Steps taken by States Departments to ensure the security of servers and computer systems from cyber attack

2015.11.17

3.5   Deputy M.R. Higgins of the Chief Minister regarding steps taken by States Departments to ensure the security of servers and computer systems from cyber- attack:

Will the Chief Minister explain what steps, if any, States departments are taking to ensure that servers and computer systems are secure from cyber-attack by criminals or terrorists and is the proposed reduction in Information Systems staff compatible with these steps?

Senator I.J. Gorst (The Chief Minister):

Cyber security is important, not just for data and systems in government but also for businesses and the Island's critical infrastructure. The Government of Jersey is therefore developing an Island-wide cyber security strategy to ensure that Jersey remains a safe place to live and do business. This strategy draws on a number of reviews and audits. We are now building on the findings from these reviews and in doing so working in partnership with, among others, the critical national infrastructure, the Jersey Financial Services Commission, the police and the private sector. Any changes made after we have of course reviewed the way we provide information services will continue to ensure resilience.

1. Deputy M.R. Higgins:

The reason for my question surprisingly was not as a result of the U.K.'s announcement of trying to beef up cyber security but really stemmed from the hacking of the United States biggest bank, JP Morgan Chase, and a dozen other companies. In the case of JP Morgan Chase, which you would imagine, being the biggest bank of its type in the United States, would have very, very resilient systems, far better than we would have in the States, they lost 83 million customers' details to hackers, which are being exploited around the Island. Can the Chief Minister tell us how much money is going to be spent on cyber security and what sort of guarantees he can give that what he is proposing at the present time is likely to succeed?

Senator I.J. Gorst :

The Deputy knows the premise of his question that it is not possible to give guarantees in this particular area. Officers, overseen by Senator Ozouf in conjunction with the Minister for Home Affairs, and others in the Law Officers' Department, are working on this new cyber security strategy. It is not just about government, I think as the Deputy acknowledges, it is about critical national infrastructure and it is about businesses in our community, making sure that they are resilient when it comes to attack. I think we have an excellent role model in the work that the Jersey Financial Services Commission does. The Deputy is shaking his head, but I think he is slightly out of date in that regard. They are doing excellent work. We need to make sure that other businesses in our community are doing similar work and we, in Government, have a co-ordinated strategy. We do not yet know how much more money it is going to cost, but it will cost more money and I know that negotiations are being entered into with our good friend who is well known for opening the purse, the Minister for Treasury and Resources.

2. Deputy T.A. Vallois of St. John :

The C. and A.G. (Comptroller and Auditor General) produced a report on 18th June this year detailing the information security within the States, and particularly it concluded that an ambitious reform programme and an ambitious eGovernment programme would provide changes to the ways of working and that the States need to have confidence in this. In particular a new inclusive and a corporate approach to information security is adopted so that information security is embedded in ways of working throughout the States. How does the Chief Minister envisage providing us with confidence that this may be the case in the future?

The Bailiff :

You were quoting from a report of the Comptroller and Auditor General, just in case members of the public do not understand C. and A.G. because it is a technical shorthand.

[10:15]

In short, it is going to be a long hard slog because confidence is not where it needs to be in delivering the reform. The Comptroller and Auditor General produced a very good report. As I said, the officers right across State departments are overseen by Senator Ozouf , are working on a new strategy around cyber security and information security. It is being overseen by a programme but it is not just about technology. It is about physical environments as well. The Deputy knows that Treasury and Property Holdings are working on office consolidation. She also knows that work is being undertaken in the eGovernment arena but those works have proved difficult and not to be as fast or delivering in the way that we would like to see. So, in short, it is going to be a hard slog to rebuild confidence.

3. The Deputy of St. John :

With all due respect to the Chief Minister, it may be a hard slog but in terms of providing confidence to the States when we see items in the media about I.T. (information technology) stuff being manoeuvred out and possibly outside firms coming into deal with particularly I.T. systems, I would like confidence in the fact that we are doing this in the appropriate way. Could the Chief Minister ensure that he comes forward with an actual target date for completion and ensure that it is done in an appropriate rounded up way rather than individually and in a piecemeal system?

Senator I.J. Gorst :

When we come to the I.T. outsourcing there are various elements that we are currently undertaking that could legitimately be undertaken at this point in time by external parties. There are other parts of that function which will never be able to be outsourced and then there were other parts that need to have a lot of work on them around systems before they would be able to be outsourced. In response to the Deputy 's question about timeframe, the answer is yes.

4. Deputy A.D. Lewis :

In a number of the Comptroller and Auditor General's reports she has mentioned the fact that culture is an issue within the States of Jersey. Currently she has stated that we are far too trusting in our approach to security. Would the Chief Minister agree with that and feel that cultural change is an absolute pre-requisite within the States of Jersey in order to avoid any such cyberattack, as has been spoken about in this question, and other security issues?

Senator I.J. Gorst :

Yes, I accept that, and that is why the piece of work was started and is being undertaken, and that is why Ministers are taking it seriously.

5. Deputy M.R. Higgins:

Going back to my second question, I think it was. The Chief Minister, there has been talk of obviously reducing the size of the information systems staff quite considerably and outsourcing the work. This undertaking to go through and change culture and basically secure the systems throughout the States is going to take a large effort and personally I do not think that a firm coming in from outside and going round States departments to try and do it is the correct way. Will the Chief Minister reconsider the proposals at the present time to reduce the number of I.S. (Information Systems) staff so that we can have better security sooner rather than later?

Senator I.J. Gorst :

Unfortunately the premise of the Deputy 's question shows that he does not understand the issues that he has been trying to speak about in the Assembly this morning. These are critically important issues ?around cyber security, information security, physical and technological as well. That does not mean to say that the Government has to employ many more staff in the I.T. arena to be able to give that confidence. Perhaps some of the other questions that have been raised this morning would indicate that the right thing to do is to partner with third parties and external organisations to start to give some confidence to the Members of this Assembly.

Deputy M.R. Higgins:

Sorry, if I can just say, no one is against outside consultants coming with expertise but to roll it out in the States you are going to require a lot more people, especially to make it effective.

The Bailiff :

Deputy , that breaches about every Standing Order. You had had your final question, you did not talk through the Chair, you should not have been talking and you carried on talking.

Deputy M.R. Higgins:

I apologise, Sir, but I did enjoy it.