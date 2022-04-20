The vulnerability of the Puerto Rico government systems was proven this weekend, after an attack was perpetrated on the AutoExpreso platform, managed by a private operator, a situation that could have exposed confidential information of the thousands of citizens who use that platform. service.

The lack of claws of the government over the systems managed by third parties, as well as the absence of recurrent funds that allow the State to acquire updated technology, hire more specialized personnel and replace obsolete equipment, are two of the fundamental factors that could make the government easy prey for hackers.

“In our monitoring systems, all these attacks have tripled, and we are looking at them. We are putting all prevention systems into effect and we are monitoring, being proactive in the agencies,” he said. Ngai Oliverasthe government’s top Cyber ​​Security official, who attributed the rise in such alerts, in part, to the conflict between Russia and Ukraine.

Despite the fact that three years ago the government had the Office of Puerto Rico Innovation and Technology Service (Prits), it was not until April of last year that the agency issued administrative order PRITS -2021-001 to establish the government’s cybersecurity programwhich includes, among other things, the development of public policy to address this absence of claws on systems managed by third parties.

The administrative order, explained Nannete Martinezinterim director of Prits, requires companies that offer services to agencies that the technology they use is owned by the government and “resides” or is kept in the “hosting” of the government, which can be clouds or servers. “We greatly favor the use of the cloud, above all, for what has to do with citizen services”Martinez said.

These private operators must also be certified by a security accrediting agency that guarantees the State that they have the minimum controls required so that events like this cyberattack do not happen.

However, both confirmed that there are still many systems within the government operated by contractors that are not aligned with that policy. “There are various government systems that have to do that migration and make sure they are in compliance, and all those processes take time”Martinez argued. “The administrative order was issued a year ago. However, for some systems it is more complex than for others, for some providers and for some agencies it is more complex than for others,” the official stressed.

Oliveras, for his part, said that they are in the process of holding a meeting with the technology providers certified by Prits to explain the public policy and demand that they have to comply with minimum requirements and controls in order to provide services to the government of Puerto Rico.

In the case of the company Professional Account Management (PAM), operator of the AutoExpreso since 2018, it was clarified that they are not aligned with public policy. No representative of the entity was present at the press conference offered by the government, nor did they express themselves later on the subject.

Yesterday, just as the government reported the details of the “ransomware” attack on the system of the private operator that manages AutoExpreso, it was reported that the University of Puerto Rico (UPR) was also a victim of “hackers” over the weekend, confirmed the interim president of the institution, Dr. Mayra Olavarria Cruz.

The situation was addressed and had no consequences that could affect system users. There was also no data loss, identity theft, or damage to the UPR’s servers or network infrastructure, it was reported.

Ransomware is a type of virus that infects computers, encrypts or hijacks files on system storage (hard drives), and then demands payment to regain access to the information.

They express doubts about the operation

Since its inception and through more than one operator, the AutoExpreso system has been the object of constant criticism from citizens who, for years, have denounced the collection of illegal fines for the use of tolls.

The fear of the irregular imposition of fines for alleged lack of funds is one of the biggest concerns that drivers have expressed since the cyberattack became known, a concern that the executive director of the Highway and Transportation Authority (ACT) tried to clear up yesterday. , Edwin Gonzalez Montalvoby ensuring that no violations will be issued to users until the situation is resolved.

“They will not incur any fines from Saturday onwards. (The collection of fines) has been paralyzed indefinitely until we have total confidence in the system and it is restored”pointed out the director of the ACT.

Since 2018, the PAM company has remained the operator of the AutoExpreso through amendments to the contract -which was valid until July 1, 2019- that do not comply with the fiscal plan, as warned by the Fiscal Supervision Board (JSF) to the ACT in a letter dated February 14, 2022.

After these many amendments, the cost of the contract has risen to $145.1 million. “We take this opportunity to remind the ACT that our contract review policy requires the approval of the Board of certain contracts (and amendments to existing contracts) to ensure that they ‘promote market competition’ and ‘are not inconsistent with the approved fiscal plan’”, claimed the Board.

