national cybersecurity policy 2021 - ict.gov.pg
Post on 04-Oct-2021
National Cybersecurity Policy Draft - August 2021
NATIONAL CYBERSECURITY POLICY 2021
FOREWORD BY THE MINISTER
XXXX
ABBREVIATIONS
APEC Asia Pacific Economic Cooperation
APNIC Asia Pacific Network Information Centre
ASMS Automated Spectrum Management System
CBD Central Business Districts
CI Critical Infrastructure
CII Critical Information Infrastructure
CIRT Computer Incidents Response Team
COPWG Child Online Protection Working Group
CSIRT Computer Security Incidents Response Team
CSOC Cybersecurity Operations Centre
DCI Department of Communications and Information
DDOS Distributed Denial of Service
DFA Department of Foreign Affairs
DJAG Department of Justice and Attorney General
GCA Global Cybersecurity Agenda
ICT Information and Communication Technology
IFMS Integrated Financial Management System
IGIS Integrated Government Information System
IoT Internet of Things
ISO International Standards Organisation
ITU International Telecommunications Union
LNG Liquefied Natural Gas
MDGs Millennium Development Goals
NCPISC National Cybersecurity Policy Implementation Steering Committee
NCSC National Cybersecurity Centre
NCSAC National Cybersecurity Strategic Advisory Committee
NICTA National Information and Communications Technology Authority
NID National Identification
NIO National Intelligence Organisation
NISIT National Institute of Standards and Industry Technology
NSAC National Security Advisory Committee
NSA National Security Agency
NSC National Security Council
OCC Office of Chief Censor
OSCA Office of Security Coordination Authority
PNGCERT Papua New Guinea Computer Emergency Response Team
PNGDF Papua New Guinea Defence Force
PPP Private Public Partnership
RPNGC Royal Papua New Guinea Constabulary
SDGs Sustainable Development Goals
UN United Nations
UNGA United Nations Global Agenda
1.0 INTRODUCTION
1.1 Purpose
The purpose of this document is to delineate and describe the National
Cybersecurity Policy for Papua New Guinea (PNG). Cyber-related risks are
evolving rapidly and as PNG becomes increasingly reliant on ICT, it is of
paramount importance that its technical and intelligence capabilities in
cybersecurity be developed to international standards and in accordance with
international best practice in order to provide adequate protection for its critical
infrastructure systems. When critical infrastructure systems or essential
services do not function properly, the Government, economy and society can be
adversely affected.
This National Cybersecurity Policy sets out the Government's approach toward cybersecurity. The Policy defines the Government's vision, goals, objectives, evolving governance and the principles to guide the development of relevant strategies and action plans on cybersecurity. Cybersecurity is a fundamental and integral component of ICT development. Moreover, to manage cyber threats more effectively and efficiently, appropriate laws, rules and procedures as well as structures and proper coordination among key stakeholders are required. This Policy provides for relevant legislation, rules and procedures to be developed as well as the establishment of organisations to support cybersecurity initiatives and enable the Government to assume the lead role in ensuring a safe and secure cyber environment.
The successful implementation of this Policy hinges on effective coordination amongst the implementing agencies and sufficient and sustainable resourcing through Government and industry commitment.
1.2 Background
Governments, businesses and people, in the modern era, are becoming
increasingly reliant on information and communication technology (ICT) or
digital technologies as these enhance their capabilities to perform and achieve
economies of scale in the conduct of their businesses.
The PNG Government recognizes the significance of digital technologies in accelerating economic growth and strengthening social cohesion across its nation. In 2018, PNG hosted the APEC Leaders’ Summit and it called for member economies to “harness inclusive opportunities and embrace the digital future”.
Over recent years, PNG has seen a rapid increase in the adoption of digital
technologies across various sectors of the economy. However, the use of digital
technologies inevitably introduces associated cyber security risks, and
addressing these will require a clear Policy direction.
The PNG National Security Policy 2013 recognizes ‘Cyber-based Threats’ and the
‘National Information Security’ as two of the generic threats to PNG’s survival.
These broader policy goals need to be translated into strategic direction at the
implementation level.
In 2020, the Government adopted a PNG Digital Transformation Policy that
recognizes and sets a path for the Government to support digital transformation
across all sectors of the economy. Cybersecurity was a paramount objective of
the Government under the PNG Digital Transformation Policy. This is considered
paramount as cyber-related risks are evolving rapidly and the country’s
technical and intelligence capabilities must be developed to align it with
international standards/norms and in accordance with international best
practices to protect PNG’s critical infrastructure systems and essential services.
Cyber-attacks have become more sophisticated, targeting specific organisations
in the public and private sector through victim reconnaissance and if the
country’s critical systems and infrastructure cease to function or are
compromised, the Government, economy and the society can be adversely
affected.
Protecting Papua New Guinea’s national security, ensuring the security of cyberspace and promoting the prosperity of the citizen through the use of digital technologies to drive economic growth and raise productivity and living standards for all Papua New Guineans are among top priorities.
Governments have a responsibility to lead by example. Moving more
government services online will make the lives of many PNG citizens easier,
however, citizens need to have confidence that their data is safe, underscoring
the need for government systems and data to be secure. This Policy combined
with the Digital Transformation Policy, the Digital Government Act and future
legislation such as Data Protection/Privacy and Communications Decency, and
a future National Cybersecurity Strategy will strengthen the defences of PNG’s
public sector networks.
The PNG Government is committed to equipping all consumers with the right
cyber security skills and raising levels of cyber security awareness so we can all
benefit from the opportunities in cyberspace. Both government and businesses
have finite resources. The actions outlined in this policy address the most urgent
issues. Technology is constantly changing; measures designed to improve
security in today’s online world can be quickly overtaken by new technologies,
systems, software and applications. The landscape, context, vision, goals,
principles, governance and legislation set out in this Policy are vital in providing
clear direction for the Government to address national cyber issues and shape
the priorities of a future National Cybersecurity Strategy.
1.3 Rationale
The domestic information space is vulnerable to the threat of exploitation and
manipulation by external interests. The Country’s ability to manage and control
information inflows and outflows from its jurisdiction is lacking to the extent that
it is unable to safeguard official and critical public information.
The lack of control has allowed other states with interest in PNG’s affairs to
become increasingly knowledgeable on what goes on in the country through
effective use of superior information and communication technology.
Additionally, there is an increase in other nations’ satellite-based eavesdropping
technologies and their strategic value and benefits. The Government is
concerned with its national security, and its ability to institute appropriate
counter measures to secure its jurisdiction and safeguard all sensitive
information and communication. Moreover, the Government must ensure all its
agencies in the information and communication industry and other security
actors are empowered to facilitate the improved information security of the
country.
Cyber adversaries are aggressive and persistent in their efforts to compromise
PNG networks and information. They are constantly improving their tactics to
infiltrate the government, private sector and other networks. They will also
target the weakest link; if the network security of their primary target is robust,
they will move to more easily compromised connected networks that could
provide access to the primary target.
