Gov’t has taken comprehensive approach to cybersecurity management
Dear Editor,
The Ministry of Public Telecommunications takes this opportunity to address the hypocritical attempt of former Minister of Home Affairs, Mr. Rohee, to mislead the nation and more disingenuously scare and dissuade citizens from using government’s online services. I refer here to the letters to the editor in the Kaieteur News (26th February 2019) and Stabroek News (28th February 2019) which falsely claim that the Government of Guyana has disbanded the National Cybersecurity Incident Response Team (NCIRT).
I wish to inform the general public that NCIRT continues to execute its mandate under the Cybersecurity Division of the National Data Management Authority (NDMA). This includes issuing cybersecurity advisories and responding to cybersecurity incidents within the Public Sector. NCIRT can be contacted on Tel.: (592)-231-6860, email: info@cirt.gy and through its website (https://cirt.gy).
Further, Mr. Rohee’s claim that the former staffers of NCIRT were “Left jobless, … [and] went off to seek their fortunes where their skills were needed” is a blatant attempt at deceiving the nation and sowing seeds of discord. The truth of the matter is, Mr. Rohee’s “small, but highly qualified team of computer experts, engineers and programmers” comprised 1 Head, 1 Engineer, and 1 Technician. The Head abandoned NCIRT by tendering her resignation with immediate effect when informed of its merger with the NDMA, while the Technician resigned from NCIRT a mere two months after the merger was effected. The Engineer remains on staff at the NDMA. Permit me Editor to enlighten Mr. Rohee and explain to readers the broader framework under which NCIRT and cybersecurity operate within government.
In recognition of the critical role that ICTs shall play in the development of our country, President Granger in January 2016 established the Ministry of Public Telecommunications. This administration understood that a concerted approach was needed to leapfrog Guyana into the digital age after 23 years of wastage and mismanagement in the ICT sector. The latter is most notably evidenced in the failed over USD5 million Dense Wavelength Division Multiplex (DWDM) Project which involved the laying of fibre optic cable from Lethem to Georgetown, and the USD 32 million eGovernment network which remained un-utilised and rapidly deteriorating for two years.
for its own sensible, pragmatic execution of its own mandate to police the roadways and enforce compliance with existing laws. The GPF can take no solace in this or any other well-meaning efforts of civil society and various agencies to arrest the continuous descent into anarchy on our roadways. And there is no need for the reinvention of the wheel in addressing the issue of road safety and unnecessary deaths of scores of Guyanese each year by traffic accidents, all that is missing is the commitment of the GPF to carry out its mandate in a professional manner. The GPF must also sustain this effort as an integral part of its day to day operations and not view this as a “campaign” designed to net a certain number of perpetrators, passing them through our inefficient court system leading to undetermined and indeterminable results many years from now. The GPF’s efforts to reduce traffic offences must be based on the concept that “prevention is better than cure,” and by the professional and fastidious execution of their duties, demonstrating competence and knowledge of the road traffic laws and regulations, bring about the desired change in the behaviour of road users. But it is difficult to envision such a Police Traffic Department when currently, ranks of the GPF itself have been known to drive recklessly, several having been involved in fatal accidents. Clearly then, the GPF has got to get its own house in order in more ways than one, particularly with respect to the compliance of its own ranks and officers with the road traffic regulations. Additionally, traffic control officers must be subjected to rigorous training and must demonstrate adequate knowledge of our traffic laws and regulations and the rights of road users. The now infamous exchange between a traffic policeman and a practising attorney-at-law was, perhaps, a teachable moment, indicating the need for the GPF to train its officers beyond a cursory knowledge and basic application of traffic laws and
Thankfully, the eGovernment network was salvaged when this coalition Government took office in 2015, however the running of the fibre optic cable to Lethem was so badly conceived and executed that nothing could have been salvaged.
