Академический Документы
Профессиональный Документы
Культура Документы
W
Kevin Newmeyer
IE
has been found to be complete and satisfactory in all respects,
and that any and all revisions required by
the review committee have been made.
EV
Review Committee
Dr. Christopher Jones, Committee Chairperson,
Public Policy and Administration Faculty
PR
Walden University
2014
Abstract
by
W
IE
Dissertation Submitted in Partial Fulfillment
EV
of the Requirements for the Degree of
Doctor of Philosophy
Walden University
May 2014
Abstract
Developing nations have been slow to develop and implement cybersecurity strategies
despite a growing threat to governance and public security arising from an increased
cybercrime. Using a neorealist theoretical framework that draws from Gilpin and Waltz,
this qualitative case study research examined how the government and private sector in
Jamaica, specifically, viewed the state of cybersecurity in the country, and how the
country was currently developing policy to respond to cyber threats. Employing Yins
W
recommended analysis process of iterative and repetitive review of case materials, the
documents and interviews of key public and private sector individuals were used to
IE
identify key themes on Jamaicas current cybersecurity readiness. A similar process
EV
compared the multiple international cybersecurity recommendations and other national
strategies to identify emerging best practices. The studys principal findings were that
Jamaica had initiated the process of developing a cybersecurity strategy, but the gap
PR
analysis indicated the country still needed to adopt several of the recommended
international best practices. The study includes recommendations for the Government of
aligned with the emerging international best practices. The implications for positive
social change from the implementation of such a strategy will be improved national cyber
governance that will contribute to making Jamaica a more a more attractive business
partner for offshore service delivery and associated Internet-related opportunities which
will assist the nation in its goals of job creation and economic growth.
PR
EV
IE
W
Cybersecurity Strategy in Developing Nations: A Jamaica Case Study
by
W
IE
Dissertation Submitted in Partial Fulfillment
EV
of the Requirements for the Degree of
Doctor of Philosophy
Walden University
May 2014
UMI Number: 3616630
In the unlikely event that the author did not send a complete manuscript
and there are missing pages, these will be noted. Also, if material had to be removed,
a note will indicate the deletion.
W
IE
UMI 3616630
EV
Published by ProQuest LLC (2014). Copyright in the Dissertation held by the Author.
Microform Edition ProQuest LLC.
All rights reserved. This work is protected against
unauthorized copying under Title 17, United States Code
PR
ProQuest LLC.
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor, MI 48106 - 1346
Dedication
This dissertation is dedicated to my family. Kathy, your support has been essential
to all I have accomplished both academically and professionally. Ryan, Sean, and Kate
you are great kids, always pursue your goals, whatever they may be. Mom and Dad,
W
IE
EV
PR
Acknowledgments
I am grateful for the guidance and support from my committee chair, Dr.
Christopher Burr Jones for his mentorship throughout my doctoral journey at Walden
University. I also want to express my thanks to Dr. Dwight Toavs and Dr. Gema
I would also like to acknowledge the support from the faculty and staff at the
William J. Perry Center for Hemispheric Defense Studies. It has been a pleasure to work
with you. I offer a special thanks to Dr. Fred Nunn for encouraging me to start this
W
process in the first place and to Major George Benson for his assistance in getting the
critically. The 500 word theme from 10th grade has gotten me a long way.
