national cybersecurity policy 2021 - ict.gov.pg

National Cybersecurity Policy Draft - August 2021 NATIONAL CYBERSECURITY POLICY 2021


Post on 04-Oct-2021



NATIONAL

CYBERSECURITY

POLICY

2021


FOREWORD BY THE MINISTER

XXXX


ABBREVIATIONS

APEC Asia Pacific Economic Cooperation
APNIC Asia Pacific Network Information Centre
ASMS Automated Spectrum Management System
CBD Central Business Districts
CI Critical Infrastructure
CII Critical Information Infrastructure
CIRT Computer Incidents Response Team
COPWG Child Online Protection Working Group
CSIRT Computer Security Incidents Response Team
CSOC Cybersecurity Operations Centre
DCI Department of Communications and Information
DDOS Distributed Denial of Service
DFA Department of Foreign Affairs
DJAG Department of Justice and Attorney General
GCA Global Cybersecurity Agenda
ICT Information and Communication Technology
IFMS Integrated Financial Management System
IGIS Integrated Government Information System
IoT Internet of Things
ISO International Standards Organisation
ITU International Telecommunications Union
LNG Liquefied Natural Gas
MDGs Millennium Development Goals
NCPISC National Cybersecurity Policy Implementation Steering Committee
NCSC National Cybersecurity Centre
NCSAC National Cybersecurity Strategic Advisory Committee
NICTA National Information and Communications Technology Authority
NID National Identification
NIO National Intelligence Organisation
NISIT National Institute of Standards and Industry Technology
NSAC National Security Advisory Committee
NSA National Security Agency
NSC National Security Council
OCC Office of Chief Censor
OSCA Office of Security Coordination Authority
PNGCERT Papua New Guinea Computer Emergency Response Team
PNGDF Papua New Guinea Defence Force
PPP Private Public Partnership
RPNGC Royal Papua New Guinea Constabulary
SDGs Sustainable Development Goals
UN United Nations
UNGA United Nations Global Agenda


1.0 INTRODUCTION

1.1 Purpose

The purpose of this document is to delineate and describe the National Cybersecurity Policy for Papua New Guinea (PNG). Cyber-related risks are evolving rapidly and as PNG becomes increasingly reliant on ICT, it is of paramount importance that its technical and intelligence capabilities in cybersecurity be developed to international standards and in accordance with international best practice in order to provide adequate protection for its critical infrastructure systems. When critical infrastructure systems or essential services do not function properly, the Government, economy and society can be adversely affected.

This National Cybersecurity Policy sets out the Government's approach toward cybersecurity. The Policy defines the Government's vision, goals, objectives, evolving governance and the principles to guide the development of relevant strategies and action plans on cybersecurity. Cybersecurity is a fundamental and integral component of ICT development. Moreover, to manage cyber threats more effectively and efficiently, appropriate laws, rules and procedures as well as structures and proper coordination among key stakeholders are required. This Policy provides for relevant legislation, rules and procedures to be developed as well as the establishment of organisations to support cybersecurity initiatives and enable the Government to assume the lead role in ensuring a safe and secure cyber environment.

The successful implementation of this Policy hinges on effective coordination amongst the implementing agencies and sufficient and sustainable resourcing through Government and industry commitment.

1.2 Background

Governments, businesses and people, in the modern era, are becoming increasingly reliant on information and communication technology (ICT) or digital technologies, as these enhance their capabilities to perform and achieve economies of scale in the conduct of their businesses.

The PNG Government recognizes the significance of digital technologies in accelerating economic growth and strengthening social cohesion across its nation. In 2018, PNG hosted the APEC Leaders’ Summit and it called for member economies to “harness inclusive opportunities and embrace the digital future”.

Over recent years, PNG has seen a rapid increase in the adoption of digital technologies across various sectors of the economy. However, the use of digital technologies inevitably introduces associated cyber security risks, which require a clear Policy direction to address.


The PNG National Security Policy 2013 recognizes ‘Cyber-based Threats’ and the ‘National Information Security’ as two of the generic threats to PNG’s survival. These broader policy goals need to be translated into strategic direction at the implementation level.

In 2020, the Government adopted a PNG Digital Transformation Policy that recognizes and sets a path for the Government to support digital transformation across all sectors of the economy. Cybersecurity was a paramount objective of the Government under the PNG Digital Transformation Policy. This is considered paramount as cyber-related risks are evolving rapidly and the country’s technical and intelligence capabilities must be developed to align with international standards/norms and in accordance with international best practices to protect PNG’s critical infrastructure systems and essential services.

Cyber-attacks have become more sophisticated, targeting specific organisations in the public and private sector through victim reconnaissance. If the country’s critical systems and infrastructure cease to function or are compromised, the Government, economy and the society can be adversely affected.

Protecting Papua New Guinea’s national security, ensuring the security of cyberspace and promoting the prosperity of the citizen through the use of digital technologies to drive economic growth and raise productivity and living standards for all Papua New Guineans are among top priorities.

Governments have a responsibility to lead by example. Moving more government services online will make the lives of many PNG citizens easier; however, citizens need to have confidence that their data is safe, underscoring the need for government systems and data to be secure. This Policy, combined with the Digital Transformation Policy, the Digital Government Act and future legislation such as Data Protection/Privacy and Communications Decency, and a future National Cybersecurity Strategy, will strengthen the defences of PNG’s public sector networks.