Ministry of Public Telecommunications is responsible for internet governance, digital skills, digital promotion, digital entrepreneurship, e-government, posts and telecommunications, and ensuring cyber security. One of our first tasks was the harmonization and rationalization of government’s ICT investments and operations. Towards this end a number of ICT initiatives undertaken by the previous administration were brought under the umbrella of the National Data Management Authority (NDMA). These were; the very NCIRT that Mr. Rohee claims is non-existent, One Laptop per Family (rebranded One Laptop per Teacher) and the eGovernment Project Unit. This merger with the NDMA was a deliberate decision on Government’s part to advance its eGovernment agenda. NDMA, created by an Act of Parliament in 1983, is mandated to inter alia see to the “establishment and maintenance of reliable communication linkages in the Public Sector in order to achieve optimal utilization
regulations. Whether or not the attorney’s invective-laced assertions were legally sound, it clearly gave the traffic officer pause, “putting him on the backfoot” as it were (to use a cricketing aphorism). Once the traffic control officers are well trained, knowledgeable about the laws and regulations and exercise awareness and respect for the rights of road users, then such a dramatic turnaround by the GPF is bound to set the stage for the equally dramatic change needed in the behaviour of road users of all classes, but particularly drivers. It stands to reason that if traffic policemen execute their duties professionally, the well-known practice of bullying drivers into paying an unofficial “fine” or giving a “raise” must come to an end. Policemen who own vehicles including mini-buses must also be faced with the same consequences as regular citizens when they run afoul of the traffic laws. Physical traffic controls including medians and roundabouts must also be utilised to create a smooth flow of traffic and reduce congestion. In the meantime, while we wait on these welcome but seemingly unattainable idealistic outcomes (given the overall culture of lawlessness prevailing in Guyana) it is good to see that drivers are being made legally responsible for the deaths that they cause by reckless driving. This fact should be well publicised by the National Road Safety Council in its public awareness campaign. Finally, all mini-bus drivers caught “flying like a plane” should have their licences to operate public transportation vehicles immediately revoked.
and deployment of computer resources.”
In order to help clean-up the mess caused by the previous administration’s mismanagement, my Ministry recruited over 100 professionals including more than 70 ICT engineers and technicians and expended considerable effort and resources to:
Salvage and operationalize the eGovernment network. Establish over 170 community ICT Hubs with free Internet access.
Provide Internet access to over 300 educational institutions (primary, secondary and tertiary).
Provide secure network connectivity and Internet access to over 120 government agencies.
Establish the Public Sector’s first IT Leadership Technical Working Group (TWG).
Additionally, given our now expansive online presence as a result of the Coalition Government’s hard work, we anticipated an increased number of threats to our ICT infrastructure. As such, we have taken several steps to mitigate and adequately respond to these threats whenever they occur.
Establishment of a Cybersecurity technical working group in March 2017 aimed at creating and promoting GoG-relevant cyber security standards, policies, guidelines and best practices to the Ministries, Agencies, and any other relevant governmental bodies. The working group comprises representatives from 12 public sector agencies.
Development of Government cybersecurity incident reporting system to provide resilient and secure mechanisms that enable Government Ministries and Agencies to report cybersecurity incidents. With this measure Government can now adequately assess and monitor Guyana’s cyber-threat landscape so that our available resources can be directed to effectively address cybersecurity issues.
Continually issue cybersecurity tips and guidelines on NCIRT’s and NDMA’s website and social media platforms. Prepare and disseminate cybersecurity brochures in communities across Guyana.
Implement web filtering policies to provide a safe online environment for schools and students connected to the eGovernment network. Provide notification and guidelines to public sector entities to counter new and emergent cybersecurity threats and attacks.
Leveraging our international and regional partnerships (International Telecommunications Union (ITU), LACNIC, OAS-CICTE, IDB, Governments of India, China, Israel, and the United States) to strengthen Guyana’s Cybersecurity capabilities through multi-tiered training of over 60 persons in areas including:
Type specific network security training Unified Threat Management
Log Analysis
Security Awareness
Security Vulnerability Assessment
Incident Response and Threat Intelligence Network Intrusion & Digital Forensics Reducing Cybercrime
Cybersecurity Strategy & Leadership Establishment of our 24/7 cybersecurity and network operations centre to proactively monitor and respond to incidents on our network infrastructure and services. In these instances, the NCIRT team advises and when required, works closely with entities to effect remediation measures.
Acquired Security Incident and Event Management (SIEM) tools to collect, analyse, and correlate logs from our Unified Threat Management system to provide greater visibility and security alert information.
Outsourced services to ensure proactive monitoring of Government’s online presence.
Editor as you can see all of these investments reflect a comprehensive approach to Government’s cybersecurity management which is a far cry from the three-person team lauded in Mr. Rohee’s letter. It is clear that Mr. Rohee fails, through the insufficiency of the advice provided to him, to understand the complexity of what is required in a modern cybersecurity architecture.
With respect to the attack on GPL’s servers, I will say that in this connected world it is not a case of if one will be attacked, but rather when. In this scenario what matters is the preparedness for and response to such attacks.
In closing I wish to draw a parallel between this and a similar attack which occurred on GWI’s infrastructure in January 2017. The investigations carried out indicated that the perpetrators in the GWI incident may have been assisted by staffers of GWI’s IT department, some of whom have close connections with high ranking members of the Opposition. In this era of politically motivated cyberattacks nothing can be ruled out.
Yours faithfully,
Cathy Hughes
Minister of Public Telecommunications