The Cayman Islands government’s information technology infrastructure, in many areas, is not sufficient to protect against either external hacking or internal sabotage, the auditor general’s office reported this week.
Former Auditor General Alastair Swarbrick reviewed IT security in 2012 and found 19 areas in government’s software systems that were judged to be either high- or medium-risk in their vulnerability to attacks on the “confidentiality, integrity and availability” of the government’s systems.
High-risk areas were defined as those that posed an immediate risk and threatened the operations, finances or reputation of the government.
Four “high level” risk areas were generally identified in the auditor’s review as external vulnerabilities from individuals on the Internet accessing data without user names and/or passwords; internal vulnerabilities from users within the government accessing databases they should not have access to; and concerns that cyberattackers were able to gain “administrator-level access” to government computer servers from inside the systems.
The 2012 audit of government computer security issues was not published because of concerns it would have alerted hackers or others who wished to do the Cayman Islands harm. Auditors urged government officials to address the problem at that time.
However, a follow-up review this year found that the problems with government’s IT security had gotten worse.
This year, nine areas in the government IT systems were identified as high risk, and 11 others were considered medium risk. Additional problems included the use of outdated and unsupported software programs and significant vulnerability of sensitive government information to potential cyberattacks.
“Information technology governance and security has not been a priority for government managers,” Mr. Swarbrick noted in his report. “Management had not mitigated the significant risks and vulnerabilities around the confidentiality, integrity and availability of the IT systems and data.”
Another issue identified by auditors was that due to the lack of focus on providing secure IT systems, government “does not know how much it costs to provide IT to all of its entities.”
“There is no overall assessment plan that captures all of the IT purchases across government,” auditors found. “The development and acquisition of IT systems across government is not guided by a strategic plan, leading to ad hoc development/purchase of IT systems.”
A more detailed report on the outcome of specific threats against Cayman’s IT infrastructure was sent to Cabinet and the Ministry of Home Affairs this week, Mr. Swarbrick’s office noted.
The full report was not released, again, due to security concerns. However, Mr. Swarbrick noted that government’s apparent inaction after the 2012 IT evaluation had forced his office to report on the issue simply to put public pressure on government to fix what auditors identified as a huge concern.
“There are monetary repercussions if this goes wrong,” Mr. Swarbrick said Wednesday. “There could be litigation, you could lose data that is sensitive. If government is serious about establishing ‘e-government’ initiatives, this has to be addressed.”
Audit office manager Martin Ruben noted Wednesday that solutions required to repair security vulnerabilities are not a “quick fix” and in some cases could take government years to sort out.
Moreover, separately operating IT systems used by the Royal Cayman Islands Police Service, the court system and the Health Services Authority were not reviewed as part of the 2015 audit, largely because the third-party providers of those software systems did not assent to the review.
The issue of government’s IT security was flagged by Premier Alden McLaughlin during his annual address to the Chamber of Commerce this week.
“I have advised the staff in the Ministry of Home Affairs to ensure that there is a sufficient, urgent focus on data security across government,” Mr. McLaughlin said. “There is no place for complacency or second-best when it comes to security and public confidence.”
The government’s Computer Services Department, which is responsible for the public sector’s IT operations and security, agreed with the findings of the auditor general’s 2015 review.
“The [auditor general’s] findings, while limited in scope and duration, provide a clear and accurate overview of the situation at the time of the audit,” the department indicated in a statement.
The department said it was researching the “root causes” and recommending fixes for the issues identified in the report. The department also noted that the government has set aside funding for IT security training, describing the costs involved as “significant.”
The Ministry of Home Affairs has hired U.K. government cybersecurity expert consultants to evaluate computer services’ work.
“The Ministry…believes that the security flaws discovered by the Office of the Auditor General are unacceptable,” a statement released by the ministry Thursday indicated. “The collective findings point to issues that are systemic and best addressed through improvements in governance, leadership, processes and procedures along with the appropriate technology.”
IT infrastructure found to pose a security risk has been replaced at a cost of $698,551, ministry officials said without identifying what infrastructure had been replaced.
The Cayman Compass has reported on a number of IT security/operation failings in government over the past several years:
Cayman Airways: Internal auditors noted in 2014 that the national airline lacked a formal disaster recovery plan in the event of an IT system crash. Auditors noted the airline’s attempts to back up data failed too often.
Department of Environmental Health: A review of government trash-fee collection in 2014 noted that six department employees were granted “privileged” access to its computerized financial management system – EVMAS – for no apparent reason. In addition, the EVMAS software expired in 2012 and tech support for it ended in 2010.
Department of Agriculture: An internal audit report from February 2014 noted a lack of understanding with regard to basic computer technology that resulted in the potential for anyone in government with sufficient IT know-how to access the department’s financial and personnel files.
RCIPS/Computer Services: Repeated hard drive crashes between late 2013 and early 2014 resulted in some data from the RCIPS Marine Unit being lost. Attempts to recover the records were not successful.