Lessons learnt included in cybersecurity legislation
Legislation was tabled in the House of Assembly to beef up cybersecurity in the wake of a crippling cyberattack on the Government last year.
Michael Weeks, the Minister of National Security, tabled the Cybersecurity Act 2024 and the Computer Misuse Act 2024, which he said were “two important pieces of legislation aimed at strengthening our cyber posture in Bermuda”.
A series of measures is expected to strengthen cybercrime laws and provide police and prosecutors “with the legislative tools needed to effectively investigate and prosecute cybercrimes”.
Mr Weeks said the Cybersecurity Act 2024 would:
• Formally establish a cybersecurity advisory board to advise the Government on matters related to cybersecurity
• Designate critical national information infrastructures and the enforcement authorities responsible for ensuring the entities follow best practices in the cybersecurity arena
• Designate a cybersecurity unit within the Ministry of National Security headquarters as the national cybersecurity incident response team
He said the Computer Misuse Act would repeal and replace the existing Computer Misuse Act and was the “first in a series of legislation that will be amended and updated to place Bermuda in position to meet the stipulations of the Budapest Convention on cybercrime”.
The convention is an international treaty that addressed internet and computer crime by harmonising laws.
Mr Weeks acknowledged that the 2018 Throne Speech “recognised that Bermuda’s economic fortunes and potential for growth must be safeguarded by a secure infrastructure and a strong cybersecurity framework”.
He also said that the 2021 Throne Speech “promised to introduce a Cybersecurity Act to establish the appropriate standards of cybersecurity for Bermuda’s critical assets such as energy supply, telecommunications and government data”.
MPs heard: “Since that Throne Speech promise, technical staff within the Ministry of National Security and the Attorney-General’s Chambers, in collaboration with the cybersecurity governance board, have worked diligently to progress the legislation.
“Many of the larger jurisdictions in the Commonwealth, and several comparable jurisdictions in the Caribbean, have not yet developed cybersecurity legislation, or have legislation that is in its infancy stages.
“That has made it even more critical for Bermuda to allow adequate time for stakeholder consultation and extensive research on best practices in cybersecurity that would benefit the development of this legislation.”
Last September, government services were crippled by the cyberattack, with departments affected for weeks or even months.
The Government has remained silent on whether it was a ransomware attack — and if any ransom had been paid.
Mr Weeks told MPs: “Honourable Members will recall that the September 2023 cyberattack on the Bermuda Government was unprecedented and severely tested the Government’s resilience and ability to maintain its business continuity.”
He said the attack highlighted the need for the new legislation.
The minister explained: “Moreover, the attack fortified the Government’s commitment to ensure that Bermuda’s policies, legislation, and capabilities around cybersecurity and cybercrime align with our objective of being a premier financial technology jurisdiction, and that those policies and legislation support our increasing reliance on technology for daily life and day-to-day operations in Bermuda.”
Mr Weeks said the new unit would be responsible for development of the government-wide cybersecurity programme and supporting oversight of the security posture of government departments.
He said when fully staffed, it would also monitor threats to critical information infrastructures on the island and offer help to outside agencies to improve their abilities to protect against, respond to and recover from cybersecurity incidents.
“Funding for staffing has been allocated for the current fiscal year, and recruitment to fill two new posts for the unit will begin soon,” Mr Weeks said.
As well as the legislation tabled today, the minister said in the future there would be amendments to the Electronic Communications Act and the Criminal Code.
He added: “These amendments will strengthen our laws on cybercrime and provide the Bermuda Police Service and the Department of Public Prosecutions with the legislative tools needed to effectively investigate and prosecute cybercrimes.”
Mr Weeks said: “Getting this legislation right has been a priority of the Government.
“As promised in the 2023 Speech from the Throne, the Cybersecurity Act 2024 being tabled incorporates the lessons learnt from the cyberattack.
“We have taken the time to ensure that the legislation can be enacted and enforced in a way that it ensures adequate protection, but does not unduly burden those entities, organisations and individuals that it is meant to protect.
“While cyberattacks and cybercrime do not typically result in physical harm, the financial and emotional havoc caused is tangible.
“The Government is committed to defending against cyber threats whenever possible and responding to cybercrime with the full force of our updated legislation.”
• To see the minister’s full statement as well as the two pieces of legislation, see Related Media.