The road to a national CERT in Vanuatu

Why a CERT?

The Vanuatu Government has understood cybersecurity to be an important issue for quite some time. In its 2013 National Cybersecurity Policy, the government outlined the role a CERT would play in supporting cybersecurity in Vanuatu. The establishment of a CERT also serves the economy’s Security Peace & Justice objectives, as outlined in the National Sustainable Development Plan 2016 to 2030.

Officials were also encouraged by the success of the establishment of CERT Tonga in 2016, finding the multistakeholder model relevant to their situation.

How was it done?

The momentum behind CERT VU began to grow once several stakeholders started to take action. In 2016:

  • The Office of the Government Chief Information Officer (OGCIO) visited CERT Australia and APNIC to discuss establishing a CERT
  • The Telecommunications and Radiocommunications and Broadcasting Regulator (TRBR) held the second Havannah Regulatory Internet Symposium, with a theme of ‘Embracing Internet Security’, inviting stakeholders from Vanuatu’s government, service provider, ICT and law enforcement communities to discuss Internet security together. At the symposium, APNIC’s Klée Aiken gave a presentation introducing the CERT model.

As a result of the OGCIO’s visits and the TRBR’s symposium, discussions began about what the scope and mandate of a CERT might look like. The TRBR took the next step and invited stakeholder organizations to form a CERT working group. The working group was chaired by Jackson Miake of the OGCIO and included 12 organizations.

The working group progressed towards their goal throughout 2017, inviting APNIC to facilitate desktop security exercises and strategic discussions. APNIC accepted the invitation and conducted a meeting and half-day workshop in November 2017.

APNIC’s engagement was supported and coordinated by the APNIC Foundation with funding from the Australian Department of Foreign Affairs and its Cyber Cooperation Program.

With the pace of development increasing, the CERT working group attended a regional CERT workshop in Tonga in early 2018, where they announced that the CERT would be ready to launch in June. This would mean the CERT would be up and running ahead of the Asia Pacific Regional Internet Governance Forum (APrIGF) meeting in Port Vila that August. At this point, the working group also engaged a consultant to produce the plans, policies and procedural documents required for CERT operations.

APNIC is grateful for the opportunity to help facilitate some of these activities, with the local Vanuatu stakeholders leading the way and doing the necessary work to make things happen.

Multistakeholder effort leads to a successful launch

In mid-June 2018, CERT VU was launched, preceded by an APNIC workshop on incident response for the CERT team and members of government, local telcos and other businesses.

Shortly after the launch of CERT VU, a Memorandum of Understanding (MoU) was made official with the Australian government. The MoU was part of a bilateral security treaty, which also provided CERT VU with AUD 400,000 towards strengthening its capabilities.

The CERT is currently staffed by a single full-time OGCIO engineer and team lead, supported by two contractors. It is expected that dedicated staff will be hired once government resources become available.

The team has established a cybersecurity framework, including both a working strategy and a training roadmap, which will not only help build capacity but expand the team’s human networks. CERT VU Operations Manager Kensly Joses said: “It’s important to know contacts in the region, and to get together and share updates”.

CERT VU continues to develop relationships in the Pacific, participating in PaCSON and APCERT meetings, as well as networking with other regional CERTs at APNIC workshops and events. To date, they have secured MoUs with regional CERTs, security firms, financial and law enforcement bodies, and are in the process of securing further agreements with local and international organizations. These partnerships will boost security and information sharing as well as ensuring cyber threats are monitored effectively on a real-time basis. This global collaboration and networking in cybersecurity helps all parties involved in remaining vigilant.

With the team now well and truly operational, CERT VU is equipped to address security issues that all economies — large or small — need the capacity to handle. As CERT VU Cybersecurity Advisor Jeff Garae adds: “In the Pacific, just because an economy is small population-wise, it doesn’t mean your problem’s different from a developed nation — we’re accessing the same Internet”.

Source: APNIC