Malicious cyber activity is a security challenge for all people in PNG. Outside of PNG, many nations, including Australian and US organisations across the public and private sectors, have been compromised by state-sponsored or non-state actors. SolarWinds is only one of many such incidents. In many countries, cyber criminals have targeted local governments, airports, hospitals and other critical infrastructure, crippling governments and putting the health of people at risk. Large multinational companies and government organisations have been targeted, losing substantial amounts of sensitive commercial and personal information or incurring major damage to their business and reputation.
The differences between some malicious cyber actors, such as organised criminal networks, state-sponsored actors and issue-motivated groups, are becoming less and less distinct. For example, activity by some cyber criminals can be more sophisticated than that conducted by many nation states. This growing network of malicious actors is having a global impact. Malicious cyber activities are wide ranging. They include activities designed to compromise the confidentiality, integrity or availability of computer networks or ICT systems or the information on them.
PNG is extremely vulnerable to the type of cyber-attacks experienced elsewhere in the world. It is thus essential and critical that the Government assume this obligation to support the continuity of essential services in the face of disruptive or sophisticated attacks. The loss of an essential service like electricity, water, hospitals/clinics or transport will have devastating impacts across all of PNG far beyond the targeted business. There is lots more that can be done to raise the overall security posture of critical infrastructure. Some nation states or state-sponsored actors are so sophisticated that an attack may be beyond the capability of a single network owner to handle alone, irrespective of its size, expertise and best efforts.
Being connected is now essential, creating new opportunities for innovation and growth for all people in PNG. To be competitive, businesses need to be online. But being online also brings risks. PNG is increasingly becoming a target for cyber intrusions and cybercrime. Governments, businesses and individuals need to work together to build resilience to cyber security threats and to protect the country’s critical resources.
It is critical that PNG build its nation’s stock of cyber security skills, which are becoming increasingly essential for life and work in the connected world. To respond to these challenges, Government must elevate cyber security as an issue of national importance. Leadership will be critical to achieving this goal.
The Government of PNG plays a significant role in the protection and enhancement of Cybersecurity in the country. The Government will strengthen its current lead role on cyber security policy and be the central point for policy issues to ensure a simplified Government policy interface for stakeholders.
2.0 CURRENT SITUATION
2.1 Global Trends
PNG is an integral part of the global society through the internet
connectivity that connects the entire world. The cybersecurity challenges and
issues that countries all over the world are encountering equally concern PNG.
Cyber security threats are increasing. Nation states and state-sponsored
actors and criminals pose serious threats to PNG citizens and businesses. The
global trend indicates that:
⚫ Criminals are using the dark web to buy and sell stolen identities, illicit commodities, and child exploitation material;
⚫ Social engineering and phishing remain an effective threat to enable other types of cybercrime;
⚫ Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals carry out phishing campaigns more easily through crime-as-a-service;
⚫ Criminals take advantage of national and global pandemics to attack vulnerable people; as evident in the COVID-19 pandemic, phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19;
⚫ The use of anonymising technologies has made it easier to commit serious crimes at volume and across jurisdictions, allowing criminals and other malicious actors to operate outside the visibility of law enforcement;
⚫ Ransomware attacks have become more sophisticated, targeting specific organisations in the public and private sector, including the healthcare industry during the COVID-19 pandemic, through victim reconnaissance;
⚫ Criminals have included another layer to their ransomware attacks by threatening to auction off the compromised data, increasing the pressure on the victims to pay the ransom;
⚫ Child exploitation acts have also grown significantly at the peak of the COVID-19 crisis as offenders use innovative methods to hide this crime, such as P2P networks, social networking platforms and encrypted communications applications;
⚫ Dark web communities and forums are meeting places where participation is structured with affiliation rules to promote individuals based on their contribution to the community, including recording and posting of child exploitation activities and encouraging others to do the same; and
⚫ Livestreaming of child abuse continues to increase, becoming even more popular than usual during the COVID-19 crisis when travel restrictions prevented offenders from physically abusing children. In some cases, video chat applications in payment systems are used, which becomes one of the key challenges for law enforcement as this material is not recorded.
Malicious cyber activity is one of the most significant threats impacting the world and PNG is part of the global society impacted by malicious cyber activities. The COVID-19 pandemic highlighted the evolving nature of cyber threats and PNG citizens must have adequate knowledge of these threats to ensure protection against Cyber security is at the heart of the transformation to a digital society.
Nation states and state-sponsored actors seek to compromise networks to obtain economic, policy, legal, defence and security information for their own advantage. Nation states and state-sponsored actors also seek to achieve disruptive or destructive effects against their targets. These actors tend to be sophisticated, well-resourced and patient adversaries, whose actions could impact PNG’s national security and economic prosperity.
Highly sophisticated nation states and state-sponsored actors continue to target governments and critical infrastructure providers. It is not uncommon for more than 30% of these incidents to try and directly attack a nation’s critical infrastructure providers that deliver essential services including healthcare, education, banking, water, communications, transport and energy.
To counter the cybersecurity challenges, the PNG Government must work closely with its international partners and strengthen and improve the capacity and capabilities of its law enforcement agencies to tackle, investigate and disrupt the volume and anonymity enabled by the dark web and encryption technologies. Encryption is a clear feature of an increasing number of services and tools. Accessing and gathering relevant data for criminal investigations is a principal challenge for law enforcement. The value of being able to access data of criminal communication on an encrypted network is the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.
2.2 Domestic Efforts
A minimum requirement for PNG to ensure protection of its critical infrastructure
and cyber environment in general is to have:
⚫ Relevant national policies, laws, rules and procedures to foster
coordination, collaboration and cooperation;
⚫ Specialized cybersecurity technical capabilities;
⚫ Proper institutional structures and skilled personnel;
⚫ Proper mechanism for information sharing and awareness.
PNG will need to establish these key requirements and the Government is
committed to ensuring these requirements are established.
PNG’s National Cyber Security Centre (NCSC) was established in 2018, with the
support of the Australian Government. The NCSC provides for training, exercises
and collaboration with industry sectors within the Government. The NCSC also
houses the network operational centre and the PNG CERT (computer emergency
response team)1. The Centre has been providing advice on enforcing incident
reporting regulations in PNG.
1 A CERT is a computer emergency response (or readiness) team and the term is trademarked by Carnegie Mellon
University. A CSIRT is a group that responds to security incidents when they occur. CSIRT stands for a computer
security incident response team and is a generic name for this type of service. The terms CERT and CSIRT are used
interchangeably, despite the important differences. The aim of a CERT/CSIRT is to share information to help other
response teams respond to threats against their own networks. In the PNG context, this means helping all other
sectors in society understand threats. The PNG CERT is currently managed by NICTA.
The NCSC has taken measures to protect the networks of public organizations. It has rolled out end-point-network protection to certain government departments and agencies, continuously monitors the networks for threats, and provides incident response support.
A Steering Committee, comprising key stakeholder agencies, oversees the functions of the NCSC. The Committee is led by the Department of ICT, and also includes Defence, Police, Justice, the National Intelligence Organization, and the Office of Security Coordination and Assessments (OSCA) which falls within the Department of Prime Minister and NEC.
