Government report showed lack of framework to counter cyberattacks
The Government admitted in a report it published four years ago that the island was without a “formal framework for monitoring cyberthreats and for preventing, detecting, and mitigating against cyberattacks”.
The Bermuda Cybersecurity Strategy 2018-2022 revealed a raft of shortcomings and set out a list of “strategic goals, specific objectives and actions” urgently needed to protect the country’s cyberspace.
It is not clear, amid the cyberattack which derailed government IT systems last week and is still affecting public services, how many of those objectives have been met.
The 42-page document, released in September 2019, included a pledge to “develop, enact and maintain appropriate legislation, regulation, policies and procedures to enhance cybersecurity and reduce cybercrime”.
However, in June this year, Michael Weeks, the Minister of National Security, told Parliament a dedicated cybersecurity incident response team was not yet operational and legislation to tighten cybersecurity was still being drafted.
“The cyberthreats we face continue to increase in frequency and sophistication, with potentially devastating effects,” he told MPs, adding that his ministry was “working diligently to help ensure that Bermuda has adequate capabilities to defend” itself.
• Bermuda organisations recognise cybersecurity is a key issue but there is no overarching national cybersecurity programme for the country.
• Bermuda does not have a formal framework for monitoring cyberthreats and for preventing, detecting, and mitigating against cyberattacks.
• Bermuda has identified critical national infrastructure entities but has not categorised their respective critical information infrastructures (CIIs). There is no national risk management framework and contingency plans against cyberattacks to ensure the resiliency of CIIs.
• Bermuda does not have sufficiently adequate and effective legislation, policies and regulations on cybersecurity to address current and future cybersecurity threats. The Computer Misuse Act 1996 is limited in scope and needs updating.
• The Personal Information Protection Act 2016 has not been fully implemented.
• There is inadequate training capacity and lack of specialised expertise in cybersecurity.
• There is limited ability to prosecute cybercrimes. Mutual legal assistance for cybercrime has also proven challenging.
• There is awareness for the use of standards in cybersecurity but it is not mandated and there is no form of national co-ordination on it.
• Source: Bermuda Cybersecurity Strategy 2018-2022
The minister did not detail the cost of the work in his statement and the most recent Government Budget Book does not provide a clear picture of how much has been allocated for cybersecurity in 2023-24 or how much has been spent on it in recent years.
Mr Weeks told the House of Assembly his ministry’s “cybersecurity team and disaster risk reduction and mitigation team” worked with experts from the UK Home Office to conduct a national cyber-risk assessment earlier this year, looking at “nine critical infrastructure sectors”.
He said most of the findings and recommendations in the Home Office’s ensuing report, delivered in March, were already addressed in the Bermuda Cybersecurity Strategy and the Government’s Cybersecurity Programme.
“The areas not already addressed will be considered when we update the Cybersecurity Programme and Strategy during the current fiscal year,” added Mr Weeks.
The Budget Book shows a line item and business unit for “disaster risk reduction and mitigation” within the national security ministry, but the estimated budget for it is given as zero, compared to $20,000 last year and $200,000 in 2021-22.
The unit achieved only 60 per cent of its work on progressing “contingency plans”, according to a section on performance measures.
Mr Weeks also spoke of an internal government Information Systems Risk Management Committee, which would “also work to continue the development and implementation of the Government Cybersecurity Programme to ensure government IT systems are designed, implemented, operated, and maintained with adequate security”.
The Ministry of National Security’s overall $2.7 million budget for this financial year includes $1.6 million on administration.
The information systems risk management programme is listed as being within the administration business unit.
Meanwhile, the Information and Digital Technologies department within the Cabinet Office was allotted $223,000 for security this financial year.
The same amount was initially estimated for 2022-23 but a revised estimate for that fiscal year, based on spending by the time the new budget was drawn up, is given as zero.
The IDT department’s security unit achieved “0 per cent” of the “disaster recovery exercises planned and executed” for 2021-22 and was expected to achieve “0 per cent” in 2022-23.
Ministerial responsibility for keeping Bermuda’s cyberspace safe lies with Mr Weeks, as chairman of the Cabinet Cybersecurity Committee, along with committee members Walter Roban, the Deputy Premier, and Vance Campbell, the Minister of Tourism and the Cabinet Office.
There was no response from the Department of Communications yesterday to a question about whether the objectives in the cybersecurity strategy had been met.