Government IT systems open to 'threats from attack'

The Cayman Islands government’s information technology infrastructure, in many areas, is not sufficient to protect against either external hacking or internal sabotage, the auditor general’s office reported this week. 

Former Auditor General Alastair Swarbrick reviewed IT security in 2012 and found 19 areas in government’s software systems that were judged to be either high- or medium-risk in their vulnerability to attacks on the “confidentiality, integrity and availability” of the government’s systems. 

High-risk areas were defined as those that posed an immediate risk and threatened the operations, finances or reputation of the government. 

Four “high level” risk areas were generally identified in the auditor’s review as external vulnerabilities from individuals on the Internet accessing data without user names and/or passwords; internal vulnerabilities from users within the government accessing databases they should not have access to; and concerns that cyberattackers were able to gain “administrator-level access” to government computer servers from inside the systems. 

The 2012 audit of government computer security issues was not published because of concerns it would have alerted hackers or others who wished to do the Cayman Islands harm. Auditors urged government officials to address the problem at that time. 

However, a follow-up review this year found that the problems with government’s IT security had gotten worse. 

This year, nine areas in the government IT systems were identified as high risk, and 11 others were considered medium risk. Additional problems included the use of outdated and unsupported software programs and significant vulnerability of sensitive government information to potential cyberattacks. 

“Information technology governance and security has not been a priority for government managers,” Mr. Swarbrick noted in his report. “Management had not mitigated the significant risks and vulnerabilities around the confidentiality, integrity and availability of the IT systems and data.” 

Another issue identified by auditors was that due to the lack of focus on providing secure IT systems, government “does not know how much it costs to provide IT to all of its entities.” 

“There is no overall assessment plan that captures all of the IT purchases across government,” auditors found. “The development and acquisition of IT systems across government is not guided by a strategic plan, leading to ad hoc development/purchase of IT systems.” 

A more detailed report on the outcome of specific threats against Cayman’s IT infrastructure was sent to Cabinet and the Ministry of Home Affairs this week, Mr. Swarbrick’s office noted. 

The full report was not released, again, due to security concerns. However, Mr. Swarbrick noted that government’s apparent inaction after the 2012 IT evaluation had forced his office to report on the issue simply to put public pressure on government to fix what auditors identified as a huge concern. 

“There are monetary repercussions if this goes wrong,” Mr. Swarbrick said Wednesday. “There could be litigation, you could lose data that is sensitive. If government is serious about establishing ‘e-government’ initiatives, this has to be addressed.” 

Audit office manager Martin Ruben noted Wednesday that solutions required to repair security vulnerabilities are not a “quick fix” and in some cases could take government years to sort out. 

Moreover, separately operating IT systems used by the Royal Cayman Islands Police Service, the court system and the Health Services Authority were not reviewed as part of the 2015 audit, largely because the third-party providers of those software systems did not assent to the review. 

The issue of government’s IT security was flagged by Premier Alden McLaughlin during his annual address to the Chamber of Commerce this week. 

“I have advised the staff in the Ministry of Home Affairs to ensure that there is a sufficient, urgent focus on data security across government,” Mr. McLaughlin said. “There is no place for complacency or second-best when it comes to security and public confidence.” 

The government’s Computer Services Department, which is responsible for the public sector’s IT operations and security, agreed with the findings of the auditor general’s 2015 review. 

“The [auditor general’s] findings, while limited in scope and duration, provide a clear and accurate overview of the situation at the time of the audit,” the department indicated in a statement. 

The department said it was researching the “root causes” and recommending fixes for the issues identified in the report. The department also noted that the government has set aside funding for IT security training, describing the costs involved as “significant.” 

The Ministry of Home Affairs has hired U.K. government cybersecurity expert consultants to evaluate computer services’ work.  

“The Ministry…believes that the security flaws discovered by the Office of the Auditor General are unacceptable,” a statement released by the ministry Thursday indicated. “The collective findings point to issues that are systemic and best addressed through improvements in governance, leadership, processes and procedures along with the appropriate technology.” 

IT infrastructure found to pose a security risk has been replaced at a cost of $698,551, ministry officials said, without identifying what infrastructure had been replaced.

The Cayman Compass has reported on a number of IT security/operation failings in government over the past several years: 

Cayman Airways: Internal auditors noted in 2014 that the national airline lacked a formal disaster recovery plan in the event of an IT system crash. Auditors noted the airline’s attempts to back up data failed too often. 

Department of Environmental Health: A review of government trash-fee collection in 2014 noted that six department employees were granted “privileged” access to its computerized financial management system – EVMAS – for no apparent reason. In addition, the EVMAS software expired in 2012 and tech support for it ended in 2010. 

Department of Agriculture: An internal audit report from February 2014 noted a lack of understanding with regard to basic computer technology that resulted in the potential for anyone in government with sufficient IT know-how to access the department’s financial and personnel files. 

RCIPS/Computer Services: Repeated hard drive crashes between late 2013 and early 2014 resulted in some data from the RCIPS Marine Unit being lost. Attempts to recover the records were not successful. 



  1. Is this the same government that would like to issue me a national ID card and be able to track me and my activities across their systems and potentially across the systems used by the private sector?

    We need to wake up!

  2. Is there anything that government does right? After reading the COMPASS every day, I sometimes wonder. (think immigration, crumbling streets, long overdue construction projects, overdue speed limit signs, Mount Trashmore etc)

    I understand there is always money to worry about, but government seems to have the funds for showy things that make it look good for the moment, and all fuzzy and warm (think $35,000 a day for the Turtle Farm). Really, could not some of this money be diverted to something that could cost the country and its citizens untold expense if the systems are broached?

    IT is an expensive necessity in this day and age, and is a constant cost to users of all types. The bigger the system, the bigger the cost. However, having been in the information technology business for over 40 years, I must say that if you don’t spend the money today, you will spend it tomorrow, and then many times over.

    The term "unsupported software" refers to outmoded software (think Windows 95) that is in use, but no longer supported by its developer. Such software works fine, until that one day all of the "moons" align, and then….. disaster strikes. There is no-one to correct the problem, current software is not compatible, and current operating systems are not usable with the older software. What do you do then? In a government system, you can’t simply throw out the computer and go to the local computer store and buy a new one.

    A national policy for this small country could easily be put in place and maintained by responsible, knowledgeable people quickly and effectively. That should be the first step. Then once a policy is in place, it should be enforced, no exceptions and funding provided to support the policy and implementation of it.

    The future of the country is dependent on many things, and good infrastructure is one of them. A safe, effective, scalable and overarching computer system is part of that infrastructure. I am not knowledgeable about the Cayman IT System to advocate for a centralized system. However, I must admit that such systems seldom work. Centralized standards for standalone systems DO work, however.

    The issues pointed out by the audit should be addressed immediately, and with a spirit of support and commitment to implement the changes for the good of all.

    In closing, just remember the situation of Hillary Clinton in the US. She was assured all of her deleted emails were safe from the eyes of others, as she wanted. Alas, there is always someone smarter and more creative in this business…. and it is no surprise, all those emails she worked so hard to hide, are all there for her opponents to see. In a networked system of computers, all it would take is one user to "click" on a malware application, and soon, slowly but surely the entire network is infected.

    I hope government will give the IT system a serious thought, and responsible consideration.