2.3 Policy Landscape
Today, the economic security of PNG is inherently tied to the country’s national
security. As the foundations of our economy are becoming increasingly rooted
in digital technologies, the Government will model and promote best practices
and standards that protect our economic security and reinforce the vitality of all
citizens.
PNG remains vulnerable to cyber-based crimes as connectivity increases with the landing of the Coral Sea Cable. The incidences of various forms of cybercrimes and cyber espionage will increase. Various policies across different social sector agencies have identified and highlighted the need to address cyber safety, cybersecurity, cybercrime, and cyber resiliency. However, there is a need to clearly define these cyber threats and offer suggestions on ensuring the safety of all critical infrastructure, citizens' privacy and data held by these agencies and by the Government.
Policies must clearly identify and classify PNG’s critical information infrastructure (CII) that supports the ICT sector’s operation, such as assets related to the provision of voice/data communication and internet connectivity, and the critical infrastructure such as power plants, electrical plants, water supply, hospitals, airports and other critical infrastructure that are enabled by digital technologies. These critical national infrastructures require a high level of cyber security protection. CII are key components of any country’s critical national infrastructure. The Government will work with other Government agencies and other providers within the country to identify their critical information infrastructure through a step-by-step approach and establish specific criteria including the size of the potentially affected population, intra-sector and cross-sector dependencies, geographic criteria, and the impact on personal safety and privacy.
Considering the current landscape, this Policy sets a direction for the
Government to:
⚫ work collaboratively across all stakeholder groups, from the private sector
and civil society, to the academic and technical community to promote best
practices and develop strategies to overcome market barriers to the
adoption of secure technologies;
⚫ improve awareness and transparency of cybersecurity practices to build
market demand for more secure products and services;
⚫ collaborate with international partners to promote open, industry-driven
standards and risk-based approaches to address cybersecurity challenges to
include cloud security, platform and managed service approaches that lower
barriers to secure practice adoption across the breadth of the ecosystem;
⚫ work with the private sector and the ICT community to enhance awareness
and knowledge of cyber security and of proper cyber hygiene;
⚫ work with all Ministries including the Ministry of Education and the Ministry
of Higher Education to create a curriculum that can teach our students cyber
skills so that we can grow and create a cadre of skilled cyber security
professionals within PNG for the future. Growing the cyber security skills
pipeline will ensure all critical infrastructure owners and operators and
businesses have greater access to skilled cyber security professionals with
the right skills to meet demand.
3.0 VISION AND GOALS
3.1 Enabling Innovation
The Government of PNG is committed to enabling digital innovation, growth and prosperity for all Papua New Guineans, empowering citizens to become a smart, networked, and well-informed society. Through the Digital Transformation Policy, the Government hopes to:
● Promote collaboration, interaction, and participation,
● Promote innovation and learning,
● Provide an open and transparent government, and
● Provide citizen-centred services, and knowledge-based industries.
To achieve the goals of the PNG Digital Transformation Policy, the Government will develop and sustain its cybersecurity capabilities that will ensure a safe and secure cyber-environment for its citizens and businesses.
3.2 Vision
The Government envisaged an environment where all citizens interact and
collaborate safely and securely with the Government thus creating a digitally
innovative and prosperous environment for Papua New Guinea. To achieve this
Vision, the Government has established seven themes of actions for Papua New
Guinea cyber security over the next five years:
Theme 1: A national cyber partnership and collaboration;
Theme 2: Strong cyber defences and cyber resilience;
Theme 3: Cross cutting critical infrastructure that deliver critical
services/functions to the nation;
Theme 4: Global responsibility and influence;
Theme 5: Growth and innovation;
Theme 6: Increasing cyber awareness and education with PNG; and
Theme 7: Expanding efforts to raise awareness of cyber threats.
To create a digitally innovative and prosperous environment for Papua New Guinea will require a collaborative effort and cooperation from all stakeholders.
3.3 Policy Goals
The Government is committed to building and strengthening cyber security capabilities to anticipate and respond to cyber threats. Building the nation’s stock of cyber security skills and competency are becoming increasingly essential for life and work in the connected world. Equally important is to ensure that citizens, visitors, businesses and government agencies enjoy the full benefits of a safe, secure and resilient cyberspace.
The Goals of the National Cybersecurity Policy (NCP) are to:
Goal 1: Create a safe and secure online world;
Goal 2: Build trust in digital services and Papua New Guinea’s digital
economy by supporting businesses’ cyber resilience through sharing
threat information and setting clear expectations of roles for every
stakeholder;
Goal 3: Engage and sustain the participation and cooperation of all stakeholders including government, businesses, communities and regional partners in creating a more cyber secure environment;
Goal 4: Protect the Government’s most critical systems and essential
services from cyber threats;
Goal 5: Provide law enforcement agencies with greater ability to protect Papua New Guinea’s citizens online;
Goal 6: Develop relevant laws and standards to protect Government, citizens and business data and networks;
Goal 7: Expand the Government’s efforts to raise awareness of cyber security threats and empower the community to practise secure online behaviours;
Goal 8: Forge and maintain partnerships and collaboration with regional and international partners to build capacity on cybersecurity and in addressing cybercrimes;
Goal 9: Build a strong workforce of skilled cyber security professionals as a
key enabler for the growth of digital economy and security.
3.4 Policy Principles
The following Guiding Principles will lead PNG towards realizing its Vision and
the Goals:
• Building a strong cybersecurity environment that will guard the ‘Sovereignty’
of our Independence and safeguard the ‘Privacy’ of our citizens as enshrined
in our National Constitution;
• Protecting citizens, visitors, businesses and government agencies and critical
infrastructure by providing the necessary security frameworks, strategies
and guidelines, building national capacity, implementing information sharing
techniques and raising awareness;
• Engaging all stakeholders nationally and internationally in stakeholder
consultations and in other collaborations to ensure all stakeholders
understand the Policy Goals and Objectives;
• Strengthening the current legal framework to ensure that all policies are
updated for the digital economy, including child protection legislation and
privacy and data protection, critical infrastructure protection and e-Commerce;
• Cultivating strong linkages with the different UN organizations, regional
organizations, international and/or global organizations working in this arena.
4.0 POLICY ALIGNMENT AND FRAMEWORK
The National Cybersecurity Policy takes its cue from the National Constitution,
particularly the provisions relating to the safeguarding of Papua New Guinea’s
national sovereignty. The Goals of the National Cybersecurity Policy are
consistent with the main policies of Government and with other existing policies
of the Government that point towards security and a safe and secure cyber
environment. The National Cybersecurity Policy aligns with these policies and
guides the Government’s strategy, action plan and roadmap on Cybersecurity
and ensures a coordinated implementation.
4.1 The Papua New Guinea National Security Policy 2013
Provision of cyber services in PNG to the public service and to the wider
community is not uniform and it changes from agency to agency. The lack of
standards, the lack of identification of any particular agency to have control and
authority, the lack of appropriate legislation within the Government, and the
lack of any international protocols that can help the Government cause a lack
of coordination and are a threat to society, a threat to the trust held by people in
their government, a threat to the country’s critical infrastructure, a threat to the
privacy and security of citizens’ data and a threat to national security.
