Amid the maelstrom of public suspicion triggered by allegations of vulnerability of its Jamcovid-19 application, the Government yesterday said it is undertaking a comprehensive review of security on all its websites and networks to ensure compliance with international standards and best practices.

“This process is underway with 162 website reviews completed and another 100 in progress to date. Any credible vulnerabilities that are identified are concurrently being rectified,” the Office of the Prime Minister (OPM) said in a late evening news release.

The office did not say how many vulnerabilities have so far been detected, and attempts to get a number from Government officials were met with deafening silence.

The OPM issued the release after yesterday's monthly meeting of the National Security Council chaired by Prime Minister Andrew Holness. The meeting, OPM said, “received a comprehensive update on Jamaica's cyber architecture and a specific report on matters related to the Jamcovid-19 application”.

OPM said the main points of discussion at the meeting included the steps being taken to build a robust governance framework and infrastructure for cybersecurity embedded in Plan Secure Jamaica — the Government's comprehensive and holistic approach to tackling crime and ensuring a safe and secure society.

“Prime Minister Holness has directed that the plans for building cyber resilience in Jamaica be accelerated, including:

bringing the new National Cybersecurity Strategy to Cabinet in the second quarter of the upcoming fiscal year;

launching a new Cyber Academy; and

intensifying cross-agency cooperation,” OPM said.

“Already, a multi-agency cyber analysis team, including eGov; the Cyber Incident Response Team of the Ministry of Science, Energy and Technology; Major Organized Crime and Anti-Corruption Agency; and Communications Forensics and Cybercrimes Division of the Jamaica Constabulary Force, is in place and conducting critical assessments of the existing cyber landscape,” the release said.

The actions come as the Administration continues to take heavy flak after United States technology magazine TechCrunch reported last week that there were vulnerabilities in the Jamcovid application and website that the Government uses to manage the novel coronavirus pandemic.

According to TechCrunch, files with sensitive data had been left unprotected. However, the Government quickly moved to calm fears, saying it had fixed the problem, which had exposed the data of over 400,000 visitors to the island. It also said that, while there was no evidence to suggest that the vulnerability had been exploited for malicious data extraction prior to it being rectified, the Government had, out of an abundance of caution, “contacted travellers whose data may have been subject to the vulnerability and have assured them that steps have been taken to ensure the integrity and the confidentiality of the data”.

Additionally, the Ministry of National Security said it had initiated a criminal investigation into the matter, stating that when a security vulnerability is identified in respect of a government system, the State has a duty to investigate and rectify it.

Also, on Tuesday this week, Amber Group, the company that developed the app and donated it to the Government, rubbished TechCrunch's claim that a second vulnerability existed.

“The exposed .env file (ie environmental file) that is being described as a second vulnerability is a file that contains expired information, along with links that had been previously made redundant,” Amber Group founder and CEO Dushyant Savadia said in a statement.

Yesterday, OPM said the Jamcovid-19 investigations and assessments are concurrently focused on two streams:

“The level of compliance of the security architecture and configuration of the application and related databases with established standards and best practices; and

“The possible activities of any malicious actors in either creating or exploiting any vulnerabilities in the security architecture and configuration and whether such exploitation resulted in data exfiltration.”

OPM said the findings thus far indicate that, while there is evidence of unauthorised access, there is no evidence of data exfiltration. “However, the probe by the multi-agency cyber analysis team is ongoing and the public will be advised further as the investigation progresses.”

At the same time, the Government said it was “accelerating plans that were already underway to migrate the Jamcovid-19 database”, adding that the cyber analysis team has undertaken a comprehensive review of security of the application and related databases and, in conjunction with the developer, has significantly hardened the security of the system.

Added OPM: “The Government wishes to assure the public that it is sensitive to the legitimate fears and concerns around data privacy and protection and is committed to pursuing a comprehensive approach to system-wide strengthening as we move towards the creation of a digital society.”