Despite writing a well-received article on cybersecurity and feeling that I had finally cracked it regarding writing and productivity, it all went to shit.
I took a break as several things have been, frankly, overwhelming.
Without going into personal territory, I seem to live between extremes, with very little in the middle zone. It’s either all excellent or all dreadful. There will be some changes to my working week that I’m looking forward to, but I’m not giving up on the dream of writing and producing great articles and even research papers. I’m finishing an essay for a tourism business school, and with some luck, I’ll finish it in the next couple of weeks.
Reading
I finished iWoz, and to be fair, it was dragging on a little and, by the end, was a little bit boring. Although, right until the end, the book sounded just like him, and I’d be surprised to hear that his text had been heavily edited. On the good side, the feeling of computer nostalgia was present till the end, and I loved it. I’d recommend the book to anyone wanting to know a little more about how the computer revolution started and how circumstances and luck played an enormous part.
As a side note, if you want to have the complete story of the Macintosh, try this website that was eventually turned into a book: Revolution in the Valley.
I finished the Foundation series. Very entertaining. Now I’m looking for the next set of novels to read. As I’ve said before, Asimov is one of my favourites, and I still haven’t read everything he has written, so I might start to have a look there. Perhaps the Robot series. They look interesting.
In the meantime, I’ve started to read a book about slavery called A World Transformed. I think it is our duty to try to understand a little more about how, through the most organised system of kidnap and forced labour, the global north has benefited and still benefits to this day on the back of literally millions and millions. Living in the Caribbean only makes this more important and visceral to me.
I’m looking forward to digging in, and it has not disappointed me, with the author not shying away from a very emotive and difficult subject.
I need to pick up the pace on some of the other serious texts I’ve started. I’ll list them here next time, perhaps.
Of note
A new (anti?) social network was birthed between my last note and this one. It is called Threads and is a Twitter rip-off with fewer tools and few Nazis. That will change, of course. I mean both things.
Threads is Facebook’s, I mean ‘Meta’s’, second attempt at a text-based social network leveraging the social graph of Instagram. The first iteration failed spectacularly. This version seems to have gained traction, but there are serious doubts as to the longevity of that. I can’t see into the future, but I suspect this product will live or die on its ability to generate ad revenue.
Zuckerberg is only a one-trick pony. Pushing Ads into people’s faces is all he cares about and can do. Threads will inevitably get ads after its ad-free honeymoon period that is only there to initially trick people onto the site.
Such a drastic change to the user experience might be enough to discourage many away from it. Or its cannibalisation of Instagram might not bring as much revenue to the king of ads. And like most kings, he has not your welfare at heart; he has only his own.
Interestingly, the ‘Metaverse’ has virtually disappeared from his vocabulary recently. I’m not surprised. It was all smoke and mirrors and bluster. As soon as the sums on ads didn’t add up —an exponentially smaller target market— it was dead in the water. A floating corpse winding down a muddy river.
I finally got around to finishing off the newsletter in between training sessions and the odd site visit for a client.
I’m pretty happy with the way it went. It was succinct despite being over 2500 words. I’d originally written it, or at least the basis of it, as a report for a project a year or so ago.
I decided to get it up to date and rewrite a few sections to consider changes in the region.
I then published it in my newsletter and on LinkedIn.
I’m quite surprised how it was received, to be honest. Nearly 2000 views and many reads on the newsletter platform, netting me a few new subscribers.
Reading
For my morning read, I started a book I bought a long time ago that I just didn’t get around to reading. iWoz: Computer Geek to Cult Icon.
It’s a fun book, and as someone who has met Steve Wozniak and got to chat with him for a few minutes, it reads exactly like he talks. I wouldn’t be surprised if this is just a transcript of a recording cleaned up a little for grammar.
For me, it highlights the fundamental difference between those founders of the tech scene and the vile maggots of today.
