In the digital era we live in, cybercrime represents a direct threat not only for nations but also for corporations and individuals. Nations that lack development in technology and cybersecurity strategies are especially vulnerable to this type of threat. The recent data leak in Ecuador has highlighted the substantial threat of cybercrime to less technologically developed nations and the enormous impact it can have on their populations’ data protection.
In the 21st century, Cybercrime is one of the most relevant and pressing issues in the digital world. The impact and the influence that it can have over individuals, companies, corporations, and States is alarming. There are more than two billion people with access to cyberspace, all potential victims of cybercrime. Since software products required for hacking can be readily and cheaply obtained online, anyone with a computer and a relative amount of knowledge can become a cybercriminal and affect millions of individuals at once. According to the United Nations, more than “431 million people [were victims] of cybercrime in 2013”[i]. The consequences and costs of this contemporary issue are truly enormous, and growing rapidly as computers, smartphones, tablets, and other electronic devices attempt to produce ever-evolving methods to prevent cybercriminals from their aggressive and increasingly sophisticated attacks[ii].
The effect of cybercrime in the public and private sector is enormous. It is estimated that “by 2016, the average loss annually by a company due to cybercrime was between $2 million and $5 million”[iii]. Further, according to the “Commissioner of the City of London Police, ‘cyber’ fraud costs the United Kingdom £27 billion per year while ‘cyber breaches’ were recorded by 93% of small and medium businesses in the United Kingdom in 2013”[iv]. As a result, cybercrime generates negative impacts on employment as the monetary loss “has the effect of shifting personnel away from the highest value jobs in developed nations”[v]. Whilst the impact of cybercrime is more evident within the European Union and developed countries such as the United States, the United Kingdom, and Japan, countries that are less technologically developed in matters of cybersecurity are also highly exposed to suffer from cybercrime. Digitalisation is often considered as key to economic development, therefore countries striving for this goal may experience resulting vulnerabilities, or simply may not have the necessary resources to deal with cybercrime effectively such as The Republic of Ecuador.
Ecuador has been a victim of cybercrime for a considerable period of time and it is becoming increasingly apparent that this threat exceeds the country’s capabilities. Cybercrime in Ecuador started to be treated as a serious threat in the year 2009, 3,143 cases were registered in the following five years; however, it is estimated that 80% of cybercrimes are not reported[vi]. Furthermore, as Ecuador decided after seven years to withdraw diplomatic asylum from WikiLeaks founder Julian Assange in April 2019 it received more than 40 million cyberattacks from international activist hacker group Anonymous in one day. The attacks affected entities such as Chancellery, the Presidency, the Central Bank of Ecuador, and multiple other ministries[vii].
The problems seem to continue, as on Tuesday 17thof September 2019, the Government of Ecuador announced that it had been a victim of cybercrime as the data of six public entities were leaked through a security breach. According to the BBC, a team of researchers in vpnMentor, a firm specialised in information regarding Virtual Pirate Networks and internet privacy, discovered that the information of about twenty million Ecuadorians had been leaked. This figure exceeds the total population of Ecuador by four million, meaning information of deceased people was also leaked. The data was disclosed from a non-secured server in Miami owned by Novaestrat Company; an Ecuadorian company focused on providing services such as data analysis and strategic marketing. The information contained sensitive data regarding personal, familial, employment, and vehicle-related data which could be used by cybercriminals to commit a diverse range of crimes. Names of relatives, ID numbers, place and date of births, telephone numbers, email addresses, academic histories, professions, job salaries, job positions, civil status’, loan and credit information, credit, were some of the fifty types of data leaked. The data has two origins, public and private. However, most of the stolen information was acquired from the Ecuadorian Institute of Social Security and the Civil Registry of Ecuador[viii].