The PNG Government is committed to equipping all consumers with the right cyber security skills and raising levels of cyber security awareness so we can all benefit from the opportunities in cyberspace. Both government and businesses have finite resources. The actions outlined in this policy address the most urgent issues. Technology is constantly changing; measures designed to improve security in today’s online world can be quickly overtaken by new technologies, systems, software and applications. The landscape, context, vision, goals, principles, governance and legislation set out in this Policy are vital in providing clear direction for the Government to address national cyber issues and shape the priorities of a future National Cybersecurity Strategy.


1.3 Rationale

The domestic information space is vulnerable to the threat of exploitation and manipulation by external interests. The Country’s ability to manage and control information inflows and outflows from its jurisdiction is lacking to the extent that it is unable to safeguard official and critical public information.

The lack of control has allowed other states with interest in PNG’s affairs to become increasingly knowledgeable on what goes on in the country through effective use of superior information and communication technology. Additionally, there is an increase in other nations’ satellite-based eavesdropping technologies and their strategic value and benefits. The Government is concerned with its national security, and its ability to institute appropriate counter measures to secure its jurisdiction and safeguard all sensitive information and communication. Moreover, the Government must ensure all its agencies in the information and communication industry and other security actors are empowered to facilitate the improved information security of the country.

Cyber adversaries are aggressive and persistent in their efforts to compromise PNG networks and information. They are constantly improving their tactics to infiltrate the government, private sector and other networks. They will also target the weakest link; if the network security of their primary target is robust, they will move to more easily compromised connected networks that could provide access to the primary target.

Malicious cyber activity is a security challenge for all people in PNG. Outside of PNG, organisations in many nations, including Australian and US organisations across the public and private sectors, have been compromised by state-sponsored or non-state actors. SolarWinds is only one of many such incidents. In many countries, cyber criminals have targeted local governments, airports, hospitals and other critical infrastructure, crippling governments and putting the health of people at risk. Large multinational companies and government organisations have been targeted, losing substantial amounts of sensitive commercial and personal information or incurring major damage to their business and reputation.

The differences between some malicious cyber actors, such as organised criminal networks, state-sponsored actors and issue-motivated groups, are becoming less and less distinct. For example, activity by some cyber criminals can be more sophisticated than that conducted by many nation states. This growing network of malicious actors is having a global impact. Malicious cyber activities are wide ranging. They include activities designed to compromise the confidentiality, integrity or availability of computer networks or ICT systems or the information on them.


PNG is extremely vulnerable to the type of cyber-attacks experienced elsewhere in the world. It is thus essential and critical that the Government assume this obligation to support the continuity of essential services in the face of disruptive or sophisticated attacks. The loss of an essential service like electricity, water, hospitals/clinics or transport will have devastating impacts across all of PNG far beyond the targeted business. Much more can be done to raise the overall security posture of critical infrastructure. Some nation states or state-sponsored actors are so sophisticated that an attack may be beyond the capability of a single network owner to handle alone, irrespective of its size, expertise and best efforts.

Being connected is now essential, creating new opportunities for innovation and growth for all people in PNG. To be competitive, businesses need to be online. But being online also brings risks. PNG is increasingly becoming a target for cyber intrusions and cybercrime. Governments, businesses and individuals need to work together to build resilience to cyber security threats and to protect the country’s critical resources.

It is critical that PNG build its nation’s stock of cyber security skills, which are becoming increasingly essential for life and work in the connected world. To respond to these challenges, Government must elevate cyber security as an issue of national importance. Leadership will be critical to achieving this goal.

The Government of PNG plays a significant role in the protection and enhancement of Cybersecurity in the country. The Government will strengthen its current lead role on cyber security policy and be the central point for policy issues to ensure a simplified Government policy interface for stakeholders.

2.0 CURRENT SITUATION

2.1 Global Trends

PNG is made an integral part of the global society through the internet connectivity that connects the entire world. The cybersecurity challenges and issues that countries all over the world are encountering equally concern PNG.

Cyber security threats are increasing. Nation states and state-sponsored actors and criminals pose serious threats to PNG citizens and businesses. The global trend indicates that:

⚫ Criminals are using the dark web to buy and sell stolen identities, illicit commodities, and child exploitation material;

⚫ Social engineering and phishing remain an effective threat to enable other types of cybercrime;


⚫ Criminals use innovative methods to increase the volume and sophistication of their attacks and inexperienced cybercriminals carry out phishing campaigns more easily through crime-as-a-service;

⚫ Criminals take advantage of national and global pandemics to attack vulnerable people, as was evident in the COVID-19 pandemic, when phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19;

⚫ The use of anonymising technologies has made it easier to commit serious crimes at volume and across jurisdictions, allowing criminals and other malicious actors to operate outside the visibility of law enforcement;

⚫ Ransomware attacks have become more sophisticated, targeting specific organisations in the public and private sector, including the healthcare industry during the COVID-19 pandemic, through victim reconnaissance;

⚫ Criminals have included another layer to their ransomware attacks by threatening to auction off the compromised data, increasing the pressure on the victims to pay the ransom;

⚫ Child exploitation acts have also grown significantly at the peak of the COVID-19 crisis as offenders use innovative methods to hide this crime, such as P2P networks, social networking platforms and encrypted communications applications;

⚫ Dark web communities and forums are meeting places where participation is structured with affiliation rules to promote individuals based on their contribution to the community, including recording and posting of child exploitation activities and encouraging others to do the same; and

⚫ Livestreaming of child abuse continues to increase, becoming even more popular than usual during the COVID-19 crisis when travel restrictions prevented offenders from physically abusing children. In some cases, video chat applications in payment systems are used, which becomes one of the key challenges for law enforcement as this material is not recorded.

