Information Technology

BCB cyber-attack raises serious concerns

Summary:

  • BCB is repository for invaluable historical information

  • State-owned entity must be transparent on strategy and remedial action

  • Ransomware attack reveals absent or deficient contingency plan

  • Vulnerability test should be commissioned immediately


Full Release:

The DNA notes with great concern recent reports regarding a cyber-attack on the Broadcasting Corporation of the Bahamas (BCB). According to media reports, an individual is said to have caused the encryption of the BCB’s digital library and other data and is attempting to extort funds in the form of Bitcoins as a condition for decryption and restoration.

BCB Chairman Mike Smith confirmed that international hackers originally demanded $50,000 in incremental payments of bitcoins, which was eventually negotiated down to $18,000. Subsequently, no further updates have been provided to the Bahamian people, and fundamental questions remain unanswered by a government that professes commitment to transparency and accountability.


We appreciate that paying the requested ransom may not be in the overall interest of the BCB and the country, as such a payment may be used to fund further cyber criminality or terrorism. However, the Bahamian people remain in the dark on the overall strategy or course of action that the government has adopted to bring normalcy to the BCB’s operations. It is common knowledge that the BCB is a repository of invaluable historical data and materials which document important milestones in our nation’s history. Further, as the BCB is a state-funded entity, an attack on it constitutes an attack on the Government of The Bahamas and its people. We call on the government to address this matter with the high level of importance, transparency and urgency it deserves. Pertinent details on potential data loss, recovery efforts, impact on operations, and compromise of employees’ personal information, vendors’ details and proprietary information should be released forthwith.


The recent ransomware attack also raises serious concerns about the business continuity and disaster recovery framework of the BCB. The Board and management of the BCB must immediately disclose whether a robust Business Continuity Plan (BCP) exists for the organization and how effective it is. In the absence of such a framework, the BCB should move swiftly to draft and implement a BCP and Disaster Recovery Plan (DRP) which, among other things, articulates a contingency plan for cyber-attacks and other operational disruptions. Such a plan may also call for the update of computer and operating systems, installation and updates of anti-virus and anti-malware software, or conversely installation of Artificial Intelligence software, regular backup of important files, proper vetting of vendors and their approach to cyber security, as well as relevant insurance coverage, among other things.


As a further precaution, we recommend that training sessions be held for staff to alert them to phishing tactics, such as malicious attachments, that may come via email or other sources. Additionally, Information Technology policies should be implemented that address email and internet usage, inclusive of blocking non-work-related sites that may be prone to spreading viruses.


We call for the commissioning of a comprehensive vulnerability and penetration test to ascertain the areas of weakness within the BCB’s I.T. systems. The recommendations arising from such a test, conducted by competent professionals, must be implemented without delay. The DNA believes that these recommendations and information are both useful and instructive to all government agencies and departments, the private sector inclusive of small businesses, and indeed the average consumer who possesses a computer at home.


The DNA stated in its ‘Vision 2017 and beyond’ platform that we will create a Ministry of Information and Technology. We strongly believe that the Government of the Commonwealth of The Bahamas must set the pace for data security and protection. Appropriate laws and regulations are needed to guide and ensure compliance in this sector of our economy. An investigation should be launched, and recommendations made that will serve as a directive for all government ministries and departments. We emphasize that all efforts must be made to increase the resilience of our infrastructure and minimize the probability of a recurrence of this nature.



Samuel Strachan

Spokesperson for Information Technology

Democratic National Alliance