No-bid consultant hired after earlier digital breach on Government
The devastating hack of the Government’s IT infrastructure a year ago today came after an earlier cyberattack that was not made public, The Royal Gazette can reveal.
Records released under public access to information show that a senior civil servant hired a foreign consultant on a no-bid, $29,000-a-month contract soon after there were “issues with cybersecurity”. He wrote that the consultant was needed to “reduce the risk of another unscheduled outage of IT services”.
Daron Raynor, the Chief Information Officer at the Department of Information and Digital Technologies, told the Office of Project Management and Procurement that he needed to bring in a Chief Information Security Officer on a three-month contract for just under $100,000.
“Considering our recent issues with cybersecurity where we were breached, it has become necessary to add additional resources for added protection against eminent and ongoing threats,” Mr Raynor wrote on June 21, 2022.
“IDT does not have a structured or adequate security system in place within IDT to prevent such breaches.”
The public was told about a system failure that affected the Government’s e-mail network in May 2022 and a report was commissioned to find out how it happened.
However, the Gazette understands there was a cybersecurity breach a month later, which Mr Raynor referred to in his e-mail.
Mr Raynor wrote that the consultant he wished to hire would help IDT to “eliminate and/or identify as many risks as possible identified in the May 2022 confidential risk report”.
The Government kept the June 2022 cyberattack a secret, a course of action not possible after the September 20, 2023 hack, when there was massive disruption to public services.
A Cabinet Office spokeswoman said yesterday of the June 2022 breach: “A server experienced an issue. However, this incident was effectively mitigated, causing no major interruptions to public services.”
The Royal Gazette contacted Mr Raynor, but he said he was unable to comment because of the terms of his Civil Service contract.
Last year’s incident is still to be investigated by a parliamentary joint select committee, though an initial, external assessment was done and a report produced, which the Cabinet Office has said will not be shared with the public.
The Pati disclosure showed that Mr Raynor asked for a waiver in June 2022 to avoid having to seek competitive bids for the cybersecurity contract, citing the “situation IDT/Government is in” as the reason for not putting it out to tender.
Elaine Blair-Christopher, OPMP director, responded by questioning what tasks the contractor would do and noting that she had spoken with the security manager at the Ministry of National Security, who asked if the work could not be done internally or, at least, using a local firm.
The consultant, Christopher Warner, of Canadian firm Cyberdine, was eventually hired with the approval of Derrick Binns, then the Head of the Public Service. Cyberdine’s short-term contract was repeatedly renewed, with almost $420,000 estimated to have been spent on it to date.
The Royal Gazette can reveal it was the second time Mr Raynor brought in an overseas IT firm for a contract without a competitive bidding process.
According to records released under Pati, the previous time, in 2021, he was reported to Dr Binns by Ms Blair-Christopher for allegedly breaching the Government’s procurement code by signing a high-value contract with Info-Tech Research Group, also of Canada, without seeking a waiver to allow it to be “single source” rather than subject to a competitive bids process [see separate story].
The code requires the OPMP director to make a report if she determines any code requirements have been waived without adherence to proper procedures. The Head of the Public Service “must decide whether disciplinary action or report to another agency may be appropriate”.
In the correspondence released, the CIO later explained the “oversight” was because he had not realised he needed to get additional permission from the OPMP.
The Government’s procurement code exists to ensure best value for money and quality of services for taxpayers when contractors are used, as well as to stamp out nepotism and cronyism.
The rules were brought in by former premier Paula Cox under the Good Governance Act more than a decade ago to bring about tighter control of public purse strings.
One of the rules is that civil servants must seek three written quotes for contracts worth $100,000 or more. Single-source contracts above that amount must be approved by the Cabinet.
All procurements worth $250,000 or more, including those tendered, must be approved by Cabinet.
Sole-source waivers to bypass the tender process can be granted by the Office of Project Management and Procurement, but only in exceptional or emergency circumstances. They cannot be given retroactively.
The OPMP pushed back on issuing a waiver for the Cyberdine contract. The Cabinet Office said it was then approved under Section 10.5 of a separate set of rules, government financial instructions, which deals with consultants.
In the financial year 2022-23, waivers for contracts were issued 69 times, according to data released by the OPMP.
In June 2022, Mr Warner was employed by Info-Tech. By asking for the waiver for the Chief Information Security Officer job, Mr Raynor was proposing a second contract for the company.
He wrote: “Working with Info-Tech will provide a great level of consistency as they understand our set-up and systems.”
However, the disclosed documents show that one of the issues raised by the Ministry of National Security official about the CISO contract was that it was with Info-Tech.