The National Government has in the past adopted policies to protect its citizens and to enhance information security. But the lack of a data protection and data privacy policy, encryption policies and other related legislation, combined with a lack of effective cyber policies and a lack of a campaign to raise awareness and educate the populace, have resulted in this lackadaisical attitude to cyber security, cybercrime, cyber safety and cyber resilience. Policy implementation has been hampered by a failure to design, develop, test, roll out and regularly maintain and improve a national cyber safety, cyber resilience, cyber security and cybercrime system.
Additionally, the Government is hampered by the lack of any international protocols it can call upon to assist it in its battle to fight cybercrime.
The Papua New Guinea National Security Policy 2013 is an attempt to give policy
guidance. It lists ‘Cyber-based Threats’, and ‘National Information Security’ as
two of the generic threats to PNG’s survival.
Cyber-based Threats is listed as a Level Two Threat. Security threats under this category do not mean that they are any less important but require a lower priority ranking. Depending on circumstances any threat in this category can very quickly be moved to Level One ranking.
4.2 The Papua New Guinea National Security Policy Strategic Action Plan 2014-2020
Policy Goal 8 (‘Ensure Technological Security’) of the National Security Policy Strategic Action Plan 2014-2020: Department of Communications & Information (now Department of Information and Communications Technology) to continue to spearhead a ‘whole-of-Government approach’ to a single National Information Technology Network supporting e-Governance.
4.3 The PNG Digital Transformation Policy 2020
The Papua New Guinea Digital Transformation Policy 2020 identifies Cyber
Safety and cyber resilience as one of its key pillars. It also provides for work to
be done to increase awareness of these critical issues.
The Policy recommends a Data Protection and Privacy legislation to be put in place and for the creation of cyber standards and guidelines to be established and published, including legislative frameworks to identify and ensure protection of critical infrastructure.
4.4 National ICT Policy 2008
The Government of Papua New Guinea (Government) has defined key priorities
with regard to the development of ICT in its 2008 National Information and
Communication Technology Policy (ICT Policy). The ICT Policy paved the way
for the liberalisation of the industry and caters for increased competition in the
telecommunications sector.
The ICT Policy highlights the importance of building confidence and security in our ICT systems2. It underlines the need to protect fundamental rights of citizens as well as to enable the investigation and prosecution of crimes. In 2014, the Government introduced the National Cybercrime Policy (Cybercrime Policy) and subsequently in 2016, enacted the Cybercrime Code Act 2016 (Act).
While the ICT Policy mentions cyber security, it does not limit security concerns to Cybercrime. It also highlighted that “criminal law is only a small part of the cybersecurity framework”3. The Government further elaborated that Government and Private Sector agencies need to cooperate in improving the security of their systems by applying sound security practices, improving and securing the sharing of information, and raising awareness.
2 National ICT Policy 2008 p.36
3 Ibid., p.38 ff
As outlined in the ICT Policy, access to information is beneficial but it is important to be mindful that the same technology provides access to illegal and harmful content.
The NIO Act of 1984 described below remains the mandated Authority that supports the protection of the Government of the day, all citizens and its legitimate investment and development partners against all forms of undesired threats, economic espionage and terrorism.
4.5 The National Intelligence Organization Act 1984
The PNG National Intelligence Organization by virtue of the National Intelligence
Organization Act
The NIO Act of 1984 remains the mandated Authority that supports the protection of the Government of the day, all citizens and its legitimate investment and development partners against all forms of undesired threats, economic espionage, terrorism, transnational crimes involving money laundering, human trafficking and so forth in the long term.
The National Security Council, the National Security Advisory Committee, and the PNG National Intelligence Organization are aligned by virtue of the National Intelligence Organization Act 1984.
4.6 The National Information and Communication Technology Act 2009
Subject to sections 11 and 58 of the National Information and Communication
Technology Act 2009, the National Information and Communication Technology
Authority (NICTA) may vary an individual licence to incorporate government
policy in favour of the deployment of security technology solutions at a licensee’s
Internet Gateway.
4.7 The Classification of Publication (Censorship) Act 1989
The Censorship Board of Papua New Guinea exists to classify the media content
that PNG consumes. It either applies age restrictions to that content, or (in the
case of certain illegal content) bans it entirely.
In 2014, the Censorship Office facilitated drafting of the Classification of Films, Publication and Online Service Bill 2014 to amend the Classification of Publication (Censorship) Act 1989 to reflect changing circumstances as technology had become part of everyday life.
The National Censorship Policy II 2020-2024 captures current trends and developments on matters related to censorship.
4.8 The Gaming Control Act 2007
Legality of online gambling such as www.pngbet.com is an ongoing issue and
the National Gaming Control Board may take action under the Gaming Control
Act 2007.
Electronic gambling or lottery by a child is also a cybercrime offence under
Section 14 of the Cybercrime Code Act 2016. A gaming operator may also be
held liable.
4.9 The Lukautim Pikinini Act 2015
Subject to section 13 of the Lukautim Pikinini Act 2015, the Office for Child and
Family Services shall consult with the Department of Information and
Communications Technology and other bodies recognized by the Act that are
capable of assisting in the protection and welfare of children.
4.10 The Cybercrime Code Act 2016
The Cybercrime Code Act 2016 creates powers for constitutional law
enforcement bodies but not the capability to perform those powers. The Royal
Papua New Guinea Constabulary or the Public Prosecutor, as holders of the respective
search, production and investigation powers under Part IV of the Act, have this
authority but have not exercised these powers due to technical incapability.
The Cybercrime Act also created legal tests for establishing the criminal liability of ICT Service Providers in PNG under Part V of the Act, which legal tests are heavily reliant on a technical capability on the part of the Royal Papua New Guinea Constabulary to access ICT Service Providers’ data for assessing evidence for commission of an offence or an omission against the Act that are critical to proving cybercrimes.
5.0 CYBERSECURITY FRAMEWORK
5.1 Coordination and Governance Mechanism
The Government will strengthen its existing structures as well as establish an
appropriate specialized body to oversee and maintain various responsibilities
on cybersecurity issues. It will coordinate its effort through the coordination
mechanism as depicted:
The National Security Council (NSC), chaired by the Prime Minister, is the highest decision-making body on national security issues threatening the sovereignty, security and protection of the Independent State of PNG. The National Security Advisory Committee through the Office of the Security Coordination and Assessment (OSCA) provides technical advisory support to the NSC.
The Government will take these directions:
5.1.1 A National Cybersecurity Coordinating Agency (NCCA) will
be established to be the coordinating arm of the Government on
matters relating to cyber security.
