Joshua Seemu­n­gal

Se­nior Re­porter

joshua.seemu­n­gal@guardian.co.tt

There have been more than 200 re­port­ed cy­ber­at­tacks in the coun­try since 2019, man­ag­er of the Na­tion­al Se­cu­ri­ty Min­istry’s Cy­ber­se­cu­ri­ty In­ci­dent Re­sponse Team An­gus Smith said yes­ter­day.

At a Spe­cial Joint Se­lect Com­mit­tee (JSC) hear­ing on the state’s re­sponse to re­cent cy­ber­at­tacks, Smith said there were 80 in­ci­dents re­port­ed from the pub­lic sec­tor and around 100 or 105 re­ports from the pri­vate sec­tor. He said there did not ap­pear to be any spe­cif­ic or­gan­i­sa­tions that were be­ing re­peat­ed­ly tar­get­ed.

“In 2023, we’ve had 22 pub­lic sec­tor in­ci­dents and then 29 pri­vate sec­tor in­ci­dents. These are in­ci­dents that have been re­port­ed to us,” he said.

Smith ac­knowl­edged that there is no re­quire­ment for pri­vate sec­tor or­gan­i­sa­tions to re­port to the Na­tion­al Se­cu­ri­ty Min­istry. He es­ti­mat­ed that the re­sponse team is aware of be­tween 80 per cent to 85 per cent of in­ci­dents - with the ma­jor­i­ty per­pe­trat­ed by for­eign ac­tors.

How­ev­er, con­trary to the Cy­ber­se­cu­ri­ty In­ci­dent Re­sponse team’s claim that it is aware of most cy­ber­at­tacks, the head of the T&T Po­lice Ser­vice’s Cy­ber and So­cial Me­dia Unit Amos Sylvester said his unit can­not say the same. He said there is a great de­gree of un­der­re­port­ing of cy­ber crimes to the TTPS.

The TTPS Head of In­for­ma­tion Tech­nol­o­gy lament­ed the lack of leg­is­la­tion.

When he was asked if the ab­sence of leg­is­la­tion meant cy­ber­at­tacks do not con­sti­tute a crim­i­nal of­fense in T&T, he said: “There are in­ci­dents, but to say the word crime is al­most wrong.

“The on­ly thing we have in this coun­try is the Com­put­er Mis­use Act of 2000, which was 23 years ago. That Act nev­er had sight of the kind of crimes we have now. So­cial me­dia now and so­cial me­dia then are two dif­fer­ent things, in terms of the land­scape of tech­nol­o­gy.

“All that Act deals with is unau­tho­rised ac­cess. It doesn’t go in­to phish­ing or web de­face­ments, so if even peo­ple make the re­ports, there’s noth­ing for us to pur­sue. In re­ly­ing on the leg­is­la­tion, we need to go to the for­eign ju­ris­dic­tion to get the in­for­ma­tion. With­out hav­ing leg­is­la­tion on our side, we can­not ac­tu­al­ly use the Mu­tu­al As­sis­tance Treaty which re­quires you to have your leg­is­la­tion in place. All the way around, we don’t have the req­ui­site tools,” he said.

Sylvester said the TTPS has been work­ing with the Min­istry of Na­tion­al Se­cu­ri­ty since 2009 to up­date leg­is­la­tion but the leg­is­la­tion “nev­er got off the ground.’”

Cy­ber­se­cu­ri­ty In­ci­dent Re­sponse Team ICT Se­cu­ri­ty Spe­cial­ist An­ish Bachu said the team man­aged the South West Re­gion­al Health Au­thor­i­ty (SWRHA) cy­ber at­tack and con­duct­ed as­sess­ments.

“When we look at the South West in­ci­dent what re­al­ly hap­pened was the ex­ploita­tion of a re­mote ac­cess sys­tem, so it was a le­git­i­mate set up. The threat ac­tors com­pro­mised cre­den­tials and ac­cessed the sys­tem us­ing a le­git­i­mate mea­sure...They de­ployed ran­somware sub­se­quent­ly,” he said.

Bachu said while it could not be con­firmed de­fin­i­tive­ly, it ap­peared that the at­tack orig­i­nat­ed from Eu­rope.