Small place, big stakes

By Kaelan Joyce

For the past few decades Gibraltar has enjoyed the benefits of living in a thriving economic bubble, blissfully oblivious to the realities of the wider world, but as society rapidly evolves and transforms into an increasingly complex and sophisticated interconnected digital ecosystem, we can no longer afford to do so.

In my opinion Gibraltar has had it too good, for way too long. With over 60% of the population currently employed by the Government, innovation in the public sector hasn’t really been high on the agenda, and understandably so. When most have stable jobs, earn decent wages, are on summer hours and have no clear incentives to go ‘above and beyond’, it naturally leads to a culture of entitlement and mediocrity.

The comfort zone, as we all know, is a beautiful place, but nothing ever grows there.

TECH ILLUSION

Gibraltar has always embraced the latest technological trends, or at least it has appeared to do so.

Online Gaming, Crypto and Digital Financial Services (including Insurance) are currently key pillars of our economy. These are primarily driven by the private sector though.

Personally, I have never felt like Gibraltar has truly embraced digitisation, but rather simply pretended to do so.

The gap is especially visible within the public sector, where the absence of subject matter experts is troubling.

ULTRACREPIDARIAN

Every other week we seem to have individuals, most from non-technical backgrounds, vocally preaching about the latest tech trends.

Last year Cybersecurity was a hot topic and now they have predictably turned their attention to AI (Artificial Intelligence).

They use buzzwords and industry jargon, but those of us who understand these topics well see them for what they truly are: ultracrepidarians.

These are people who confidently preach on topics they don’t truly understand, many with the best of intentions but not deserving of the platforms bestowed to them.

This issue is particularly concerning in the public sector and areas related to national security where decisions carry far greater consequences.

This ultracrepidarian trend, where ‘influential’ non-experts are publicly pushing to define the national strategy, further justifies my belief that even though Gibraltar professes to be an industry leader in digitisation, once you scratch the surface it becomes increasingly apparent that, aside from pockets within the private sector, we are far from it.

SECURITY, A MUST

A fundamental requirement of modern technology, including AI, is having inbuilt security processes and mechanisms. It is no longer a ‘tick box’ exercise, it is a must.

In my opinion Gibraltar should be putting together specialised units/teams that focus exclusively on security, just like any other country does. This is now standard practice across the world throughout both the private and public sector, but apparently not in Gibraltar.

The Information Technology and Logistics Department (ITLD) in Gibraltar are also the designated National Computer Security Incident Response Team (CSIRT), and as a Cybersecurity professional I find this extremely concerning because skillset specialisation is the norm these days across the industry for both security and tech experts. Long gone are the days of ‘IT Generalists’. Basically, IT Support and Cybersecurity are not the same thing, not even remotely so.

RESOURCES AND ROLES

I do understand though that adequate resource allocation may be an issue in the public sector, unlike the private sector, and that the ITLD do what they can with the funding allocated to them, so I hope (and maybe naively so) that this article serves as a catalyst to get them what they need as specialised talent is required to reliably safeguard Government systems and our national digital infrastructure.

This is because even the cybersecurity field itself is becoming increasingly diverse and dynamic, with traditional roles morphing to meet current trends and demands. For example, Supplier Security Due Diligence and Third-Party Risk Specialist roles are becoming more and more prevalent as organisations continue to outsource many of their core services. You are, after all, only as robust and secure as your weakest link, and as Marks & Spencer recently found out, a third-party breach can be costly, over 300 million pounds to be exact.

AI CHALLENGE

AI is not just a tool, but rather a national security topic because when implemented without proper safeguards it becomes an exploitable vulnerability rather than a strategic advantage.
It is glaringly obvious that AI, via automation, could significantly enhance Government service capabilities, secure its systems and vastly improve efficiency, but its implementation should be carefully evaluated beforehand because as tech becomes more advanced and sophisticated, so do the threats that come associated with it.

I am also acutely aware that gaining a competitive advantage via early adoption of new technologies is a must as Gibraltar does not produce anything and is rapidly running out of land to develop and auction off to private developers. This though does not mean that we should dive in headfirst without taking the required precautions, just because we want to stay relevant in a fast-paced digital world.

In my opinion Gibraltar should not be deploying systems of this nature without careful consideration and due diligence. Egos must be set aside and decisions taken in a calculated and pragmatic manner, machine-like if you may.

Furthermore, it must be noted that even those of us with years of experience in the field struggle at times to keep up; we are human after all. This is why it is quite concerning having to contemplate the thought that those deploying these systems potentially lack the skill sets and knowledge to truly understand the overarching privacy implications and security risks that inherently come with the introduction of systems of this nature… complex, intelligent and supposedly human-like. Definitely not something that should be underestimated or taken lightly because not all that glitters is gold.

HALO EFFECT

Back in 2017, the Gibraltar Chronicle published an opinion piece I wrote titled “Cybersecurity should be a National Security Issue”. At the time I stated as follows in that article… “What we need to do is invest in our youth and assist those willing to develop their skills in such areas. This will enable us to gain the knowledge and relevant experience required to keep Gibraltar and its citizens safe.”

Unfortunately, and even though Gibraltar has admittedly invested more in Cybersecurity since 2017, there are still very few local active professionals working in the field or dedicated resources assigned to the area.

I feel like my rallying call to secure our digital footprint and future proof careers in the area has been ignored.

This might be because the Government still does not seem keen on giving Cybersecurity the importance it deserves, instead focusing on quick wins and visual effects.

The same trend I observed back in 2017 continues to be prevalent, with emphasis placed on seeking guidance from alternative sources instead of recognising and leveraging the expertise of local Cybersecurity professionals, who could play a crucial role in developing Gibraltar’s next generation of Cybersecurity experts and overall National Security Strategy.

I still vividly remember trying and failing to get a highly skilled and renowned local application security expert, working for a well-recognised and established global organisation, to participate at a local Government subsidised Cybersecurity event. She was very keen on speaking at the event, and her organisation had even offered to pay sponsorship fees, yet the event organisers declined to have her on board. I found it perplexing, especially as many of the speakers were being flown over (primarily from the UK) exclusively for the event, and she was far more experienced and well regarded than most.

At times we can be our own worst enemies. The question is: can we afford to keep making the same mistakes when we are so small, still seemingly vulnerable to colonial influence and the stakes are so high? Time will tell…

Kaelan Joyce is Cybersecurity Governance Manager in the private sector who manages a global cybersecurity team, with members based across Europe and the US. He has a masters degree in Information Security from Royal Holloway, University of London, and is a qualified data protection practitioner with 20 years’ experience in the tech sector.