5.1.2 NCCA will, among others:
⚫ be a platform for interaction with stakeholders and influencers,
external and internal, including the private and public sector that
are seeking cyber security services and support or are seeking to
engage with operational agencies of Government on cybersecurity;
⚫ coordinate and connect stakeholders, influencers and public and
private sector bodies with appropriate functional and operational
agencies, in particular, the operational agencies of Government will
have within their oversight the critical digital infrastructures,
systems and capabilities and any external and/or foreign party
seeking to engage with these agencies will enter through NSCA for
check and clearance purposes;
⚫ coordinate research and development in cybersecurity.
5.1.3 PNG Computer Emergency Response Team (CERT) and
Cybersecurity Operational Centre (NCSC) are an established
technical capability that will provide technical support to the
operational agencies and departments of the Government. These
technical capabilities will be coordinated through the NCCA.
Among the responsibilities of the NCSC are the following:
⚫ conduct defensive cyber security operations;
⚫ promote a secured digital government environment;
⚫ ensure government digital infrastructure contains appropriate
security control technologies;
⚫ promote cyber resilience to ensure services that are essential
for everyday life remain effective and operational during cyber
threats and attacks;
⚫ investigate any breaches of cyber security and escalate security
incidents to appropriate authorities, if necessary, for their
intervention;
⚫ monitor and hunt cyber security threats across networks and
endpoints, and ensure that threats attacking data and assets
are contained and eliminated;
⚫ provide the persons to whom the NCSC provides services with
remote incident response and handling support;
⚫ conduct audits on cyber security tracking and monitoring
systems and endpoint devices used by public bodies;
⚫ establish procedures for the persons to whom the NCSC
provides services and other member organizations of the Papua
New Guinea CERT to report cyber-attacks or suspected cyber
security incidents;
⚫ provide regular reports to the persons to whom the NCSC
provides services;
⚫ provide technical support to the Papua New Guinea CERT; and
⚫ create cyber security standards and guidelines and technical censorship support services to a public body responsible for censorship matters.
5.1.4 A National Cybersecurity Strategic Advisory Committee
(NCSAC) comprising cybersecurity policy and operational
agencies will be established within the NCCA and chaired by the
Office of Security Coordination and Assessment to provide
technical advisory support to the Government. Technical working
group(s) and sub-committee(s) will be formed as and when
required to deal with specific issues on cyber security and
provide strategic directions.
5.2 Key Government Cyber Security Stake-Holders by
Implementation and Operational Functions
There are Government departments and agencies that oversee certain
functions and operations on cybersecurity. These functions and operations relate
to:
• development, implementation, monitoring and evaluation of appropriate
policies and strategies on cybersecurity;
• cyber defense and offensive capabilities;
• cyber investigation and intelligence; and
• counter-espionage, cybercrime and cyber safety.
The Government will strengthen and equip these institutions with appropriate
capabilities to perform their functions and operations effectively to safeguard
PNG’s cyber environment, its sovereignty and its people:
5.2.1 OSCA’s responsibility is to provide high quality and timely policy advice to
the National Security Council (NSC) for the effective management of
issues of national security, Defence & international relations. As a matter
of national security, the OSCA will continue to maintain strategic oversight
of cyber security matters through its chairmanship of the National Cyber
Security Steering Committee.
5.2.1 The Department of Information and Communication Technology as the
Government’s lead agency on ICT policy matters will oversee and lead
the development, implementation, monitoring and evaluation of
appropriate policies and strategies on cybersecurity.
5.2.2 PNG Defense Force will be responsible for PNG’s cyber defense and
offensive capabilities.
5.2.3 National Intelligence Organization will be responsible for cyber
investigation and intelligence service.
5.2.4 Police will be responsible for counter-espionage and cybercrime and cyber
safety enforcement.
5.2.4 Department of Justice and Attorney General and the Office of the Public
Prosecutor will be responsible for Mutual Assistance in Criminal Matters
and for prosecution of cybercrime and cyber security related matters.
5.2.5 Office of the Censorship will be responsible for Cyber Hygiene and other
aspects of online safety.
5.3 Cyber Resilience of Critical National Infrastructure
5.3.1 Identifying Critical National Infrastructure
CII are key components of any country’s critical national infrastructure. The Government will work with other Government agencies and other providers within the country to identify their critical information infrastructure through a step-by-step approach and establish specific criteria. Among other criteria, CII will be defined based on:
• the size of the potentially affected population;
• intra-sector and cross-sector dependencies;
• geographic criteria; and
• the impact on personal safety and privacy.
Critical infrastructure top targets are:
⚫ Public/government,
⚫ Telecommunications,
⚫ Health,
⚫ Academic,
⚫ Manufacturing,
⚫ Power/utility,
⚫ Transportation, and
⚫ General information warfare threats.
5.3.2 Statistical Data on Cyber Security Compromises
Better statistical data on the national impact of cyber security compromises is required to enable PNG Government and businesses to make informed decisions when managing cyber risks. Data collection measures will help the Government and the private sector to better make decisions that address cyber security threats to PNG’s economy and security. Government through the Department of Information and Communication Technology will establish and maintain a database on the national impact of cyber security breaches.
5.3.3 Protecting Critical Infrastructure and Businesses
While cyber security is foundational to protecting assets from an attack happening in the first place, cyber resiliency concerns the assurances for a nation that its critical infrastructures will remain effective and operational for it to endure inevitable attacks.
Attribution of responsible attackers is a capability enabled by threat intelligence analysis of multiple sources of information to learn tactics, techniques, and procedures used by attackers. This information enhances methods for security and resiliency. Transparency of these capabilities, propensity for risk, and cultures are challenges to national cyber strategies being comparable to protect our tightly woven digital economies.
The Government will develop and actively defend the critical infrastructure that
all PNG citizens rely on, including:
⚫ work with the business community to create a voluntary code of conduct/practice for all products and services that will set out the Government security expectations for Internet-connected consumer devices.
⚫ partner with the private sector, especially large businesses, to assist small and medium enterprises (SMEs) to grow and increase their cyber security awareness and capability.
⚫ work with the private sector to manage risks to critical infrastructure at the
greatest risk;
⚫ develop a comprehensive understanding of national risk by identifying
national critical functions and will mature our cybersecurity offerings and
engagements to better manage those national risks;
⚫ prioritize risk-reduction activities across critical key areas: national security,
energy and power, banking and finance, health and safety, communications,
information technology, and transportation;
⚫ Cyber security obligations for business owners and operators;
⚫ New ways to investigate and shut down cyber-crime, including on the dark
web;
⚫ Stronger defences for networks, computer systems and data;
⚫ Greater collaboration with other international countries to build PNG’s cyber
security skills pipeline.
⚫ Increased situational awareness and improved sharing of threat information.
⚫ Stronger partnerships with industry.
⚫ Advice for small and medium enterprises to increase their cyber resilience.
⚫ Clear guidance for businesses and consumers about securing Internet of
Things devices.
⚫ 24/7 cyber security advice hotline for SMEs and families.
⚫ Creating Effective Cyber Security Defences.
⚫ Improved community awareness of cyber security threats.
5.3.4 Private Secure Data Exchange Platform
The Government will establish a Private Secure Data Exchange platform to connect the various Government data infrastructure as a best practice to promote security within the Government network. It is critical and essential that these platforms fall under the Government’s critical infrastructure.
