Cyber security’s place on government agenda

In the 2024-2024 budget, Finance Minister Colm Imbert included a tax rebate for businesses spending up to $500,000 on cyber security measures.

That may turn out to be far from enough to meet a threat that is becoming increasingly pervasive.

The extent of the revelations of data breaches in the last two weeks alone – including one attack that affected TTPost that the Public Utilities Minister referred to in an offhand comment – is more than enough to give ordinary citizens pause.

But has it been enough to move the government to more decisive action?

The country doesn’t need a hasty proclamation of the clauses of the Data Protection Act that have not been assented to.

The response to that legislation by media houses in 2017 was justified by the chilling effect it would have brought to the practice of journalism, for which an exemption clause is needed, as included in comparable acts overseas. The Data Protection Act (DPA) as presented in 2017 would have made detailed investigation and confirmation of the TSTT breach a crime for working journalists.

But it’s been more than five years since those concerns were raised, and an acceptable suite of amendments hasn’t been presented to fourth-estate stakeholders.

The government brought an amendment to two proclaimed clauses of the DPA in 2021 to make it legal for the state to process personal data without contravening the 2017 law. Amendments to the act were most recently presented in the Senate in March as the final proclamation moves to presidential assent.

The Opposition has called for a national cyber security centre, but the elements of such a project are already present in the legislation or in practice in various forms.

What’s needed is the will to bring legislation before Parliament that would empower agencies such as the TT Cyber security Incident Response Team to do more than offer advice and warnings to affected companies and state agencies, both of which have largely been ignored.

That’s a bit surprising, given the profile that ransomware has assumed in the public record for more than two years now.

On November 7, the Digital Transformation Minister announced that he would do a full audit of the cyber security measures in place at other government utilities. He has also acknowledged that the government’s cyber security profile is uneven; it’s unclear, however, whether he has the authority to change any of that.

What is needed, in any case, is not a Digital Transformation Minister adding to a considerable and largely unfulfilled portfolio, but the real-world appointment of an Information Commissioner (the post exists, but has no appointee) with a team capable of proactively protecting the individual right to privacy and steering effective compliance with the Data Protection Act.