A month after hackers seized the AutoExpreso toll system, the only thing clear about the whole affair is Puerto Rico’s need for a cybersecurity protocol that would prevent this kind of crime from happening again, or at least significantly minimize its consequences.
In the second public hearing of the House Committee on Government about the design and implementation of cybersecurity protocols by government agencies, both witnesses providing testimony coincided that the current situation is “disorganized” and “critical.”
“The fact that the two witnesses today have characterized the current state of the island’s cybersecurity critical and disorganized demonstrates the need to develop a National Cybersecurity Act with concerted support of the Executive and Legislative [branches] and the business sector,” said committee chair Rep. Jesús Manuel Ortiz.
According to NYC Cyber Law Group (NYC-CLG), “cybersecurity infrastructure in Puerto Rico is underdeveloped at almost all levels” primarily because of the “lack of capacity from some organizations to understand and deploy cybersecurity frameworks and communications mechanisms,”
On its part, Bartizan Security stated that almost a year and half after the Puerto Rico Innovation and Technology Services agency was created, its actions are still to be felt.
According to Bartizan, every government agency does “the best they can” regarding cybersecurity, there are no controls, there is no active monitoring or contingency plans, and there is no back up, among a long list of deficiencies plaguing the sector.
The situation seems to get compounded even further when there is no information available about how many cybercrimes have been identified or solved, or what happens when confidential information from citizens is compromised. More specifically, there is no information publicly available about the cyberattack to the Treasury Department in 2016.
Other questions posed by Bartizan were: how quickly does a service recovers after a cyberattack?, who oversees technological implementation?, what penalties are imposed to companies with poor cybersecurity?
NYC-CLG pointed to the benefits of developing a clear cybersecurity posture and communications protocol.
“Insurance agencies in Puerto Rico can start offering clearer cyber insurance packages to businesses… and audit firms would be able to ensure that all entities are operating at a minimum level of security that could help inspire confidence in the technical infrastructure of the island.”
As an additional consideration, the New York based advisory firm, emphasized that a clear cybersecurity framework would help the government to “effectively engage the private sector to promote business development on the island.”
According to the National Institute of Standards and Technology (NIST), said framework should follow specific strategies to: identify, protect, detect, respond and recover from cyber threats.
The NYC-CLG concluded that the government should support establishing “an internal compliance and governance protocol modeled after the NIST framework” and simultaneously deploy “effective information sharing tools among government agencies.”
For Rep. Ortiz, Puerto Rico could improve its technological competitiveness by developing and implementing cybersecurity controls.
“We need to be proactive, but more accurate, in developing and implementing laws that would help to mitigate cybersecurity problems in Puerto Rico. All citizens have a digital life to protect and government must be the shield to protect its citizens’ information,” Ortiz said.
Gloss