Malicious cyber activity is one of the most significant threats impacting the world and PNG is part of the global society impacted by malicious cyber activities. The COVID-19 pandemic highlighted the evolving nature of cyber threats and PNG citizens must have adequate knowledge of these threats to ensure protection against Cyber security is at the heart of the transformation to a digital society.

Nation states and state-sponsored actors seek to compromise networks to obtain economic, policy, legal, defence and security information for their own advantage. Nation states and state-sponsored actors also seek to achieve disruptive or destructive effects against their targets. These actors tend to be sophisticated, well-resourced and patient adversaries, whose actions could impact PNG’s national security and economic prosperity.


Highly sophisticated nation states and state-sponsored actors continue to target governments and critical infrastructure providers. It is not uncommon for more than 30% of these incidents to try and directly attack a nation’s critical infrastructure providers that deliver essential services including healthcare, education, banking, water, communications, transport and energy.

To counter the cybersecurity challenges, the PNG Government must work closely with its international partners and strengthen and improve the capacity and capabilities of its law enforcement agencies to tackle, investigate and disrupt the volume and anonymity enabled by the dark web and encryption technologies. Encryption is a clear feature of an increasing number of services and tools. Accessing and gathering relevant data for criminal investigations is a principal challenge for law enforcement. The value of being able to access data of criminal communication on an encrypted network is the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.

2.2 Domestic Efforts

A minimum requirement for PNG to ensure protection of its critical infrastructure and cyber environment in general is to have:

⚫ Relevant national policies, laws, rules and procedures to foster coordination, collaboration and cooperation;

⚫ Specialized cybersecurity technical capabilities;

⚫ Proper institutional structures and skilled personnel;

⚫ Proper mechanism for information sharing and awareness.

PNG will need to establish these key requirements and the Government is committed to ensuring these requirements are established.

PNG’s National Cyber Security Centre (NCSC) was established in 2018, with the support of the Australian Government. The NCSC provides for training, exercises and collaboration with industry sectors within the Government. The NCSC also houses the network operational centre and the PNG CERT (computer emergency response team)1. The Centre has been providing advice on enforcing incident reporting regulations in PNG.

1 A CERT is a computer emergency response (or readiness) team and the term is trademarked by Carnegie Mellon University. A CSIRT is a group that responds to security incidents when they occur. CSIRT stands for a computer security incident response team and is a generic name for this type of service. The terms CERT and CSIRT are used interchangeably, despite the important differences. The aim of a CERT/CSIRT is to share information to help other response teams respond to threats against their own networks. In the PNG context, this means helping all other sectors in society understand threats. The PNG CERT is currently managed by NICTA.


The NCSC has taken measures to protect the networks of public organizations. It has rolled out end-point-network protection to certain government departments and agencies and continuously monitors the networks for threats, as well as providing incident response support.

A Steering Committee, comprising key stakeholder agencies, oversees the functions of the NCSC. The Committee is led by the Department of ICT, and also includes Defence, Police, Justice, the National Intelligence Organization, and the Office of Security Coordination and Assessments (OSCA) which falls within the Department of Prime Minister and NEC.

2.3 Policy Landscape

Today, the economic security of PNG is inherently tied to the country’s national security. As the foundations of our economy are becoming increasingly rooted in digital technologies, the Government will model and promote best practices and standards that protect our economic security and reinforce the vitality of all citizens.

PNG remains vulnerable to Cyber-based crimes as connectivity increases with the landing of the Coral Sea Cable. The incidences of various forms of cybercrimes and cyber espionage will increase. Various policies across different social sector agencies have identified and highlighted the need to address cyber safety, cybersecurity, cybercrime, and cyber resiliency. However, there is a need to clearly define these cyber threats and offer suggestions on ensuring the safety of all critical infrastructure, citizens' privacy and data held by these agencies and by the Government.

Policies must clearly identify and classify PNG’s critical information infrastructure (CII) that supports the ICT sector’s operation, such as assets related to the provision of voice/data communication and internet connectivity, and the critical infrastructure such as power plants, electrical plants, water supply, hospitals, airports and other critical infrastructure that are enabled by digital technologies. These critical national infrastructures require a high level of cyber security protection. CII are key components of any country’s critical national infrastructure. The Government will work with other Government agencies and other providers within the country to identify their critical information infrastructure through a step-by-step approach and establish specific criteria including the size of the potentially affected population, intra-sector and cross-sector dependencies, geographic criteria, and the impact on personal safety and privacy.

