The growing interest among Pacific economies in establishing their own national CERTs has led us to develop a new regional CERT training workshop, which we delivered for the first time in Tonga in May, thanks to support from the Australian Government. Around 24 security practitioners from five economies, including staff from Tonga CERT and PNG CERT, participated in the four-day workshop, which focused on packet analysis for cybersecurity investigation.
CERT Vanuatu has taken a slightly different path to its Tongan and PNG counterparts. Having developed a National Cybersecurity Policy in 2013, the Vanuatu Government worked on its cybersecurity strategy, which recommended the establishment of a national CERT. In contrast, Tonga and PNG CERTs were established to lead the development of their respective national cybersecurity strategies.
A multistakeholder task force was then established to plan what CERT VU would look like and how it would be launched — APNIC also played a role in this process, assisting in a preliminary working group as well as facilitating a workshop for the task force on best practices for establishing a CERT.
Both paths have their merits; the important factor is that these economies are taking proactive, multistakeholder measures to protect and mitigate against cyber threats. As the Acting Director of the Prime Minister’s Office, Gregoire Nimbtik, stated at the launch last month, the newly established CERT will ultimately “help the government, business organizations, and individuals who are using the Internet in Vanuatu” by providing a central point of online security risk management, control and mitigation.
Developing cybersecurity capacity among non-technical people just as important
Apart from these CERT-focused activities, APNIC security specialists have also been busy conducting several workshops in Samoa, Solomon Islands, Tokelau, Tonga, Tuvalu and Vanuatu for an array of technical and non-technical people.
The inclusion of non-technical people, particularly managers, policymakers, and law enforcement agencies, is a key component in strengthening the region’s overall cybersecurity. This has helped drive the creation of:
- The Pacific Cyber Security Operational Network (PaCSON), which held its first meeting in Brisbane, Australia in May.
- A project led by the ITU, the Global Cyber Security Capacity Centre (GCSCC), and the Oceania Cyber Security Centre (OCSC), which is auditing cybersecurity maturity in the region.
- Workshops for system administrators to help raise security awareness and education (which APNIC has been involved in facilitating).
There is a lot of basic education required in these small island economies. They might not be under threat yet, but they need to have systems in place to monitor for and collect data from attacks, to help with notification and investigation of attacks in the future.
National CERTs will play an important role in developing this in-country capacity in the future, but they need time to develop their own capacity and resources. These and future meetings, workshops and training run by APNIC, CERT Australia and other organizations will assist with developing a basic level of cybersecurity and information security awareness. In addition, capability and awareness need to be developed in other entities and sectors outside national CERTs.
As part of the project, we will be holding a second regional CERT workshop in New Caledonia (as part of APNIC 46), in which we hope to involve the same organizations that attended the first workshop in Tonga in May. This workshop will focus on general security topics, and participants will also be able to attend a FIRST TC, which will be held prior to the APNIC meeting, furthering participants’ networking opportunities.
A goal of these workshops is not just developing awareness of cyber threats and the capacity to mitigate them. It is also about building relationships and trust between participants from different economies. Ultimately, it is this trust that will encourage public/private system administrators, cybersecurity specialists, and CERTs/CSIRTs to share information, which is a vital ingredient in effective incident response.