Cybersecurity: state of play in the region and current priorities

GPD Cybersecurity Workshop for Stakeholders in the Pacific session summary by PICISOC Board

Earlier this month PICISOC board members Anju Mangal, Andrew Molivurae and Cherie Lagakali took part in a Stakeholder cybersecurity workshop in the Pacific. The one-day event was organized by Global Partners Digital in collaboration with the University of South Pacific (CROP ICT); Asia Pacific Network Information Centre (APNIC), the Pacific Community (SPC) and the Oceania Cyber Security Centre (OCSC).

The keynote speaker was Hon. Siaosi Sovaleni, Minister for Education and Training, Tonga (Former Deputy Prime Minister of Tonga). Cherie facilitated the second session called Cybersecurity: state of play in the region and current priorities.

Participants broke off into 3 groups to discuss:

  • What is important
  • What is being done
  • What is missing (gaps)

Below are points from the group discussions:

  1. What is important:

–       Increasing Public awareness

–       Stakeholder engagement: moving away from single reliance on government. Making everyone able and aware so that they can protect themselves

–       High level general awareness by public and community

–       Communication strategies from the beginning

–       Building TRUST

–       Educating leaders and improving their knowledge

–       Clarity around the role of the CERT

–    Sharing information between countries in the region to not duplicate efforts

–   The need to continue collaboration and coordination between funders, implementers and beneficiaries

–     Development of legislative frameworks, such as cybercrime, came up as a priority to further implementation of national cybersecurity strategies

  • What is being done: (Broken down by countries represented)
    PNG

Legislation/Policy

  • Drafting cybersecurity policy
  • Established cybercrime Act 2014

Infrastructure/institution

  • PNGCERT
  • Nat Cyber Sec Center (2018) for APEC – result of MoU w/ PNG & AU

Focus

  • Finalize cybersec policy followed by cyber sec strategy

Awareness Raising Activities

  • Cybercrime Act but little being done on awareness, need police training
  • Need to create awareness of existing institutions
  • Online safety; had session w/ PNG Council of Churches
  • Good means to spread message
  • Lots of concern b/c congregation being bullied
  • Private-Public Partnership

Tonga

Update cybercrime bill (last one in 2003)

  • Drafted and with Cabinet at the moment

CERT Tonga established

  • MoUs with other Pacific CERTs, other cybersec institution

Signed Budapest Convention

Capacity building training (especially with APNIC)

Awareness Raising Activities

  • Mainly done by CERT team
  • Within government
  • Towards society
  • Host training in villages/outer islands for end-users
  • Small CERT team so Women in ICT offer to help assist in awareness raising for schools, etc
  • Social media heavily used for awareness raising

Nauru

2016 Cybersecurity crime act (involved all departments)

2007 User policy Act

No established international PoC

  • just joined PacSON (last month)

Working to establish int’l CERT

  • Cybersecurity awareness team being created
  • Work on RFC 2350

Awareness Raising Activities

  • Focus on awareness raising of govt networks (target of most threats)

Govt CERT main focus will be to be poc for all govt

– Give presentations to departments

– Not do response, but just awareness for the time being

Samoa

Nat Cyber Sec Strategy 2016-2021

  • Ministry of Police, AG, Regulator… many involved

Midst of launching CERT

  • Finalize to be launched soon

Current chair for PaCSON

  • Ministry of Comms
  • Technical Working Group (TWG) – key ICT ppl from each Ministry
  • Soon expand to State Owned Enterprises

National ICT Steering Committee (Chaired by PM)

  • Good to have top level involvement/support

TWG helps to fill CERT functions in the meantime

Feb? attack on govt network – TWG mobilized

  • No separate cybercrime law, but under crimes act include misuse of electronics…/computer crimes