Ms Blair-Christopher wrote that the security manager believed “this work should not be given to an overseas consulting firm without considering local individuals and Bermudian businesses”.
She added: “He thought there might be a potential conflict of interest since Info-Tech is developing the [Government’s] IT strategy, providing recommendations regarding what work should be done and then being given contracts to perform the work without any other vendors or local companies allowed to bid.”
Mr Warner was ultimately hired under the banner of Cyberdine Corporation, a company he appears to have registered in Canada the day before his Bermuda Government contract began on August 10, 2022. He told the Gazette he left Info-Tech the same month.
Dr Binns’s approval for the sole-source consultancy was given under government financial rules, which the Cabinet Office said was a different process than obtaining consent from the OPMP.
The Pati disclosure — provided to a requester and shared with the Gazette — included copies of the contracts Cyberdine had since August 2022, with the final one ending on October 15, 2023, a month after the cyberattack.
A public access to information statement published in the Official Gazette by the IDT department in May this year said Cyberdine’s contract ran until December 31, 2023.
The following contracts held by Cyberdine with the Government of Bermuda were released by the Office of Project Management and Procurement, and the Department of Information and Digital Technologies in response to a public access to information request:
• August 10 to November 15, 2022: $89,500 (about $29,000 a month)
• November 16, 2022 to January 31, 2023: $89,500 (about $35,800 a month)
The first two contracts tally with a Pati notice published in the Official Gazette which lists a Cyberdine contract between August 10, 2022 and January 31, 2023 for $179,000.
Two further contracts were disclosed:
• February 15, 2023 to June 16, 2023: $95,000 ($23,750 a month)
• June 16, 2023 to October 15, 2023: $95,000 ($23,750 a month)
Those contracts totalled $190,000.
A second Official Gazette notice listed Cyberdine’s contract as being from January 1, 2023 to December 31, 2023 for $285,000.
Based on these figures, the Gazette estimates that Cyberdine was paid just under $420,000 over a period of 16 months. It is not known if the contract was extended again in 2024; the Cabinet Office would not comment.
The Royal Gazette asked IDT under Pati in October last year for records related to the Chief Information Security Officer position, the Cyberdine and Info-Tech contracts, and any recommendations made by external consultants about cybersecurity and whether they were implemented. The request was refused on national security grounds.
Mr Warner still gave his job title earlier this week on LinkedIn as the Government of Bermuda’s Virtual Chief Information Security Officer, describing himself as the “primary contact for all cybersecurity-related matters within the Government’s IT department and over 60 agencies”.
However, he said his page had since been removed for editing as it was not up-to-date and he was unable to comment on contracts with the Government or any cybersecurity matters.
“I was a hired individual under contract,” said Mr Warner. “To the best of my knowledge, everything was done appropriately.
“I was hired to do a job; I believe I did it well.”
The Government has previously said Cyberdine provided “invaluable support and dedicated resources in the restoration of affected services” after the cyberattack.
The Cabinet Office spokeswoman did not answer questions about whether Cyberdine still had a contract or the total amount paid to the firm.
She wrote in an e-mail: “There were a series of agreements, though the remuneration varied from agreement to agreement.”
The spokeswoman added: “All necessary approvals were granted.
“These contracts were made under financial instructions Section 10.5 and not the procurement code requirements.”
She did not answer a question as to whether Info-Tech was still working for the Government.
“All necessary approvals were granted,” she said of the Info-Tech contract. “Note that no regulations were breached. The procurement code is a policy and not a regulation.”
The services provided by the two firms were, she said, “materially different”.
“Info-Tech's services are akin to those of a physician, who evaluates a situation and provides a 'prescription' or advice for a solution.
“Cyberdine's services were related but different — more like a pharmacist who fills a prescription, they were instrumental in the implementation of the guidance suggested by Info-Tech.”
The Gazette understands that, in addition to Ms Blair-Christopher’s report to Dr Binns, a concerned third party made complaints about the alleged breach of the procurement code to the Auditor-General and the Accountant-General.
Auditor-General Heather Thomas said yesterday: “As the Auditor-General, I am significantly concerned when well-defined processes that promote transparency and accountability in government actions are allegedly bypassed.
“Regarding the Government's activities, and concerns about the use of public monies, I welcome feedback, comment and information. I may initiate an audit because of information received.
“I have to assess if the subject matter is within the Auditor-General’s mandate. I acknowledge receipt of any information received; however, I do not report to individuals who submit information on whether or not I used the information or how it was used.”
