Executive Summary
Governments, businesses and citizens are increasingly becoming large consumers of Information and Communication Technologies (ICTs) and electronic services, relying more on ICTs in the areas of management, communication, education, commerce, procurement and service provision. The reality of the environment is that for all the opportunities that ICTs bring, security risks are also present. These, if not mitigated and managed, can have a deleterious effect on the reputation of the Government of Trinidad and Tobago, domestically and internationally.
This Strategy seeks to guide all operations and initiatives related to cyber security in Trinidad and Tobago. It is based on the government’s Medium Term Policy Framework, 2011-2014, which underscores the role of ICT in advancing national development.
Its main objectives are as follows:
- To create a secure digital environment that will enable all users to enjoy the full benefits of the Internet;
- To provide a governance framework for all cyber security matters by identifying the requisite organizational and administrative structures necessary, inclusive of human resources, training and capacity building and budgetary requirements;
- To protect the physical, virtual and intellectual assets of citizens, organizations and the State through the development of an effective mechanism that addresses and responds to cyber threats regardless of their origin;
- To facilitate the safety of all citizens by promoting awareness of cyber risks and developing effective and appropriate protective measures to mitigate risks and attacks;
- To help prevent cyber attacks against critical infrastructure and secure information networks by building competency among primary stakeholders and the general public;
- To minimize damage and recovery times from cyber attacks through effective incident management measures; and
- To create a legal and regulatory framework to maintain order, protect the privacy of users and criminalize attacks in cyberspace.
In order to achieve these objectives, five (5) key areas of focus have been identified:
Governance
Trinidad and Tobago’s cyber security efforts must be able to effectively address the dynamic and challenging nature of threats to cyberspace. This requires an overarching governance framework to effectively coordinate and manage a comprehensive cyber security strategy.
Existing vulnerabilities that could create the most disruption to Trinidad and Tobago’s critical systems and infrastructure must be identified and addressed. The Government will promote development of new systems with less vulnerability together with an ongoing assessment of emerging technologies for weaknesses. Common standards for securing ICT infrastructure, services and data repositories will be developed and enforced throughout Trinidad and Tobago. Periodic review of standards, policies and regulations will also be undertaken. Communication between and among Government Ministries and Agencies will also be promoted.
In order to manage the country’s response to ever-evolving cyber threats, and to coordinate the wide cross section of entities with perceived overlapping authority for the management of these issues, it is imperative to establish cohesion between the public sector, the private sector and all key stakeholders. In this regard the implementation of a Governance Framework is required to deliver the infrastructure needed to manage and coordinate all activities related to this response.
The GoRTT will establish the Trinidad and Tobago Cyber Security Agency (TTCSA) by way of legislation which will provide the required services for the following key functions:
The Agency will be responsible for coordinating and or managing the following core functional areas of cyber security:
This governance framework will provide a sustainable structure which can evolve to meet and address the reality of cyber security in Trinidad and Tobago.
Incident Management
In order to secure and strengthen the country’s critical information infrastructure, coordinated efforts should be made to mitigate, and/or control incidents in the quickest and most efficient manner. There is therefore a requirement for an organization which can serve as the national focal point for incident reporting, incident management and incident response.
The GoRTT will establish a Trinidad and Tobago Computer Security Incident Response Team (TT-CSIRT) which will be responsible for:
- dissemination of cyber security information;
- technical guidance and support in the event of a cyber-incident;
- collaboration between and among government entities at the national level, the private sector, academia, and the international CSIRT community.
TT-CSIRT would possess the capabilities to:
TT-CSIRT will be developed and implemented based on industry standards and international best practices, and will ensure the national community is aware of the protocols for reporting cyber incidents.
TT-CSIRT will be housed in the TTCSA.
Collaboration
The protection of cyberspace is a shared responsibility with each individual actor playing a key role in the security chain. If cyber security is truly to be realised, approaches must be pertinent to the local context while also being compatible and interoperable with those at the international level. This underscores the critical importance of national and international cooperation and collaboration.
National Collaboration
A public-private/civil society partnership is essential in securing Trinidad and Tobago’s cyber infrastructure. The GoRTT will partner with the private sector and civil society in the implementation of its cyber security strategy.
