PRITS: Enhanced detection capacity behind astronomical rise in cyberattack threats on gov’t

House Government Committee Chairman Jesús Manuel Ortiz González

By THE STAR STAFF

The government of Puerto Rico suffered 753.2 million cyberattack threats in 2022 compared to 13.7 million attempts the previous year, Puerto Rico Innovation and Technology Service (PRITS) Executive Director Nannette Martínez Ortiz said Monday.

Martínez Ortiz made her remarks at a public hearing of the House Puerto Rico Government Committee discussing the implementation of a cyber security law.

Martínez Ortiz said that of the threats identified in 2022, at least 600 prospered but were blocked by PRITS protection systems. So far in 2023, the agency has already seen a significant increase in cyberattack threats due to increased detection capabilities within agencies and monitoring.

“It has to do more with our detection capacity than with incidents, despite the fact that incidents are increasing,” Martínez Ortiz said. “It is part of the trend.”

“This year I can assure you that the detections will be even higher, and the numbers will be shocking, but what I mean by this is that this is not bad. It is good that we can identify it. …” the PRITS director said. “Now the biggest challenge is really going to be to mitigate all those risks.”

Martínez Ortiz also attributed the increase seen in January to PRITS recently introducing protection and monitoring systems into the Department of Education network. At the same time, the official took the opportunity during her presentation to request more recurring funds to recruit specialized personnel despite the limited resources available to implement the legislation.

House Bill 1530, authored by Rep. Jesús Manuel Ortiz González, seeks to create the position of principal cyber security officer, or CISO, and establish the government’s public data security policy. Ortiz González, who chairs the House Government Committee, emphasized during the public hearing that the government is not sufficiently prepared to face the attacks that take place in cyberspace.

“This bill, which seems fundamental to what the government of the present and the future will be, proposes to establish as a principle of public policy that providing security in government data is an essential function,” the legislator said. “We have presented it as a starting point that seems important to us in government and governability.”

Martínez Ortiz said PRITS drew up a plan to identify security needs in each agency’s database and improve and protect systems within the government. For this reason, she reiterated the urgency of establishing an additional budget to execute it and to increase the resources of the Cybersecurity Office attached to the agency.

The measure proposes that, in collaboration with the Puerto Rico Institute of Statistics, PRITS disclose the updated list of all cyberattacks reported in the government, detailing the type of attack and the agency affected.

However, the agency opposed providing this information publicly because it exposes weaknesses in security controls that may exist in the institutions. Martínez Ortiz said the agencies that are most vulnerable to cyberattacks, whether due to outdated systems or misconfigured security policies, have been identified.

“We seek to ensure that the government of Puerto Rico meets the highest security standards with a first-class infrastructure,” she said. “It is certainly a challenge, but we are working hard together with the executive branch to create the necessary scaffolding.”

She also advocated PRITS being given “the claws” to be able to fully regulate the cybersecurity systems in the government.

Cybersecurity experts and analysts reiterated the need for a cyber security law to be implemented in Puerto Rico to establish a regulatory framework related to the security of information managed by the government, particularly that which is exposed to cyberspace.

Juan Pablo Semidey, the president and CEO of IT solutions provider Synapsis, shared the urgency of recruiting more cybersecurity professionals in Puerto Rico and making sure that they work in the government to ensure that the law is as effective as it deserves to be.

Likewise, he encouraged the Legislature to propose other bills that urgently address the issue of privacy from the point of view of giving citizens control over the data that the government collects, stores, manages and shares among different agencies or with third parties.

“House Bill 1530 is a legislative measure that we urgently need to protect information in the hands of the government … [in view] of the multiple and growing threats implied by the use of cyberspace to support public management,” Semidey said.

In a shared presentation, the founders of Bartizan Security and Cyber-LawPR, José Arroyo and Frances Romero, respectively, agreed with Semidey and offered a list of amendments to improve the applicability of the measure.