. I *really* wanted to write more here, it just wasn’t possible.

To make it up, this one is a fairly long one, despite taking an axe to the original draft. 🤣 I hope you like it, and don’t hesitate to ping me if you want me to expand on any areas that I have deliberately kept brief.

Enjoy!

Within the last ten to fifteen years, there has been an almost exponential growth in the use of the internet in the Caribbean. Typically internet use had been lagging behind that of many parts of the world. This dramatic change has occurred rapidly and, unfortunately, without the guardrails typically developed during the progressive adoption of the Internet. The Caribbean has gone from a tiny percentage point in adoption to nearly 70% of the population, totally skipping the progressive uptake as we have seen in the US, the UK and the EU.

Internet use in the Caribbean is primarily through a mobile contract, with more mobile phone connections than people in the region. Many people have two or more mobile phones, often with data connections. And even though mobile internet in the Caribbean remains relatively expensive, with certain caveats, mobile internet usage is greater than that of fixed broadband use and is, for many, the only way they interact with the internet through apps or social networking. Once a subscriber gets a smartphone and a data connection, there is an almost 100% signup rate for social media such as WhatsApp, Facebook and Instagram.

As our lives and the economy surrounding us become digitalised with ever-more products, services and processes moving into the virtual world from the physical world, so does the threat of misconduct. In the same way that crime has followed —and, in some cases, driven innovation— our lives are under pressure from actors worldwide that target us based on our weaknesses. The potential for harm is significant, from losing money to becoming unwittingly part of an organised attack on larger targets like state attacks. As the economies of scale of internet use and online life increase, so do the economies of scale of potential for crime.

This has not gone unnoticed, and small businesses and the public are starting to emphasise protection, detection, and clean-up tools in much the same way that we in the Caribbean are aware of environmental and natural disaster risks and planning accordingly. It is estimated that the biggest spenders on cybersecurity over the next three years are micro-sized and small-sized businesses – the backbone of companies in the Caribbean which are estimated to be somewhere in the region of 95% of businesses in Latin America and the Caribbean.

Cybersecurity in the Caribbean is at an early development stage, and specialised service companies that fill the requirements are few and far between. Small businesses and the public need specialised help at affordable costs to ensure they do not fall victim to cybercrime.

Read on.

The Caribbean Context

It will come as no surprise that Cybersecurity is fast becoming one of the most pressing issues for business and society in the coming years. The Caribbean perspective is no different from that of the rest of the world; however, certain specificities make the challenge more delicate and need particular attention.

The distributed and only somewhat-collaborative nature of the Caribbean (the CARICOM members) and the fractured nature of the regional geopolitical situation (French, Spanish and Dutch West Indies sharing the space with the English West Indies) require a more integrated, collaborative and subtle approach.

For the most part, the larger countries in the Caribbean have tended to follow patterns seen in larger countries worldwide. They have become more outspoken in their knowledge and response to the region's cybersecurity issues. As companies in the Caribbean have become more visible to the broader world, thus increasing risk, governments, businesses, and citizens alike have become more aware of those risks and of the need to implement adequate protection systems to fight unwarranted incursions.

There is an increase in risk proportional to the rate of economic development; thus, as the Caribbean becomes more developed, cybercrime becomes a more viable means of extracting money from any unwitting community simply because the perceived potential financial gain is much more significant. Cyber malfeasance is a business! Pure and simple.

Case Study: Costa Rica – State of Emergency

Regrettably, Costa Rica recently saw this when it had to declare a state of emergency after multiple government agencies fell foul to a Conti ransomware attack. Not only had data been rendered inaccessible by AES-256 encryption and an attached US $10 million ransom (subsequently raised to US $12 million), but government data had been extracted over several months and later leaked openly when the government refused to pay the initial ransom demand. As of late April 2022, some 97% of a 672GB data dump was publicly available. Fears for the extent of data included have mounted, and so far, no review has been ordered to determine the risks for citizens and businesses of Costa Rica. But as some of this data appears to have been extracted from health systems, customs systems and other government systems that deal with payments (Social Security and Social Development), the fear is that many may fall foul of the spread of this data in the coming months and years through phishing the general public or through highly targeted attacks on influential or wealthy individuals.

