Reading Time: 4 minutes

Prime Minister Andrew Holness has announced that a comprehensive review is being undertaken into security on all Government websites and networks, noting an assessment determining that over the past few weeks there have been increasing instances of malicious cyber activity directed at both Government and private entities.

Holness’ was commenting in a statement released after the National Security Council today (February 25)received a wideranging update
on Jamaica’s cyber architecture and a specific report on recent alarm bells around the JamCOVID-19 website and app.

The prime minister said the security review of websites and networks was to ensure compliance with international standards and best practices, and that examinations of 162 websites had already been completed with another 100 in progress.

“Any credible vulnerabilities that are identified are concurrently being
rectified,” Holness said.

“Digital technology works because it is open, and that openness brings with it risks. What we can do is build our capacity to address and mitigate the risks.”

Prime Minister Andrew Holness

“Cyber threats are real, we see that daily not only in Jamaica but in all countries. No one is immune. The most secure systems in the world have had security issues which have required remediation and strengthening.”

He added: “As a society, we have to recognise that these threats represent an inherent risk in the new digital world. Ultimately, this risk cannot be completely eliminated. Digital technology works because it is open, and that openness brings with it risks. What we can do is build our capacity to address and mitigate the risks.”

The focus on cybersecurity comes a week after American online media outlet TechCrunch first exposed a security lapse in JamCOVID website that it said had exposed private data related to hundreds of thousands of travellers to the island who used the website to gain authorisation for entry during the COVID-19 pandemic.

Holness said that, with regard to the JamCOVID application, the investigations and assessments were concurrently focused on two streams:

1. The level of compliance of the security architecture and configuration
   of the application and related databases with established standards
   and best practices; and
2. The possible activities of any malicious actors in either creating or
   exploiting any vulnerabilities in the security architecture and
   configuration and whether such exploitation resulted in data exfiltration.

“While we acknowledge that there may be persons acting without malicious intent, Jamaican law requires that all instances of unauthorised access be investigated and, in fact, this would be the only way we could determine whether the access was malicious or not,” Holness said.

The comment appeared to be an attempt quell concerns around speculation that recent utterances from within the Government were veiled threats against good faith actors who revealed the JamCOVID application vulnerability.

“The authorities have reached out to our overseas law enforcement partners for support.”

The prime minister said the findings thus far indicate that, while there was evidence of unauthorised access, there was no evidence of data exfiltration.

However, he stressed, the probe by the multi-agency cyber analysis team was ongoing and the public would be advised further as the investigation progresses.

MOCA HOLDS CRITICAL ROLE IN CYBERSECURITY

In his statement, Holness emphasised that a critical role of the Major Organized Crime and Anti-Corruption Agency (MOCA) includes security audits, penetration testing and forensic investigations and that, noting the complexity of matters of this nature, work is undertaken in conjunction with local and international partners as necessary to ensure a robust response.

“While the investigation continues, the Government is accelerating plans that were already under way to migrate the JamCOVID-19 database. The cyber analysis team has undertaken a comprehensive review of security of the application and related databases and, in conjunction with the developer, significantly hardened the security of the system,” Holness said.

“The JamCOVID-19 application continues to be a critical element of our Controlled Entry programme and has served us well in our management of the pandemic. We wish to reassure the public that the JamCOVID-19 application is safe for use.”

He added: “The Government wishes to assure the public that it is sensitive to the legitimate fears and concerns around data privacy and protection and is committed to pursuing a comprehensive approach to system-wide strengthening of as we move towards the creation of a digital society.”

MAIN POINTS DISCUSSED BY NATIONAL SECURITY COUNCIL

Among the main points of discussion during today’s NSC meeting were the steps being taken to build a robust governance framework and infrastructure for cybersecurity embedded in Plan Secure Jamaica.

Holness said he has directed that the plans for building cyber resilience in Jamaica be accelerated, including:

• bringing the new National Cybersecurity Strategy to Cabinet in the
  second quarter of the upcoming fiscal year;
• launching a new Cyber Academy; and
• intensifying cross-agency cooperation.

Already, he noted, a multi-agency cyber analysis team, including eGov, the Cyber Incident Response Team of the Ministry of Science, Energy and Technology (JaCIRT), MOCA, and Communications Forensics and Cybercrimes Division (CFCD) of the Jamaica Constabulary Force, is in place and conducting critical assessments of the existing cyber landscape.

Pointing to the assessment on increased malicious activity against both public and private networks, Holness urged all to exercise greater care and vigilance through being on the lookout for phishing scams, properly securing and changing passwords, and other methods.

The prime minister’s warning comes the same day Our Today published an article outlining threat research analysis from Fortinet, a global leader in broad, integrated, and automated cybersecurity solutions, which determined that Latin America and the Caribbean experienced 41 billion attempted cyberattacks in 2020.