I’d like us to get back to some of that feeling and sentiment of wonder and discovery. And without sounding like an old man shouting at clouds, I think we’ve lost a little of that doing something to push and learn more, share more and try to figure out how and why something is. The money men, startup bro culture and the cancer of adverts have fundamentally polluted the internet, and it is something we’re unlikely to get back.
Nearly two-thirds of the way through the last Foundation book. I’d better start looking for something else to read soon.
Of note
When I met Woz a few years ago, we exchanged business cards, and I have treasured it ever since. It is a sleek metal business card with an interesting design based on punch card holes for his phone number. I’ve never called it and would never disturb someone out of the blue like that.
I’ve been teaching small businesses the uses of GenAI, and I have to say, this is one of the rare times that I have seen such interest and such understanding about how it can be used in business from complete beginners.
I labour the point about laws, copyrights, hallucinations, etc., and the response has been really good.
The transcripts of the last communications coming out of the Titan submersible are terrifying. Best to avoid them.
A brief look at the state of affairs and a few recommendations
Sorry for the hiatus. I *really* wanted to write more here, it just wasn’t possible.
To make it up, this one is a fairly long one, despite taking an axe to the original draft. 🤣 I hope you like it, and don’t hesitate to ping me if you want me to expand on any areas that I have deliberately kept brief.
Enjoy!
Within the last ten to fifteen years, there has been an almost exponential growth in the use of the internet in the Caribbean. Typically internet use had been lagging behind that of many parts of the world. This dramatic change has occurred rapidly and, unfortunately, without the guardrails typically developed during the progressive adoption of the Internet. The Caribbean has gone from a tiny percentage point in adoption to nearly 70% of the population, totally skipping the progressive uptake as we have seen in the US, the UK and the EU.
Internet use in the Caribbean is primarily through a mobile contract, with more mobile phone connections than people in the region. Many people have two or more mobile phones, often with data connections. And even though mobile internet in the Caribbean remains relatively expensive, with certain caveats, mobile internet usage is greater than that of fixed broadband use and is, for many, the only way they interact with the internet through apps or social networking. Once a subscriber gets a smartphone and a data connection, there is an almost 100% signup rate for social media such as WhatsApp, Facebook and Instagram.
As our lives and the economy surrounding us become digitalised with ever-more products, services and processes moving into the virtual world from the physical world, so does the threat of misconduct. In the same way that crime has followed, and in some cases driven, innovation, our lives are under pressure from actors worldwide that target us based on our weaknesses. The potential for harm is significant, from losing money to unwittingly becoming part of an organised attack on larger targets, such as attacks on states. As the economies of scale of internet use and online life increase, so do the economies of scale of potential for crime.
This has not gone unnoticed, and small businesses and the public are starting to emphasise protection, detection, and clean-up tools in much the same way that we in the Caribbean are aware of environmental and natural disaster risks and plan accordingly. It is estimated that the biggest spenders on cybersecurity over the next three years are micro-sized and small-sized businesses – the backbone of companies in the Caribbean which are estimated to be somewhere in the region of 95% of businesses in Latin America and the Caribbean.
Cybersecurity in the Caribbean is at an early development stage, and specialised service companies that fill the requirements are few and far between. Small businesses and the public need specialised help at affordable costs to ensure they do not fall victim to cybercrime.
Read on.
The Caribbean Context
It will come as no surprise that Cybersecurity is fast becoming one of the most pressing issues for business and society in the coming years. The Caribbean perspective is no different from that of the rest of the world; however, certain specificities make the challenge more delicate and need particular attention.
The distributed and only somewhat-collaborative nature of the Caribbean (the CARICOM members) and the fractured nature of the regional geopolitical situation (French, Spanish and Dutch West Indies sharing the space with the English West Indies) require a more integrated, collaborative and subtle approach.
For the most part, the larger countries in the Caribbean have tended to follow patterns seen in larger countries worldwide. They have become more outspoken in their knowledge and response to the region's cybersecurity issues. As companies in the Caribbean have become more visible to the broader world, thus increasing risk, governments, businesses, and citizens alike have become more aware of those risks and of the need to implement adequate protection systems to fight unwarranted incursions.