The Trinidad and Tobago Cyber Security Incident Response Team (TT-CSIRT) recently observed a sharp increase in malicious cyber activity targeting local and regional entities.¹ The TT-CSIRT urges all entities (public and private) to adopt a heightened state of awareness.

The Caribbean has been slow to acknowledge cybersecurity threats to the region. A lack of data and measurement has meant that many successful attacks on business and government have gone unnoticed by the population, exacerbated by a culture of silence. No high-profile witnesses have spoken up about their experience dealing with the initial phases, legal process, and clean up after an incident. Fear of damaging customer confidence is partly responsible for this; however, this only leads to less information on how cybercrime affects the region. It would be safe to say that what is reported is only the tip of the iceberg and that cybercrime is much more prevalent than is generally known.

Recently, governments and institutions have made more effort to address the issues, including public awareness campaigns and working with international NGOs to develop a better cybersecurity posture for people and businesses alike. One example is Get Safe Online. Get Safe Online operates through a network of Ambassadors that organise in-the-community training using the tools and training materials developed by the organisation.

Legislation and cybersecurity strategy

When it comes to cybersecurity law, the picture is not much better. Saint Lucia, for example, has an “in development” National Cybersecurity Strategy, and despite taking the lead compared to its neighbours in the OECS, it somewhat lags behind the international community. Barbados is another country with the ongoing development of cybersecurity legislation. The most significant barriers to establishing and implementing legislation are government capacity and political willingness. A government like Saint Lucia’s faces challenges on many fronts, stretching resources beyond capacity. A general lack of world-class expertise is also apparent in the region, coupled with a general feeling that cybersecurity is only an ICT responsibility, making cross-government and cross-sector priorities challenging to place at the top of the list.

In the wider OECS region, only Saint Vincent and the Grenadines has specific cybercrime legislation with the Cybercrime Act of 2016. In other countries, cybercrime is regulated under Computer Misuse Acts or Electronic Crime Acts. They are primarily focused on how technology is used to commit crimes without explicitly addressing cybersecurity and how to deal with attacks on information systems. Questions remain on the capacity of countries to adequately prosecute this type of crime which relies on having sufficient infrastructure, personnel and accompanying judicial systems. Many lack the right equipment, software, and training to identify cybercrimes correctly.

Regionally, CARICOM IMPACS has sought to establish harmonised standards of practice, expertise and systematic treatment of cybercrime. It has additionally targeted infrastructure capacity-building to increase crime detection, law enforcement investigation and prosecution. RSS, or Regional Security System, is another organisation with a mandate to prevent and defend against cybercrime that has limited scope for responding to cyberattacks, somewhat because of a lack of harmonisation of policies regionally. Like many regional organisations, they, unfortunately, lack funding and capacity to respond adequately to the modern threat landscape.

What about CSIRTS?

Similarly, the state of Cyber Security Incident Response Team (CSIRT) development in the Caribbean lags behind the South American continent and the broader region. Only Barbados, Jamaica and Trinidad and Tobago have implemented funded and functioning CSIRTS. Suriname has restarted a program after having abandoned it a few years ago.

The impact

Small and micro-sized businesses are the backbone of the private economic structure of the Caribbean, and it is precisely these businesses that are the most vulnerable and the least resourced to deal with the complexities of digital security requirements of today. This has been substantially exacerbated by the COVID-19 pandemic, in which new expectations by employees on how, when, and where to work are becoming normalised. Working from home and the expected turn towards a flexible hybrid model for workers have widened the security exposure for companies. In other words, attacks do not need to target one specific network to gain entry to a company; many distributed networks are potential threats. This makes it difficult for understaffed, undertrained and crucially under-financed IT departments to manage such distributed networks in physical and technological terms.

