Why is Jersey introducing a new Cyber Security Law?

Jersey Cyber Security Centre launch

In 2021 I took a new role as Director of Jersey's newly formed cyber response unit. We've come a long way from an initial concept as a CERT to a full operational capability as Jersey Cyber Security Centre. And I suppose that's a good place to start.

But it's just not going to work unless we change it up.

Why is Jersey different?

In recent years, organisations have adopted new technologies and systems faster than ever before. That's even more the case in an innovative digital island such as Jersey - and in doing so, they've opened up new opportunities that have benefited our economy and society.

But alongside these new opportunities, there are also new risks. Cyber criminals continually find new ways to extract sensitive data and personal information. And like any other jurisdiction, Jersey is at risk of being a target.

However, the fact that we are an independent jurisdiction means that we have a unique mix of risks. We manage our own power and water supplies, healthcare, and other vital infrastructure. Our economy is built on professional services such as finance - industries whose international reputation is, in part, maintained by their ability to build trust and to handle sensitive data and information securely.

This means that successful cyber attacks could have significant impacts across the Island. Cyber crime is now one of the world's largest industries, and it does not discriminate. Additionally, despite our being a small jurisdiction, there are plenty who wish us harm and plenty who are willing to act outside the law to achieve those ends.

Threats continue to evolve, and artificial intelligence (AI) will help them evolve even faster. New vulnerabilities continue to appear, and malicious actors will find ways to exploit them. Whilst it is never possible to eliminate all risks, organisations need to be vigilant and take steps to prepare. To do this, they need guidance on the standards they should meet. This includes guidance on how and when to share information about any serious cyber incidents.

Our plan to be different

Working harder does not solve the problem; too often in cyber security we build sandcastles on the beach and wait for the tide to come in, then start again. We simply can't continue on this path: it does not solve the problems, but rather creates an illusion of progress while the risks and impacts continue to increase. People lose their life savings to cyber criminals and scammers. Identity theft is sustained by frequent organisational data leaks. Organisations fail after ransomware attacks that should have been survivable. Unfriendly nations sustain their economies and their wars with our funds, with our intellectual property, and by doing us harm.

Nobody seems to be able to put their finger in the dyke, never mind find a sustainable solution to increasing cyber risks.

Whilst we won't fix this overnight, we can't keep building our castles in the sand and hoping for the best.

So of course we need to reflect international good practice, but we also need to do something different compared to our traditional regulatory approach to managing systemic risks.

We need a legislative framework for cyber security that sets us up for success: one that enables organisations without creating undue burdens, one that supports and protects citizens by enabling resilient public services, and one that provides practical support rather than firing off penalties.

An approach that respects the things that make our Island special, whilst providing for the future rather than being rooted in the past.

To do that we need the right legal framework for Jersey Cyber Security Centre.

The one we are proposing is different to most other public policy responses to unacceptable risks.

JCSC will have no power to fine or penalise bad behaviour. We will have no power to insist, unless through adoption of our recommendations by an existing business or regulator. No power to name and shame those who don't do their bit. No power to investigate, to force compliance, or to require others to act.

We will in fact have one power, and one power only: the power to share information in confidence, and to have information shared in confidence with us.

And we will have one ability: the ability to help.

But whilst this is certainly going to take effort, it does not make for a weaker regime but rather for a stronger one, because it works together with those who carry this risk on behalf of our Island, for as long as they are willing to work with us.

The draft Cyber Security (Jersey) Law is a key step in introducing this structure: it supports the Island’s overall cyber resilience by introducing support and providing clear expectations, but seeks to do so without creating any unnecessary burden on industry.

What will the new cyber law do?

Firstly, it establishes JCSC as an operationally independent, grant-funded organisation accountable to the Minister for Sustainable Economic Development, and defines what we are here to do. With the right legal structure and a clear basis for our work, we’ll be able to work closely and confidentially with organisations in the event of a cyber incident. It will also allow us to provide independent advice to Government and other local bodies, where appropriate.

Secondly, the draft Law sets out how we should be governed. It establishes a Technical Advisory Council (TAC) which will provide expert advice and guidance to support our decision-making. The Law will also require us to produce an Annual Report and regular Strategic Plan, to ensure transparency around our work.

Finally, and in common with the EU, the Law will introduce new reporting standards for some organisations, defined as Operators of Essential Services (OES). Basically, these are any organisations whose operations are critical for the welfare of islanders, for our economy, or our reputation. Some of these are obvious, such as healthcare, telecoms providers and banks. Others perhaps less so, such as ferry services (we are an island!) and Jersey's world class dairy industry.

OES will need to take appropriate steps to improve their cyber security. They'll also be required to notify JCSC and their customers if they experience a significant cyber incident, so that we can learn from it and be alert to emerging threats.

There are however some things we are not looking to do.

Jersey is already a heavily regulated Island. We have a finance regulator, a competition regulator, a data regulator, a health and social care regulator, a telecoms regulator... the list goes on. There have already been some thoughts about regulating cyber, and a lot of people ask me 'where's the stick?'.

But fines and penalties are not the right plan. Every business CISO knows that a compliance mindset has never made for a successful cyber security program. What does make for a successful cyber security program is aligning that program with the objectives of the organisation. So that is exactly what we intend to do, but at jurisdictional scale.

When you contact Jersey Cyber Security Centre, you will do so knowing we are a critical friend who will support you, challenge you when needed, but ultimately keep your private matters confidential and have your back. We are not a law enforcement body, a regulator, or Government. We have no powers to fine you, penalise you, or tell you off. And it would not help if we did: it would be hard for you to be honest with us, you would not share information with us openly, and we could neither help you nor learn from your experience to help others.

In fact, helping is our only power.

It's a superpower.

Because you will know we are only here to help, there is no downside to talking to us.

When you talk to us, magic will happen: in addition to supporting you, the information we learn can be used to protect the whole community.

This is how we stay one step ahead. A comprehensive solution would require a global response, and that we cannot do as an Island jurisdiction. But what we can do is spend less time building castles in the sand, and more time finding small ways to make a difference - just like the Dutch boy in the story who put his finger in the dyke to hold back the sea.

This Law will be a strong first step in moving from managing the status quo towards creating a cyber resilient island.

What, you ask, of those organisations that don't want our help, or bury their heads in the sand?

For some critical organisations, existing regulations and law enforcement will help to bridge the gap between what we can do and what is necessary to protect the island. We will work with these bodies, and where there are gaps we will need to learn together.

For most businesses, however, we have to accept that a cyber failure might be OK - after all, it's your business, not ours, and therefore it's your risk to take, as long as others aren't unduly harmed by it. That said, experience shows that those who don't talk to us before a cyber incident often engage with us afterwards - assuming, of course, that they are still around to do so. And if they are not still around to do so, perhaps economics rather than red tape will provide the solution.

We can't fix everything overnight, but we can take a strong step forward into the future and be prepared for what it brings.

And we can do that in a way that is right for our Island community.

You can read more about the proposed Cyber Security (Jersey) Law here.