Considering the current landscape, this Policy sets a direction for the Government to:

⚫ work collaboratively across all stakeholder groups, from the private sector and civil society, to the academic and technical community to promote best practices and develop strategies to overcome market barriers to the adoption of secure technologies;

⚫ improve awareness and transparency of cybersecurity practices to build market demand for more secure products and services;

⚫ collaborate with international partners to promote open, industry-driven standards and risk-based approaches to address cybersecurity challenges to include cloud security, platform and managed service approaches that lower barriers to secure practice adoption across the breadth of the ecosystem;

⚫ work with the private sector and the ICT community to enhance awareness and knowledge of cyber security and of proper cyber hygiene;

⚫ work with all Ministries including the Ministry of Education and the Ministry of Higher Education to create a curriculum that can teach our students cyber skills so that we can grow and create a cadre of skilled cyber security professionals within PNG for the future. Growing the cyber security skills pipeline will ensure all critical infrastructure owners and operators and businesses have greater access to skilled cyber security professionals with the right skills to meet demand.

3.0 VISION AND GOALS

3.1 Enabling Innovation

The Government of PNG is committed to enabling digital innovation, growth and prosperity for all Papua New Guineans, empowering citizens to become a smart, networked, and well-informed society. Through the Digital Transformation Policy, the Government hopes to:

● Promote collaboration, interaction, and participation,

● Promote innovation and learning,

● Provide an open and transparent government, and

● Provide citizen-centred services, and knowledge-based industries.

To achieve the goals of the PNG Digital Transformation Policy, the Government will develop and sustain its cybersecurity capabilities that will ensure a safe and secure cyber-environment for its citizens and businesses.

3.2 Vision

The Government envisaged an environment where all citizens interact and collaborate safely and securely with the Government thus creating a digitally innovative and prosperous environment for Papua New Guinea. To achieve this Vision, the Government has established seven themes of actions for Papua New Guinea cyber security over the next five years:

Theme 1: A national cyber partnership and collaboration;

Theme 2: Strong cyber defences and cyber resilience;

Theme 3: Cross cutting critical infrastructure that deliver critical services/functions to the nation;

Theme 4: Global responsibility and influence;

Theme 5: Growth and innovation;

Theme 6: Increasing cyber awareness and education with PNG; and

Theme 7: Expanding efforts to raise awareness of cyber threats.

Creating a digitally innovative and prosperous environment for Papua New Guinea will require a collaborative effort and cooperation from all stakeholders.

3.3 Policy Goals

The Government is committed to building and strengthening cyber security capabilities to anticipate and respond to cyber threats. Building the nation’s stock of cyber security skills and competency are becoming increasingly essential for life and work in the connected world. Equally important is to ensure that citizens, visitors, businesses and government agencies enjoy the full benefits of a safe, secure and resilient cyberspace.

The Goals of the National Cybersecurity Policy (NCP) are to:

Goal 1: Create a safe and secure online world;

Goal 2: Build trust in digital services and Papua New Guinea’s digital economy by supporting businesses’ cyber resilience through sharing threat information and setting clear expectations of roles for every stakeholder;

Goal 3: Engage and sustain the participation and cooperation of all stakeholders including government, businesses, communities and regional partners in creating a more cyber secure environment;

Goal 4: Protect the Government’s most critical systems and essential services from cyber threats;


Goal 5: Provide law enforcement agencies with greater ability to protect Papua New Guinea’s citizens online;

Goal 6: Develop relevant laws and standards to protect Government, citizens and business data and networks;

Goal 7: Expand the Government’s efforts to raise awareness of cyber security threats and empower the community to practise secure online behaviours;

Goal 8: Forge and maintain partnerships and collaboration with regional and international partners to build capacity on cybersecurity and in addressing cybercrimes;

Goal 9: Build a strong workforce of skilled cyber security professionals as a key enabler for the growth of digital economy and security.

3.4 Policy Principles

The following Guiding Principles will lead PNG towards realizing its Vision and the Goals:

• Building a strong cybersecurity environment that will guard the ‘Sovereignty’ of our Independence and safeguard the ‘Privacy’ of our citizens as enshrined in our National Constitution;

• Protecting citizens, visitors, businesses and government agencies and critical infrastructure by providing the necessary security frameworks, strategies and guidelines, building national capacity, implementing information sharing techniques and raising awareness;

• Engaging all stakeholders nationally and internationally in stakeholder consultations and in other collaborations to ensure all stakeholders understand the Policy Goals and Objectives;

• Strengthening the current legal framework to ensure that all policies are updated for the digital economy, including child protection legislation and privacy and data protection, critical infrastructure protection and e-Commerce;

• Cultivating strong linkages with the different UN organizations, regional organizations, international and/or global organizations working in this arena.


4.0 POLICY ALIGNMENT AND FRAMEWORK

The National Cybersecurity Policy takes its cue from the National Constitution, particularly the provisions relating to the safeguarding of Papua New Guinea’s national sovereignty. The Goals of the National Cybersecurity Policy are consistent with the main policies of Government and with other existing policies of the Government that point towards security and a safe and secure cyber environment. The National Cybersecurity Policy aligns with these policies, guides the Government’s strategy, action plan and roadmap on Cybersecurity, and ensures a coordinated implementation.

4.1 The Papua New Guinea National Security Policy 2013

Provision of cyber services in PNG to the public service and to the wider community is not uniform and it changes from agency to agency. The lack of standards, the lack of identification of any particular agency to have control and authority, the lack of appropriate legislation within the Government, and the lack of any international protocols that can help the Government cause a lack of coordination and are a threat to society, a threat to the trust held by people in their government, a threat to the country’s critical infrastructure, a threat to the privacy and security of citizens’ data and a threat to national security.