There is an increase in risk proportional to the rate of economic development; thus, as the Caribbean becomes more developed, cybercrime becomes a more viable means of extracting money from any unwitting community simply because the perceived potential financial gain is much more significant. Cyber malfeasance is a business! Pure and simple.
Case Study: Costa Rica – State of Emergency
Regrettably, Costa Rica recently saw this when it had to declare a state of emergency after multiple government agencies fell foul of a Conti ransomware attack. Not only had data been rendered inaccessible by AES-256 encryption and an attached US $10 million ransom (subsequently raised to US $12 million), but government data had been extracted over several months and later leaked openly when the government refused to pay the initial ransom demand. As of late April 2022, some 97% of a 672GB data dump was publicly available. Fears for the extent of data included have mounted, and so far, no review has been ordered to determine the risks for citizens and businesses of Costa Rica. But as some of this data appears to have been extracted from health systems, customs systems and other government systems that deal with payments (Social Security and Social Development), the fear is that many may fall foul of the spread of this data in the coming months and years through phishing the general public or through highly targeted attacks on influential or wealthy individuals.
The Trinidad and Tobago Cyber Security Incident Response Team (TT-CSIRT) recently observed a sharp increase in malicious cyber activity targeting local and regional entities. The TT-CSIRT urges all entities (public and private) to adopt a heightened state of awareness.
The Caribbean has been slow to acknowledge cybersecurity threats to the region. A lack of data and measurement has meant that many successful attacks on business and government have gone unnoticed by the population, exacerbated by a culture of silence. No high-profile witnesses have spoken up about their experience dealing with the initial phases, legal process, and clean up after an incident. Fear of damaging customer confidence is partly responsible for this; however, this only leads to less information on how cybercrime affects the region. It would be safe to say that what is reported is only the tip of the iceberg and that cybercrime is much more prevalent than is generally known.
Recently, governments and institutions have made more effort to address the issues, including public awareness campaigns and working with international NGOs to develop a better cybersecurity posture for people and businesses alike. One example is Get Safe Online. Get Safe Online operates through a network of Ambassadors that organise in-the-community training using the tools and training materials developed by the organisation.
Legislation and cybersecurity strategy
When it comes to cybersecurity law, the picture is not much better. Saint Lucia, for example, has an “in development” National Cybersecurity Strategy, and despite taking the lead compared to its neighbours in the OECS, it somewhat lags behind the international community. Barbados is another country with the ongoing development of cybersecurity legislation. The most significant barriers to establishing and implementing legislation are government capacity and political willingness. A government like Saint Lucia’s faces challenges on many fronts, stretching resources beyond capacity. A general lack of world-class expertise is also apparent in the region, coupled with a general feeling that cybersecurity is only an ICT responsibility, making cross-government and cross-sector priorities challenging to place at the top of the list.
In the wider OECS region, only Saint Vincent and the Grenadines has specific cybercrime legislation with the Cybercrime Act of 2016. In other countries, cybercrime is regulated under Computer Misuse Acts or Electronic Crime Acts. They are primarily focused on how technology is used to commit crimes without explicitly addressing cybersecurity and how to deal with attacks on information systems. Questions remain on the capacity of countries to adequately prosecute this type of crime which relies on having sufficient infrastructure, personnel and accompanying judicial systems. Many lack the right equipment, software, and training to identify cybercrimes correctly.
Regionally, CARICOM IMPACS has sought to establish harmonised standards of practice, expertise and systematic treatment of cybercrime. It has additionally targeted infrastructure capacity-building to increase crime detection, law enforcement investigation and prosecution. RSS, or Regional Security System, is another organisation with a mandate to prevent and defend against cybercrime that has limited scope for responding to cyberattacks, somewhat because of a lack of harmonisation of policies regionally. Like many regional organisations, they, unfortunately, lack funding and capacity to respond adequately to the modern threat landscape.
[Figure: Latin America and the Caribbean countries with/developing cybersecurity strategies]
What about CSIRTs?
