#CyberMonth: Behind the Jersey Cyber Security Centre's Proactive Cyber Defense Mission

As part of the shift from reactive to proactive cybersecurity, many groups and organizations use campaigns like Cybersecurity Awareness Month to foster awareness and education about the growing landscape of cyber risks.

One such group is the new Jersey Cyber Security Centre (JCSC), which aims to bolster the cybersecurity posture of the Channel Island under the leadership of Matt Palmer, director at the JCSC.

Formerly known as Jersey's CERT, the center has undergone significant transformations to meet the ever-changing needs of the digital age and expand its mission beyond incident response.

JCSC is the island’s frontline defense against cybercrime, protecting local businesses, government, and individuals alike.

Palmer’s team now embarks on proactive strategies like public education and security training as well as continuing to provide incident response support.

In this Infosecurity interview, Palmer sheds light on the center’s expanded mission and how Jersey prepares for the next wave of cyber threats.

Infosecurity Magazine: What prompted the decision to establish cybersecurity support services in Jersey, and when did this initiative begin?

Matt Palmer: The desire for a computer emergency and response team (CERT) was born of a recognition that cybersecurity was critical and someone needed to drive it forward.

The Jersey government’s Cyber Security Strategy, published in 2017, required the creation of a CERT but without defining in detail its responsibilities, so we inherited the name but had the freedom to design the service.

Jersey’s CERT (CERT.JE) was established in 2021 and became the Jersey Cyber Security Centre (JCSC) in 2023.

The language and expectations around a computer emergency response team are often unhelpful.

Firstly, the public doesn’t really understand what a ‘computer emergency’ is, but everyone understands a ‘cyber incident.’ Secondly, an ‘emergency response’ team is just that – responsive. It suggests we should be running around all day dealing with crises. In fact, we should be working calmly and quietly behind the scenes to make cyber security as uneventful as possible.

It required some work to explain this, but once we had done so, I found that ministers and stakeholders immediately appreciated the difference. Prevention is better than cure. We needed a name that reflected this and made sense to the public and us. CERT.JE wasn’t it, but Jersey Cyber Security Centre very much is.

This is also why Cybersecurity Awareness Month is a crucial period for us. This October 2024, we hosted a cybersecurity conference and other side events, and we released a Cyber Security Guide to provide recommendations for the controls Jersey-based organizations should implement to improve their cybersecurity posture.

IM: Could you elaborate on Jersey's distinctive cybersecurity landscape, including the jurisdiction's specific challenges and threats?

MP: Jersey is a small island in the middle of the Channel, but as a British Crown Dependency, we have our own parliament, judicial system and government. We also have our own health service, police, fire service and school system, and we run our own seaport, airport, telecoms providers and utility companies, including electricity, water and gas.

Despite having a population of just over 100,000 on an island measuring only nine miles by five, we have all the complexity and risk of a nation-state. In addition, Jersey is a leading International Finance Centre (IFC), which means having a trusted and well-regulated business environment is very important to us.

Jersey has also had to deal with a number of crises in the last few years, including a gas explosion that killed 10 local residents, the loss of a commercial fishing boat and its crew in a collision with a ferry, a gas outage due to an operational technology (OT) misconfiguration, flooding, and a tornado that tore through much of the island.

Following Russia’s invasion of Ukraine, Jersey was named by Moscow as an unfriendly nation in response to sanctions. Previous incidents have included a power outage, a telecoms outage, and connectivity issues when a ship dragged its anchor over an undersea cable. That’s a lot of disruption for a small community, but it has helped us understand the need to integrate cyber response with wider island resilience, and to create a culture of readiness. We do regular jurisdictional risk assessments, and there are clear protocols now for a major incident or emergency.

IM: What specific services does the JCSC provide to businesses and organizations in Jersey?

MP: Our new Jersey Cyber Shield comprises a number of services that work together to protect local businesses and organizations.

We ingest global and local threat intelligence and vulnerability data relating to Jersey’s IP space and use this to identify which global issues require local alerts and notifications, as well as to notify organizations so they can address vulnerabilities. We also run a vulnerability disclosure program for security researchers to notify vulnerabilities they find in Jersey websites. We validate these and pass them on anonymously to protect the researcher, and if needed we offer advice to organisations on how to fix the issues.

