Prime Minister Andrew Holness on Thursday (February 25), in chairing the monthly National Security Council (NSC) meeting received a comprehensive update on Jamaica’s cyber architecture and a specific report on matters related to the Jamcovid-19 application.
Among the main points of discussion were the steps being taken to build a robust governance framework and infrastructure for cybersecurity embedded in Plan Secure Jamaica (PSJ).
Prime Minister Holness has directed that the plans for building cyber resilience in Jamaica be accelerated, including:
- bringing the new National Cybersecurity Strategy to Cabinet in the second quarter of the upcoming fiscal year;
- launching a new Cyber Academy; and
- intensifying cross-agency cooperation.
Already, a multi-agency cyber analysis team, including eGov, the Cyber Incident Response Team of the Ministry of Science, Energy and Technology (JaCIRT), Major Organized Crime and Anti-Corruption Agency (MOCA), and Communications Forensics and Cybercrimes Division (CFCD) of the Jamaica Constabulary Force, is in place and conducting critical assessments of the existing cyber landscape.
It has been assessed that over the past few weeks there have been increasing instances of malicious cyber activity directed at both Government and private entities. We therefore urge the public to exercise greater care and vigilance through being on the lookout for phishing scams, properly securing and changing passwords, etc.
The Government is taking this opportunity to undertake a comprehensive review of security on all Government websites and networks to ensure compliance with international standards and best practices. This process is underway with 162 website reviews completed and another 100 in progress to date. Any credible vulnerabilities that are identified are concurrently being rectified.
Cyber threats are real, we see that daily not only in Jamaica but in all countries. No one is immune. The most secure systems in the world have had security issues which have required remediation and strengthening. As a society, we have to recognise that these threats represent an inherent risk in the new digital world. Ultimately, this risk cannot be completely eliminated. Digital technology works because it is open, and that openness brings with it risks. What we can do is build our capacity to address and mitigate the risks.
As it relates to the Jamcovid-19 application, the investigations and assessments are concurrently focused on two streams:
- The level of compliance of the security architecture and configuration of the application and related databases with established standards and best practices; and
- The possible activities of any malicious actors in either creating or exploiting any vulnerabilities in the security architecture and configuration and whether such exploitation resulted in data exfiltration.
The findings thus far indicate that, while there is evidence of unauthorised access, there is no evidence of data exfiltration. However, the probe by the multi-agency cyber analysis team is ongoing and the public will be advised further as the investigation progresses. While we acknowledge that there may be persons acting without malicious intent, Jamaican law requires that all instances of unauthorised access be investigated and, in fact, this would be the only way we could determine whether the access was malicious or not. The authorities have reached out to our overseas law enforcement partners for support.
It was emphasized that a critical role of MOCA includes security audits, penetration testing and forensic investigations and that, noting the complexity of matters of this nature, work is undertaken in conjunction with local and international partners as necessary to ensure a robust response.
While the investigation continues, the Government is accelerating plans that were already underway to migrate the Jamcovid-19 database. The cyber analysis team has undertaken a comprehensive review of security of the application and related databases and, in conjunction with the developer, significantly hardened the security of the system. The Jamcovid-19 application continues to be a critical element of our Controlled Entry programme and has served us well in our management of the pandemic. We wish to reassure the public that the Jamcovid-19 application is safe for use.
The Government wishes to assure the public that it is sensitive to the legitimate fears and concerns around data privacy and protection and is committed to pursuing a comprehensive approach to system-wide strengthening of as we move towards the creation of a digital society.