Whilst cloud computing is still in the early development stages in the Caribbean, not all businesses and administrations are advancing simultaneously. Some are more advanced than others, having moved not only low-hanging fruit applications like email and accounting to the cloud but have embraced the possibilities that cloud computing offers, shifting line-of-business applications and identity services and other business-critical services off the on-premises systems. Moving to the cloud changes the security exposure for the entity in question, requiring specialised knowledge to best protect and monitor for breaches and unplanned downtime.

The COVID-19 pandemic has left MSMEs with budgets for investment at historic low levels. MSMEs are typically small businesses with more pressing day-to-day issues, such as immediate revenue generation to pay the bills. With existing relationships with telecom providers, the telecom companies will likely provide cybersecurity offings soon, given the network-based nature of the threat.

The threat landscape (non-exhaustive)

Understanding global threats and their provenance will also play a prominent role in understanding the landscape and developing solutions to minimise those risks. The most common threats to small businesses and administrations in the Caribbean are estimated as follows:

1. Ransomware

Immediately after a successful penetration of defences, a small application sits in background tasks on the infected computer or computers, slowly encrypting data using a virtually impossible-to-decipher encryption key. Once the data has been fully encrypted, the user is alerted that the data is now inaccessible. A ransom of a significant amount is required to decrypt the data and allow access once again.

2. Social Engineering or Phishing

Social Engineering or Phishing is a psychological technic to garner an employee's confidence in a company or government office and then exploit that confidence to extract information or gain access to restricted data. It is often the method used to deploy ransomware and is the weakest link in the armour of cybersecurity.

3. Internal malicious intent

Although relatively rare by most counts, the risk of a disgruntled employee with access to confidential and vital data is manifest. This can be highly disruptive to a business or administration. For example, employees on social media displaying discontent can be the target for exploiting weaknesses to enter a network.

4. Poorly configured and patched systems

Even the best firewall is only as good as its configuration and patch level. Poorly configured or outdated firmware in IT equipment is a regularly exploited vector for entry into the target network.

5. Poor credential hygiene

Easy-to-guess passwords, not regularly changed passwords, and sensitive data with poor access controls are easy targets. Sparse use of two-factor authentication also plays a role in allowing those that should not be permitted.

Mitigation Strategies and Policy Guidance

The following is just a small sample of the opportunity to improve the threat landscape in the region. If you’d like more detailed advice, please let me know.

Invest in the expansion and capacity-building of CSIRTs and regional cybersecurity organisations

Only with adequate and ongoing funding will the diverse region be able to fully appreciate its desire to develop world-class cybersecurity services protecting the public of the Caribbean. We would recommend regional, local government, NGO and private sector funding be increased substantially and rapidly. Events in Barbados, Trinidad and Tobago and more recently in Martinique show the threat is here and the consequences substantial.

Development of affordable managed services for the region

Security software of the past that required an initial purchase, installation and configuration to become fully operative and successfully manage that threat cannot deal with today’s ever-changing security threat landscape. Capital purchase of security software is no longer adapted, and the business model has changed.

We recommend that a managed service provider (MSP) starts with a small but highly specialised team incentivised and remunerated on contract signups and renewals. As the business grows, so can the team and the incentive structure.

Develop and deliver targeted education for users, managers and decision-makers

As with much in life, better education is the key to fundamentally understanding and acting on the current context. There is, sadly, not enough specialised education in the region for the general public to fully understand the implications of good cybersecurity practices. Although organisations such as Get Safe Online have been doing some of this over the last few years, we recommend that governments and NGOs invest in developing local training and awareness on specific cyber security issues, such as protecting smartphone use on the internet.

Develop targeted and highly focused services designed for MSMEs

Customers need to quickly see the value of the offering and be onboarded rapidly and without difficulty. Time spent designing simplified services and automating the onboarding process for the customer will allow the customer to take advantage with less apprehension. Particular attention should be given to building modular services, allowing flexibility in the offering tailored to the customer and not the supplier.

