Walden University

College of Social and Behavioral Sciences

This is to certify that the doctoral dissertation by

W
Kevin Newmeyer

IE
has been found to be complete and satisfactory in all respects,
and that any and all revisions required by
the review committee have been made.
EV

Review Committee
Dr. Christopher Jones, Committee Chairperson,
Public Policy and Administration Faculty
PR

Dr. Dwight Toavs, Committee Member,

Public Policy and Administration Faculty

Dr. Gema Hernandez, University Reviewer,

Public Policy and Administration Faculty

Chief Academic Officer

Eric Riedel, Ph.D.

Walden University
2014
 Abstract

Cybersecurity Strategy in Developing Nations: A Jamaica Case Study

by

Kevin Patrick Newmeyer

MBA, George Mason University, 2003

MA, Instituto Universitario Ortega y Gasset, 1991

BS, United States Naval Academy, 1983

W
IE
Dissertation Submitted in Partial Fulfillment
EV
of the Requirements for the Degree of

Doctor of Philosophy

School of Public Policy and Administration

PR

Walden University

May 2014
 Abstract

Developing nations have been slow to develop and implement cybersecurity strategies

despite a growing threat to governance and public security arising from an increased

dependency on Internet-connected systems in the developing world and rising

cybercrime. Using a neorealist theoretical framework that draws from Gilpin and Waltz,

this qualitative case study research examined how the government and private sector in

Jamaica, specifically, viewed the state of cybersecurity in the country, and how the

country was currently developing policy to respond to cyber threats. Employing Yins

W
recommended analysis process of iterative and repetitive review of case materials, the

documents and interviews of key public and private sector individuals were used to
IE
identify key themes on Jamaicas current cybersecurity readiness. A similar process
EV
compared the multiple international cybersecurity recommendations and other national

strategies to identify emerging best practices. The studys principal findings were that

Jamaica had initiated the process of developing a cybersecurity strategy, but the gap
PR

analysis indicated the country still needed to adopt several of the recommended

international best practices. The study includes recommendations for the Government of

Jamaica to adopt in order implement a high quality national cybersecurity strategy

aligned with the emerging international best practices. The implications for positive

social change from the implementation of such a strategy will be improved national cyber

governance that will contribute to making Jamaica a more a more attractive business

partner for offshore service delivery and associated Internet-related opportunities which

will assist the nation in its goals of job creation and economic growth.
PR
EV
IE
W
Cybersecurity Strategy in Developing Nations: A Jamaica Case Study

by

Kevin Patrick Newmeyer

MBA, George Mason University, 2003

MA, Instituto Universitario Ortega y Gasset, 1991

B.S., United States Naval Academy, 1983

W
IE
Dissertation Submitted in Partial Fulfillment
EV
of the Requirements for the Degree of

Doctor of Philosophy

School of Public Policy and Administration

PR

Walden University

May 2014
 UMI Number: 3616630

All rights reserved

INFORMATION TO ALL USERS

The quality of this reproduction is dependent upon the quality of the copy submitted.

In the unlikely event that the author did not send a complete manuscript
and there are missing pages, these will be noted. Also, if material had to be removed,
a note will indicate the deletion.

W
IE
UMI 3616630
EV
Published by ProQuest LLC (2014). Copyright in the Dissertation held by the Author.
Microform Edition ProQuest LLC.
All rights reserved. This work is protected against
unauthorized copying under Title 17, United States Code
PR

ProQuest LLC.
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor, MI 48106 - 1346
 Dedication

This dissertation is dedicated to my family. Kathy, your support has been essential

to all I have accomplished both academically and professionally. Ryan, Sean, and Kate

you are great kids, always pursue your goals, whatever they may be. Mom and Dad,

thank you for setting the example for me.

W
IE
EV
PR
 Acknowledgments

I am grateful for the guidance and support from my committee chair, Dr.

Christopher Burr Jones for his mentorship throughout my doctoral journey at Walden

University. I also want to express my thanks to Dr. Dwight Toavs and Dr. Gema

Hernandez; your insightful comments strengthened and improved my study.