5.4 Role of a Government Cloud Platform in Cyber Security
Cloud security is now essential in any new cyber policy.[4] Cloud Security
involves the procedures and technology that secure cloud computing
environments against both external and insider cyber security threats. Cloud
security and security management best practices designed to prevent
unauthorized access are required to keep data and applications in the cloud
secure from current and emerging cybersecurity threats.
Many public service agencies, responsible for official government information
and services, are already using public cloud-based infrastructure and services,
driven by business requirements and cost efficiencies. This brings the challenge
that government and citizens' data may unknowingly be exposed to malicious
third-party intermediaries, with or without citizens’ concern or awareness
of the exposure and associated risks, which may be outside government
jurisdiction to administer or intervene in the event of any breach. This can be
addressed through appropriate and relevant government policies, standards,
and guidelines to guide the deployment and use of cloud-based infrastructures
and services.
Digital Government Legislation is vital to pave the way for the development of standards and guidelines for the Government’s private Government Cloud. The cloud platform provides access to many powerful tools and services, such as big data analysis and artificial intelligence, that are very useful for their intended purposes but can be disruptive to standing government constitutional boundaries and policies, including data protection and privacy, if government and personal data fall into the wrong hands in the cloud environment.
The Government recognizes that ICT providers within PNG are in a unique position to help the Government to detect, prevent, and mitigate risk before it impacts customers,
[4] Cloud computing, which is the delivery of information technology services over the internet, has become a must for businesses and governments seeking to accelerate innovation and collaboration.
The Government will:
⚫ develop appropriate and relevant government policies, standards, and
guidelines to guide the deployment and use of cloud-based infrastructures
and services.
⚫ work with the private sector to manage risks to critical infrastructure at the
greatest risk;
⚫ develop a comprehensive understanding of national risk by identifying
national critical functions and will mature our cyber security offerings and
engagements to better manage those national risks;
⚫ prioritize risk-reduction activities across critical key areas: national security,
energy and power, banking and finance, health and safety, communications,
information technology, and transportation;
⚫ work with ICT providers to improve ICT security and resilience in a targeted
and efficient manner while protecting privacy and civil liberties;
⚫ work to strengthen our efforts to share information with ICT providers to
enable them to respond to and remediate known malicious cyber activity at
the network level;
⚫ encourage reporting of intrusions and theft of data by all victims, especially
critical infrastructure partners. The prompt reporting of cyber incidents to the
Government is essential to an effective response and prevention of future
incidents;
⚫ work to update electronic surveillance and computer crime statutes to
enhance law enforcement’s capabilities to lawfully gather necessary evidence
of criminal activity, disrupt criminal infrastructure through civil injunctions,
and impose appropriate consequences upon malicious cyber actors.
5.5 Best Practices
The policy goals, principles, and vision spell out how the Government plans to
change its practices, educate its workforce and the general population, partner
and collaborate with others so that it can strengthen and harden its
infrastructure and improve its cyber resilience.
Internet security requires a combination of several products and technologies to
properly safeguard data. The Government will develop an internet security
strategy that will take into consideration key tactics to safeguard its data
including, among others:
⚫ Browser selection: Each browser has its own security measures in place,
but some can have serious flaws that allow hackers and cybercriminals to
exploit and invade. Ensure that you're using a secure browser to reduce the
risk of compromising your computer or network.
⚫ Multi-factor authentication (MFA): MFA is a method of controlling
computer access by requiring several separate pieces of evidence to an
authentication mechanism. Websites and email accounts can be made more
secure by requiring at least two factors of authentication by a user.
⚫ Email security: Email creates a wave of opportunity for viruses, worms,
Trojans, and other unwanted programs. Establishing a multi-layered and
comprehensive email security strategy will help significantly reduce exposure
to emerging threats. Email messages can also be protected by using
cryptography, such as signing an email, encrypting the body of an email
message, and encrypting the communication between mail servers.
⚫ Firewalls: Firewalls act as filters that protect devices by allowing or denying
access to a network. By applying a specific set of rules to identify if something
is safe or harmful, firewalls can prevent sensitive information from being
stolen and keep malevolent code from being embedded onto networks.
Educating and creating awareness on cyber safety is a best practice that many
nations have adopted as a priority. PNG Government will adopt the following
approach on educating and creating awareness on cyber safety:
⚫ educate its workforce;
⚫ work closely with the private sector to build up cyber resilience;
⚫ introduce cyber safety into the educational curriculum of primary, secondary
and higher education;
⚫ collaborate with international organizations including the Global Cybersecurity
Alliance, Get Safe Online, and other groups and ensure all toolkits, best
practices, and resources are translated into Tok Pisin;
⚫ develop ‘best practice guidelines’ for use in schools and workplaces and for
citizens.
5.6 Collaboration
Cooperation and collaboration with other partners is critical. The Government
recognizes that no Government can unplug itself from the world or exist in its
own silo. It requires collaboration and partnership both with the private sector,
NGOs, technical community as well as with international organizations and other
governments. The Government will work with other governments, increase
partnerships and become a member of international organizations working in
the cyber security arena.
A coordinated approach led by the Government is a key step towards Cybersecurity preparedness and resilience to counter cyber threats and attacks. In this vein, the Government will coordinate more collaboration with the private sector, technical communities, international cybersecurity bodies and other governments to:
⚫ Create common standards and practices on Cybersecurity within Government, and guidelines to businesses;
⚫ Develop appropriate and relevant legal and regulatory frameworks to define and support common standards, practices and guidelines;
⚫ Strengthen institutions responsible for cybersecurity with adequate capacity to lead and enhance Cybersecurity activities;
⚫ Encourage national co-leadership and cross-sectoral partnerships to foster strong cybersecurity.
5.7 International Cooperation
The Government will work with its allies, donors, international partners and
the technical community to assist in strengthening PNG’s capacity to prevent or
respond to malicious cyber activity, including in response to sophisticated actors.
PNG is a member of the Global Forum on Cyber Expertise, PaCSON and APEC,
and the Government will assess and join other related cyber organizations in
order to strengthen its capacity to protect PNG’s cyber environment.
PNG will enter into bilateral and multilateral partnership on Cyber Security Cooperation.
The partnership will focus on areas of:
a. Developing and enhancing cyber security governance and best practice
frameworks;
b. Building capacity in incident response, forensic analysis and crisis
management;
c. Establishing and equipping PNG’s cybersecurity technical institutions to
monitor the protected networks for threats and provide incident response
support;
d. Enhancing PNG CERT capacity (CERTs are the “first responders” during a
cyber incident) by providing regular training at the NCSC.
6.0 LEGAL AND REGULATORY FRAMEWORK
6.1 Legislation
There are various policies the Government has adopted that both provide a
framework for cybersecurity and act as an anchor for the Government’s National
Cybersecurity Policy. The Legislative Acts listed in this Section are the key
critical legislations that the Government will enact to lay out and describe the
cybersecurity standards that will be required and provide clear guidance for
Public and Private sector on cybersecurity.
