Sat | Apr 17, 2021

Cybersecurity threat level raised to high

Published:Saturday | February 27, 2021 | 12:15 AM

The Cyber Incident Response Team in the national security ministry yesterday raised the island’s cybersecurity threat level in relation to government systems to high. The heightened threat level comes on the heels of a number of weaknesses...

The Cyber Incident Response Team in the national security ministry yesterday raised the island’s cybersecurity threat level in relation to government systems to high.

The heightened threat level comes on the heels of a number of weaknesses discovered within the JamCOVID app and website, which was being used to store critical data regarding travellers and COVID-19 patients in the island.

The website for the Child Protection and Family Services Agency also appeared to have been breached this week and concerns were heightened as the Passport, Immigration and Citizenship Agency’s (PICA) went offline.

“Many GOJ applications process data and store results on back-end database servers, where sensitive data may sit, and thus, there is cause for concern. There are many potential attacks that entities may encounter which may threaten to disrupt business but can also lead to unauthorised access to data,” the Cyber Incident Response Team disclosed.

The digital security system used by PICA, which processes some of the most sensitive personal information on Jamaican citizens, has been strongly defended by National Security Minister Dr Horace Chang.

At a recent Gleaner Editors’ Forum Chang said that “none of the critical associated government points were affected, for example PICA”.

Marsha Grant, PICA business development director, told The Gleaner that that the site was taken offline by PICA, but did not disclose whether other recent cybersecurity events triggered the move. She, however, said that the PICA website was not breached.

Further questions sent to her were not answered up to press time on Friday.

The latest in breach uncovered in the JamCOVID system involves quarantine orders, including personal details such as addresses, issued to residents being publicly accessible on the Internet.

Under the law, most recently amended on February 1, data gathered for electronic monitoring “shall be deleted upon the expiration of the [14-day] quarantine”. That provision in the Disaster Risk Management Act would have been in place from as early as June 15, 2020, well after the roll-out of the application. The vulnerability of the servers is believed to have stretched back to this time.

The Major Organised Crime and Anti-Corruption Agency yesterday said that its investigators have observed persistent attempts to gain unauthorised access to government systems, adding that measures were being taken to bolster their cyber defence.

In the recently tabled Estimates of Expenditure for fiscal year 2021-22, a little over $1 billion to “continue the procurement of software and hardware to build out the cybersecurity capability of the security forces”.

A further $22.9 million has been allocated for cybersecurity service under the Information and Communications Technology Access and User programme, which aims to increase access to, and use of, ICT in all sectors of the economy and to modernise the Government’s governance framework.