The content stolen from the Civil Registry, the Internal Tax Office, the Higher Education Secretary, the Ecuadorian Institute of Social Security, the Bank of the Ecuadorian Institute of Social Security, and the National Traffic Agency leave Ecuadorians exposed to a diverse set of crimes such as fraud, phishing, identity theft, financial fraud, theft of goods, extortion, and business espionage. The investigators believe that the databases were stolen or illegally bought from ex-public civil servants that used to work in some of the aforementioned six public entities. It is not yet clear for what purpose the data was stolen whether it be for political, commercial, or criminal objectives. However, what is clear is that Ecuador is not technologically nor legally ready to face the challenge of cybercrime. 74% of Ecuadorian public entities still do not have the security apparatus deemed necessary by the International Organisation for Standardisation to avoid cyberattacks[ix]. Also, according to the Global Cybersecurity Index 2018, Ecuador occupies position 98 out of 175 nations showing a lower position than Ghana, Botswana, or Cameroon and a similar position to Venezuela, Samoa, and Gabon. This demonstrates that Ecuador has a medium level of commitment towards engaging in cybersecurity programs and initiatives to face cyber threats[x]. Ecuador is one of the few countries in the region that have not develop a data protection bill yet, therefore, Ecuadorians have stipulated rights regarding the protection of their data but no laws to regulate it. Furthermore, cyberspace and ICT is continuously changing and being developed, therefore, the necessity for a suitably evolving legal framework that will keep up with cybercriminals is imperative for Ecuador, and the world, to prosecute cybercriminals and address their apparent impunity.
The Ecuadorian Minister of Telecommunications Andrés Michelena has argued that the data of Ecuadorians is ‘well-protected’, but the truth is that in 2019 Ecuador suffered the biggest information leak in its history. Furthermore, as a response to both cybercrime and as a response to the most recent data leak, the Ecuadorian Government announced that a bill regarding data protection has been sent to the National Assembly aiming to support the Integral Criminal Code of Ecuador regarding cybercrimes and that $11 million had been allocated for Ecuador’s data protection[xi].
Despite the efforts of the Ecuadorian government, it seems unprepared to deal with the continuing threat of cybercrime, partly due to the issue simply being neglected. Furthermore, the characteristics of the modern technological era means that cybercrime is considered an asymmetrical threat, especially for countries that are underdeveloped in technical matters such as Ecuador. Different from traditional warfare, where attackers and defenders are on equal ground when confronting one another, in cybercrime such equality between parties does not exist; the cybercriminal has the palpable advantage with regard to both attack and defence[xii]. Hence, the tools that Ecuador has are not enough to defend itself, when information is leaked it is unlikely to be recovered, and for investigators it is almost impossible to determine the perpetrators of cybercrimes. The continuing threat of cybercrime calls for the Ecuadorian government to implement an adaptable response to protect the information of its population.
Sources:
[i]United Nations Office on Drugs and Crime (UNODC), (2013), “Comprehensive Study on Cybercrime”, New York.
[ii]Moskowitz, S (2017) “The Global Cyber Crime Industry”, Butterworth-Heinemann.
[iii]Ahkgar, et al (2014). “Cyber Crime and Cyber Terrorism Investigator’s Handbook”, Waltham: Elsevier.
[iv]Ibid
[v]Ibid
[vi] Zambrano, E, (2016), “Computer Crime. Criminal Procedure in Ecuador”.
[vii] El Universo, (2019), retrieved from: https://www.eluniverso.com/noticias/2019/04/15/nota/7287215/ecuador-ha-recibido-40-millones-ataques-ciberneticos-revela
[viii]BBC News, (2019), “Data on almost every Ecuadorian Citizen leaked, retrieved from:https://www.bbc.com/news/technology-49715478
[ix] Diario El Comercio (2019), retrieved from: https://www.elcomercio.com/actualidad/ecuador-ciberseguridad-region-informe-delitos.html
[x] Global Cybersecurity Index 2018 (GCI), (2019), ITU Publications, retrieved from: https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2018-PDF-E.pdf
[xi]Diario El Comercio (2019), retrieved from: https://www.elcomercio.com/actualidad/gobierno-ecuatoriano-proteccion-datos-ataque.html
[xii]. Moskowitz, S (2017) “The Global Cyber Crime Industry”, Butterworth-Heinemann.