Accountant-General Dionne Morrison-Shakir referred queries to the Department of Communications.
Wayne Furbert was the Minister for the Cabinet Office from April 2019 to October 2022. There was no response to a request for comment from him, the Premier, David Burt, or national security minister Michael Weeks.
• October 2020: Daron Raynor is appointed Chief Information Officer for the Department of Information and Digital Technologies. Publicly available information shows he was previously Information Technology Programme Manager for Montgomery County, Ohio, earning $82,829. His role with the Government of Bermuda attracts a salary of $179,853
• March 2021: Mr Raynor signs a three-year contract between the Government and a North American company, Info-Tech, with whom he had previously worked, to provide cybersecurity, as well as staff and budget management, process/policy development and more. The contract is to begin on April 1 and is worth $281,210 to the company for the first year
• June 17, 2021: Mr Raynor writes to Elaine Blair-Christopher, the Director of the Office of Project Management and Procurement, to request a waiver for Info-Tech so that the contract does not have to go through a competitive tender process. In that e-mail, he does not mention the contract has already begun
• July 5, 2021: the CIO submits a waiver request to OPMP for the full three-year amount estimated at $886,512.95, acknowledging that the contract has been in effect since April 1
• August 2021: Ms Blair-Christopher rejects the request, raising concerns about the contract. Crown Counsel Brian Myrie, in the Attorney-General’s Chambers, tells the OPMP that the contract is invalid and has no protections for the Government. Mr Myrie suggests it be terminated and another agreement be drawn up
• September 7, 2021: Ms Blair-Christopher reports Mr Raynor’s breach of the procurement code to Derrick Binns, the Head of the Public Service
• October 8, 2021: the then acting Financial Secretary, Cheryl-Ann Lister, reviews a revised waiver for Info-Tech and says she has no further objection after receiving “much more comprehensive” information about why the services are required
• June 21, 2022: Mr Raynor asks the OPMP for another sole-source waiver for Info-Tech, this time to engage a Chief Information Security Officer at a cost of $99,500 for three months. The amount is $500 less than the $100,000 threshold requiring Cabinet approval. The CISO will be Canadian Christopher Warner, who works for Info-Tech
• June 30, 2022: the OPMP director notes that the Ministry of National Security’s security manager has concerns about the contract for Mr Warner including conflict of interest concerns because Info-Tech is developing the Government’s IT strategy
• August 9, 2022: infrastructure engineers at IDT are told the new consultant has been delayed and that Mr Warner has left Info-Tech and launched his own cybersecurity company, Cyberdine. The same day, Mr Warner registers Cyberdine as a company in Canada
• August 10, 2022: a three-month contract between the Government and Cyberdine begins
• December 13, 2022: a public access to information notice in the Official Gazette lists a contract between the Government and Cyberdine, between August 10, 2022 and January 31, 2023, worth $179,000 (about $29,000 a month). It lists a one-year contract for “research” with Info-Tech, from April 1, 2022, to April 1, 2023, for $295,270
• April 13, 2023: a Cabinet Office spokeswoman says Cyberdine has a four-month government contract for $23,750 a month for the “provision of cybersecurity services”. She confirms Mr Warner is working remotely from Canada and says all “relevant procedures were followed, inclusive of being in compliance with the OPMP Code of Practice” in relation to the awarding of the contract
• April 19, 2023: The Royal Gazette reports on the contract. The same spokeswoman then says Cyberdine was hired “in order to fill an interim need” and that Mr Raynor “followed all the appropriate and relevant approvals” to engage a consultant by getting approval from Dr Binns. She says the job of Chief Information Security Officer will soon be advertised
• May 19, 2023: Mr Raynor requests a renewal for Cyberdine’s CISO contract, with added deputy chief information officer duties. Mr Warner had already listed the DCIO job on his LinkedIn profile several months earlier
• September 20, 2023: the Government’s IT system is attacked by hackers, causing disarray to public services and taking many months to fix
• December 4, 2023: Mr Warner is listed as the contact person for a government request for quotations for a “vendor capable of conducting external penetration tests on specific systems” to start work in early January
• May 21, 2024: a Pati notice in the Official Gazette lists a one-year contract for a CISO consultant with Cyberdine for $285,000 ($23,750 a month) from January 1, 2023 to December 31, 2023. A one-year contract for “research” with Info-Tech for April 1, 2023 to March 31, 2024 for $147,635 is also listed
• September 2024: a parliamentary committee to look into the national security breach, promised by the Premier, David Burt, last November, is expected to be appointed