By NEIL HARTNELL
Tribune Business Editor
The Government is "betwixt and between" over the Registrar General's Department's cyber security woes after being forced to again shut down its online database following fresh hacking attempts.
Carl Bethel QC, the attorney general, told Tribune Business that the agency's online portal was closed "last week" after the Royal Bahamas Police Force (RBPF) detected fresh "incursions" that were traced back to Internet Protocol (IP) addresses in two eastern European countries.
While Mr Bethel declined to name the states involved, this newspaper understands from separate sources that the latest efforts to penetrate the Registrar General's Department originated from Russia and Bulgaria - both of which are known as established sources of hacking and cyber crime.
He blamed the latest series of hacks on the former Christie administration's failure to properly implement the recommended security measures when the Registrar General's Department was hacked for the first time, slamming the situation as "inconceivable".
However, these claims were yesterday refuted by his predecessor as attorney general, Allyson Maynard-Gibson. She told Tribune Business that "every technological upgrade" required under her watch was implemented, and that the Minnis administration needs to start taking responsibility given that it was elected to office more than three years ago.
The latest shutdown, which comes just months after the Department's database was hacked in a separate January incident, has caused further frustration for the ease and efficiency of conducting business in The Bahamas even though Mr Bethel said it will likely re-open by week's end once "several layers" of new cyber security defences have been deployed.
The Registrar General's Department is the hub around which much of corporate Bahamas and, in particular, the financial services industry functions. It plays a critical role in the incorporation of companies and other Bahamas-domiciled vehicles, such as International Business Companies (IBCs), all of which are key cogs in structures employed by high net worth and institutional financial services clients.
The agency handles annual company filings/returns, and the payment of associated fees and name reservations/searches. Patent applications and approvals; the recording of deeds and documents, such as real estate conveyances; and births, marriages, deaths and adoptions are among its other core functions, meaning the Registrar General's Department touches every Bahamian and resident at some point in their life.
The closure of the online portal and database has thus meant that attorneys and the private sector have been forced, at least temporarily, back to a manual system for performing daily corporate functions, resulting in extra cost and time plus inefficiency. Marlon Johnson, the Ministry of Finance's acting financial secretary, confirmed to Tribune Business that new Business Licence applications are among the processes impacted.
"We shut it down last week," Mr Bethel confirmed of the Registrar General's online portal and electronic database. "We had opened it temporarily, and noticed according to the scans conducted by the police that there were attempted incursions by two IP addresses in eastern European countries.
"I cannot name them, but they are countries in the far east of Europe not in the European Union (EU). That's what our information is. I shut the whole thing down. We put in a drop box service which the whole industry should know about. We're trying to put in several layers of defences as an interim solution, but it will take a week. By this time next [this] week we will be up and running with additional defences."
Tribune Business sources confirmed that the two IP addresses involved were traced by the Royal Bahamas Police Force to Russia and Bulgaria, although Mr Bethel declined to comment on this.
The latest hacking attempts, following so swiftly behind the January incursion by the Distributed Denial of Secrets group, and the 2016 breach by the International Consortium of Investigative Journalists (ICIJ), threaten to spark concerns about the security and integrity of sensitive personal and financial data held in The Bahamas.
This, in turn, could be detrimental to the country's ability to attract fresh business and investment post-COVID-19 even though none of the incursions and attempted penetrations at the Registrar General's Department appear to have seized anything of real value. Both the ICIJ and Distributed Denial of Secrets obtained only companies registry information, including lists and names of directors, that is publicly available for a fee.
However, with cyber security set to assume ever-greater importance in the post-COVID-19 world, Mr Bethel revealed that he was seeking to split up the Registrar General's Department's electronic database into several separate ones based on their functions.
This, he explained, will mean that the companies registry will be separate from that of births, marriages and deaths. With these on separate servers, Mr Bethel said any hacker able to penetrate one of these databases would be unable to access all - as they can presently.
Pledging that the companies registry will have additional cyber security defences "to guarantee the complete integrity of that system", the attorney general revealed that multiple government agencies can currently access the Registrar General's Department's online portal. This, he disclosed, creates extra risk and potential openings for hackers to exploit, noting that the ICIJ intrusion "came through another government agency".