Libel Law 2018 – very controversial

  • In response to a lot of the issues on social media (specifically views on government/politicians)
  • Freedom of Opinion v. Undermining Government/traditional rules of being respectful… many don’t accept the law
    Awareness Raising Activities
  • Not many IT policy people, but strong ICT community
  • Not wide consultations
  • tend to only invite technical people
  • So less awareness out there
  • Need to include more education/society focused folks
  • Currently discussing cyber legislation and confidentiality of info legislation;best to widely consult
  • Recently launched ICT association… awareness included in set of goals

Key focus: don’t dumb down the users, first defense in any kind of activity in the Internet

  • Ex: NZ CERT language very easy to digest: need to be very careful about the language that we use (need comms trainings!)
  • A lot of focus on social media, which isn’t CERT area, so need help to keep conversation towards cybersecurity not content… careful content, script to help guide discussion
  • Tendency for Samoa to contextualize policy… Samoan version to help community to learn the
  • Cybersecurity strategy: no Samoan version so people find it hard to understand it

Vanuatu

2013-16 National ICT Policy

  • Activist push for civil rights and how civil society could use the space to promote what they do
  • Policy currently under review

Govt taking big steps to fight crime (ex: Chinese nationals deported about last month due to cybercrime activities in VU)

Need more work on bullying

VU active PaCSON member

CERT VU operational

Awareness Raising Activities?

Regional Initiatives

  • PaCSON
  • APNIC

Final notes on what is currently being done

  • Cultural tendency to not asserts self: need to say what you want! Not be controlled by outside agenda
  • Importance to translate to local language, but often the words (the very concepts) don’t exist!
  • A lot of efforts to do together
  • Help assertiveness: series of training that focus on what do you want next and actual follow-up. Target the same group, something to look forward to
  • Language is still too technical, little understanding of wider issues/interests… need to bring more folks to the table
  • Little conversation, so people accuse each other of not working
  • lots of work being done, just in silos
  • Talk about inclusiveness, but not fully inclusive of villages, especially illiterate/women/etc
  • What is missing
  • Incident Response Teams: Some countries do not have a CERT/CSIRT and whilst there are government departments or groups trying to fill the gap, they don’t have the mandate or resources to be effective.
  • Cybersecurity awareness is something that still needs to improve, with ad-hoc programs but need for a coordinated and sustained approach. This needs to target end users as well as executives and senior officials to try a build a cyber-safety / cybersecurity mind-set.
  • Gap between the Technical and Non-Technical (Policy) community in terms of communication and understanding/approach to cybersecurity issues.
  • More work is needed to build an appreciation of the scope of cybersecurity and what it means to be cyber secure for a country.

a.       A view was that Digital Human Security needs to be at the Centre and to determine what values we need to defend in cyberspace.

b.        Also acknowledgement of the complexity of cybersecurity capacity challenges and that no single mechanism or intervention can address all issues.

  • Absence of regulatory frameworks
  • Even where cybercrime legislation exists, more work is needed to build capacity across the criminal justice system and law enforcement to enforce such laws.
  • Challenges with knowledge development and retention and talent drain from Pacific Island countries.
  • Need for improved regional coordination.
  • Acknowledging that some cybersecurity issues are global challenges that require global solutions.

Cybersecurity Capacity Building / Awareness Raising

1.         Priorities

  • Need to complete a vulnerability assessment in order to inform which cybersecurity capacity building areas should be prioritise to minimise cyber harm.
  • Need to address resource constraint issue.

2.         Lessons

  • Leveraging mobile technology and social media to reach large audience for lower cost through Facebook Live awareness videos
  • Capacity building needs to be for both Government and Non-Government actors.

3.Challenges

  • “Western” Social Media not compatible with Pacific Island Communications and Decision Making culture and traditions.
  • Issues are manifesting in to physical violence and consequences.
  • Need for a regional voice to lobby and get support from Big Tech to help mitigate the risks associated with Facebook and other tech adoption.

The session concluded with presentations from Elvin Prasad (lead of CROP ICT Working Group at the University of South Pacific) on current cybersecurity trends in the region and Matthew Griffin (Research Fellow at the  Oceania Cyber Security Centre) a summary of key takeaways from the maturity assessments that the Centre undertook in countries in the region.

Share

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.