These legislations will give effect to Government’s policies, strategies, action
plans and roadmaps on cyber security and ensure a structured, collaborative
and coordinated approach towards effectively addressing national cyber security
challenges.
6.1.1 Digital Government Legislation
The legislation will set the legislative framework for ICT governance particularly digital information management systems in all public bodies in PNG. It will deliver digital infrastructure, digital government, digital skills, innovation and entrepreneurship, digital cyber security and privacy, financial inclusion and information classification across the whole-of-government and sub-nationally for delivery of public services efficiently paving way for transformation of the economy into a digital economy.
The law will:
⚫ Pave way for proper coordination of procuring and use of digital technologies
in the public sector, ensuring highest level of security for government systems and government information and data;
⚫ Establish, define and anchor the functions and powers of the Department of
ICT as lead Government agency to provide oversight on digital transformation processes across the whole-of-government.
The Digital Government Legislation will provide the legal basis for the
Government to:
⚫ Streamline national planning and coordination of ICT funding, infrastructure development and services primarily within the public sector;
⚫ Define and ensure compliance of international best practices, national ICT and digital standards for all public and statutory bodies;
⚫ Centralize and streamline procurement and usage of ICT products and services for all public and statutory bodies;
⚫ Compel and facilitate the centralization of all government data and information, and sharing of data and information between government to government, government to citizen, government to business and vice versa;
⚫ Facilitate and compel cybersecurity standards and compliance for all public and statutory bodies;
⚫ Facilitate and coordinate digital government services specifically: government to government, government to citizen, government to business and vice versa, to increase public service delivery efficiency and reduce government expenditure. For example, e-Voting, e-Census, e-Tax, e-Agriculture, e-Police, e-Education, e-Parliament and range of e-services; and
⚫ Facilitate transformation of the economy to digital economy through development and implementation of other relevant regulations and standards, programs, and projects pertaining to digital skills, digital services, and digital infrastructure.
⚫ Facilitate and coordinate digital information dissemination and communication for government to government, government to citizen, government to business and vice versa.
6.1.2 National Cyber Security Legislation
A National Cybersecurity Legislation will be developed to implement the goals and objectives of this Policy. Cyberspace and its underlying infrastructure are vulnerable to a wide range of risks stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services.
Legislation should harmonize with existing national laws and contain provisions
compatible with international standards and best practices in order to enable
and sustain cooperation regionally as well as on an international basis. It should
provide for creation of a specialized cybersecurity agency and a coordination
framework to harmonize efforts across key cybersecurity agencies of
Government and enable collaboration and cooperation among all stakeholders
to ensure protection of:
⚫ digital services and essential services;
⚫ e-identification and trust services; and
⚫ personal data; among others.
Cyber security challenges persist as a result of a number of factors including, among others, lack of a culture of cyber security consciousness and limited awareness on cyber security issues among businesses and individuals; challenge of enforcement of legislation; as well as limited capacity among law enforcement agencies in the detection, investigation and prosecution of internet-facilitated crimes.
Many Government agencies have a minimal understanding of cybersecurity risks
and threats. The private sector has limited awareness of cybersecurity threats
and risks. Moreover, SMEs within PNG lack the human capacity and
resources to sufficiently deal with cybersecurity. Nationwide, larger international
NGOs do not consider cybersecurity a priority and, as a result, they are
subject to a range of cyber-attacks. Despite having a CERT within PNG, the
channels to report cyber incidents are not coordinated. Certification and
accreditation of public sector cybersecurity professionals did not exist.
Cybersecurity laws and regulations tend to cover the most common matters that arise from cyber threats. These matters include a focus on criminal activity, corporate governance, insurance matters, and the jurisdiction of law enforcement. The legislation would establish a new agency to be responsible for all cybersecurity issues. Cybersecurity authorities within the new Cyber Security agency will regulate and promote developments within the country and manage and enforce its cybersecurity space. This mandate will see the new Cybersecurity Agency play a key role in preventing, managing, and responding to cybersecurity incidents in PNG. This new Agency or Authority will work closely with the Agency or Department that manages Critical Infrastructure in terms of cybersecurity activities, services and practices. The Cybersecurity Agency that will be set up will have a very wide mandate in ensuring that PNG is protected from cyber-attacks and breaches. To this end, the Agency will be monitoring cybersecurity threats within and outside PNG, taking measures in response to cybersecurity attacks and breaches, especially
those with the potential of threatening PNG’s national security, economy, international relations, and public health.
At the heart of the Cybersecurity Act is the protection of computer systems. A computer system includes a variety of technological devices with computing capabilities such as an operational technology system, or any device which has supervisory control and data acquisition and distribution capabilities.
6.1.3 Critical Infrastructure Legislation
The Government recognizes the need to protect essential critical infrastructure
against natural disasters, terrorist activities and cyber threats. Disaster
preparedness, response and recovery are top priorities. It will develop
legislation to protect PNG’s critical infrastructure and systems.
The legislation would harmonize with existing national laws and contain provisions compatible with international standards and best practices. It will provide a mechanism to identify PNG’s critical infrastructures in respective sectors and provide necessary protection of these infrastructures. It will mandate and empower relevant responsible agencies to take necessary measures towards protecting these critical infrastructures, including measures on disaster preparedness, response and recovery.
Systems that once stood alone managing critical infrastructure operations are
connecting to the Internet and sharing sensitive data. Through convergence,
physical structures are merging with digital structures and are connected to the
Internet, making these services vulnerable to attacks.
While this increased reliance on interlinked capabilities helps make the PNG economy more efficient and stronger, it also makes the country more vulnerable to disruption and attack. This interdependent and interrelated infrastructure is more vulnerable to physical and cyber disruptions because it has become a complex system with single points of failure.
The elements of the infrastructure themselves are also considered possible targets of terrorism. Traditionally, critical infrastructure elements have been lucrative targets for anyone wanting to attack another country. Now, because the infrastructure has become a national lifeline, terrorists can achieve high economic and political value by attacking elements of it.
Disrupting or even disabling the infrastructure may reduce the ability to defend the nation, erode public confidence in critical services, and reduce economic strength. Additionally, well-chosen terrorist attacks can become easier and less costly than traditional warfare because of the interdependence of infrastructure elements. These infrastructure elements can become easier targets where there is a low probability of detection.
The elements of the infrastructure are also increasingly vulnerable to a dangerous mix of traditional and non-traditional types of threats. Traditional and non-traditional threats include equipment failures, human error, weather and natural causes, physical attacks, and cyber attacks. For each of these threats, the cascading effect caused by single points of failure has the potential to pose dire and far-reaching consequences.
PNG’s access to power, electricity, transportation networks, drinking water and many other critical infrastructure services is increasingly at risk from cyber-attacks. These threats can have devastating consequences and could threaten entire communities. The success of critical infrastructure protection initiatives relies on strong and meaningful partnerships being built between governments, the private sector, technical communities, and our development partners. Success also relies on the solutions that are used to manage and implement these initiatives.
7.0 Cybersecurity Emergency Readiness
The Government is committed to introducing measures, adopting legislation and standards, and strengthening the institutional framework on cybersecurity to safeguard PNG’s cyber environment.
