RUSSIAN criminals linked to President Vladimir Putin’s regime could launch an attack on Jersey’s digital infrastructure ‘at any point’, according to the government’s cyber-security chief.
Matt Palmer, head of the Cyber Emergency Response Team, said Jersey needed to ready its digital defences against the now ‘expected’ threat of state-backed cyber warfare.
He said: ‘What we don’t want to do is stand down to a lower level of readiness, because the reality is that Russia could choose – at any point – to use cyber to attack beyond the boundaries of Ukraine.
‘We have seen attacks on satellite infrastructure, attacks that have impacted the whole of Europe – some of which are quite advanced – so we know that the interest is there. However, what has happened is that this has moved from being an emergency response situation to a chronic problem.’
He explained the Island was now in a situation where it should ‘simply expect’ state-backed cyber attacks to attempt to ‘exercise their influence beyond their boundaries’.
‘It’s an assumption – that wasn’t the case a few years ago but it most definitely is now. We know this stuff is coming we just don’t know what and when, so all we can do is prepare for it and be ready for it,’ he added.
‘It’s now about making sure we improve our controls and readiness over the medium term so that we are in a good position to respond when attacks do come.’
He noted that, during the early stages of the conflict in Ukraine, the Island had seen an increase in ‘reconnaissance attacks’.
‘That is where organisations or individual hackers are taking a look at the systems in Jersey to see where they can find vulnerabilities,’ he said, adding that there had been a further increase after the Island was included on a list of ‘unfriendly’ jurisdictions published by the Kremlin.
The warning comes amid the launch of a government consultation on proposed new cyber defence legislation, regarding CERT’s role and responsibilities.
Mr Palmer said: ‘This proposed legislation is an essential step to better protect Islanders, our public services and our economy from cyber criminals and malicious hackers as well as rogue nations.
‘We have learned a lot over the last year through incident readiness exercises, our response to the war in Ukraine, and from recent social engineering and ransomware attacks on industry and public services. We’ve also had the opportunity to work collaboratively with countries around the world to protect Islanders from global threats. It’s now time to make sure we have the tools to do the job well into the future, and that is what this legislation is about.’
Proposed changes include changing its name to the Cyber Security Centre for Jersey and turning it into an independent, grant-funded team operating at arm’s length from regulators, law enforcement and the government.
The legislation could also introduce mandatory reporting of cyber security incidents within 48 hours, which would apply to essential services such as food distribution, infrastructure and financial firms, among others.
Six separate briefing meetings on the proposed legislation – for the public and stakeholder groups – will be held in early January at the CERT operations centre and online, with booking now available via the Eventbrite website.
Islanders can also submit their responses by email to economy@gov.je with the subject heading ‘Cyber Law Consultation’, or by post to FAO Elisabeth Blampied, Department for the Economy, 19-21 Broad Street, St Helier, JE2 3RR.
