Bacchus: AG Ministry a model for State's cyber security

Minister of Digital Transformation Hassel Bacchus

ATTEMPTED cyber attacks on the Ministry of Attorney General’s information technology (IT) systems birthed a model for other ministries to follow, says Minister of Digital Transformation (MDT) Hassel Bacchus.

Bacchus and senior representatives at the MDT, including permanent secretary Cory Belfon, were questioned by members of Parliament's Social Services and Public Administration Committee during its inquiry into the government’s ongoing response to the recent cyber-attacks on state bodies on Monday.

The committee is chaired by Independent Senator Paul Richards.

Bacchus suggested a cultural shift was needed at all state departments.

“To get the culturalisation of cyber security into the State is not a simple task. It not only involves getting the ICT professionals up to speed, but getting the management of anything up to speed.

“Cyber security,” he said, “is not an ICT problem. It never was.

“Cyber security is an enterprise risk problem, to be managed at that level. It’s not the IT (information technology) guys that have to look at it; it’s in the board rooms, etcetera.

“So as various ministries, divisions and agencies move forward with their digital agendas, add more technology to their portfolios, use it more…the attack surface (increases).”

Bacchus said if the MDT and the Ministry of National Security are unable to convince all public stakeholders about the necessity of robust cyber security, “we’re going to be in some trouble.”

The sensitisation of cyber security has happened, he said, “but to transform from having fairly routine cyber security prevention methods and recovery methods…to what is actually required (today)... we’re not there yet."

Bacchus said that meant some ministries were better protected than others, based on previous threats.

The Ministry of the Attorney General and Legal Affairs, for example, “would be one of the more secure environments, coming out from a successful attack,” he said.

“When the interventions were made (following recent attempted cyber attacks), it wasn’t just about finding out what happened. It wasn’t just about removing the threat. It involved hardening the environment, increasing the security levels of awareness, scanning the dark web for additional credentials that have been in existence,” he said, in addition to putting in automated technology to identify threats.

“All of that speaks to why (the Ministry of the Attorney General) is now in that place. That would not be what I would call ‘universally applied’ across the State, at all.

"That (still) has to happen.”

On Monday, the committee probed the MDT’s functions, including the level of information and communication technology (ICT) support the MDT currently provides to other government ministries, departments and agencies; the level and type of cyber security systems and infrastructure required to more effectively protect the state’s public assets; and how to combat digital vulnerabilities within the public sector.

It also sought the ministry’s plans to address the human and technical resource deficits affecting the government’s ability to effectively prevent and respond to cyber security breaches; potential regulatory and legislative provisions to more effectively protect the state and its assets; and the status of the proposed cyber security strategy and the extent of protection it is intended to provide.

Bacchus said cyber-security threats are often easily avoidable.

For example, “If you happen to have credentials to log into the Parliament (website), if you go into the dark web and look for it…it should not be, but we keep finding every time we go in, active members of State, with their credentials living in the dark web,” said Bacchus, adding that this is often caused by poor security practices, such as using an old password.

“Cyber Security is something, I think, the whole country must take seriously. All of us are at risk of having some part of what we do…being interrupted or disrupted.”

Richards asked Bacchus if the culprits were mostly repeat offenders.

Leon Wessels, the MDT’s deputy national chief digital officer, took the question and replied, “There’s a variety of different actors right now at play. Some of them have a different approach. Some will actually come in, hold your data for ransom. Then, you’ll have to pay the ransom in order to have access to your data.”

Others, he said, “exfiltrate your data, use that as leverage for negotiations,” in order to extort or blackmail a company or organisation and its clients.