Similarly, the state of Cyber Security Incident Response Team (CSIRT) development in the Caribbean lags behind the South American continent and the broader region. Only Barbados, Jamaica and Trinidad and Tobago have implemented funded and functioning CSIRTs. Suriname has restarted a program after having abandoned it a few years ago.
The impact
Small and micro-sized businesses are the backbone of the private economic structure of the Caribbean, and it is precisely these businesses that are the most vulnerable and the least resourced to deal with the complexities of digital security requirements of today. This has been substantially exacerbated by the COVID-19 pandemic, in which new expectations by employees on how, when, and where to work are becoming normalised. Working from home and the expected turn towards a flexible hybrid model for workers have widened the security exposure for companies. In other words, attacks do not need to target one specific network to gain entry to a company; many distributed networks are potential threats. This makes it difficult for understaffed, undertrained and crucially under-financed IT departments to manage such distributed networks in physical and technological terms.
Whilst cloud computing is still in the early development stages in the Caribbean, not all businesses and administrations are advancing simultaneously. Some are more advanced than others, having moved not only low-hanging fruit applications like email and accounting to the cloud but have embraced the possibilities that cloud computing offers, shifting line-of-business applications and identity services and other business-critical services off the on-premises systems. Moving to the cloud changes the security exposure for the entity in question, requiring specialised knowledge to best protect and monitor for breaches and unplanned downtime.
The COVID-19 pandemic has left MSMEs with budgets for investment at historic low levels. MSMEs are typically small businesses with more pressing day-to-day issues, such as immediate revenue generation to pay the bills. Because MSMEs already have relationships with telecom providers, and given the network-based nature of the threat, the telecom companies will likely provide cybersecurity offerings soon.
The threat landscape (non-exhaustive)
Understanding global threats and their provenance will also play a prominent role in understanding the landscape and developing solutions to minimise those risks. The most common threats to small businesses and administrations in the Caribbean are estimated as follows:
Ransomware
Immediately after a successful penetration of defences, a small application sits in background tasks on the infected computer or computers, slowly encrypting data using a virtually impossible-to-decipher encryption key. Once the data has been fully encrypted, the user is alerted that the data is now inaccessible. A ransom of a significant amount is required to decrypt the data and allow access once again.
Social Engineering or Phishing
Social Engineering or Phishing is a psychological technique used to gain the confidence of an employee in a company or government office and then exploit that confidence to extract information or gain access to restricted data. It is often the method used to deploy ransomware, and the human target is the weakest link in the armour of cybersecurity.
Internal malicious intent
Although relatively rare by most counts, the risk of a disgruntled employee with access to confidential and vital data is manifest. This can be highly disruptive to a business or administration. For example, employees on social media displaying discontent can be the target for exploiting weaknesses to enter a network.
Poorly configured and patched systems
Even the best firewall is only as good as its configuration and patch level. Poorly configured or outdated firmware in IT equipment is a regularly exploited vector for entry into the target network.
Poor credential hygiene
Easy-to-guess passwords, passwords that are not regularly changed, and sensitive data with poor access controls are easy targets. Sparse use of two-factor authentication also plays a role in allowing access to those who should not be permitted.
Mitigation Strategies and Policy Guidance
The following is just a small sample of the opportunity to improve the threat landscape in the region. If you’d like more detailed advice, please let me know.
Invest in the expansion and capacity-building of CSIRTs and regional cybersecurity organisations
Only with adequate and ongoing funding will the diverse region be able to fully realise its desire to develop world-class cybersecurity services protecting the public of the Caribbean. We would recommend that regional, local government, NGO and private sector funding be increased substantially and rapidly. Events in Barbados, Trinidad and Tobago and, more recently, in Martinique show that the threat is here and the consequences are substantial.
Development of affordable managed services for the region
Security software of the past, which required an initial purchase, installation and configuration to become fully operative, cannot deal with today’s ever-changing security threat landscape. The capital purchase of security software is no longer suited to the task, and the business model has changed.
