A committee investigating a cyberattack that crippled government services will also examine security in institutions across the island, its chairman said yesterday.

Lawrence Scott, who is leading the joint select committee into the incident in September 2023, broke with normal procedure to speak publicly about how the JSC would work.

He promised monthly updates on the committee’s progress — although he emphasised it would be inappropriate to disclose any findings until its report was tabled in the House of Assembly.

Mr Scott, a Progressive Labour Party MP, said: “We want people to understand that this [process] is parliamentary not party, in the sense that this is not a blame game.

“This is not about who do we point fingers at? Who do we criticise? This is more about understanding the situation, understanding the series of events that led up to what happened.

“This is why we’re going public, so people know what’s going on. We talk about it and then people say, ‘well, I haven't heard anything, so nothing must be happening’.”

Services were severely disrupted last year when the Government fell victim to cybercriminals.

Initially, David Burt announced it was suspected that the disruption came from “an external source, most likely from Russia”, although that has never been confirmed.

The Premier said later it was believed some personal information held by the Government could have been impacted but the amount has never been revealed.

The Government has not confirmed whether it was a ransomware attack and if a ransom was paid.

In the wake of the incident, the Government introduced new legislation on cybersecurity, established a cybersecurity board and later set up the JSC.

Mr Scott said the committee would not be limited in scope to just last year’s incident, although that would be the initial focus.

“We are going back as far as we need to,” he said. “We’re going to speak to the subject matter experts in the civil service, the permanent secretaries, the technical officers, even ministers and former ministers.”

He said the JSC had seen a report from the Government on the attack but had asked for more in-depth information.

“It leaves questions,” Mr Scott revealed. “So there are questions that we are asking.”

He declined to say what those questions were, and added that it would be inappropriate to say.

Since cybercriminals attacked the Government, the island has seen other incidents including at Lindo’s, Bermuda College and The Royal Gazette.

Mr Scott said the JSC’s remit was also to speak to institutions such as banks, the Bermuda Hospitals Board, Belco and the international business sector to see what safeguards against attack were in place, as well as what steps were taken to protect data.

The committee will also look at protections in similar-sized island nations, as well as in Britain.

Asked if the aim was to make sure the country as a whole was protected, Mr Scott said: “That is correct.”

He said the government cyberattack was the catalyst for a wider investigation and added: “We have to investigate the government attack.

“The people of this country, through the representatives in Parliament and the representatives in the Senate, have said, ‘this is what we want, we want this to be investigated, we want answers’.”

The JSC started its work on October 13.

Mr Scott said: “Without giving out too much information, what we have done is we’ve all agreed on the terms of reference.

“We all agreed on the format in which to do this and now we have reached out to persons of interest or entities of interest to present to us.

“Our next phase will be, over the next four weeks, to gather and hear evidence in regards to the government attack and then over the following months we will be getting information from the external organisations.”

It is hoped the committee will finalise its work and present a report to Parliament, with recommendations on cybersecurity best practice, within the next seven months.

Mr Scott said he hoped the JSC could then hold town hall events to help the public understand what the report said.

Speaking on a personal level, Mr Scott said: “What I would like to see is a more interactive electorate, meaning when information is presented to the House of Assembly, it becomes public for people to ask questions.”

Mr Scott said that the JSC’s commitment to provide regular updates on its work was “sort of allowing people to peek behind that parliamentary veil” while “staying within the confines of our system and our rules”.