Understand where existing services lack and fill those gaps

Conducting a gap analysis of the state of cyber defences in the Caribbean, looking at the state of government or law enforcement’s resources and role in cybersecurity, including participation from the private sector. This will likely identify complementary areas of interest, encouraging the broadest and most efficient development possibilities.

Develop Security-as-a-Service offerings sold as insurance policies

Just as we have cyberattack software as a service, we should have Cybersecurity as a Service. Software as a Service (SaaS) has been a great enabler for small businesses to use enterprise-grade software that was previously out of reach financially and technically. So it should be for cybersecurity. Providing a service offering akin to an insurance contract (leaving the details of the included/excluded services outside the scope of this report) would allow MSMEs to strengthen their defences in the most cost-effective way.

––––––––––––––––––––––––––––––––

¹ https://ttcsirt.gov.tt/threat-alert-2022/

If you liked (or not) this article, please leave a comment:

Leave a comment

Don’t forget to:

Share The Future is Digital

Writing a paper for an International journal resulted in a better understanding and stopped me in my tracks.

Excuse the rambling. This is written in the true sense of blogging, and it started life as a short blog post idea, transforming into this, for what it’s worth. So I decided to cross-post it here first. I’ll publish it verbatim on my blog soon. That blog is another outlet for my brain, and not exclusively about matters digital.

I wrote a paper proposal for an international hotel industry journal sometime last year. My proposal was accepted, and I started writing in earnest. The paper had a deadline, and I was on track to finish on time, which is extremely rare for me. Sadly, that went south as I progressed and began to formulate a more complete picture of the technology I was writing about and its origins.

The title was:

Is Web 3.0 the next great opportunity in tourism?

The introduction goes like this:

Since the advent of the commercial internet, businesses in the travel and tourism industry have harnessed technology to promote their destinations. Some early tourism websites tried, in vain, to replicate the marketing materials traditionally used to promote destinations, mainly hotels.

This “copy and paste” methodology was seriously limited due to the underlying factors that meant that media-rich websites were near unusable for those with dial-up internet at 56kb/s and invisible for the majority who had not yet become connected to the internet. These simplistic lists of hotels and tourist attractions displaying available amenities neither incited nor informed potential visitors.

Broadband’s wide deployment and adoption enabled a new generation of technologies that would later be named Web 2.0. These technologies allowed media-rich websites to be developed. Many hotel websites today not only market properties in attractive ways but also allow potential visitors to reserve rooms, pay for their stay, and in some cases, simplify check-in and check-out, all achieved automatically without any interaction with reception staff. Today, many of the technologies of Web 2.0 allow hotels to generate first-party data for use elsewhere in their business. For example, for marketing, demand generation or even stock control. It allows benchmarking against other hotels within the same group or in comparison to similar competition. The distinction is important, and it separates these businesses from others that operate through travel agencies, typically providing little or no valuable data for such purposes.

Today, we are at an inflexion point where technology is evolving rapidly, and the adoption is accelerating and becoming more democratised. Technologies like Blockchain, Augmented/Virtual Reality, digital money (through tokens and CDBCs), and the metaverse can allow businesses in the travel and tourism industry to take advantage of this shift. It enables better value and faster client discovery. For example, several key performance indicators, such as the technology acceptance model (TAM), perceived usefulness (PU) and perceived enjoyment (ENJ), showed how virtual reality helped maintain potential visitor interest in destinations cut off by the pandemic and how that technology affected the tendency to visit the actual site (TenAS) (El-Said and Aziz, 2021).

This paper will discuss these technologies and how they may be harnessed so that visitors and non-visitors alike can be incited to visit destinations around the globe, thus generating value for the tourism industry.

Do the new technologies of the Metaverse and web3 provide opportunities for the tourism industry?

