Cybersecurity: state of play in the region and current priorities

GPD Cybersecurity Workshop for Stakeholders in the Pacific session summary by Cherie Lagakali

Earlier this month PICISOC board members Anju Mangal, Andrew Molivurae and I took part in a Stakeholder cybersecurity workshop in the Pacific. The one-day event was organized by Global Partners Digital in collaboration with the University of South Pacific (CROP ICT), Asia Pacific Network Information Centre (APNIC), the Pacific Community (SPC) and the Oceania Cyber Security Centre (OCSC).

The keynote speaker was Hon. Siaosi Sovaleni, Minister for Education and Training, Tonga (Former Deputy Prime Minister of Tonga). I facilitated the second session called Cybersecurity: state of play in the region and current priorities.

Participants broke off into 3 groups to discuss:

  • What is important
  • What is being done
  • What is missing (gaps)

Below are points from the group discussions:

  1. What is important:

– Increasing public awareness
– Stakeholder engagement: moving away from single reliance on government. Making everyone able and aware so that they can protect themselves
– High level general awareness by public and community
– Communication strategies from the beginning
– Building TRUST
– Educating leaders and improving their knowledge
– Clarity around the role of the CERT
– Sharing information between countries in the region to not duplicate efforts
– The need to continue collaboration and coordination between funders, implementers and beneficiaries
– Development of legislative frameworks, such as cybercrime, came up as a priority to further implementation of national cybersecurity strategies

  2. What is being done: (Broken down by countries represented)

PNG

Legislation/Policy

  • Drafting cybersecurity policy
  • Established cybercrime Act 2014

Infrastructure/institution

  • PNGCERT
  • Nat Cyber Sec Center (2018) for APEC – result of MoU w/ PNG & AU

Focus

  • Finalize cybersec policy followed by cyber sec strategy

Awareness Raising Activities

  • Cybercrime Act but little being done on awareness, need police training
  • Need to create awareness of existing institutions
  • Online safety; had session w/ PNG Council of Churches
  • Good means to spread message
  • Lots of concern b/c congregation being bullied
  • Private-Public Partnership

Tonga

Update cybercrime bill (last one in 2003)

  • Drafted and with Cabinet at the moment

CERT Tonga established

  • MoUs with other Pacific CERTs, other cybersec institution

Signed Budapest Convention

Capacity building training (especially with APNIC)

Awareness Raising Activities

  • Mainly done by CERT team
  • Within government
  • Towards society
  • Host training in villages/outer islands for end-users
  • Small CERT team so Women in ICT offer to help assist in awareness raising for schools, etc
  • Social media heavily used for awareness raising

Nauru

2016 Cybersecurity crime act (involved all departments)

2007 User policy Act

No established international PoC

  • just joined PaCSON (last month)

Working to establish int’l CERT

  • Cybersecurity awareness team being created
  • Work on RFC 2350

Awareness Raising Activities

  • Focus on awareness raising of govt networks (target of most threats)

Govt CERT main focus will be to be PoC for all govt

– Give presentations to departments
– Not do response, but just awareness for the time being

Samoa

Nat Cyber Sec Strategy 2016-2021

  • Ministry of Police, AG, Regulator… many involved

Midst of launching CERT

  • Finalize to be launched soon

Current chair for PaCSON

  • Ministry of Comms
  • Technical Working Group (TWG) – key ICT ppl from each Ministry
  • Soon expand to State Owned Enterprises

National ICT Steering Committee (Chaired by PM)

  • Good to have top level involvement/support

TWG helps to fill CERT functions in the meantime

Feb? attack on govt network – TWG mobilized

  • No separate cybercrime law, but under crimes act include misuse of electronics…/computer crimes

Libel Law 2018 – very controversial

  • In response to a lot of the issues on social media (specifically views on government/politicians)
  • Freedom of Opinion v. Undermining Government/traditional rules of being respectful… many don’t accept the law