The National Government has in the past adopted policies to protect its citizens and to enhance information security. But the lack of a data protection and data privacy policy, encryption policies and other related legislation, combined with a lack of effective cyber policies and a lack of a campaign to raise awareness and educate the populace, has resulted in this lackadaisical attitude to cyber security, cybercrime, cyber safety and cyber resilience. Policy implementation has been hampered by a failure to design, develop, test, roll out and regularly maintain and improve a national cyber safety, cyber resilience, cyber security and cybercrime system.

Additionally, the Government is hampered by the lack of any international protocols it can call upon to assist it in its battle to fight cybercrime.

The Papua New Guinea National Security Policy 2013 is an attempt to give policy guidance. It lists ‘Cyber-based Threats’, and ‘National Information Security’ as two of the generic threats to PNG’s survival.

Cyber-based Threats is listed as a Level Two Threat. Security threats under this category do not mean that they are any less important but require a lower priority ranking. Depending on circumstances any threat in this category can very quickly be moved to Level One ranking.


4.2 The Papua New Guinea National Security Policy Strategic Action Plan 2014-2020

Policy Goal 8 (‘Ensure Technological Security’) of the National Security Policy Strategic Action Plan 2014-2020: Department of Communications & Information (now Department of Information and Communications Technology) to continue to spearhead a ‘whole-of-Government approach’ to a single National Information Technology Network supporting e-Governance.

4.3 The PNG Digital Transformation Policy 2020

The Papua New Guinea Digital Transformation Policy 2020 identifies Cyber Safety and cyber resilience as one of its key pillars. It also provides for work to be done to increase awareness of these critical issues.

The Policy recommends a Data Protection and Privacy legislation to be put in place and for the creation of cyber standards and guidelines to be established and published, including legislative frameworks to identify and ensure protection of critical infrastructure.

4.4 National ICT Policy 2008

The Government of Papua New Guinea (Government) has defined key priorities with regard to the development of ICT in its 2008 National Information and Communication Technology Policy (ICT Policy). The ICT Policy paved the way for the liberalisation of the industry and caters for increased competition in the telecommunications sector.

The ICT Policy highlights the importance of building confidence and security in our ICT systems [2]. It underlines the need to protect the fundamental rights of citizens as well as to enable the investigation and prosecution of crimes. In 2014, the Government introduced the National Cybercrime Policy (Cybercrime Policy) and subsequently, in 2016, enacted the Cybercrime Code Act 2016 (Act).

While the ICT Policy mentions cyber security, it does not limit security concerns to cybercrime. It also highlighted that “criminal law is only a small part of the cybersecurity framework” [3]. The Government further elaborated that Government and private sector agencies need to cooperate in improving the security of their systems by applying sound security practices, improving and securing the sharing of information, and raising awareness.

[2] National ICT Policy 2008, p. 36

[3] Ibid., p. 38 ff

As outlined in the ICT Policy, access to information is beneficial but it is important to be mindful that the same technology provides access to illegal and harmful content.

The NIO Act of 1984 described below remains the mandated Authority that supports the protection of the Government of the day, all citizens and its legitimate investment and development partners against all forms of undesired threats, economic espionage and terrorism.

4.5 The National Intelligence Organization Act 1984

The PNG National Intelligence Organization by virtue of the National Intelligence Organization Act

The NIO Act of 1984 remains the mandated Authority that supports the protection of the Government of the day, all citizens and its legitimate investment and development partners against all forms of undesired threats, economic espionage, terrorism, transnational crimes involving money laundering, human trafficking and so forth in the long term.

The National Security Council, the National Security Advisory Committee, and the PNG National Intelligence Organization are aligned by virtue of the National Intelligence Organization Act 1984.

4.6 The National Information and Communication Technology Act 2009

Subject to sections 11 and 58 of the National Information and Communication Technology Act 2009, the National Information and Communication Technology Authority (NICTA) may vary an individual licence to incorporate government policy in favour of the deployment of security technology solutions at a licensee’s Internet Gateway.

4.7 The Classification of Publication (Censorship) Act 1989

The Censorship Board of Papua New Guinea exists to classify the media content that PNG consumes. It either applies age restrictions to that content, or (in the case of certain illegal content) bans it entirely.

In 2014, the Censorship Office facilitated drafting of the Classification of Films, Publication and Online Service Bill 2014 to amend the Classification of Publication (Censorship) Act 1989 to reflect changing circumstances as technology had become part of everyday life.

The National Censorship Policy II 2020-2024 captures current trends and developments on matters related to censorship.

4.7 The Gaming Control Act 2007

Legality of online gambling such as www.pngbet.com is an ongoing issue and the National Gaming Control Board may take action under the Gaming Control Act 2007.

Electronic gambling or lottery by a child is also a cybercrime offence under Section 14 of the Cybercrime Code Act 2016. A gaming operator may also be held liable.

4.9 The Lukautim Pikinini Act 2015

Subject to section 13 of the Lukautim Pikinini Act 2015, the Office for Child and Family Services shall consult with the Department of Information and Communications Technology and other bodies recognized by the Act that are capable of assisting in the protection and welfare of children.