Specifically, the following research questions will be addressed:

1. What are the new technologies, and how are they used?

2. What are the opportunities and risks associated with this technology?

3. How can the tourism industry best utilise this technology to its advantage?

The paper’s structure was pretty classic in that there is an introduction (see above), a discussion on what web3 is, a literature review, and a discussion ending with conclusions. All sections are researched and backed up with examples and references.

A lot of it has already been written. Sadly, I started this at possibly the worst possible time for the technology, as it coincided with when web3 began to be exposed for the smoke and mirrors it turned out to be.

I couldn’t faithfully finish the paper as I was becoming increasingly sceptical about the fundamentals of web3, its purported merits and far-right origins. How could I write such a paper and stand by it when I didn’t believe or support most of it?

I have always been crypto sceptical, but I have kept an open mind on blockchain tech and have publicly said so on several occasions here and as a guest on various podcasts. No longer. I’m no longer much of an enthusiast about it.

How did I get here?

Writing a paper is nothing like writing a blog post or firing off a simple observation on social media. For one, papers are generally peer-reviewed before publication. That process starts at the proposal phase, and my proposal didn’t pass on initial inspection, requiring some changes to be considered for publication. Peer review is brutal. If someone doesn’t like or agree with you, they’ll tell you straight and point out why with facts, observations and references as to where you are wrong. When diving deep into a subject, you can quickly build a cognitive bias and eventually see things that aren’t necessarily there or see something that you wish was there (wish casting). During peer review, this is spotted and called out almost immediately.

Secondly, as I researched deeper into the world of web3, I found more things that I couldn’t agree with. It made me uncomfortable and left me dealing with cognitive dissonance. Cognitive dissonances never end well. One example of the things I was struggling with was the criminal amounts of energy wasted by one of the most useless technologies ever conceived. Blockchain. Without getting into the technical details, some blockchains use what is termed Proof of Work. Linked is the Wikipedia article on what that is. Take the time to read it. Reread it if you have already. I refer to it as Proof of Waste, as I have concluded that it is a more accurate term. Blockchains waste disgraceful amounts of energy on slow validations that could easily be done with existing database technology for a fraction of the cost and an order of magnitude faster.

Yes, I know that the new shiny kid on the block is Proof of Stake, and its energy consumption is vastly reduced. But it also goes directly against a central tenet of web3, decentralisation. Proof of stake puts power into the hands of the most invested (as in money). That sounds very distributed and democratic to me. The EU has recommended that Proof of Stake be used instead of Proof of Waste, threatening an outright ban on it. Only one high-profile cryptocurrency has completed the move to Proof of Stake, taking over eight years in the process.

But here’s another aspect that many seem to have misunderstood. Blockchain is directly against the law in the EU, as outlined in the General Data Protection Regulation (GDPR). Of the advertised “advantages” of blockchain is immutability. Blocks are Immutable, i.e., permanent. This is illegal in the EU because the GDPR mandates that people have the right to correct errors and rectify false information through due process. Blockchain doesn’t (can’t) do that. Data on the chain is not erasable. Likewise, illegal. Blockchain prevents ledger data from being deleted. That data is part of the chain. Break the chain, and you break the system.

Then there’s the whole thing of NFTs or Non-Fungable Tokens. What a scam! Personified recently by a certain DT, camply cosplayed up as various imaginary Superheros, and a grift so big it could probably be seen from space.

For the paper —getting back to the subject— I’d thought about how destinations and hotels could mint tokens and sell them as souvenirs. I still quite like the idea and think it has some merit, but the ecosystem is not yet there. Regulation is missing. How do you display them? Can you resell them? What governs gains, losses, and value? Do people really want to virtue signal they’ve been to Bali in this way? How do you prevent grifters and scammers?

For the moment, NFTs are essentially simple pump-and-dump scams that prey on the unsuspecting, the vulnerable, and the plain stupid. I don’t think that is a morally acceptable way to run a business. But then again, I’m not a thief.