EV
PR
Table of Contents
Background ....................................................................................................................1
W
Research Questions ......................................................................................................11
Assumptions .................................................................................................................18
Limitations ...................................................................................................................19
Summary ......................................................................................................................22
Introduction ..................................................................................................................24
i
Economic Approach to Cybersecurity .........................................................................31
Strategy ........................................................................................................................40
W
Summary ......................................................................................................................55
Methodology ................................................................................................................64
PR
Summary ......................................................................................................................73
Introduction ..................................................................................................................75
Setting ..........................................................................................................................76
Demographics ..............................................................................................................77
ii
Data Analysis ...............................................................................................................82
Evidence of Trustworthiness........................................................................................90
Results ..........................................................................................................................92
practices?................................................................................................. 107
W
Summary ....................................................................................................................113
Limitations .................................................................................................................119
Conclusions ................................................................................................................126
References ........................................................................................................................129
iii
List of Tables
W
IE
EV
PR
iv
List of Figures
Figure 1. How the research questions are mapped to the interview questionnaire...80
W
IE
EV
PR
v
1
Background
The Internet and the increasing extension of connected information systems into
governments worldwide. The challenges are even greater in the developing world, due to
fewer cybersecurity professionals and technical resources (Ellefsen & von Solms, 2010;
Sund, 2007; Tagert, 2010). Unlike the high seas or aerospace, the cyber domain has yet to
develop the full range of internationally-accepted rules and norms to ensure it safe use as
W
a global commons. The World Wide Web began with one website in December 1990, and
IE
exceeded 252 million sites total by December 2011 (Pingdom, 2011). Information and
communication systems are involved in nearly all aspects of daily life (Wegener, 2007).
EV
Taking advantage of the opportunity for illicit gains, cybercrime emerged to adapt old
scams for the digital age and to create new crimes that leverage human gullibility or
PR
technical flaws. The Internet security firm Norton estimated cybercrimes direct and
indirect costs exceeded $338 billion in 2010 (Whittaker, 2011). Internet-aided terrorism,
espionage, and critical infrastructure attacks threaten governments around the world. The
United States Secretary of Defense pointed to a potential cyber Pearl Harbor (Bumiller
& Shanker, 2012). Policy development failed to keep pace with both the immense
changes in technology and threat. This policy-governance gap is particularly true in the
developing world where many nations have yet to recognize the risk (Lock-Teng Low,
Fook Ong, & Aun Law, 2011). Cybersecurity is now a national security issue that can
Network and Information Security Agency [ENISA], 2012; Luiijf, Besseling, & de Graff,
2013). Industrialized nations such as the United States, the United Kingdom, Australia,
New Zealand and several European Union member states published national
potential threats to national and individual security (ENISA, 2012). These strategies
W
al. (2013) highlighted the variety of approaches and motivations of nations developing
IE
national cybersecurity strategies. Some strategies stressed national security concerns
values-based strategy commensurate with their perception of their national cyber risk
(Wamala, 2011). This followed the publication in 2009 of the revised Cybersecurity
include in their national cybersecurity policies but only in general terms. These
3
approaches lack the specificity necessary for an effective strategy and provide little
guidance on how to properly tailor the strategy to national realities. If the one size fits all
approach does not work for developed countries (Luiijf et al., 2013; Klimberg, 2012), it is
Caribbean nations to use in developing their own cybersecurity strategies. For small
Caribbean nations to develop, grow, and diversify their economies they need to be
W
connected to their trading partners and a customer base beyond their shores, but without
IE
adequate security strategies these nations and their citizens become exposed to greatly
increased risk of cybercrime, critical infrastructure attack, and other illicit activity
EV
(Deibert & Rohozinski, 2010; Ellefsen & von Solms, 2010; Glennon, 2012). A well-
crafted national cybersecurity strategy aligned with international best practices and
PR
tailored to the political objectives and resources available in Jamaica offers a means to
defining the term. A number of definitions for cybersecurity have been proffered and no
consensus exists at an international level (ENISA, 2012; Lehto, Huhtinen, & Jantunen,
2011; Luiijf, et al., 2013; Klimberg, 2012). These definitional and cultural challenges at
the international level exist is other security fields as well (Aldis, 2008). Cultural and
language differences hinder the direct comparison of definitions (Klimberg, 2012) and
4
reflect how a nation perceives the nature and threat from cyberspace (Lehto et al., 2011).