Cooperation will be facilitated, through information sharing, participation in technology forums and research and analysis, to provide input for the development and dissemination of best practices for cyber security.
Private enterprises, including Internet Service Providers (ISPs), have an important role in securing cyberspace as they own major networks and computer systems. These entities will be encouraged to evaluate the security of those networks that impact the security of Trinidad and Tobago’s critical infrastructure.
Such evaluations would include:
- Conducting risk assessments and audits;
- Developing continuity plans which consider staff and equipment; and
- Participating in industry-wide information sharing and best practice dissemination
The Ministry responsible for national security will also foster the development of cyber security certification programmes that will be nationally recognized and accepted by the public and private sectors.
International Collaboration
Given the interconnectivity of ICT infrastructures and the global nature of cyber threats, international cooperation and collaboration is required to secure the ICT environment. Such collaboration would involve raising awareness of cyber security, improving the exchange of information sharing of reciprocal data, participating in the formulation of international norms and standards, adopting and adapting such standards and good practices in all dimensions of cyber security; mutual legal assistance and participating in coordinated investigations and prosecutions of cyber criminals.
A key aspect of this international cooperation is the promotion of discussions from the perspective of a Small Island Developing State (SID), especially as it relates to international conventions on cybercrime which may have an economic impact on Trinidad and Tobago and other small states. This will necessitate greater participation in international standard-setting organisations at the regional, hemispheric and international level.
To date, the primary sources of international assistance for Trinidad and Tobago in the area of cyber security have been the Organization of American States (OAS), European Union (EU), Caribbean Telecommunications Union (CTU) and the International Telecommunication Union (ITU). Nonetheless, information exchange and cooperation will be strengthened with other multilateral organizations including the Caribbean Community (CARICOM), the Commonwealth Secretariat and the Council of Europe. Avenues for enhanced bilateral cooperation will also be explored.
Culture
It is recognized that awareness at the national level constitutes a pre-requisite for effective protection in cyberspace. The GoRTT will assume a leadership role in developing a culture of cyber security. This will necessitate the adoption of a multi-disciplinary and multi-stakeholder approach inclusive of awareness- raising, embedding cyber security in the wider aspects of policy formulation and educating all users of ICT and the Internet on their respective roles in cyberspace.
Further, the GoRTT, in coordination with the private sector, will work to educate the general public and small, medium and large businesses on basic cyberspace safety and security issues. The initial focus will be on the elaboration of guidelines and the creation of programmes in cyber safety for primary and secondary school students.
Higher education institutions will also be encouraged to adopt policies and measures necessary to improve system security.
Scientific research and innovation are also critical to ensuring cyber security and development of the national digital economy. Thus, training and ongoing research to develop innovative security tools will be conducted in order to maintain reliable systems while building resistance to current and future threats. The GoRTT will allocate resources for training and education of individuals who can develop such tools and specialise in securing critical information infrastructure.
The Ministries responsible for national security and science and technology will also promote advanced training for cyber security professionals in public and private educational institutions as well as promote the establishment of standards for the certification of qualified ICT security professionals.
The Ministry responsible for national security will encourage private organizations and companies to provide sufficient opportunities for continuing education and advanced training in the workplace to maintain high skill standards and the capacity to innovate. It will also champion the coordination of training programmes between the government and the private sector.
Legislation
One of the objectives of the national policy framework is the expansion of the country’s internet connection capabilities so that every stakeholder will be able to conduct business and have access to a wide range of governmental services. As a corollary to this, it is recognized that the government must play an important role in ensuring that there is clear policy with a regulatory and legal framework in relation to cybercrime. The GoRTT would therefore develop a national cybercrime policy and enact national cybercrime legislation.
Recognizing that strong policing of cybercrime is necessary for the enjoyment of the benefits of the digital environment, the GoRTT will develop a welldefined legal framework to establish and maintain order and security for users of the electronic environment and sanction those who deliberately cause damage to computers and electronic networks.
The legislative framework will:
Through this Strategy, the Government envisions the creation of a secure and resilient cyber environment, based on collaboration among all key stakeholders, which allows for the exploitation of ICT for the benefit and prosperity of all.