On the energy aspect, with energy costs rising and no near-term solution to the impending climate crisis, any project that adds to the planet’s burden should be considered illegal. Yes, you can say that my words here are useless and use energy wastefully in their production, distribution (email) and reading. That’s true. But wake me up when this uses the amount of energy of a small European country, and I’ll gladly stop. Wake me up when the sum total of all the WordPress blogs on the internet reaches the same energy levels as that wasted by Bitcoin to “prove” your magic bean is worth something. And don’t forget that there are literally hundreds of thousands of other magic beans out there too!

They presented some of the systems they’d built and yep, we were impressed. Then, with the startup CTO in the room, one of my fellow engineers asked the key question: “All these systems, are there any that wouldn’t work without blockchain?” The guy didn’t even hesitate: “No, not really.”

The above is taken from a blog post by Tim Bray (AWS). Pro blockchain or not, you should read it as it nicely sums up blockchain’s uselessness.

Even more sinister…

Back to the paper. During my research, I happened upon the following book:

The Politics of Bitcoin: Software as Right-Wing Extremism

Here’s an extract:

By far the majority of interest in Bitcoin came from technologists and those who follow and admire the work of technologists. To those of us who were watching Bitcoin with an eye toward politics and economics, though, something far more striking than Bitcoin’s explosive rise in value became apparent: in the name of this new technology, extremist ideas were gaining far more traction than they previously had outside of the extremist literature to which they had largely been confined. Dogma propagated almost exclusively by far-right groups like the Liberty League, the John Birch Society, the militia movement, and the Tea Party, conspiracy theorists like Alex Jones and David Icke, and to a lesser extent rightist outlets like the Fox media group and some right-wing politicians, was now being repeated by many who seemed not to know the origin of the ideas, or the functions of those ideas in contemporary politics. These ideas are not simply heterodox or contrarian: they are pieces of a holistic worldview that has been deliberately developed and promulgated by right-wing ideologues. To anyone aware of the history of right-wing thought in the United States and Europe, they are shockingly familiar: that central banking such as that practiced by the U.S. Federal Reserve is a deliberate plot to “steal value” from the people to whom it actually belongs; that the world monetary system is on the verge of imminent collapse due to central banking policies, especially fractional reserve banking; that “hard” currencies such as gold provide meaningful protection against that purported collapse; that inflation is a plot to steal money from the masses and hand it over to a shadowy cabal of “elites” who operate behind the scenes; and more generally that the governmental and corporate leaders and wealthy individuals we all know are “controlled” by those same “elites.”

David Golumbia continues to outline how Bitcoin embodies extremist ideologies through Cyberlibertarianism and Internet Exceptionalism frameworks. Simply put, governments should not regulate the internet, and the internet is different and can’t be governed by mere mortals that don’t ‘get it’. This is in line with the extreme right’s ideology, which has brought us to world war, mass ethnic killings, and, more recently, the genuine possibility of a wholesale destabilisation of society. Linking these ideas to the Tea Party, the John Birch Society and conspiracists like David Icke and Alex Jones, the book does an excellent job of showing how the definition of “freedom” is less clear when you question it more robustly. Presciently, he mentions how some public figures do not necessarily outwardly declare their adherence to these ideologies but have demonstrated just that. Elon Musk is one such specimen. There are others, but take note of the ongoing (December 2022) train wreck at Twitter for context. Another article cited in the book is that of Langdon Winner (1997). A must-read, in my view, in which is discussed a personality not talked about much outside Silicon Valley. Ayn Rand. She’s a darling of Silicon Valley but was almost certainly a sociopath. If you have access to the BBC, watch “All Watched Over by Machines of Loving Grace” to better understand her and her effect on the Silicon Valley mindset and culture.

To these people, freedom always seems to mean the freedom to do “what I want”, without regard for others.

The Politics of Bitcoin is short —70-odd pages— but I highly recommend it. If you are from a technical background, like me, this will provoke thoughts and perhaps challenge some of your preconceived ideas about tech in the 21st Century. You don’t have to agree, but disagreeing through knowledge is infinitely better than a position to the contrary through ignorance.

