Cybersecurity amendments passed in the House – The Royal Gazette
Michael Weeks, the Minister of National Security (File photograph by Blaire Simmons)
Amendments to strengthen the Government’s cybersecurity measures were passed yesterday in the House of Assembly.
Several MPs, however, emphasised that efforts to provide answers and fixes to last year’s government hack were taking much too long.
Another said that the Cybersecurity Act 2024 should have been amended years ago when the opportunity presented itself.
Amendments to the Act, provided by Michael Weeks, the Minister of National Security, sought to upgrade Bermuda’s framework for protecting government computer systems against cyber threats.
The amendment would seek to rename the Cybersecurity Governance Board, made up of public and private representatives to advise the Government on best practices, to the Cybersecurity Advisory Board.
It will remain separate from the advisory board meant to analyse the 2023 government hack.
The amendment will also mandate the creation of a national cybersecurity incident response team and set up a framework to ensure this team meets cybersecurity standards.
New legislation will give the Minister of National Security the authority to issue policy directions or codes to ensure cyber protections.
The Bill will also establish a Cybersecurity Unit, which Mr Weeks said would add “an additional layer of protection” by overseeing the Government’s internal security programmes and providing yearly performance reviews.
Craig Cannonier, the Shadow Minister of Tourism and Public Works, accused the Government of “scrambling” to put forward an amendment despite knowing about the problem for months.
He said that the House and public had been waiting for almost a year for clarity over what information was lost and whether a ransom was paid.
Mr Cannonier added that consultants had been hired before to give information on what should have been done, making these proposed groups redundant.
He said: “Corporate entities have been getting attacked for donkey’s years and they’ve been dealing with it.
“In fact, some of them probably offered their services to help when Government had this cyberattack.”
Susan Jackson, the Shadow Minister of Transport and Seniors, echoed Mr Cannonier’s sentiments.
She added that she was “quite disappointed” that the PLP Government, which she said came to power under the guise of an “IT-savvy” party, took this long to put the amendments into practice.
Ms Jackson said: “We should have been debating on this in 2018.”
She said that the Government neglected to put advice from several international groups into legislation and added that, had these measures been in place, Bermuda could have better handled last year’s hack.
Ms Jackson said: “They gave us an assessment, and they wrote out pages and pages of recommendations.”
She added: “Good intentions are seed of good deeds. They need to be watered with actions and good deeds, and I am becoming frustrated.”
Zane DeSilva, a PLP backbencher, defended the timing of the amendment.
He explained that passing an amendment took time and that amendments were seen frequently in House of Assembly meetings.
Mr DeSilva added that the present state of the Cybersecurity Act should not be judged poorly for its time and further praised the amendments for laying down a solid bedrock for protecting the country.
He said that Bermuda would have been hard-pressed to defend itself against hackers regardless of when the amendment was passed.
Mr DeSilva explained that many private companies faced debilitating cyberattacks despite having cybersecurity that rivalled Bermuda’s.
He added: “This is a very sensitive situation, and I think the Premier said that many times right after it happened.”
Jason Hayward, the Minister of Economy and Labour, applauded the new legislation, saying that it brought Bermuda in line with modern times.
He said: “Every country should have a national cybersecurity advisory board and a national cybersecurity unit.
“We are becoming a more technologically advanced economy, and as a result, the risk of cyberattacks on our jurisdiction or cyber threats from threat actors is becoming more prominent in societies throughout the world.”
Mr Hayward said that the framework laid out was “a logical and practical step” for strengthening the island’s security.
He added that these amendments were going to happen regardless of the September hack.
Wayne Caines, a PLP backbencher, requested amendments to Section 4 of the legislation on the make-up of the cybersecurity advisory board.
He wished to have the National Disaster Co-ordinator in the Ministry of National Security removed from one clause and to have private sector specialists listed in another clause in place of the generic “two private sector cybersecurity advisers” in the current wording.
Mr Caines, the chief executive of Belco, said: “The proposal is that if you look at this section it is very government heavy.
“What we want to do is get people in the private entities and to have them specifically named.
“What we are proposing is to say the chief information security officer for telecommunications, then the next one to be the chief information security officer for energy and then for it to say the chief information security officer for banking.”
Derrick Burgess, the Speaker of the House, told Mr Caines: “You are taking it a bit far right now.
“If you were asking for two or three words that’d be fine, but you are asking for quite a bit of a section.”
Mr Burgess asked if it had been discussed with the minister. Mr Caines did not respond, but Mr Weeks made the point that amendments need to be put in writing.
He said: “There has been no formal consultation with me whether or not I was going to take anything out or put anything in.”
The amendment was rejected.