Ministerial Statement: To the House of Assembly By Dr. the Hon. E Grant Gibbons, JP, MP Minister of Economic Development
I rise this morning to talk about the issue of cybersecurity and Government's efforts, along with the private sector, to address this issue on a number of levels.
Honourable Members are undoubtedly aware of the importance of cybersecurity and the potential human, economic and reputational risks that cyberattacks present to Bermuda both as a community and a sophisticated business jurisdiction.
Individuals, businesses and other organisations consider the security of their data and the integrity of their ICT systems to be of critical importance. In some cases businesses and individuals must rely on service providers to have sufficient protective measures in place to prevent a non-authorised third party from stealing or gaining access to their data and records.
Worldwide, we increasingly hear reports of malicious hacking and data breaches and of their resulting economic, human and reputational cost to businesses, organizations and governments. There have been attacks on power grids, hospitals, the military, government agencies and security-related services. Information leaks and cyber-attacks present significant risks to the stability of operations, to the security of intellectual property and to personal information. President Obama called it: “the great irony of our Information Age - the very technologies that empower us to create and to build, also empower those who would disrupt and destroy.” Cybersecurity is therefore a concern that needs to be addressed at the highest levels of any organization.
The Bermuda Government also has a responsibility to ensure that those entities responsible for Critical National Infrastructure understand the potential risks and are adequately prepared to protect against, and potentially recover from, a cybersecurity event. Critical National Infrastructure includes entities, which if lost, or significantly crippled, would have a major impact on Bermuda and our wellbeing. Examples would include the hospital, the airport and BELCO's national grid to name but a few.
We know anecdotally that many organizations and businesses in Bermuda have already taken steps to improve their cybersecurity in order to protect themselves and their clients against breaches and potential economic loss. Banks, insurers and other financial institutions would be examples of entities that are reasonably advanced in this area. However, our information on the scope and degree of preparedness is incomplete when it comes to our critical national infrastructure.
In order to understand how well prepared, or not, Bermuda's critical national infrastructure is against cybersecurity risks it is necessary to survey the state of our current cybersecurity maturity and preparedness.
Last Friday morning, I met with leaders from both the public and private sectors who have responsibility for organizations that could be considered critical national infrastructure, to help launch such a survey. The meeting was organized by the E-Commerce Advisory Board’s Cybersecurity Sub-Committee and the Department of E-Commerce.
As Honourable Members will be aware, the E-Commerce Advisory Board, or ECAB, has a mandate to provide strategic insight and recommendations to the Minister of Economic Development, including the protection of Bermuda's information, communications and technology infrastructure (ICT). ECAB is composed of well-established ICT and security professionals in the private and public sectors and many of them were in attendance last Friday morning. The ECAB’s Sub-Committee on Cybersecurity, chaired by Mr. Ronnie Vieira, has been hard at work studying Bermuda’s cybersecurity landscape and identifying its critical national infrastructure.
The Sub-Committee’s next step, which was unveiled last week, is to gather information from those entities having been identified as part of this critical group, in order to understand their readiness in terms of cybersecurity. Those who attended the meeting have committed to working with the ECAB Cybersecurity Sub-Committee and the Department of E-Commerce to determine the level to which the Island’s information security apparatus as a whole is mature and prepared to face cybersecurity risk. The work is being performed using tools that are in line with industry standards in the US, UK and Canada.
I wish to assure Honourable Members that Government is also actively working on the cybersecurity status of its own ICT assets. Whether virtual or physical, these assets are extremely important to the effective operation of the Bermuda Government's ministries, departments and QUANGOs.
About a year ago, the Premier formally established a Cabinet Cybersecurity Committee under the chairmanship of the Minister of Economic Development. The purpose of the Committee was to better understand, address and, where possible, mitigate cybersecurity risks to the Bermuda Government and its ICT infrastructure. The formation of this Cabinet Committee did two things:
- It sent a message at a very senior level that this was a Government priority and was going to have direct Cabinet-level oversight; and
- It provided support to those in Government who we're already working to address these issues
The Cabinet Cybersecurity Committee has been meeting for the last year and in addition to the Chairman includes, Minister Wayne Scott, Mr. Mike Oatley, Director of the Information Technology Office or ITO, Permanent Secretary of Economic Development, Mr. Bill Francis, with support from Dr. Marisa Stones and the E-Commerce department. During this time, the NIST Cybersecurity framework – National Institute of Standards and Technology – has been adopted to assess our preparedness and direct our mitigation efforts.
The NIST Cybersecurity framework was developed at President Obama’s request to address U.S. cyber concerns and preparedness for U.S. organizations. The framework is based on the core functions of: Identify, Protect, Detect, Respond and Recover.
In other words, under the NIST Cybersecurity framework an organization needs to have cybersecurity procedures in place to:
- Identify critical intellectual property and assets
- Develop and implement procedures to protect them
- Have resources in place to timely identify a cyber breach, and
- Have procedures in place to respond and recover from a breach if and when one occurs
The Government is making good progress having conducted a preliminary risk assessment, which has been mapped to a program of cybersecurity-related activities. This linkage ensures that all cybersecurity projects receive the support and oversight from the highest level of Government. The Cabinet Cybersecurity Committee updates Cabinet regularly on the progress accomplished.
Acknowledging the multitude of cybersecurity risks and preparing to face them is a national priority. The private and public sectors – together – have committed to collaborate for the benefit of the Island’s economic and reputational security.
I wish to thank last Friday’s participants for making the commitment to address this national effort, and the ECAB Cybersecurity Sub-Committee for their important work to date.
Thank you, Mr. Speaker.