I would also like to acknowledge the support from the faculty and staff at the

William J. Perry Center for Hemispheric Defense Studies. It has been a pleasure to work

with you. I offer a special thanks to Dr. Fred Nunn for encouraging me to start this

W
process in the first place and to Major George Benson for his assistance in getting the

final interviews in Jamaica. IE

Finally, I would like to thank Father Daniel Barfield, S.J. for teaching me to write

critically. The 500 word theme from 10th grade has gotten me a long way.
EV
PR
 Table of Contents

List of Tables ..................................................................................................................... iv

List of Figures ......................................................................................................................v

Chapter 1: Introduction to the Study....................................................................................1

Background ....................................................................................................................1

The Difficult Definition of Cybersecurity Strategy .......................................................3

Problem Statement .........................................................................................................8

Purpose of the Study ......................................................................................................9

W
Research Questions ......................................................................................................11

Theoretical Framework ................................................................................................12

IE
Nature of the Study ......................................................................................................14
EV
Operational Definitions ................................................................................................15

Assumptions .................................................................................................................18

Scope and Delimitations ..............................................................................................18

PR

Limitations ...................................................................................................................19

Significance of the Study .............................................................................................21

Implications for Social Change ....................................................................................22

Summary ......................................................................................................................22

Chapter 2: Literature Review .............................................................................................24

Introduction ..................................................................................................................24

Literature Search Strategy............................................................................................25

Literature Related to Theoretical Framework ..............................................................27

i
 Economic Approach to Cybersecurity .........................................................................31

National Security Approach to Cybersecurity .............................................................33

Public Goods/Public Health Approach to Cybersecurity.............................................36

Treaty Approach to Cybersecurity ...............................................................................38

Strategy ........................................................................................................................40

Published National Cybersecurity Strategies ...............................................................42

Caribbean Region National Cybersecurity Strategies..................................................49

Jamaican Laws and Documents ...................................................................................52

W
Summary ......................................................................................................................55

Chapter 3: Research Methodology.....................................................................................58

IE
Introduction ..................................................................................................................58
EV
Research Design and Rationale ...................................................................................59

Role of the Researcher .................................................................................................63

Methodology ................................................................................................................64
PR

Issues of Trustworthiness .............................................................................................68

Ethical Procedures .......................................................................................................71

Summary ......................................................................................................................73

Chapter 4: Results ..............................................................................................................75

Introduction ..................................................................................................................75

Setting ..........................................................................................................................76

Demographics ..............................................................................................................77

Data Collection ............................................................................................................79

ii
 Data Analysis ...............................................................................................................82

Evidence of Trustworthiness........................................................................................90

Results ..........................................................................................................................92

Results related to RQ1: Current view of cybersecurity in Jamaica ...................... 93

Results related to RQ2: How is Jamaica developing and implementing

cybersecurity policy? .............................................................................. 102

RQ3: What does Jamaica need to do to meet emerging international best

practices?................................................................................................. 107

W
Summary ....................................................................................................................113

Chapter 5: Summary, Recommendations, and Conclusions ............................................115

IE
Introduction ................................................................................................................115
EV
Interpretations of the findings ....................................................................................116

Limitations .................................................................................................................119

Recommendations for the Government of Jamaica ...................................................121

PR

Recommendations for Future Study ..........................................................................124

Implications for Social Change ..................................................................................125

Conclusions ................................................................................................................126

References ........................................................................................................................129

Appendix A: Interview Questions ...................................................................................152

Appendix B: National Cyber Security Task Force Terms of Reference .........................153

Appendix C: List of Acronyms ........................................................................................156

Curriculum Vitae .............................................................................................................158

iii
 List of Tables

Table 1. Difference in database results returned based on keyword 25

Table 2. Is cybersecurity an economic or national security issue in Jamaica? 95

Table 3. Recommended elements of national cybersecurity strategy. 109

Table 4. International best practices vs. current practice in Jamaica.. 112

W
IE
EV
PR

iv
 List of Figures

Figure 1. How the research questions are mapped to the interview questionnaire...80