A Joint Strategic Centre (JSC) will be established to provide ICT support services
for the control and management of a special situation and other related matters.
The responsibilities of the JSC would be to:
⚫ ensure interagency connectivity and resource sharing for emergency responses and public safety;
⚫ provide emergency systems or digital infrastructure as shared services;
⚫ use software and hardware to provide facial recognition services, vehicle recognition services and intelligent video recognition services;
⚫ provide human behaviour analysis services for early detection of offenses;
⚫ provide services to eliminate information and communication silos across public bodies;
⚫ enable efficient collaboration amongst public bodies for data storage, data sharing, analysis and dispatch to support policy decisions; and
⚫ otherwise enhance the control and management of any special situation and promote enforcement of any restrictions or other lawful requirements made in response to the special situation.
An Action Plan will be developed to provide a clear path for the Government to
respond to cybersecurity emergencies.
8.0 Development of a Cybersecurity Strategy
The Policy provides a directional statement on paths that the Government will
implement. A cybersecurity strategy will be developed to translate the Goals
and directional statements of the Policy into a plan of action.
9.0 Implementation Framework
The institutional and governance arrangements to oversee the implementation
of the various directives and technical measures on cyber security provided in
this Policy will follow a phased approach.
Phase 1 will be for a term of two (2) years from the time the Policy is adopted.
It will build on the current effort. The Department of Information and
Communication Technology will oversee the National Cyber Security Centre,
provide technical support on cyber security and provide secretariat support to
the National Cyber Security Centre Steering Committee. OSCA will provide
chairmanship to the Committee. Major deliverables in Phase 1 are:
⚫ Development of the Cyber Security Legislation that will establish the National Cyber Security Coordinating Agency and define the roles of key stakeholders on cyber security and the working relationship among these stakeholders;
⚫ Development of Legislation for Critical Infrastructure to protect PNG’s national critical infrastructures and assets;
⚫ Maintaining and upgrading the National Cyber Security Centre to meet international standards and best practice requirements;
⚫ Training and capacity building on cyber security for PNG nationals to a competency level on par with international experiences; and
⚫ Facilitating the necessary requirements for the establishment of the Cyber Security Coordinating Agency.
Phase 2 will commence upon the establishment of the Cyber Security Agency.
The following implementation framework will be adopted for the development
and implementation of PNG’s National Cyber Security Strategy and Action
Plan.
9.1 Executive Sponsor
The OSCA is the Executive Sponsor of the National Cyber Security Strategy.
OSCA will be primarily responsible for assigning relevant roles and
responsibilities and allocating sufficient human and financial resources. OSCA is
the Agency in the Government that has a clear understanding of the
Government’s broad security, digital and development ambitions.
9.2 Lead Authority
Department of Information and Communication Technology will be the Lead
Authority on cyber security strategy design and coordination of its
implementation.
DICT will:
• lead the development of the cybersecurity strategy;
• be responsible for providing leadership on the culture and values that
shape the strategy’s focus; and
• in its capacity as lead ‘project’ authority, appoint various government
departments to be involved in the cyber strategy design and development
process and in the implementation of the strategy’s action plan.
9.3 National Cyber Security Centre (NCSC) Steering Committee
A Cyber Security Steering Committee will provide guidance and play a critical
role in quality assurance and assist the lead project authority to overcome any
inherent bias and help avoid intra-government competition for resources. The
Steering Committee will guarantee the transparency and inclusiveness of the
process. Representatives on the Steering Committee will (as a minimum) be the
following departments:
⚫ OSCA to provide chairmanship
⚫ Defence,
⚫ Justice,
⚫ Censorship,
⚫ Police,
The National Intelligence Office and the Department of ICT to provide secretariat
support
The Steering Committee will:
• be aided by an advisory committee composed of private sector companies and professionals as well as representatives from the Technical Community, the academic community and any cyber related NGOs in PNG;
• ensure that the Government has the correct Cyber resiliency standards
and guidelines that are needed to protect all infrastructure and essential services from attack;
• work with the respective Ministry, Agency or department to promote the
adoption of common policies and best practices that are risk-based and
able to effectively respond to the pace of ever-changing threats. As
systems are protected, alerts can be issued in real time when events are
detected to help protect networks across the government information
technology enterprise and the private sector. This enterprise approach
will help transform the way federal civilian agencies manage cyber
networks through strategically sourced tools and services that enhance
the speed and cost effectiveness of federal cybersecurity procurements
and allow consistent application of best practices.
• work with its partners to provide Government Agencies with capabilities
and tools that identify cybersecurity risks on an ongoing basis, prioritize
these risks based upon potential impacts, and enable cybersecurity
personnel to mitigate the most significant problems first. It is their goal
to provide adequate, risk-based, and cost-effective cybersecurity and
more efficiently allocate cybersecurity resources.
9.4 Current Stakeholders
Stakeholders from civil society, the technical community, the private sector,
and academia will be identified to work with the Steering Committee and be
engaged in the development of a cyber security strategy. More stakeholders will
be included as the NCSS is developed.
10.0 Monitoring and Evaluation Framework
Monitoring, evaluation (M&E) and learning from the outcome of M&E are important to ensure effective implementation of this Policy and to ensure relevant agencies and key stakeholders are progressively implementing the objectives and the directions of this Policy.
The Department of Information and Communication Technology, in collaboration with stakeholder agencies, will design and implement a monitoring, evaluation and learning framework to:
⚫ track the progress on implementation of the Cyber Security Policy objectives;
⚫ learn about the impact of activities/policy initiatives and the evolving cyber
policy and threat landscape in PNG; and
⚫ provide a status Report to the Government with recommendations where
required to improve implementation.
The design and implementation of the Monitoring and Evaluation Framework will, among other key areas, focus on tracking and evaluating the major policy objectives relating to:
⚫ Establishment of the Joint Cybersecurity Strategic Centre;
⚫ Development of Cybersecurity Legislation and relevant associated laws;
⚫ Development of cybersecurity strategy;
⚫ Deployment of critical technical capabilities and measures to safeguard
critical infrastructures and services;
⚫ Awareness and skills development in cybersecurity; among others.
In addition to monitoring and evaluating the major Policy objectives, the Department of Information and Communication Technology will collaborate with the Joint Cyber Security Centre and key stakeholders to develop a database to capture statistics on cybersecurity breaches and to monitor cybersecurity trends globally, in order to raise awareness and inform the policy intervention and decision-making process.
The Government is aware that certain international organizations have developed a cyber security index and the Government will assess and use these international cyber security indexes as baseline indicators for monitoring and evaluating cybersecurity preparedness in PNG.
An implementation Report, based on the Policy monitoring and evaluation, will be produced and circulated to stakeholder agencies on a quarterly basis. This will inform the need for Government intervention where required to further strengthen Cyber Security in PNG. In addition to the annual monitoring and evaluation exercise and report on the implementation of the Policy, a review of this Policy will be conducted every two (2) years and a mid-term review after five (5) years.