Hinds: 205 cyber attacks in Trinidad and Tobago in 5 years

THERE WERE MORE than 200 successful cyber attacks in TT between 2019 and 2023.

The alarming statistics were revealed by National Security Minister Fitzgerald Hinds as he addressed senior public servants and ministry officials at Friday’s cyber crime and cyber security sensitisation workshop.

The workshop was joint hosted by the Ministry of National Security, Caricom Implementation Agency for Crime and Security (Impacs) the European Union.

Hinds said there was a significant increase in cyber security incidents during those five years which affected various sectors but did not say the total number of attempted attacks..

“During this period, there were 205 successful cyber attacks reported to the TT Cyber Security Incident Response Team (TT-CSIRT) in the Ministry of National Security, 52 of which happened in 2023.”

He said the increase is in keeping with global trends and the emergence of cyber security as a national security concern.

“We have the rather interesting penchant for behaving as though what we experience here is unique to TT and happens no place else and could only happen here. And when I, as a public man, make even the slightest reference to another experience in another space, one is condemned to say, ‘I don't want to hear about that. I living in TT is only TT I want to hear about.’ But of course, a lot of these cyber attacks come from outside and involve technologies from outside of TT as well.”

Hinds said work from home arrangements also pose a threat to cyber security for government agencies with data in TT showing a similar trend.

“During the government's urgent effort to implement a work from home technology platform in response to covid19, there was an increase by 125 per cent of the successful cyber attacks (in 2020) as compared to 2019. So the more you make use of the technology, laudable and beautiful and welcome as that is, the more you expose yourself to these risks.”

Hinds said the training session is even more important amid threats by some individuals to “shut down the country.”

He said if those making the threats had the technological capacity to do so then they would.

Hinds said a national cyber risk assessment by TT-CSIRT in 2021 assessed 183 systems across 40 public sector organisations and identified 22 systems that, if subject to a cyber attack, would have significant and negative impact on TT.

He suggested moves have since been made to address these vulnerabilities.

“That is part of the government’s response to this burgeoning threat. In this regard, I can tell you that efforts are being made and resources are being expended to ensure that this country's cyber security position is more robust, more resilient.”

He said the government has been working with regional and international partners to review its national cyber security strategy.

“We have a strategy documented, but of course, it's a living experience, it's a living thing. And the work of reviewing and upgrading is an ongoing work.”

Caricom Impacs executive director Earl Harris said the losses from cyber crime in 2023 were estimated to be eight trillion US dollars, an increase on 2021’s three trillion US dollars.

Harris said this increase in losses is due to several factors including the increasing sophistication of cyber attacks, the growing number of connected devices and the increasing reliance on digital technology.

He said the most common types of cyber crime in the Caribbean region that result in losses include ransomware, phishing and data breaches.

He highlighted recent ransomware attacks at the Telecommunications Services of TT and National Insurance Board as he said the decision to prioritise functionality and speed at the expense of security can leave many companies exposed to cyber threats.

Harris said these attacks affect public confidence in information and communication technologies (ICTs).

“The loss of such trust and confidence undermines the benefits of ICTs as an enabler of global social and economic development.”

“As our physical and cyber worlds overlap, there's an increased need to address the related challenges of ensuring security, human rights, rule of law, good governance and economic development,” he warned.

Meanwhile, cyber security specialists have told Newsday there is a need to implement laws requiring companies to report cyber attacks whether they are successful or not.

Newsday contacted TT-CSIRT to find out the total number of attacks between 2019 and 2023 but was told that is not available as they only have information from companies which report it.

TT-CSIRT ICT security specialist Anish Bachu said companies are under no requirement to provide any information to them about cyber attacks or if the attacks were successful or not.

He said, however, it is important companies share the information about their attacks with them so other companies and government ministries can be warned.

“It’s basically for us to understand what's going on and for us to share the trends with our stakeholders to better protect themselves.”

He said TT-CSIRT has a mailing list to communicate with stakeholders and inform them of possible threats and vulnerabilities.

“Sometimes multiple (emails) could go out for the week, sometimes it might be only one. Everything is anonymous and nothing is done with the company’s name.”

Cyber security consultant Shiva Parasram told Newsday getting information on cyber attacks in TT is “like pulling teeth.”

“The United States has the Securities and Exchange Commission where I believe that breaches need to be reported within 72 hours…and if you don't (report it), you get hefty fine. But because we don't have that in TT, there's absolutely no need to report this. Even when something is reported, you don't get many details about what has actually happened.”

He said TT companies fear reporting cyber security breaches for several reasons.

“Companies might face a backlash and sometimes even public embarrassment, humiliation, loss of confidence, this kind of stuff. So usually this is kept very quiet because in my personal experience with my company, Computer Forensics and Security Institute, what we realise is that for every breach that you might hear about, there's probably at least ten that you don't hear about.”

Parasram said he was not surprised by the increase in cyber attacks during the time public servants were allowed to work from home and said a 125 per cent increase in attacks may be conservative.

He advised companies and ministries to instil a cyber security awareness culture in employees by having regular training and workshops.

“Have regular cyber security awareness training which could be just maybe two hours every quarter. You show examples. ‘This is a phishing email. Don't click on this, don't click on that.’ If somebody is trying to log in to the corporate environment from their personal laptop show them what is the right thing to do and what is the wrong thing to do. Do they have anti-virus (software) on their machine?”

“All of these things have actually statistically shown to be quite effective in preventing a lot of these threats from happening.”