Figure 2. RQ 2 code map showing linkages between question and code..84

Figure 3. Quotation map for the code senior leader understanding...85

W
IE
EV
PR

v
 1

Chapter 1: Introduction to the Study

Background

The Internet and the increasing extension of connected information systems into

nearly all aspects of commerce and governance, poses significant challenges to

governments worldwide. The challenges are even greater in the developing world, due to

fewer cybersecurity professionals and technical resources (Ellefsen & von Solms, 2010;

Sund, 2007; Tagert, 2010). Unlike the high seas or aerospace, the cyber domain has yet to

develop the full range of internationally-accepted rules and norms to ensure it safe use as

W
a global commons. The World Wide Web began with one website in December 1990, and
IE
exceeded 252 million sites total by December 2011 (Pingdom, 2011). Information and

communication systems are involved in nearly all aspects of daily life (Wegener, 2007).
EV
Taking advantage of the opportunity for illicit gains, cybercrime emerged to adapt old

scams for the digital age and to create new crimes that leverage human gullibility or
PR

technical flaws. The Internet security firm Norton estimated cybercrimes direct and

indirect costs exceeded $338 billion in 2010 (Whittaker, 2011). Internet-aided terrorism,

espionage, and critical infrastructure attacks threaten governments around the world. The

United States Secretary of Defense pointed to a potential cyber Pearl Harbor (Bumiller

& Shanker, 2012). Policy development failed to keep pace with both the immense

changes in technology and threat. This policy-governance gap is particularly true in the

developing world where many nations have yet to recognize the risk (Lock-Teng Low,

Fook Ong, & Aun Law, 2011). Cybersecurity is now a national security issue that can

touch the lives of individual citizens every day (Klimberg, 2012).

 2

Several industrialized, and a few still developing nations, published national

cybersecurity strategies in an attempt to bridge the technology-policy gaps (European

Network and Information Security Agency [ENISA], 2012; Luiijf, Besseling, & de Graff,

2013). Industrialized nations such as the United States, the United Kingdom, Australia,

New Zealand and several European Union member states published national

cybersecurity strategies to establish government priorities and policies as a response to

potential threats to national and individual security (ENISA, 2012). These strategies

respond to unique national interests involving a globalized cyber environment. Luiijf et

W
al. (2013) highlighted the variety of approaches and motivations of nations developing
IE
national cybersecurity strategies. Some strategies stressed national security concerns

while others focused on predominately economic interests.

EV
The International Telecommunication Union (ITU) published the National

Cybersecurity Strategy Guide in September 2011 recommending governments adopt a

PR

values-based strategy commensurate with their perception of their national cyber risk

(Wamala, 2011). This followed the publication in 2009 of the revised Cybersecurity

Strategy Guide for Developing Countries (Ghernaouti-Hlie, 2009). The Organization of

American States adopted AG/Res. 2004 (XXXIV-O/04) Adoption of a Comprehensive

Inter-American Strategy to Combat Threats to Cybersecurity: A Multidimensional and

Multidisciplinary Approach to Creating a Culture of Cybersecurity at is General

Assembly in June 2004 (Organization of American States, 2004). These international

organizations presented different recommendations for developing nations on what to

include in their national cybersecurity policies but only in general terms. These
 3

approaches lack the specificity necessary for an effective strategy and provide little

guidance on how to properly tailor the strategy to national realities. If the one size fits all

approach does not work for developed countries (Luiijf et al., 2013; Klimberg, 2012), it is

unlikely to work for emerging nations either.

The purpose of this study was to investigate national cybersecurity strategy

development in Jamaica which provided information for similar English-speaking

Caribbean nations to use in developing their own cybersecurity strategies. For small

Caribbean nations to develop, grow, and diversify their economies they need to be

W
connected to their trading partners and a customer base beyond their shores, but without
IE
adequate security strategies these nations and their citizens become exposed to greatly

increased risk of cybercrime, critical infrastructure attack, and other illicit activity
EV
(Deibert & Rohozinski, 2010; Ellefsen & von Solms, 2010; Glennon, 2012). A well-

crafted national cybersecurity strategy aligned with international best practices and
PR

tailored to the political objectives and resources available in Jamaica offers a means to

reduce the risks from the threats noted above.

