NEW regulations designed to reduce the risk of “complacency” when dealing with cyber security is being proposed.
The proposed Cybersecurity Law would make it compulsory for key services to have cyber security measures in place and report attacks within 24 hours of finding out about them. Making reporting compulsory also means the Jersey Cyber Security Centre will get more access to information about these cyber attacks.
Assistant Economic Development Minister Moz Scott lodged the draft law on Friday with a debate in the States Assembly set for January. A Cyber Security Policy Framework is in place now.
Deputy Scott called the law “a milestone in terms of acknowledging how important technology is to the running of the Island”.
Jersey has seen the impact cyber attacks can have this year, as supermarkets around the Island were impacted by attacks in their UK offices.
She added: “It’s not a matter of if there will be serious cyber attacks on the Island, but when.”
With a number of “state-sponsored” cyber attacks, she added that it was “very, very easy for an individual person to slip up” and become a victim to phishing attacks or ransomware.
She said: “In the Island, we’re used to a degree of safety. We don’t lock our doors, and these sorts of things.”
“Complacency is a real problem here.”
Under the law, some public and private bodies – like water, electricity, emergency and health services – would be classed as “operators of essential services” who would have to put in extra measures to make sure they are protected from cyber attacks.
They would have to report incidents to the Jersey Cyber Security Centre – an arm’s length body. Their role will be to collect that information and find out about trends, while supporting organisations with their cyber security measures. However, the JCSC won’t be made into a regulator or be able to issue fines.
Similar legislation exists in other jurisdictions including the UK and Deputy Scott said adhering to standards would be easier for organisations than having to deal with an attack.
She added that Islanders should use “good hygiene when it comes to using the internet” for example by utilising two-factor authentication.
No-one, she said, should be given access to sensitive systems without training on cybersecurity – including States Members.
“The world has changed, and we are so reliant on technology – we need to accept that we should be using it in a way that minimises a harm to the community,” she said.
Jersey Cyber Security Centre director Matt Palmer said “significant effort” had gone into the legislation and that the JCSC would host workshops for Operators of Essential Services.