Even nations with published national cybersecurity strategies do not always define the
term in their documents (Luiijf et al., 2013). Hansen and Nissenbaum (2009) in an article
scientists in the 1990s to weaknesses in networked systems, but the concept morphed
through the greatly increased concerns of attacks on critical infrastructure and potential
Rowe and Lunt (2012) commented that cybersecurity is more than the traditional
W
technical concern of information assurance but the term now reflects the integrations
IE
between the physical world and cyberspace. Moving past the information assurance
and criminal cyber threats (Agresti, 2010). The variance in definitions reflected the
variety of approaches that different nations have taken when developing and drafting
their strategies (Lehto et al., 2011; Luiijf et al., 2013). This study used a qualitative case
only recently started to appear. Tagert (2010) was limited to press articles, interviews,
and a few official documents from governments and international organizations when
completing his dissertation on cybersecurity policy in Rwanda and Tunisia. This study
5
helped to fill part of that gap and assessed the changes of the past few years. Luiijf et al.
ground but only Romania, Uganda, India, and South Africa would be considered lesser
Kingdom (Cabinet Office, 2009), New Zealand (New Zealand Government, 2011), and
W
the United States (Bush, 2003) published national cybersecurity strategies and took steps
IE
toward their implementation. As of May 2012, ten European Union countries published
national cybersecurity strategies (ENISA, 2012) and the European Commission (2013)
EV
urged the remaining European Union members to do so. These nations recognized the
national security and economic risks brought by the technology that is now fully
PR
integrated into their societies (Deibert & Rohozinski, 2010; Lehto et al., 2011; Luiijf et
A few still developing nations such as Malaysia, Colombia, South Africa, and
Uganda publicly disclosed national cybersecurity strategies (ENISA, 2012; Luiijf et al.,
2013; Ministry of Science, Technology and Innovation, n.d; Phahamohlaka, Jansen, van
Vuuren, & Coetzee, 2011) The English-speaking Caribbean region however continued to
lag behind in the publication and adoption of cybersecurity policies. Trinidad and Tobago
One of the major challenges to adoption is that there are multiple, competing
visions on how to achieve cybersecurity or even how to frame the discussion. In his
examination of cybersecurity policy in Africa, Tagert (2010) found two basic paradigms
West. One focused on building national cybersecurity incident response teams often
called CSIRTs or CERTs which would serve as response agencies for cyber incidents.
The alternative strategic approach was to develop a legal and procedural framework
similar to the ones established by G-8 nations which ignored the limited technological
W
and institutional capacity of the majority of developing nations. These two approaches
IE
only address aspects of the problem. Luiijf et al. (2013) found a variety of approaches in
their study of nineteen published strategies with economic, national security, counter-
EV
terrorism, and response to unchecked globalization as motivating factors. Chapter 2
Jamaica.
from the competing paradigms for viewing the problem. The three most commonly
encountered have origins in national security theory, economic theory, or public health
theory (Mulligan & Schneider, 2012). The selection of paradigm is essential to the
formulation of the national strategy. The paradigm determines the framework of the
strategy, the relationship with the private sector, and the means to monitor
implementation. The paradigm selection links the ends, ways, and means and was crucial
7
to determining the optimal strategy recommendations for Jamaica (Bryson, 2011; Luiijf
The national security paradigm reflects the traditional role of the state in securing
the countrys borders and enforcing the rule of law. Harknett and Stever (2009) outlined
the unique nature of the cybersecurity problem as one that encounters the interface of the
seen to be fundamental to the military and economic security of the nation and required
an approached rooted in traditional national security arguments (Harknett & Stever, 2009;
W
the White House, 2009).
IE
The economic paradigm reflects the growing importance of the Internet and
information flow to the economic well-being of the nation. Moore (2009) proposed an
EV
economic theory approach to cybersecurity highlighting the current misalignment of
Rishikof and Lunda (2011) extended this idea beyond the developed world arguing that
global standards are needed in a connected, globalized economy where malware can
Beginning in 2011, several authors advanced the public health model approach to
Originating from the concept that cybersecurity is a public good and that improvements
in any area benefit all participants in the network. Extending from the ideas of
Charney (2012), Mulligan and Schneider (2012), and Rosenzweig (2011) argued for the
8
alternative that seeks to improve the security of each system connected to the global
network. Devices that are connected to the network must be secured to reduce risk for
others in the global common. Each of these paradigms will be explored in greater detail
Problem Statement
During the study, and as of February 2014, Jamaica had not published a national
cybersecurity strategy even though the nations most recent national security strategy
W
identified cybercrime as a major threat (Clayton, 2012). The Caribbean
IE
Telecommunications Union (2011) declared the region to be a breeding ground for
cybercrime (p.7) as the result of the failure of policymakers in the region to comprehend
EV
the growing challenge to law enforcement. Like their counterparts elsewhere (Brechbhl,
Bruce, Dynes, & Johnson, 2010), Caribbean leaders tended to narrowly view
PR
cybersecurity as an issue of identity theft and credit card fraud, failing to recognize the
extent of cyber threat landscape and government responses to it in the Caribbean region
While the full extent of the cyber threat in Jamaica was not known, there was
significant evidence of cybercrime on a massive scale (Clayton, 2012; Dito et al., 2013).