4.10 The Cybercrime Code Act 2016

The Cybercrime Code Act 2016 creates powers for constitutional law enforcement bodies but not the capability to perform those powers. The Royal Papua New Guinea Constabulary or the Public Prosecutor, as holders of the respective search, production and investigation powers under Part IV of the Act, have this authority but have not exercised these powers due to technical incapability.

The Cybercrime Act also created legal tests for establishing the criminal liability of ICT Service Providers in PNG under Part V of the Act, which legal tests are heavily reliant on a technical capability on the part of the Royal Papua New Guinea Constabulary to access ICT Service Providers’ data for assessing evidence for commission of an offence or an omission against the Act that are critical to proving cybercrimes.

5.0 CYBERSECURITY FRAMEWORK

5.1 Coordination and Governance Mechanism

The Government will strengthen its existing structures as well as establish an appropriate specialized body to oversee and maintain various responsibilities on cybersecurity issues. It will coordinate its effort through the coordination mechanism as depicted:

The National Security Council (NSC), chaired by the Prime Minister, is the highest decision-making body on national security issues threatening the sovereignty, security and protection of the Independent State of PNG. The National Security Advisory Committee through the Office of the Security Coordination and Assessment (OSCA) provides technical advisory support to the NSC.

The Government will take these directions:

5.1.1 A National Cybersecurity Coordinating Agency (NCCA) will be established to be the coordinating arm of the Government on matters relating to cyber security.

5.1.2 NCCA will, among others:

⚫ be a platform for interaction with stakeholders and influencers, external and internal, including the private and public sector that are seeking cyber security services and support or are seeking to engage with operational agencies of Government on cybersecurity;

⚫ coordinate and connect stakeholders, influencers and public and private sector bodies with appropriate functional and operational agencies; in particular, the operational agencies of Government will have within their oversight the critical digital infrastructures, systems and capabilities, and any external and/or foreign party seeking to engage with these agencies will enter through NSCA for check and clearance purposes;

⚫ coordinate research and development in cybersecurity.

5.1.3 PNG Computer Emergency Response Team (CERT) and Cybersecurity Operational Centre (NCSC) are an established technical capability that will provide technical support to the operational agencies and departments of the Government. These technical capabilities will be coordinated through the NCCA.

Among the responsibilities of the NCSC are the following:

⚫ conduct defensive cyber security operations;

⚫ promote a secured digital government environment;

⚫ ensure government digital infrastructure contains appropriate security control technologies;

⚫ promote cyber resilience to ensure services that are essential for everyday life remain effective and operational during cyber threats and attacks;

⚫ investigate any breaches of cyber security and escalate security incidents to appropriate authorities, if necessary, for their intervention;

⚫ monitor and hunt cyber security threats across networks and endpoints, and ensure that threats attacking data and assets are contained and eliminated;

⚫ provide the persons to whom the NCSC provides services with remote incident response and handling support;

⚫ conduct audits on cyber security tracking and monitoring systems and endpoint devices used by public bodies;

⚫ establish procedures for the persons to whom the NCSC provides services and other member organizations of the Papua New Guinea CERT to report cyber-attacks or suspected cyber security incidents;

⚫ provide regular reports to the persons to whom the NCSC provides services;

⚫ provide technical support to the Papua New Guinea CERT; and

⚫ create cyber security standards and guidelines and technical censorship support services to a public body responsible for censorship matters.

5.1.4 A National Cybersecurity Strategic Advisory Committee (NCSAC) comprising cybersecurity policy and operational agencies will be established within the NCCA and chaired by the Office of Security Coordination and Assessment to provide technical advisory support to the Government. Technical working group(s) and sub-committee(s) will be formed as and when required to deal with specific issues on cyber security and provide strategic directions.

5.2 Key Government Cyber Security Stake-Holders by Implementation and Operational Functions

There are Government departments and agencies that oversee certain functions and operations on cybersecurity. These functions and operations relate to:

• development, implementation, monitoring and evaluation of appropriate policies and strategies on cybersecurity;

• cyber defense and offensive capabilities;

• cyber investigation and intelligence; and

• counter-espionage, cybercrime and cyber safety.

The Government will strengthen and equip these institutions with appropriate capabilities to perform their functions and operations effectively to safeguard PNG’s cyber environment, its sovereignty and its people:

5.2.1 OSCA’s responsibility is to provide high quality and timely policy advice to the National Security Council (NSC) for the effective management of issues of national security, Defence & international relations. As a matter of national security, the OSCA will continue to maintain strategic oversight of cyber security matters through its chairmanship of the National Cyber Security Steering Committee.

5.2.1 The Department of Information and Communication Technology, as the Government’s lead agency on ICT policy matters, will oversee and lead the development, implementation, monitoring and evaluation of appropriate policies and strategies on cybersecurity.

5.2.2 PNG Defense Force will be responsible for PNG’s cyber defense and offensive capabilities.

5.2.3 National Intelligence Organization will be responsible for cyber investigation and intelligence service.

5.2.4 Police will be responsible for counter-espionage and cybercrime and cyber safety enforcement.

5.2.4 Department of Justice and Attorney General and the Office of the Public Prosecutor will be responsible for Mutual Assistance in Criminal Matters and for prosecution of cybercrime and cyber security related matters.