Declining to name the culprit, Mr Bethel added: "Every government agency you care to name has access to the portal. NIB, tourism, which needs to count shipboard weddings in Bahamian waters.
"We're betwixt and between. There are two things going on. One is to try and put in some security restrictions and take steps to correct the errors left in place. The errors in 2016 we have corrected as of now, and are trying to put in layers of security to allow us to open.
"I'm also trying to find ways to differentiate the different registries," he continued. "Tourism, which needs to keep track of weddings on cruise ships and persons coming to The Bahamas to be married, will only have access to that part of the registry. NIB, which needs access to births, marriages and adoptions, will only have access to that part of the registry.
"We need segregated databases so that if someone is able to hack one part they can only get into that. We're working on a number of fronts." Mr Bethel said the Government was also developing a "temporary approach" to ensure Business Licences and other related filings could continue.
"That will be on a restricted basis, but hopefully by Monday [today] we will have something that will allow Bahamian entities - in terms of their relationship with the Department of Inland Revenue - to have a certain amount of access."
Mr Johnson, at the Ministry of Finance, confirmed to Tribune Business that the lost access to the Registrar General's Department's online portal had impacted new Business Licence applications as entrepreneurs were delayed in incorporating, reserving business names and ensuring they did not duplicate firms already in existence.
"It's the incorporation and registration of names. They have to search the registry's system when you register a business name," he explained. "It has impacted our Business Licence processes. However, the team has put together a manual work around. It has slowed us down but hasn't stopped us. I'm told they're to the point where it should be rectified."
Mr Bethel, meanwhile, said the COVID-19 pandemic had also delayed the arrival of a company that has been contracted to build a database which captures "historical" companies information going back to a certain year and marries this with current information.
He added that this project, designed to reduce the number of persons coming to the Registrar General's Department to conduct searches, would begin once travel restrictions ease. However, Mr Bethel said the Government's new technology and digital department was "not on the same page" with regard to this project - something he intends to rectify via a series of meetings over the coming weeks.
Blaming the weaknesses in the Registrar General's Department's defences on the former Christie administration, Mr Bethel said the current government had been under the impression that the weaknesses exposed by the ICIJ had been rectified until it discovered otherwise via the Distributed Denial of Secrets hack.
"None of the measures to defend against future hacks were implemented by the former administration and former registrar general," he told Tribune Business. "Nothing had been done to correct the errors that led to the ICIJ. We were unaware they had not taken the protective measures. None of us were given the information when we came in. We didn't know the circumstance.
"The [Distributed Denial of Secrets] hack started in October 2019, and between then and February they got the information. The system did not have any alert contrary to what we were advised. We were entirely unaware of what was happening until the information was published. That's how drastic it is.
"We cannot afford to make the same mistake twice, or a third time, due to ignorance on our part as to what has been recommended and not implemented. It's inconceivable that, having gone through the embarrassment of the ICIJ hack, these measures were not implemented. Inconceivable."
This, though, was rejected by Mr Bethel's predecessor, Mrs Maynard-Gibson. She said, in a statement to Tribune Business: "So far as I am aware, at all times that I had responsibility for the Registrar General’s Department (RGD) every technological upgrade was done under the recommendation of - and implemented by - the outstanding Bahamian professionals at what was then called the Department of Information Technology (DIT) of the Ministry of Finance and BTC.
"During the course of RGD upgrades, these Bahamian professionals discovered that a previous FNM administration had given sole access to information in the companies registries and other information at RGD to a non-Bahamian vendor. Also, a previous FNM administration had given a Bahamian vendor unimpeded access to the documents at RGD and the Supreme Court Registry.
"The Bahamian professionals at DIT and RGD were concerned about the security of this information. The Bahamian professionals advised that the access to the non-Bahamian vendor should be removed and repatriated to DIT. This advice was accepted and implemented. Also upon their advice, action was taken to obtain the documents (digital and hard copy) from the Bahamian vendor."
The ex-attorney general continued: "It is more than three years since the FNM became government. Its failure to implement further upgrades and act upon the recommendations of the Bahamian experts must fall squarely at its feet and nowhere else.
"Rather than blaming others, time might more productively be spent quickly implementing secure upgrades and improving The Bahamas’ ease of doing business rating. There are many Bahamian entrepreneurs that would be delighted to enter into PPPs (public-private partnerships) to accomplish these goals."