Independent cybersecurity inquiry is needed
The cyberattack on the Bermuda Government should serve as a reminder that all individuals and institutions are vulnerable to being crippled by malicious hackers.
It is also a lesson that the further governments advance digitisation and paperless processes, the greater the risk from cyberattacks and the greater the necessity for protection.
David Burt, the Premier, is correct in saying that these attacks are possible for any business or government. One of the fastest-growing segments of the international insurance world, especially in Bermuda, is cyber cover. It’s growing fast because attacks are on the increase.
Despite the severity of the attack, it is welcome news that the Government is restoring digital services. Some companies have been crippled for months.
But that does not mean there is any room for complacency. It is right and fair that questions are being asked about the attack and, as importantly, the Government’s readiness for it. In particular, individuals have the right to know if their personal information has been compromised in any way.
So far, the Government has failed to answer many of the questions, arguing that it would be wrong to do so while the investigation is under way. This is not completely unreasonable, at least for now, but it will not be so for ever.
Regardless of when and to what degree the Government answers the many questions being asked, an independent inquiry should be held.
There are a number of reasons for this.
The first is that the politicians and civil servants responsible for Bermuda’s cybersecurity may be reluctant to admit errors that might have occurred on their watch. It is human nature to want to put the best face on this episode. But because those responsible for Bermuda’s cybersecurity are human, they may tend to be defensive about any flaws in their systems. That’s why an independent and objective inquiry is needed.
Since the attack was successful, it is self-evident there were weaknesses in the Government’s cyber defences. These need to be identified and remedied, regardless of whether the weaknesses could be anticipated or not, and that is something an inquiry should determine.
The second reason for an inquiry is that a cyberattack is technical and complex by its nature, and the average person cannot be expected to understand all of the detail required. Independent expertise is therefore required to test the validity of the Government’s explanations.
Third, independent experts of this kind will also recognise what information may need to be kept confidential and what can be safely put in the public domain. Publicly exposing weaknesses for other bad actors to exploit would clearly be a mistake. But there will be a tendency to try to classify everything as harmful when this is unlikely to be the case.
Assuming that such an inquiry takes place — and the opposition One Bermuda Alliance should be leading the charge in calling for one — there are many questions to be asked.
This begins with the nature of the attack, who was responsible, and what their motivation was. Cyberattacks can occur for a number of reasons. Denial-of-service attacks can be carried out by competitors in business or people who simply want to shut down a government or business. Ransomware attacks — now the most common type — have a financial motivation in which systems are hijacked and frozen until a ransom is paid. Other attacks can be used to get personal information that can then be used for further hacks and crimes.
The public also have the right to know who was behind the attack. Mr Burt initially blamed individuals in Russia — where most cyberattacks emanate from — and has since noted that this has not been contradicted. When the investigation is complete, or is as complete as it can be, the findings should be made public and provided to the inquiry.
The second phase of the inquiry should examine the state of Bermuda’s cyber defences. Why was the attack successful and were there weaknesses in the defences that enabled the hackers to get through? If so, were these weaknesses known or should they have been?
It is not impossible that the hackers had devised new methods of attack that the Government was not aware of or for which no defences have yet been devised. It is fair to say that in this part of the criminal world, hackers are often one step ahead of the defenders. But that may not be the case and the public have the right to know if the defences could reasonably have been more robust.
Finally, the inquiry should determine what steps the Government needs to take in the future and the best practices that should be put in place. As this newspaper has reported, a report in 2019 outlined weaknesses in Bermuda’s cybersecurity policies, but it is not known if they were properly addressed.
An inquiry should also have the teeth to ensure that any future recommendations are implemented, or those who fail to do so should be held responsible.
Fortunately for Bermuda, the re/insurance industry has access to many of the best minds in this business. They need to come forward to ensure that any similar attack in the future stands as little chance of success as possible.
Oscar Wilde famously wrote that to lose one parent is unfortunate, but to lose two is careless. To fall victim to one cyberattack may well be unlucky, but failure to do everything possible to prevent another would be unforgivable.