The Jamaica Cyber Incident Response Team (JaCIRT), a division under the Ministry of Science, Energy, Telecommunications and Transport, is undergoing a significant transformation, evolving from a national security operations centre to the nation’s cybersecurity authority.

According to Lieutenant Colonel Godphey Sterling, the head of JaCIRT, the driving force for this transformation came during the COVID-19 pandemic, prompting a shift from reactive incident response to proactive threat detection and vulnerability assessment.

“So we were no longer waiting for people to tell us they had a breach; we’re telling them they had a breach based on what we’re seeing, or telling them they were vulnerable to some of the common vulnerabilities and exploits that exist,” Sterling explained while speaking at a recent Jamaica Observer Business Forum.

JaCIRT’s initial mission was to address cyber threats and responses in line with the Government of Jamaica’s National Cyber Security Strategy of 2015. Presently, it operates outside of statutory provisions, originates from a Cabinet decision, and does not possess an enforcement charter. The ongoing transformation aims to introduce a new level of governance, risk management, and compliance to the sector, enabling JaCIRT to enforce cybersecurity standards and regulations and foster better adherence and compliance among corporate entities, both public and private. He explained that the new regulatory process would be firmly rooted in statute.

“Similar to the Office of the Information Commissioner, it will have a regulatory process that is steeped in statute, so it’s not just about using moral suasion to get companies or individuals to comply but to have a set of standards laid out that you must adhere to and with sanctions for non-compliance,” he said.

In response to evolving cyber threats, JaCIRT plans to monitor and ensure organisations’ readiness by overseeing their IT infrastructure to meet cybersecurity requirements and safeguards. Sterling underlined the challenges posed by cybersecurity companies that claim to offer robust protection but may fall short of the required standards. He stressed the importance of regular checks to ensure the up-to-dateness of IT infrastructure.

“If you have an IT department, then there has to be somebody either in the boardroom, on the management team, or a third party that periodically ensures that your IT infrastructure is where it should be,” he emphasised.

In highlighting other areas JaCIRT plans to look at, Sterling shed light on a common factor in most reported breaches: a lack of proper backup systems. He said the use of offline and off-site backups as a more secure alternative is limited. He mentioned the critical issue of “dwell time”, referring to the period between an attacker gaining network access and being discovered. “The longest dwell time we’ve seen to date is nine months in Jamaica,” Sterling revealed. While he refrained from disclosing the specific company involved, he provided details of the extensive damage caused. The attacker gained network access in October of one year, with the system being encrypted around June or July of the following year, leading to a protracted rebuilding process due to the absence of a viable backup system.

In line with JaCIRT’s ongoing transformation, the organisation has initiated a collaborative effort with the Office of the Information Commissioner (OIC) to enforce the mandatory disclosure of data security architecture by entities during their registration process. To ensure strict adherence to data protection standards, JaCIRT is actively pursuing the authority to prosecute entities that fall short of compliance with the standards outlined in the Data Protection Act, which is set to be implemented on December 1.

“We have just contracted a firm to do research and drafting instructions to the chief parliamentary counsel for the drafting of that Act. We are looking conservatively at two to four years. I am pushing to get it really before Cabinet in the shortest possible time, preferably before elections but we will see what happens,” Sterling said.