The cyber insecurity extended beyond the well documented lotto scam to organized crime
efforts in fraud in the electronic banking sector and even non-financial crime (Chambers
9
& Turksen, 2010; Dito et al., 2013). While electronic crimes legislation was in force with
the Jamaican Cybercrimes Act of 2010, the enforcement efforts lagged due to limited
resources, limited technical skills, and lack of interagency and international cooperation
operators across the Caribbean (Dito, et al., 2013). Furthermore, the Caribbean contains
large numbers of internet operated critical infrastructure systems in the financial, utility,
W
transport, and healthcare sectors which remain vulnerable to cyber attack. In 2012, Latin
IE
American and Caribbean nations reported attacks on banking systems which interrupted
international trade, cell phone systems, and national electrical distribution systems (Dito
EV
et al., 2012). As indicated earlier, the focus on cybercrime as the only issue in
Telecommunications Union, 2011). The Internet offered the means to growth and
economic development for islands dependent on service sector economies but also
introduced new threats that have challenged the governments of the Caribbean to
respond.
The purpose of the study was to develop insights into cybersecurity policy
insights for other nations in the region. In the study, I addressed the knowledge gaps in
cybersecurity policy development in Jamaica through the use of a single nation case
10
study. I answered questions about what policy and strategy options emerging globally can
for its citizens and nation. The reply needed to be given in the context of size, economy,
and public-private relations applicable to the region and not merely imported from
outside.
The focus was to identify international best practices in cybersecurity policy and
provide recommendations for Jamaica and perhaps other states to adopt. Phahamohlaka et
al. (2011) commented that the needs of developing states for access to connectivity
W
outweighed the protective security concerns of global superpowers. While the U.S.
IE
dependence on cyber systems and networks asymmetrically increased its vulnerability,
emerging nations needed to enter the global cyber commons to reach economic prosperity
EV
(Hamilton, 2010). These lesser developed nations not only needed to satisfy internal
audiences seeking global access to information, goods and services but faced the
PR
challenge of convincing external audiences that their national networks were secure
enough to allow connection for the business and communication needed to access
expanded markets via the Internet (Chabinsky, 2010; Hamilton, 2010; Phahamohlaka et
al., 2011). This is congruent with Sunds (2007) argument that the full potential of the
Internet was hampered due to declining trust as cybercrime continued to increase even
telecommunications networks.
11
Research Questions
Question 1 was: How do the Government and private sector in Jamaica view the state of
cybersecurity in the country? This question was used to identify the current
understanding of the dominate issues in cybersecurity in the nation and included review
developing and implementing policy to respond to cyber threats? This question depended
W
on the results of the fieldwork in Jamaica and identified the existing policy frameworks
IE
enacted and envisioned by the government. It was used to determine if the responses to
Lykkes (2001) ends, ways, and means questions regarding cybersecurity strategy
EV
development and implementation were sufficient to reach the countrys goals for
Research Question 3 was: What additional measures and policies could the
cybersecurity policy? The responses to the first two questions assessed the current status
and other governments to determine where additional measures may be taken to improve
Jamaicas cybersecurity policy and form the basis for the recommendations in Chapter 5.
Jamaica faces a digital divide and the strategy must consider what policies,
technologies, and infrastructure architectures should be pursued to close the gap (Central