We recommend that a managed service provider (MSP) starts with a small but highly specialised team incentivised and remunerated on contract signups and renewals. As the business grows, so can the team and the incentive structure.
Develop and deliver targeted education for users, managers and decision-makers
As with much in life, better education is the key to fundamentally understanding and acting on the current context. There is, sadly, not enough specialised education in the region for the general public to fully understand the implications of good cybersecurity practices. Although organisations such as Get Safe Online have been doing some of this over the last few years, we recommend that governments and NGOs invest in developing local training and awareness on specific cyber security issues, such as protecting smartphone use on the internet.
Develop targeted and highly focused services designed for MSMEs
Customers need to quickly see the value of the offering and be onboarded rapidly and without difficulty. Time spent designing simplified services and automating the onboarding process for the customer will allow the customer to take advantage with less apprehension. Particular attention should be given to building modular services, allowing flexibility in the offering tailored to the customer and not the supplier.
Understand where existing services lack and fill those gaps
Conduct a gap analysis of the state of cyber defences in the Caribbean, looking at the state of government or law enforcement’s resources and role in cybersecurity, and including participation from the private sector. This will likely identify complementary areas of interest, encouraging the broadest and most efficient development possibilities.
Develop Security-as-a-Service offerings sold as insurance policies
Just as we have cyberattack software as a service, we should have Cybersecurity as a Service. Software as a Service (SaaS) has been a great enabler for small businesses to use enterprise-grade software that was previously out of reach financially and technically. So it should be for cybersecurity. Providing a service offering akin to an insurance contract (leaving the details of the included/excluded services outside the scope of this report) would allow MSMEs to strengthen their defences in the most cost-effective way.
I didn’t get around to documenting and writing what happened the week before last. And to be fair, it’s probably a good idea. It was a difficult week, to say the least. I’m not inclined to go into any detail here but suffice it to say, I was a little stressed about the happenings despite being totally on the right side of things. I have no idea how it will all play out, but it is behind me now, and I can move on.
The issue largely consumed the week, which is why I didn’t write here.
Last week was a little more pedestrian. Although it’s funny to note that a “pedestrian” week includes getting battered by a tropical storm.🤣
TS Bret was born in the Atlantic Ocean around mid-June. Right behind the wave that turned into a depression, then a storm, was another wave that eventually turned into a tropical storm too.
This is the way.
And although it is not unusual that a tropical wave turns into tropical storm Bret, and to be fair, it had toyed with the idea of becoming a hurricane, it was highly unusual that we had not one but two Cape Verdean tropical phenomena in the Atlantic at this juncture of the season.
This just doesn’t happen that often, and it is the first time since something like the 1930s. At some point, we’re going to look at all these data points and finally understand that something is wrong with the climate.🤔
I’m being facetious, of course, however, FFS, things are going to get very bad very soon if our collective self doesn’t act decisively.
That reminds me of the post I saw on Mastodon this morning before writing this. Something along the lines of: learning psychology helps us understand how, individually, we are wonderful creatures but, collectively, utterly vile.
A busy week ahead, but for the first time in a while, I’m starting to see the opportunity to develop. I’ll check back in here in a few months, I guess.
Reading
I cracked and purchased the last book in the Asimov series Foundation. As I’ve said before, it’s not strictly the last book, as it is number five in the seven-book series, having mistakenly read numbers six and seven out of sequence.
I’m on board with the story and enjoying having the cognitive break from whatever else is going on around me. Even a few pages per evening are enough to help me relax and ultimately sleep better.
I’m going through the hundred or so browser tabs open, filing and reading the articles I picked out because of some interest.
I think we owe it to ourselves to learn more about the historical context of the time that gave birth to tech as we know it today.
A prime example would be the recent “uncovering”, if you can call it that, of the fact that the Luddites were not anti-tech as popular delusion would have you believe. Understanding the history, the context and the stakes of that period helps us understand the why and can ultimately help us understand the context of today. Big Tech is going through a reckoning, but I don’t think we are completely there yet, and I think it is going to get uglier before it gets prettier.