The Difficult Definition of Cybersecurity Strategy

Among the challenges in developing cybersecurity strategy is the difficulty in

defining the term. A number of definitions for cybersecurity have been proffered and no

consensus exists at an international level (ENISA, 2012; Lehto, Huhtinen, & Jantunen,

2011; Luiijf, et al., 2013; Klimberg, 2012). These definitional and cultural challenges at

the international level exist is other security fields as well (Aldis, 2008). Cultural and

language differences hinder the direct comparison of definitions (Klimberg, 2012) and
 4

reflect how a nation perceives the nature and threat from cyberspace (Lehto et al., 2011).

Even nations with published national cybersecurity strategies do not always define the

term in their documents (Luiijf et al., 2013). Hansen and Nissenbaum (2009) in an article

discussing the securitization of cybersecurity traced the initial discussion by computer

scientists in the 1990s to weaknesses in networked systems, but the concept morphed

through the greatly increased concerns of attacks on critical infrastructure and potential

terrorist exploitation of the Internet following the attacks of September 11.

Rowe and Lunt (2012) commented that cybersecurity is more than the traditional

W
technical concern of information assurance but the term now reflects the integrations
IE
between the physical world and cyberspace. Moving past the information assurance

approach to cybersecurity based solely on protecting the source, integrity, availability,

EV
and integrity of data, to more holistic visions based on complex threats improved the

ability of cybersecurity advocates to garner the publics attention to critical infrastructure

PR

and criminal cyber threats (Agresti, 2010). The variance in definitions reflected the

variety of approaches that different nations have taken when developing and drafting

their strategies (Lehto et al., 2011; Luiijf et al., 2013). This study used a qualitative case

study approach to assess the situation in Jamaica and to make recommendations to

improve the nations cybersecurity.

Academic research on cybersecurity strategy and policy in developing countries

only recently started to appear. Tagert (2010) was limited to press articles, interviews,

and a few official documents from governments and international organizations when

completing his dissertation on cybersecurity policy in Rwanda and Tunisia. This study
 5

helped to fill part of that gap and assessed the changes of the past few years. Luiijf et al.

(2013) compared nineteen national cybersecurity strategies in an effort to find common

ground but only Romania, Uganda, India, and South Africa would be considered lesser

developed countries (LDC) or emerging nations. Chapter 2 contains an extensive review

of the current scholarship on national cybersecurity strategy with special emphasis on

policies published or aimed at still industrializing nations.

The situation is different in the advanced industrialized world. The United

Kingdom (Cabinet Office, 2009), New Zealand (New Zealand Government, 2011), and

W
the United States (Bush, 2003) published national cybersecurity strategies and took steps
IE
toward their implementation. As of May 2012, ten European Union countries published

national cybersecurity strategies (ENISA, 2012) and the European Commission (2013)
EV
urged the remaining European Union members to do so. These nations recognized the

national security and economic risks brought by the technology that is now fully
PR

integrated into their societies (Deibert & Rohozinski, 2010; Lehto et al., 2011; Luiijf et

al., 2013; Klimberg, 2012).

A few still developing nations such as Malaysia, Colombia, South Africa, and

Uganda publicly disclosed national cybersecurity strategies (ENISA, 2012; Luiijf et al.,

2013; Ministry of Science, Technology and Innovation, n.d; Phahamohlaka, Jansen, van

Vuuren, & Coetzee, 2011) The English-speaking Caribbean region however continued to

lag behind in the publication and adoption of cybersecurity policies. Trinidad and Tobago

is the only nation to have published a national cybersecurity strategy (Inter-Ministerial

Committee for Cyber Security, 2012).