Awareness Raising Activities

  • Not many IT policy people, but strong ICT community
  • Not wide consultations
  • tend to only invite technical people
  • So less awareness out there
  • Need to include more education/society focused folks
  • Currently discussing cyber legislation and confidentiality of info legislation. Best to widely consult
  • Recently launched ICT association… awareness included in set of goals…

Key focus: don’t dumb down the users, first defense in any kind of activity in the Internet

  • Ex: NZ CERT language very easy to digest: need to be very careful about the language that we use (need comms trainings!)
  • A lot of focus on social media, which isn’t CERT area, so need help to keep conversation towards cybersecurity not content… careful content, script to help guide discussion
  • Tendency for Samoa to contextualize policy… Samoan version to help community to learn the
  • Cybersecurity strategy: no Samoan version so people find it hard to understand it

Vanuatu

2013-16 National ICT Policy

  • Activist push for civil rights and how civil society could use the space to promote what they do
  • Policy currently under review

Govt taking big steps to fight crime (ex: Chinese nationals deported about last month due to cybercrime activities in VU)

Need more work on bullying

VU active PaCSON member

CERT VU operational

Awareness Raising Activities?

Regional Initiatives

  • PaCSON
  • APNIC

Final notes on what is currently being done

  • Cultural tendency to not assert self: need to say what you want! Not be controlled by outside agenda
  • Importance to translate to local language, but often the words (the very concepts) don’t exist!
  • A lot of efforts to do together
  • Help assertiveness: series of training that focus on what do you want next and actual follow-up. Target the same group, something to look forward to
  • Language is still too technical, little understanding of wider issues/interests… need to bring more folks to the table
  • Little conversation, so people accuse each other of not working
  • lots of work being done, just in silos
  • Talk about inclusiveness, but not fully inclusive of villages, especially illiterate/women/etc

  3. What is missing

  • Incident Response Teams: Some countries do not have a CERT/CSIRT and whilst there are government departments or groups trying to fill the gap, they don’t have the mandate or resources to be effective.
  • Cybersecurity awareness is something that still needs to improve, with ad-hoc programs but need for a coordinated and sustained approach. This needs to target end users as well as executives and senior officials to try to build a cyber-safety / cybersecurity mind-set.
  • Gap between the Technical and Non-Technical (Policy) community in terms of communication and understanding/approach to cybersecurity issues.
  • More work is needed to build an appreciation of the scope of cybersecurity and what it means to be cyber secure for a country.

a. A view was that Digital Human Security needs to be at the Centre and to determine what values we need to defend in cyberspace.

b. Also acknowledgement of the complexity of cybersecurity capacity challenges and that no single mechanism or intervention can address all issues.

  • Absence of regulatory frameworks
  • Even where cybercrime legislation exists, more work is needed to build capacity across the criminal justice system and law enforcement to enforce such laws.
  • Challenges with knowledge development and retention and talent drain from Pacific Island countries.
  • Need for improved regional coordination.
  • Acknowledging that some cybersecurity issues are global challenges that require global solutions.

Cybersecurity Capacity Building / Awareness Raising

1. Priorities

  1. Need to complete a vulnerability assessment in order to inform which cybersecurity capacity building areas should be prioritised to minimise cyber harm.
  2. Need to address resource constraint issue.

2. Lessons

  1. Leveraging mobile technology and social media to reach large audience for lower cost through Facebook Live awareness videos
  2. Capacity building needs to be for both Government and Non-Government actors.

3. Challenges

  • “Western” Social Media not compatible with Pacific Island Communications and Decision Making culture and traditions.
  • Issues are manifesting into physical violence and consequences.
  • Need for a regional voice to lobby and get support from Big Tech to help mitigate the risks associated with Facebook and other tech adoption.

The session concluded with presentations from Elvin Prasad (lead of CROP ICT Working Group at the University of South Pacific) on current cybersecurity trends in the region and Matthew Griffin (Research Fellow at the Oceania Cyber Security Centre) with a summary of key takeaways from the maturity assessments that the Centre undertook in countries in the region.