Although not strictly reading, I listen to a number of podcasts but have recently stumbled upon a few very interesting productions.
Tech Won’t Save Us is a good example of getting to hear the counterpoints to the tech industry. You should give it a try, even if you don’t fully agree with it.
Of note
I fucking despair. And I mean that in the strongest of terms.
Two billionaires are going to have a cage fight because they have a “beef” with each other.
GROW THE FUCK UP, YOU PATHETIC CHILDREN.
In other news of note, OceanGate… or is that Ocean Gate?
Big Tech hubris, machismo, and arrogance have led to the deaths of 4 duped passengers. What the CEO did is fucking inexcusable and his loss of life is one of the consequences. There will be more and investigations into the operations are likely to reveal a rat’s nest of filth behind the operation.
I won’t dwell on it, but it will remain in my consciousness and influence how I deal with that person in the future. Sadly, in business, some are not very honest. This specimen falls in that category. I know I have been upfront and honest and haven’t screwed anyone out of money, and if I’ve made a mistake, I’ve done everything possible to correct it.
On to other matters.
I’ve been asked to train a group about using generative AI in the workplace. I’m putting together a short training course to achieve that goal. I have a tendency to dive deep into subjects like this, so I’m trying to scale back the scope to concentrate on the essentials so the participants can learn a few basic elements and then go on to use them successfully in their office environments. I’m making sure to include a module on risks and shortcomings, but on the whole, the short course will be useful and interesting and worth the day’s investment.
I’m both optimistic about the utility of generative AI in certain settings and with the right guard rails but quite pessimistic about our capacity to properly safeguard against dishonest and downright dangerous use. I suspect we’ll even invent a category of terrorism based on the use of this technology.
This week I was asked for an interview to talk about cybersecurity in the broader context of the Caribbean and an incident that has shut down local government services for over a month now. It’s the second time in as many weeks that I have been on television. The first time I was petrified, but this time I was much more comfortable. I’d love to do this more often if the opportunity arises.
I need to start the writing up process for my paper that will be included in Vatel’s CIRVATH, which should be published towards the end of the year, should it be accepted. I’m looking forward to providing a research paper that is thought-provoking and useful to all that are in the hotel / travel & tourism sector. It requires a little consistency on my part, but I’m sure with a little effort, I’ll get it done.
A week ago or so, I applied to join another training course targeted at the economy of innovation but was not selected. I’m not too upset, but I do think I would have been a great candidate.
My cybersecurity newsletter didn’t go out. I got distracted, but I’d hope to do something about it this week. It needs a little editing and a little massage to get it into a state that I’d be happy publishing. My kryptonite is that I spend a lot of time reading, and there is virtually no end to the amount I find interesting. At some point, I need to start producing too. Soon come.
How could I finish this post without mentioning Apple’s big day?
Apple’s developer conference, WWDC, took place this week. The keynote presentation was on Monday, and we discovered their new augmented reality headset. Although to be fair to Apple, they didn’t use the terms virtual reality or augmented reality as far as I can remember. They positioned the device as a ‘spatial computer’. Essentially the replacement of your Mac / iPad or perhaps iPhone.
The hardware is really impressive, and clearly, Apple has thought deeply about it. For the moment, aside from an immersive laptop screen extension, I fail to see the killer app or the use case that shows me ‘why’ I need this.
Reading
My paper and book reading continues. I’ve mostly concentrated on finishing the penultimate book in the Foundation series that I managed to do last night.
I’ll be starting a couple of other “serious” books soon too.
Notably, I’ve just bought and downloaded a historical account of the transatlantic slave trade and chattel slavery called “A World Transformed: Slavery in the Americas and the Origins of Global Power” by James Walvin.
I’ve also lined up “Get rich or lie trying” by Symeon Brown.
Of note
I recorded a new podcast episode with my friend Jean-François. I really enjoy these conversations, and I’d love to continue doing them. When you’re confronted with questions, you have to think quickly about your answers, which I really enjoy.