Cyberattack JSC likely to be named today
A joint select committee tasked with investigating the crippling September 2023 cyberattack on the Government’s IT systems is expected to be named in the House of Assembly today.
That would see the cross-party membership of the JSC announced exactly a year after the massive security breach, which disrupted many public services and is still shrouded in secrecy.
Dennis Lister, the Speaker of the House, told The Royal Gazette yesterday: “It’s potentially down as one of the items to be done before the House breaks, which is this week and next week.
“There is a very strong possibility that it’s done for tomorrow.”
David Burt, the Premier, is to announce moves as part of his midyear Budget review today in the House of Assembly — with extra support for the Gang Violence Reduction Taskforce, and a co-ordinated Crisis Response Team for the national security ministry.
Changes to the island’s National Heroes legislation are also to go before MPs for debate.
The structure of the naming and recommendation committee will be discussed along with new rules such as making the designation only posthumously applicable.
Lawmakers will consider an amendment to the customs tariff to rate of duty for diesel and fuel oils used by Belco for electricity.
Also up for debate is the Water Resources Amendment Bill 2024, putting in place an enforcement regime to protect public water and seawater from pollution.
Mr Lister said details of the committee would be shared by him during his announcements at the start of the House session, adding that once it was done “they can start meeting as soon as they like”.
The House of Assembly passed a motion in May, after a heated debate, to form a joint select committee to inquire into the hack.
Parliamentarians are expected to look into such issues as how the IT systems were breached, how much data was taken and whether that data was encrypted, as well as assessing the recovery operation.
However, Craig Cannonier, an One Bermuda Alliance MP and former premier, this week questioned whether they would have the technical knowhow or whether an entirely independent review would be preferable.
He said: “My problem with this joint select committee is, who are we to figure out this IT stuff?
“My concern is that this joint select committee, like most joint select committees, will run around in circles without coming to any conclusions in an expeditious timeline.”
On May 31, amendments to strengthen the Government’s cybersecurity measures were passed in the House of Assembly.
On June 12, the Senate was told about the existence of a report delivered in November 2023 on the cyberattack.
Senate Leader Owen Darrell said in the Upper House: “Those who prepared it, external to Government, have had access to the report.”
A Cabinet Office spokeswoman later said the “confidential and sensitive cyber report” would not be made public.
A Cabinet Office spokeswoman said yesterday: “The Government committed to bring a motion to form a joint select committee and delivered on that pledge.”
She added: “The response to the cyberattack was to restore government systems and to harden our cyber defences.
“We look forward to sharing the work that the Government has done with the joint select committee when it is appointed by the Speaker of the House.”
The spokeswoman said the Government had “invested heavily in increasing our cyber defences” as outlined in a press release issued on Wednesday.
The September 20, 2023 cyberattack affected government departments for, in many cases, weeks and, in some cases, months, but the public has been told little about the cause and the long-term consequences.
It was widely suspected to have been a ransomware attack — when hackers lock victims out of computer networks and leave ransom notes giving instructions on how to unlock them in exchange for millions of dollars — though this has never been expressly confirmed by the Government.
However, Vance Campbell, a former Minister for the Cabinet Office, suggested in March that servers were encrypted, the hallmark of a ransomware attack.
He told the House of Assembly a “manual mission critical tool” had been created to “assist and prioritise outages after a cyber incident” and this "assisted with decryption of servers and desktops“ after the hack.
Asked about secrecy surrounding the cyberattack, the government spokeswoman said: “This was a very sensitive incident. The nature of cybersecurity threats often requires a level of confidentiality. This continues.”
She added: “There is no evidence that any personal information was stolen as a result of the attack.”
The official standing orders of the House allow the Speaker to appoint up to seven MPs to join with senators as a joint select committee.
Committee members select their own chairman and have the power to "send for persons, papers and records“ as part of their inquiries.
The orders state: “Subject to any order of the House or resolution of the committee, the sittings of a select committee shall be private.”
JSCs must make a report to the House before the end of a parliamentary session, or, if they find themselves unable to conclude their investigations before the end of the session, to report that fact.