Additionally, when cyber incidents do occur, we coordinate responses with other agencies and internationally; one recent incident involved us working with six other jurisdictions while the issues were being resolved. We also help explain incidents that do occur to policymakers and the public to avoid the traditional fear and panic that often accompanies a major incident.

Occasionally, we will provide direct on-site technical response services, but this is very rare – usually only when there is a public protection imperative. In that way, we’re an incident responder of last resort. What we can’t do is manage your incident for you. Often, what organizations find most valuable is having someone with them at every step of their response, helping and supporting but not judging. We don’t report incidents to law enforcement or regulators; we are confidential so people know they can call us for help.

IM: How do you ensure your team is equipped to handle the evolving cybersecurity landscape?

MP: JCSC includes a team of seven. This includes our operations team led by our Head of Cyber Defence. He is supported by analysts who focus on threat intelligence and incident response.

We have a cyber risk officer who ensures we prioritize effectively and have a shared view with industry and government. We also have a legal officer; her role is to ensure that we are legal and compliant and have the proper agreements and legal provisions to do our job effectively. Finally, our communications officer leads our public engagement program, website and social media activity.

One of the nice things about cyber is that it is a very open field where everyone can make a contribution. It allows for diverse skill sets and perspectives, essential when dealing with international threat actors. Sometimes, it takes the whole team to provide accurate attribution of an incident to an advanced threat actor, for example, or we’ve brought our communication officer in to help with post-incident communication. Technical skills matter, but the key is an inquiring mind, no ego, and an infinite willingness to learn.

Finally, we do lots of training. Everyone in the team, including enabling roles such as communication and legal, has been trained in cyber incident response and emergency management. We also run regular exercises with the community. Like any emergency service, the more time we spend preparing, the less time we spend responding. And the more we focus on readiness, the more we can reduce the impact of an incident. It’s the impact that matters. Incident response isn’t something you can become perfect at; there’s no such thing as good really – only what you can learn from for next time.

Mount Orgueil castle over the Gorey village promenade, Saint Martin, bailiwick of Jersey, Channel Islands.

IM: Can you share examples of how JCSC helped organizations in Jersey overcome a cybersecurity challenge?

MP: Recently, we helped a public body respond to and recover from an incident that had compromised a large data set, using an insecure direct object reference (IDOR) attack on a website.

This allowed data to be downloaded that should have been confidential and required a public notification. We were able to work with them, fully integrated into their incident response team, to help them manage and respond to the incident, and analyze the logs to understand access patterns. This helped understand the risk to data subjects.

We were also able to advise on the controls that needed to be put in place. Other incidents have included ransomware attacks on schools and businesses, invoice fraud, CEO fraud, malicious botnets and more.

IM: How does the JCSC collaborate with other organizations, both locally and internationally, to enhance cybersecurity?

MP: Jersey is deeply integrated into the global economy, particularly the City of London. We also work closely with the UK in many areas, such as healthcare. Therefore, what happens in Jersey really matters.

As part of the international cyber defense community, we have been able to notify other jurisdictions of a wide range of threats and incidents, from airports to government services. We’ve also been able to share some of the tools we have developed with other computer security incident response teams (CSIRTs) and CERTs. We can’t be great at everything because we’re small, but because we are small, we can innovate – so we can specialize and make valuable contributions.

We have established local networks for CISOs and cyber security suppliers to help us get their feedback and input on our services and provide them with information and guidance. We also work closely with local Emergency Planning teams, the other Crown Dependencies, and the UK’s National Cyber Security Centre (NCSC).

Internationally, we are part of CSIRT networks such as the Forum of Incident Response and Security Teams (FIRST) and TF-CSIRT, its European equivalent. We’re also members of the Information Security Forum (ISF).

It is still a developing field with rapid change. It is essential that we learn from others and also share our experiences to help others deliver. Global collaboration is essential to us – we couldn’t do this alone.