 6

One of the major challenges to adoption is that there are multiple, competing

visions on how to achieve cybersecurity or even how to frame the discussion. In his

examination of cybersecurity policy in Africa, Tagert (2010) found two basic paradigms

for cybersecurity being recommended by international organizations and the developed

West. One focused on building national cybersecurity incident response teams often

called CSIRTs or CERTs which would serve as response agencies for cyber incidents.

The alternative strategic approach was to develop a legal and procedural framework

similar to the ones established by G-8 nations which ignored the limited technological

W
and institutional capacity of the majority of developing nations. These two approaches
IE
only address aspects of the problem. Luiijf et al. (2013) found a variety of approaches in

their study of nineteen published strategies with economic, national security, counter-
EV
terrorism, and response to unchecked globalization as motivating factors. Chapter 2

contains additional examination of the various approaches that could be applied in

PR

Jamaica.

Further complicating the development of national cybersecurity strategy comes

from the competing paradigms for viewing the problem. The three most commonly

encountered have origins in national security theory, economic theory, or public health

theory (Mulligan & Schneider, 2012). The selection of paradigm is essential to the

formulation of the national strategy. The paradigm determines the framework of the

strategy, the relationship with the private sector, and the means to monitor

implementation. The paradigm selection links the ends, ways, and means and was crucial
 7

to determining the optimal strategy recommendations for Jamaica (Bryson, 2011; Luiijf

et al., 2013; Lykke, 2001).

The national security paradigm reflects the traditional role of the state in securing

the countrys borders and enforcing the rule of law. Harknett and Stever (2009) outlined

the unique nature of the cybersecurity problem as one that encounters the interface of the

public-private and economic-defense in a previously unseen manner. Cybersecurity is

seen to be fundamental to the military and economic security of the nation and required

an approached rooted in traditional national security arguments (Harknett & Stever, 2009;

W
the White House, 2009).
IE
The economic paradigm reflects the growing importance of the Internet and

information flow to the economic well-being of the nation. Moore (2009) proposed an
EV
economic theory approach to cybersecurity highlighting the current misalignment of

incentives, asymmetries, and externalities of the traditional security-based approaches.

PR

Rishikof and Lunda (2011) extended this idea beyond the developed world arguing that

global standards are needed in a connected, globalized economy where malware can

spread unchecked across ungoverned network interconnections.

Beginning in 2011, several authors advanced the public health model approach to

cybersecurity (Charney, 2012; Mulligan & Schneider, 2012; Rosenzweig, 2011).

Originating from the concept that cybersecurity is a public good and that improvements

in any area benefit all participants in the network. Extending from the ideas of

immunizations and quarantines to protect the population from contagious disease,

Charney (2012), Mulligan and Schneider (2012), and Rosenzweig (2011) argued for the
 8

public health model as a means of shifting from purely defensive strategies to an

alternative that seeks to improve the security of each system connected to the global

network. Devices that are connected to the network must be secured to reduce risk for

others in the global common. Each of these paradigms will be explored in greater detail

in Chapter 2 and will be used to guide the methodology of the study.

Problem Statement

During the study, and as of February 2014, Jamaica had not published a national

cybersecurity strategy even though the nations most recent national security strategy

W
identified cybercrime as a major threat (Clayton, 2012). The Caribbean
IE
Telecommunications Union (2011) declared the region to be a breeding ground for

cybercrime (p.7) as the result of the failure of policymakers in the region to comprehend
EV
the growing challenge to law enforcement. Like their counterparts elsewhere (Brechbhl,

Bruce, Dynes, & Johnson, 2010), Caribbean leaders tended to narrowly view
PR

cybersecurity as an issue of identity theft and credit card fraud, failing to recognize the

growing risk of critical infrastructure attack or challenges to national security (Caribbean

Telecommunications Unit, 2011). In general there was a limited understanding of the

extent of cyber threat landscape and government responses to it in the Caribbean region

(Dito, Contreras, & Kellermann, 2013).

While the full extent of the cyber threat in Jamaica was not known, there was

significant evidence of cybercrime on a massive scale (Clayton, 2012; Dito et al., 2013).