5.2.5 Office of the Censorship will be responsible for Cyber Hygiene and other aspects of online safety.

5.3 Cyber Resilience of Critical National Infrastructure

5.3.1 Identifying Critical National Infrastructure

CII are key components of any country’s critical national infrastructure. The Government will work with other Government agencies and other providers within the country to identify their critical information infrastructure through a step-by-step approach and establish specific criteria. Among other criteria, CII will be defined based on:

• the size of the potentially affected population;

• intra-sector and cross-sector dependencies;

• geographic criteria; and

• the impact on personal safety and privacy.

Critical infrastructure top targets are:

⚫ Public/government,

⚫ Telecommunications,

⚫ Health,

⚫ Academic,

⚫ Manufacturing,

⚫ Power/utility,

⚫ Transportation, and

⚫ General information warfare threats.

5.3.2 Statistical Data on Cyber Security Compromises

Better statistical data on the national impact of cyber security compromises is required to enable PNG Government and businesses to make informed decisions when managing cyber risks. Data collection measures will help the Government and the private sector to better make decisions that address cyber security threats to PNG’s economy and security. Government through the Department of Information and Communication Technology will establish and maintain a database on the national impact of cyber security breaches.

5.3.3 Protecting Critical Infrastructure and Businesses

While cyber security is foundational to protecting assets from an attack happening in the first place, cyber resiliency concerns the assurances for a nation that its critical infrastructures will remain effective and operational for it to endure inevitable attacks.

Attribution of responsible attackers is a capability enabled by threat intelligence analysis of multiple sources of information to learn tactics, techniques, and procedures used by attackers. This information enhances methods for security and resiliency. Transparency of these capabilities, propensity for risk, and cultures are challenges to national cyber strategies being comparable to protect our tightly woven digital economies.

The Government will develop and actively defend the critical infrastructure that all PNG citizens rely on, including:

⚫ work with the business community to create a voluntary code of conduct/practice for all products and services that will set out the Government security expectations for Internet-connected consumer devices.

⚫ partner with the private sector, especially large businesses, to assist small and medium enterprises (SMEs) to grow and increase their cyber security awareness and capability.

⚫ work with the private sector to manage risks to critical infrastructure at the greatest risk;

⚫ develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks;

⚫ prioritize risk-reduction activities across critical key areas: national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation;

⚫ Cyber security obligations for business owners and operators;

⚫ New ways to investigate and shut down cyber-crime, including on the dark web;

⚫ Stronger defences for networks, computer systems and data;

⚫ Greater collaboration with other international countries to build PNG’s cyber security skills pipeline.

⚫ Increased situational awareness and improved sharing of threat information.

⚫ Stronger partnerships with industry.

⚫ Advice for small and medium enterprises to increase their cyber resilience.

⚫ Clear guidance for businesses and consumers about securing Internet of Things devices.

⚫ 24/7 cyber security advice hotline for SMEs and families.

⚫ Creating Effective Cyber Security Defences.

⚫ Improved community awareness of cyber security threats.

5.3.4 Private Secure Data Exchange Platform

The Government will establish a Private Secure Data Exchange platform to connect the various Government data infrastructure as a best practice to promote security within the Government network. It is critical and essential that these platforms fall under the Government’s critical infrastructure.

5.4 Role of a Government Cloud Platform in Cyber Security

Cloud security is now essential in any new cyber policy [4]. Cloud security involves the procedures and technology that secure cloud computing environments against both external and insider cyber security threats. Cloud security and security management best practices designed to prevent unauthorized access are required to keep data and applications in the cloud secure from current and emerging cybersecurity threats.

Many public service agencies, responsible for official government information and services, are already using public cloud-based infrastructure and services, driven by business requirement cost efficiencies. This brings the challenge that government and citizens' data are at risk of being unknowingly exposed to malicious third-party intermediaries, with or without citizens’ concern about or awareness of the exposure, and that the associated risks may lie outside government jurisdiction to administer or intervene in the event of any breach. This can be addressed through appropriate and relevant government policies, standards, and guidelines to guide the deployment and use of cloud-based infrastructures and services.

A Digital Government Legislation is vital to pave the way for development of standards and guidelines for the Government’s private Government Cloud. The cloud platform provides access to many powerful tools and services such as big data analysis, artificial intelligence, that are very useful for intended purposes or can be disruptive against standing government constitutional boundaries, policies, including data protection and privacy if such government and personal data fall in wrong hands in the cloud environment.

The Government recognizes that ICT providers within PNG are in a unique position to help the Government to detect, prevent, and mitigate risk before it impacts customers,

[4] Cloud computing, which is the delivery of information technology services over the internet, has become a must for businesses and governments seeking to accelerate innovation and collaboration.

The Government will:

⚫ develop appropriate and relevant government policies, standards, and guidelines to guide the deployment and use of cloud-based infrastructures and services.

