Minister for National Security Michael Weekes (photo by Blair Symonds)
An amendment to strengthen the government's cybersecurity measures was passed in parliament yesterday.
But several lawmakers stressed that efforts to provide answers and fixes for last year's government hack are taking too long.
Another said the Cybersecurity Act 2024 should have been amended years ago when there was an opportunity.
The amendments to the Act, proposed by Minister of National Security Michael Weeks, were aimed at improving Bermuda's framework for protecting government computer systems from cyber threats.
The amendment seeks to change the name of the Cybersecurity Governance Committee, made up of public and private representatives to advise the government on best practices, to the Cybersecurity Advisory Committee.
The committee will remain separate from an advisory committee aimed at analyzing government hacks in 2023.
The amendments also mandate the creation of a National Cybersecurity Incident Response Team and establish a framework to ensure that the team meets cybersecurity standards.
The new law will give the Minister of National Security the power to issue policy directives and regulations to ensure cyber protection.
The bill would also create a cybersecurity unit, which Weeks said would add “another layer of protection” by overseeing the government's internal security program and conducting annual performance reviews.
Shadow tourism and public works minister Craig Cannonier accused the government of “rushing” to introduce amendments despite having known about the problems for months.
He said the House and the public had been waiting almost a year to find out what information had been lost and whether a ransom had been paid.
Cannonier added that consultants had previously been hired to provide input on what should be done, making these proposed groups unnecessary.
“Companies have been under attack for many years and have dealt with it,” he said.
“Indeed, when the government was hit by a cyber attack, some of them would probably offer to help.”
Shadow Secretary of State for Transport and Older People Susan Jackson echoed Mr Cannonier's views.
She added that she was “very disappointed” that the PLP government, which came to power under the guise of being a “tech-savvy” party, had taken so long to implement the amendments.
“This should have been a discussion we had back in 2018,” Jackson said.
She said the Government had failed to incorporate advice from several international bodies into the law, adding that Bermuda would have been better able to deal with last year's hacking incident if these measures had been implemented.
“They gave us an evaluation and wrote out several pages of recommendations,” Jackson said.
She added: “Good intentions are the seeds of good deeds. Good intentions need to be watered with action and good deeds, but I'm starting to get annoyed.”
PLP backbencher Zain DeSilva defended the timing of the amendment.
He explained that amendments take time to pass and have become a frequent sight during parliamentary meetings.
DeSilva added that the current state of the Cybersecurity Law should not be judged badly at the time, and commended the amendments for laying a strong foundation to protect the country.
He said regardless of when the amendment had been passed, it would have been difficult for Bermuda to protect itself from hackers.
DeSilva explained that many private sector companies have cybersecurity practices comparable to Bermuda's, yet still face devastating cyber attacks.
He added: “This is a very delicate situation and I think the Prime Minister has said that on a number of occasions since shortly after it happened.”
Minister for Economy and Labour Jason Hayward praised the new legislation, saying it brought Bermuda into line with the modern era.
“Every country should have a national cybersecurity advisory council and a national cybersecurity unit,” he said.
“We are becoming a more technologically advanced economy and, as a result, the risk of cyber attacks on our jurisdictions and cyber threats from threat actors are becoming more prominent in societies around the world.”
Hayward said the framework laid out was a “logical and practical step” to strengthen security on the island.
He added that these changes would be made independently of the September hacking incident.
PLP backbencher Wayne Caines called for an amendment to section 4 of the Act relating to the constitution of the Cyber Security Advisory Committee.
He wanted to remove the Ministry of Homeland Security's national disaster coordinator from one clause and list private sector experts in another, rather than the current generic “two private cybersecurity advisers.”
“When you look at this section, you can see that the proposals are very government-focused,” said Keynes, the Belco chief executive.
“What we want to do is bring together people from private organizations and ask them to come up with specific names.
“What we're proposing is a chief information security officer for telecommunications, then a chief information security officer for energy, and then a chief information security officer for banking.”
House of Commons Speaker Derrick Burgess told Mr Keynes: “You're going a bit too far right now.”
“If they were asking for a couple of words that would be fine, but they're asking for a fairly lengthy section.”
Mr Burgess asked whether he had spoken to ministers – Mr Keynes did not answer, but Mr Weeks pointed out that the amendments needed to be put in writing.
“I was not formally consulted on whether to remove anything or add anything,” he said.
The amendment was rejected.