The cyber insecurity extended beyond the well documented lotto scam to organized crime

efforts in fraud in the electronic banking sector and even non-financial crime (Chambers
 9

& Turksen, 2010; Dito et al., 2013). While electronic crimes legislation was in force with

the Jamaican Cybercrimes Act of 2010, the enforcement efforts lagged due to limited

resources, limited technical skills, and lack of interagency and international cooperation

(Dito et al., 2013).

Adding to the cybercrime problem, there was limited understanding of

cybersecurity by government officials, law enforcement personnel, and even network

operators across the Caribbean (Dito, et al., 2013). Furthermore, the Caribbean contains

large numbers of internet operated critical infrastructure systems in the financial, utility,

W
transport, and healthcare sectors which remain vulnerable to cyber attack. In 2012, Latin
IE
American and Caribbean nations reported attacks on banking systems which interrupted

international trade, cell phone systems, and national electrical distribution systems (Dito
EV
et al., 2012). As indicated earlier, the focus on cybercrime as the only issue in

cybersecurity results in a lack of understand of the entire risk picture (Caribbean

PR

Telecommunications Union, 2011). The Internet offered the means to growth and

economic development for islands dependent on service sector economies but also

introduced new threats that have challenged the governments of the Caribbean to

respond.

Purpose of the Study

The purpose of the study was to develop insights into cybersecurity policy

development and cybersecurity strategy implementation in Jamaica which may provide

insights for other nations in the region. In the study, I addressed the knowledge gaps in

cybersecurity policy development in Jamaica through the use of a single nation case
 10

study. I answered questions about what policy and strategy options emerging globally can

a developing Caribbean nation such as Jamaica adopt or adapt to improve cybersecurity

for its citizens and nation. The reply needed to be given in the context of size, economy,

and public-private relations applicable to the region and not merely imported from

outside.

The focus was to identify international best practices in cybersecurity policy and

provide recommendations for Jamaica and perhaps other states to adopt. Phahamohlaka et

al. (2011) commented that the needs of developing states for access to connectivity

W
outweighed the protective security concerns of global superpowers. While the U.S.
IE
dependence on cyber systems and networks asymmetrically increased its vulnerability,

emerging nations needed to enter the global cyber commons to reach economic prosperity
EV
(Hamilton, 2010). These lesser developed nations not only needed to satisfy internal

audiences seeking global access to information, goods and services but faced the
PR

challenge of convincing external audiences that their national networks were secure

enough to allow connection for the business and communication needed to access

expanded markets via the Internet (Chabinsky, 2010; Hamilton, 2010; Phahamohlaka et

al., 2011). This is congruent with Sunds (2007) argument that the full potential of the

Internet was hampered due to declining trust as cybercrime continued to increase even

though many existing services are now provided by or dependent upon

telecommunications networks.
 11

Research Questions

In this study, I focused around three primary research questions. Research

Question 1 was: How do the Government and private sector in Jamaica view the state of

cybersecurity in the country? This question was used to identify the current

understanding of the dominate issues in cybersecurity in the nation and included review

of documents and related literature.

Research Question 2 was: How is the Government of Jamaica currently

developing and implementing policy to respond to cyber threats? This question depended

W
on the results of the fieldwork in Jamaica and identified the existing policy frameworks
IE
enacted and envisioned by the government. It was used to determine if the responses to

Lykkes (2001) ends, ways, and means questions regarding cybersecurity strategy
EV
development and implementation were sufficient to reach the countrys goals for

cybersecurity. This strategy model is explained further in the theoretical framework

PR

section of this chapter and in chapter 2.

Research Question 3 was: What additional measures and policies could the

Government of Jamaica implement to incorporate international best practices in national

cybersecurity policy? The responses to the first two questions assessed the current status

which was compared to best practices identified by international organizations, scholars,

and other governments to determine where additional measures may be taken to improve

Jamaicas cybersecurity policy and form the basis for the recommendations in Chapter 5.

Jamaica faces a digital divide and the strategy must consider what policies,

technologies, and infrastructure architectures should be pursued to close the gap (Central