Experts: Government’s info systems wide open to cyberattacks

By The Star Staff

The cybersecurity in the government of Puerto Rico is in a vulnerable state, consulting companies told the House of Representatives Government Committee on Thursday, as officials urged improvements in the technological infrastructure.

Government Committee Chairman Jesús Manuel Ortiz González held a hearing to evaluate security in information systems in government agencies after cyberattack events over the past month against AutoExpreso and the University of Puerto Rico. The STAR published a report in February from Fortinet that stated that Puerto Rico was the target of over 926 million attempted cyberattacks in 2021.

“Puerto Rico’s cybersecurity is in a critical situation,” said NYC Cyber Law Group managing partner Paul McCulloch. “It’s not as bad as it sounds, because there are resources and tools available.”

In a written statement, the information systems architect compiled some news headlines from the past three years to the present that report cyberattacks that occurred in agencies, as well as in banks and hospitals in Puerto Rico.

Given these events, he asserted that the government’s infrastructure is still “exponentially” vulnerable to more cyberattacks.

“When one reads these headlines, one must also keep in mind that these are the incidents that have made the news,” McCulloch said. “There are many other incidents that don’t make it to the newspapers for a number of reasons, including those that have been resolved behind the scenes, or those where the damage is so severe that it is in the public interest not to disclose it.”

The expert indicated that in order to guarantee a solid foundation for cybersecurity in Puerto Rico, the government must adopt the regulatory framework of the National Institute of Standards and Technology of the United States Department of Commerce.

Likewise, he detailed that tools should be implemented to share information, create a cybersecurity incident reporting portal, establish consultation mechanisms and provide that cybersecurity regulators have the ability to impose fines or other sanctions in instances of negligence.

Meanwhile, the founders of the companies Bartizan Security and Sentinel Education emphasized that, in order to prevent future cybercrime, it is necessary to consider meritocracy and governance by those in positions charged with protecting the government’s cyber infrastructure.

The objective must be based on depoliticizing the position of chief information officer and selecting competent people to maintain a secure infrastructure, they said.

“We have to ask ourselves more often, who are we going to put in this position [of cybersecurity official]?” said Jorge Andújar, founder of Sentinel Education and co-founder of Bartizan, in a statement. “It requires a professional person, and he is not someone we can easily find on LinkedIn.”

“On the subject of cybersecurity, one of the main problems is governance. Who is in charge of what and how much time is spent on management so that it achieves adequate acceptance?” he added. “How often does this office change leaders? How do you measure the impact of whoever ran it?”

The founder of Bartizan, José Arroyo, pointed out the lack of direction in the agencies when criticizing the fact that, 15 months [since Feb. 1, 2021] after the creation by the Puerto Rico Innovation and Technology Service of the Government Cybernetics Security Office, a variety of failures have been reported.

Some of them are the lack of standardization, documentation, centralization, updated inventories, control governance, active monitoring, and that “each agency does what it understands is best.”

Arroyo advocated the creation of more public-private partnerships in the field of cybersecurity, stating that nonprofit organizations such as Obsidis Consortia “have been serving the country for many years, and on many occasions with a significantly lower economic impact for the agency.”

The co-founder of Bartizan, Frances Romero, stressed the importance of establishing robust mechanisms to allow administrative or law enforcement agencies to enforce existing laws on violations of privacy rights in the cyber world; set specific metrics on what is considered cyber security; and in the government operation, establish clear employer duties and duties of its personnel with due consequences when cybersecurity requirements are not met.

“It is important to note that it is not possible for any government to completely prevent cyberattacks, and it is entirely possible that the entry of bad actors is not due to the actions or accidents of any user,” Romero said. “But the human factor is most likely what unleashes or enables the bad actor to gain access to government information systems, so establishing robust policies for users is essential for cybersecurity.”

“If an agency dedicated to protecting the infrastructure of the State were established, this agency could be primarily responsible for establishing recurrent and updated education programs as a requirement for all government employees to know how to effectively identify and respond to cyber attacks,” he added.