Final thoughts

The tourist industry is already under scrutiny for its environmental effects, from ecosystem-damaging hotel developments to carbon waste (mostly travel). I didn’t want to be the author of a paper that promotes or encourages damaging consequences through needless and scam-enabling technologies like crypto and NFTs. Especially not just because it is “cool stuff”. I didn’t want to be part of a group that ignorantly legitimises innovation to extinction.

There may be a future for NFT-type spin-offs once regulation and other parts of the ecosystem are ready, and blockchain might evolve to become genuinely useful. But I suspect that evolution to look remarkably similar to database technology we’ve had for decades.

This experience was enlightening, and I wouldn’t change it for the world because it helped me come to a better, more nuanced understanding. In the near future, I may propose a different paper, although I suspect it might not be accepted. We’ll see.

Share The Future is Digital

Have a great holidays, and I’ll probably write some thoughts in the new year.

Take a peek here...

Rather than whine about how I’ve been busy and haven’t had the time or resources to write too much for this newsletter, I thought I’d share a few of the things I’ve been doing so you can get up to speed. Forgive me for the shameless self-promotion.

I’m currently writing an article on tech regulation. I’m looking at it from a different angle that I think will be interesting. I’ll share it here as soon it is in a decent state.

Reports

Firstly, I co-authored a report for USAID Eastern and Southern Caribbean Mission, entitled “DIGITAL ECOSYSTEM COUNTRY ASSESSMENT (DECA) Eastern and Southern Caribbean”

It can be found here and is publicly available to anyone.

I’m immensely proud of the report I co-wrote with a wonderful team. We were 100% online and have still never met in person. Despite this challenge, I think we were all able to put together out some great work within the limitations of the context, but also the limitations a report like this naturally imposes.

We were able to pair it down to 121 pages (don’t be put off, it’s straightforward to read). In reality, we could have all produced around 120 pages each!

From the report, the main findings:

PILLAR 1: INFRASTRUCTURE AND ADOPTION

The broadband and mobile infrastructure for the region is generally good. While networks have appeared to stand up to increased utilization during the shift to online work and school, the COVID-19 pandemic exposed gaps in access to and affordability of the internet. Leveraging universal service funds, testing last-mile technologies, and exploring innovative policy approaches to increase competition could help make mobile data and internet access more inclusive and affordable. Coordinated action across the region may reduce vulnerability among excluded communities and foster online education, training, and work opportunities.

PILLAR 2: DIGITAL SOCIETY, RIGHTS, AND GOVERNMENT

With emerging activities rolling out under CARICOM’s Single ICT Space initiative and digital transformation projects across the region, development actors including USAID can support and coordinate complementary activities. For example, the cybersecurity action plan developed by the CARICOM Implementation Agency for Crime and Security (IMPACS) can strengthen the institutions and systems needed to support digital transformation efforts. With digital identity initiatives, data privacy concerns and misinformation starting to arise in the region, civil society and media play an increasingly important role in fostering institutional accountability. Supporting civil society and media to engage on emerging issues could foster robust and safe engagement for citizens, as digital transformation progresses.

PILLAR 3: DIGITAL ECONOMY

The region boasts some of the first adopters of central bank digital currencies and efforts to utilize new digital financial service technologies. While there have been recent set-backs, particularly with the Organization of Eastern Caribbean States (OECS) DCash pilot, efforts to responsibly pilot new FinTech solutions will inform the global community working to strengthen financial inclusion and resilience. The tech startup environment is steadily expanding. Startups are emerging in myriad sectors, yet entrepreneurs struggle to find investors comfortable with investing in technology solutions. Youth interested in tech have limited options in the formal education system to develop digital workforce skills. E-commerce offers a promising avenue for the region to connect to larger markets and foster innovation. Although the COVID-19 pandemic accelerated e-commerce uptake across the ESC, it continues to be hindered by suboptimal digital payment systems, and the absence of a region-wide strategy and supporting legislation.

