Friday’s worldwide information technology outage, sparked by a routine software update, has exposed the Caribbean’s digital vulnerabilities, a cybersecurity expert has warned.
The incident has underscored the urgent need to evaluate and strengthen the region’s digital resilience, said Steven Williams, principal consultant with Data Privacy and Management Advisory Services.
Williams expressed grave concerns about the region’s exposure.
“The impact is more of a wake-up call to our vulnerabilities,” he told Barbados TODAY. “At present, we are unaware of the extent to which we are dependent on a similar scenario.”
The global disruption, which affected businesses ranging from airports and banks to retail and law enforcement, was not the result of a cyberattack but stemmed from a flawed update deployed by CrowdStrike, a prominent Texas-based cybersecurity firm. The company, widely used by multi-billion-dollar enterprises and government agencies operating on Microsoft systems, introduced a defect in an update for Windows computers.
Cybersecurity experts are calling it the largest global IT outage in history. Williams cautioned that the Caribbean might be overly reliant on particular technologies or cybersecurity vendors.
“While the region may not be using CrowdStrike specifically, we might be over-reliant on a particular technology or cybersecurity vendor that has captured significant market share in the region,” he said.
“By extension, we would be completely dependent on a single critical infrastructure solution provider or institution, whether it be Flow or Digicel, to be resilient enough to mitigate such disruptions,” he added. “We don’t fully understand our risk, and that’s part of the problem. Until we grasp how vulnerable we are, a similar occurrence could potentially impact the Caribbean, where we could be directly affected by system shutdowns due to our over-reliance on one specific vendor and their ability to manage such risks.”
The consultant highlighted a critical issue in the region: the lack of data-driven decision-making.
“The bigger problem is that we are not a data-driven region. We don’t know what we need to know because we don’t collect the data, and when we do collect it, it’s not widely available or shared”, he explained. “This lack of data creates a significant risk because we cannot protect ourselves against what we don’t understand. Even though we recognise the importance of resilience and having disaster recovery plans, we are unsure of the extent to which these plans need to be developed”.
Williams emphasised the importance of redundancy in IT systems, providing practical examples of how it can mitigate disruptions.
“Let’s be realistic. We can’t have a completely reliable system because it is created by humans, who are inherently imperfect, and thus systems will also be imperfect”, he said. “However, what we can do is ensure that we are able to function even when issues arise”.
He cited a personal experience to illustrate his point: “I went to a popular restaurant today, and they informed me that their card machine was down. I was able to use an ATM to get cash and complete my purchase. This is an example of redundancy in action.”
Looking to the future, Williams sees the current situation as an opportunity for the Caribbean to enhance its digital resilience. “I truly believe this is an opportunity for regional governments, through mechanisms like the Caribbean Telecommunications Union to examine our resilience.
“Although I hesitate to use the term, we need to conduct a thorough study to assess how dependent we are on global digital supply chain platforms such as Amazon Web Services and international institutions like Visa and MasterCard. We need to understand how these platforms might make us vulnerable to their disruptions and the impact it could have on our respective economies.”
He warned of potentially severe consequences if the region’s dependence on external systems is not addressed: “Those countries and networks can afford to experience failures, and we all have to wait for Visa and MasterCard to come back online. However, if a critical regional business or infrastructure system fails due to a lack of resilience against internal errors, mistakes, or disasters, those external entities won’t wait for us.”
“Right now, we are dependent on them to recover, but they may simply bypass us if they find that we cannot respond efficiently or resiliently. We are dependent on them; they are not dependent on us”, he concluded, calling for organisations such as the CTU to take the lead in enhancing the region’s digital resilience.