September 2023: Cyberattack strikes at ‘very heart’ of government
The reverberations from a crippling cyberattack that struck at the “very heart of public services” in Bermuda in mid-September were still being felt as 2023 drew to a close.
The hackers infiltrated the Government’s IT systems on September 20 and the public found out the next day, when a press release was issued about all departments suffering internet, e-mail and phone service interruptions.
David Burt, the Premier, then dropped a bombshell that afternoon at the close of a press conference on upcoming parliamentary business.
“There has been an incident which is affecting not only the Bermuda Government but some other regional governments as well,” he told reporters.
“Our initial indication is that this has come from an external source, most likely from Russia, and we are working with agencies to ensure we can identify any particular challenges and make sure that services are restored as quickly as possible.”
His remarks were brief, but the severity of the situation soon became clear, as did Mr Burt, perhaps caught off-guard, having said more than he should.
The Premier, mentioning Russia twice, said both that it remained to be seen whether this was an “attack” but also that: “We do know at least one other country that has been affected; suspected on the same level of attack.”
Rena Lalgie, the Governor, issued her own statement the next day, confirming it was a “major cyberattack” on the island.
She said: “Whilst there was an early indication of the geographical source of that attack, any further speculation on the possible source or motivation for the attack would be unhelpful.”
Although the crisis, including the impact on public services, dominated headlines for the rest of the month and is still ongoing, nothing further was revealed about the nature of the breach, whether data was stolen or which other country was affected.
Mr Burt left the island for meetings in Washington — a decision he soon received criticism for from the Opposition. Walter Roban, leading the country in his absence as Deputy Premier, told Parliament that civil servants were battling around the clock to restore normal service. “The very heart of public service has been attacked and immobilised,” he said.
Experts said it had all the hallmarks of ransomware, when hackers lock victims out of computer networks and leave ransom notes giving instructions on how to unlock them in exchange for millions of dollars.
Such scenarios often involve the hackers stealing data. Mr Burt said initially it did not appear data was taken, but he revised that in October, saying there was “circumstantial evidence” that it was.
He and ministerial colleagues Michael Weeks and Vance Campbell, all members of the Cabinet Cybersecurity Committee, came under scrutiny as to whether they had implemented measures promised in a 2019 government report which identified that the island was without a “formal framework for monitoring cyberthreats and for preventing, detecting, and mitigating against cyberattacks”.
A month after the attack, Mr Burt told a press conference that improvements were planned before it happened, adding: “But in this particular case and instance, and how this attack happened, it would have been particularly difficult to prevent.”
So who did conduct the attack? Did Bermuda’s taxpayers have to pay a ransom? What data was taken? Which other jurisdictions were targeted? The answers to those and other questions were not given in the weeks and months since September 20, with a police investigation continuing.
The One Bermuda Alliance called for a Commission of Inquiry, but the Premier said a bipartisan parliamentary committee would instead probe the attack.
National security minister Michael Weeks was unable to say in November if Bermuda was part of a new International Counter Ransomware Initiative, whose member governments do not pay ransoms. Government House later confirmed that Bermuda and the other Overseas Territories were “not included at this time”, even though Britain was a signatory.
The cyberattack overshadowed all other news in September, a month that began with the maiden flight of BermudAir and strong winds from Tropical Storm Idalia, which came hot on the heels of Hurricane Franklin.
There was a glancing blow from Hurricane Lee later in the month, as well as two public protests against government policies staged by representatives from the taxi and farming industries and public schools, and a demonstration outside court by a father’s rights group.
Other front-page stories included a claim from Zane DeSilva’s lawyer, denied by the Director of Public Prosecutions, that criminal charges against the MP were dropped after he agreed to abandon a civil lawsuit against the police; teachers criticising the Government over salaries not being paid; and the Governor moving out of Government House owing to the need for “urgent repairs”.