I’d like to publicly thank Chelceé, Amy, Ariel, Samantha, Mansfield, and the teams at DAI and USAID that contributed.

I have continued work on the Trade Enhancement for the Eastern Caribbean (TEECA) project. I recently wrote a report on the state of Cybersecurity in the Caribbean and the opportunities in that field. The report is private, but I intend to write something here in the coming weeks.

For the same project, a couple of other reports providing guidance on the tools and services MSMEs can use to leverage cloud and automation have also been provided. Again, these are private, and I cannot share them. As these are pretty focused on the companies involved, I’m not sure I can add much value here in this format. However, if you would like to have some thoughts about those tools and how they can be leveraged, let me know in the comments, and I’ll see if there is enough demand.

I was asked to peer review an upcoming report, and I can say that it is an excellent start and something to look out for when it is out. I’ll let you know, but I can’t say more than that now.

The other big project I’ve been working on is taking shape, and I’d love to share more details about it in the coming weeks.

I’ve been working with a partner, and I think we’ve solved some problems with these reports. This information is so valuable to business that we’d like it to be available to anyone who needs it. That’s the first clue. Don’t ask for others. 😉

I nearly finished a paper on the travel and tourism industries’ potential use of web3 technologies but didn’t finish in time. As I was writing it, the space became very fluid, and the bottom dropped out of many of the (obvious) Ponzi schemes, making my analysis very difficult in such a fast-moving (and not in a good direction) environment.

I’m thinking of picking this up again and re-thinking through, now things have largely settled - or at least the big issues have calmed a little unless some billionaire shitposts something that stirs it all up again!

Podcasts

Since I last published, I have spoken on several episodes of the ICT Pulse Podcast. And today, the latest one is out, where I discuss the USAID report. Please go check it out.

For your convenience, here are all the episodes I’ve featured (latest on top):

ICTP 227: Are we there yet? Understanding the Caribbean region’s digital ecosystem and how developed it is

ICTP 187: Artificial Intelligence, key emerging issues and opportunities, with Matthew Cowen

ICTP 181: Internet Exchange Points and the data scarcity challenge in the Caribbean region

ICTP 160: Understanding how technology perpetuates bias, with Matthew Cowen, of dgtlfutures.com

ICTP 133: Confusing smart with digital, and the challenges of achieving innovative disruption in business

ICTP 080: Discovering Martinique, with Matthew Cowen of dgtlfutures

ICTP 054: Community Chat on ride-hailing services. Can they complement the public transport system in the Caribbean, and what might be their social impact?

I also spoke on the excellent Innovation, Agilité & Excellence podcast with Jean-François Nantel and Éric L’Heureux. This is recorded in French along with my silly accent 🤗. Links here (latest on top):

Épisode 66: Échanges croisés sur la transformation numérique avec Matthew Cowen

Épisode 47: Web 3.0, IA et Blockchain avec Matthew Cowen

Épisode 13: La transformation numérique avec Matthew Cowen

Presentations

A while back, I had a chance to meet with Amazon Web Services in Martinique. We chatted, and I was asked to do a quick presentation on the context of the Caribbean and how it is essential for MSMEs that wish to undertake moves towards Cloud Computing.

I’m waiting to see if the video is available. As soon as I know of a link I’ll share it here.

In the meantime, if you’d like to get a copy of the presentation slides, I’d be happy to post them here with the main talking points annotated. I think the information is useful and quickly gives you an overview of the salient points.

The next presentation share is an older video of a presentation I made for the aforementioned TEECA project. I share the results of an Opportunity Study I wrote back in 2020/2021. Again, I think this is a good summary, and although some data has changed since then (mostly improved), it gives you a good idea of the market in the Eastern Caribbean.

YouTube link here. (French)

Other stuff

I teach Informatique and English (1st year) at Vatel Business School in Martinique. Vatel is an international hospitality management school, and it is a privilege to share some of my experience and knowledge with the bachelor’s students.