To this, he added that the fiscal plan of the ACT itself had September 30, 2021 as the deadline to issue a request for proposals to obtain a new toll operator. That has not happened.

“As you know, the fiscal plan establishes that the permanent operator selected as a result of the tender ‘will install new systems that increase the reliability and speed of transaction processing and maintenance of account balances, better track toll violations and ensure that data collection complies with all applicable security protocols”, details the JSF. The weekend cyberattack raises concerns about that last clause.

Yesterday, during the press conference, the Secretary of the Interior, Noelia Garciaindicated that the government is not satisfied with the AutoExpreso service or with the technology that it is currently offering to the client, and that, precisely as a result of this dissatisfaction, they have begun a process of requesting proposals for the acquisition of new infrastructure and innovate the technology that captures the information.

“The government is executing and as late as this summer this equipment will be identified and in the process of being installed”Garcia said.

Regarding the process for hiring a new operator, García limited himself to saying that “it cannot be just anyone”. “We can’t put a patch on and have the same problems,” he said.

Another possibility that the government is examining is to integrate AutoExpreso into Cesco Digital’s provision of services. “This system is an innovative one and has been tested in times of crisis… The important thing is that the problem was identified, it is being addressed and that it has an expiration date,” Garcia said.

Additional Initiatives

Oliveras indicated that, as part of other efforts, there is the acquisition of technology services offered by the organization “Multi-State Information Sharing and Analysis Center (MS-ISAC)”, contracted by the Department of Defense to ensure government cybersecurity. local and state, including territories.

MS-ISAC already supplies the government with some free services. “These systems that we are going to acquire are going to be monitoring all the devices of the government of Puerto Rico, the PCs, the ‘laptops’, the servers and, then, we are going to have the monitoring of them 24/7, 365 days a week. year… and that is going to significantly reduce the risk because we are going to detect things right away”he explained.

The official also pointed out the need for the government to have recurring funds for cybersecurity, a request that is before the Board. “I need continuity of services, I need to have those funds available to continue recruiting specialized personnel, which is personnel that costs … plus systems, applications and the monitoring center,” he detailed.

“There are thousands and thousands of alerts that we receive daily… In this world of cybersecurity, you receive a lot of false positives, thousands, thousands, and that is why analysts have to be there to figure out if this is a genuine attack”added the executive.

They do not rule out joining

Despite the fact that, at the press conference, the executive director of the ACT assured that the incident was being investigated by the Federal Bureau of Investigation (FBI), the director of the agency in Puerto Rico, Joseph Gonzalezindicated yesterday, during a meeting in La Fortaleza, that they had not received a referral from the state authorities, although they expressed their willingness to collaborate.

“This (cyber attack) was immediately brought to our attention, Prits was notified, FBI personnel were notified. This morning (yesterday), I was interviewed by the FBI, they are aware of everything that is developing, it is something that is under investigation.Gonzalez argued.

Meanwhile, until yesterday at noon, the Secretary of Justice, Sunday Emmanuel, had not received a referral on the matter either. “As soon as it arrives, we have a Cyber ​​Crimes Division. We have the cooperation of the FBI, the Puerto Rico Police, and the Department of Public Safety,” he stated.

They can do business

González Montalvo indicated yesterday that drivers who have fines from the AutoExpreso system for the use of tolls will be able to renew the registration of their vehicle and their driver’s licenses.

The drivers, assured the official, will be able to complete the transaction through the Cesco of the Department of Transportation and Public Works (DTOP) or in independent inspection centers.

“The DTOP will basically be lifting any fine or lien through the fines imposed by AutoExpreso so that citizens can inspect their cars and renew their tags”said the headline.

González Montalvo also assured that citizens who have had their credit card information registered in the system can be “completely calm”, since “preliminary it has not been compromised”. He also asserted that no driver will incur fines for traveling without funds in their account from Saturday, April 16, until further notice, although the system will continue to record tolls.

The Secretary of the Interior added that they will be attentive to additional security measures that they have to take to guarantee the services and any impact on the citizen. Still, she said, there is no information on when access to the AutoExpreso platform can be regained.

