Cybersecurity to be beefed up
The island’s ability to fend off cyberattacks will be “greatly enhanced” with new legislation and more staffing in the Government’s cybersecurity unit, the national security minister said yesterday.
Last September, government services were crippled by a cyberattack, with departments affected for weeks or even months.
The Government has remained silent on whether it was a ransomware attack — and if any ransom had been paid.
Michael Weeks, the Minister of National Security, deflected questions on a potential ransom attack, telling shadow minister Michael Dunkley that it was “best answered by our honourable premier, who has addressed this issue previously on a number of occasions”.
Mr Dunkley posed a series of queries on the cyberattack, including asking what restoration remained to be done — with Mr Weeks telling him the answer lay with the Department of Information and Digital Technologies.
However, he said the Government’s IT systems were hit by cyberattacks at “a nearly constant pace”, with “the overwhelming majority successfully blocked”.
Mr Weeks added that it would be unrealistic to expect every attempt to get blocked, with attacks always growing in sophistication.
“We must continue to improve our defences.”
In a Budget debate yesterday, Mr Weeks said two additional posts would be filled within the cybersecurity unit, with recruitment starting early in the coming fiscal year.
He said the unit, which he first announced last June, would “assist government departments with implementing security plans for their IT systems, including the identification of threats, vulnerabilities and appropriate safeguards to identify, protect against, detect, respond to and recover from cyberattacks”.
The minister added that in 2024-25 the cybersecurity unit would “establish the Bermuda National Cybersecurity Incident Response Team and implement and operate a cybersecurity operations centre to monitor for cyber threats to Bermuda and our critical national information infrastructures”.
According to last year’s Throne Speech, a Cybersecurity Bill would go before MPs, and Mr Weeks confirmed the legislation had been drafted and would be tabled this year.
“This Act will establish minimum standards for the protection of critical national information infrastructure, formally establish a cybersecurity governance board to oversee the protection of these entities and a national cybersecurity incident response team to assist government and private sector entities with preparing for and responding to cyberattacks.”
The minister told MPs that other legislation was also being drafted to ensure Bermuda met international requirements established by the Budapest Convention on cybercrime, an international treaty addressing internet and computer crime by harmonising laws.
“This legislation will provide modern definitions of cybercrimes and will provide law enforcement and the judiciary with an effective foundation for investigating and prosecuting cybercrimes,” he added.
Michael Weeks, the national security minister, responded to opposition questions on the cybersecurity budget for 2024-25, saying $353,426 had been set aside for three posts.
There was $155,000 budgeted for “third-party assessment and consulting services”, $40,000 for training and conference attendance, $8,000 for penetration testing software and $2,000 covering subscriptions, for a total of $558,426.
Mr Weeks said there was “significant progress” in drafting legislation and job descriptions, with recruitment to fill new cybersecurity posts in 2024-25.
During the 2023-24 financial year, Mr Weeks said, his ministry worked with the chief information officer, the head of the Pati and Pipa units and other members of an IT governance steering group to “support development of IT governance policies, procedures and terms of reference in support of the cybersecurity programme”.
He said the ministry also “continued to advise heads of departments and ministries on cybersecurity threats, vulnerabilities, policies and good practices”.
“National security also provided support to government departments for securing the IT systems, providing guidance for appropriate planning, design and documentation to comply with approved policies and standards and meet security requirements and define security objectives.
“Other services provided included identifying threats to IT systems, components and processes, identifying vulnerabilities impacting IT system designs, architecture, components and data flows, identifying attack factors and assessing the likelihood and impact of attacks.
“This work included providing recommendations for secure design and appropriate administrative, operational and technical safeguards to meet security requirements for protecting information and IT systems and preventing, detecting, responding to and recovering from cybersecurity incidents.”
Last month, the chief information and security officer and representatives from the Bermuda Police Service cyber unit attended the British Overseas Territories cybersecurity conference.
A full review of the national cyber-risk assessment, completed in March 2022, was performed, the minister said, and action items developed that “will be used to update the Bermuda cybersecurity strategy and prioritise high-risk areas for protection against cyber threats”.
Mr Weeks added: “We are increasingly dependent on information technology to store sensitive information and provide critical services.
“As was demonstrated in September 2023, cyberattacks represent a significant threat to Bermuda and our economy. We must continue to improve our ability to protect against, detect, respond to and recover from cyberattacks.
“Our cybersecurity strategy provides the appropriate framework for the Government of Bermuda to ensure the information and communications technology systems across all critical segments of our society and economy are designed, implemented, operated and maintained with adequate security.
“In the coming year, with more human resources in our cybersecurity unit and with a legislative framework for the protection of critical national information infrastructure systems, our ability to defend against cyberattacks will be greatly enhanced.
“Our efforts in this space over the next year will provide increased security for our systems.”