⚫ work with the private sector to manage risks to critical infrastructure at the greatest risk;

⚫ develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cyber security offerings and engagements to better manage those national risks;

⚫ prioritize risk-reduction activities across critical key areas: national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation;

⚫ work with ICT providers to improve ICT security and resilience in a targeted and efficient manner while protecting privacy and civil liberties;

⚫ work to strengthen our efforts to share information with ICT providers to enable them to respond to and remediate known malicious cyber activity at the network level;

⚫ encourage reporting of intrusions and theft of data by all victims, especially critical infrastructure partners. The prompt reporting of cyber incidents to the Government is essential to an effective response and prevention of future incidents;

⚫ work to update electronic surveillance and computer crime statutes to enhance law enforcement’s capabilities to lawfully gather necessary evidence of criminal activity, disrupt criminal infrastructure through civil injunctions, and impose appropriate consequences upon malicious cyber actors.

5.5 Best Practices

The policy goals, principles, and vision spell out how the Government plans to change its practices, educate its workforce and the general population, partner and collaborate with others so that it can strengthen and harden its infrastructure and improve its cyber resilience.

Internet security requires a combination of several products and technologies to properly safeguard data. The Government will develop an internet security strategy that will take into consideration key tactics to safeguard its data including, among others:

⚫ Browser selection: Each browser has its own security measures in place, but some can have serious flaws that allow hackers and cybercriminals to exploit and invade. Ensure that you're using a secure browser to reduce the risk of compromising your computer or network.

⚫ Multi-factor authentication (MFA): MFA is a method of controlling computer access by requiring several separate pieces of evidence to an authentication mechanism. Websites and email accounts can be made more secure by requiring at least two factors of authentication by a user.

⚫ Email security: Email creates a wave of opportunity for viruses, worms, Trojans, and other unwanted programs. Establishing a multi-layered and comprehensive email security strategy will help significantly reduce exposure to emerging threats. Email messages can also be protected by using cryptography, such as signing an email, encrypting the body of an email message, and encrypting the communication between mail servers.

⚫ Firewalls: Firewalls act as filters that protect devices by allowing or denying access to a network. By applying a specific set of rules to identify if something is safe or harmful, firewalls can prevent sensitive information from being stolen and keep malevolent code from being embedded onto networks.

Educating and creating awareness on cyber safety is a best practice that many nations have adopted as a priority. PNG Government will adopt the following approach on educating and creating awareness on cyber safety:

⚫ educate its workforce;

⚫ work closely with the private sector to build up cyber resilience;

⚫ introduce cyber safety into the educational curriculum of primary, secondary and higher education;

⚫ collaborate with international organizations including the Global Cybersecurity Alliance, Get Safe Online, and other groups and ensure all toolkits, best practices, and resources are translated into Tok Pisin;

⚫ develop a ‘best practice guidelines’ for use in schools and workplaces and for citizens.

5.6 Collaboration

Cooperation and collaboration with other partners is critical. The Government recognizes that no Government can unplug itself from the world or exist in its own silo. It requires collaboration and partnership both with the private sector, NGOs and the technical community, as well as with international organizations and other governments. The Government will work with other governments, increase partnership and become a member of international organizations working in the cyber security arena.

A coordinated approach led by the Government is a key step towards Cybersecurity preparedness and resilience to counter cyber threats and attacks. In this vein, the Government will coordinate more collaboration with the private sector, technical communities, international cybersecurity bodies and other governments to:

⚫ Create common standards and practices on Cybersecurity within Government, and guidelines to businesses;

⚫ Develop appropriate and relevant legal and regulatory frameworks to define and support common standards, practices and guidelines;

⚫ Strengthen institutions responsible for cybersecurity with adequate capacity to lead and enhance Cybersecurity activities;

⚫ Encourage national co-leadership and cross-sectoral partnerships to foster strong cybersecurity.

5.7 International Cooperation

The Government will work with its allies, donors, international partners and in the technical community to assist in strengthening PNG’s capacity to prevent or respond to malicious cyber activity, including in response to sophisticated actors. PNG is a member of the Global Forum on Cyber Expertise, PaCSON and APEC, and the Government will assess and join other related cyber organizations in order to strengthen its capacity to protect PNG’s cyber environment.

PNG will enter into bilateral and multilateral partnership on Cyber Security Cooperation.

The partnership will focus on areas of:

a. Developing and enhancing cyber security governance and best practice frameworks;

b. Building capacity in incident response, forensic analysis and crisis management;

c. Establishing and equipping PNG’s cybersecurity technical institutions to monitor the protected networks for threats and provide incident response support;

d. Enhancing PNG CERT capacity (CERTs are the “first responders” during a cyber incident) by providing regular training at the NCSC.

6.0 LEGAL AND REGULATORY FRAMEWORK

6.1 Legislation

There are various policies the Government has adopted that both provide a framework for cybersecurity and act as an anchor for the Government’s National Cybersecurity Policy. The Legislative Acts listed in this Section are the key critical legislations that the Government will enact to lay out and describe the cybersecurity standards that will be required and provide clear guidance for Public and Private sector on cybersecurity.

These legislations will give effect to Government’s policies, strategies, action plans and roadmaps on cyber security and ensure a structured, collaborative and coordinated approach towards effectively addressing national cyber security challenges.

6.1.1 Digital Government Legislation

The legislation will set the legislative framework for ICT governance particularly digital information management systems in all public bodies in PNG. It will deliver digital infrastructure, digital government, digital skills, innovation and entrepreneurship, digital cyber security and privacy, financial inclusion and information classification across the whole-of-government and sub-nationally for delivery of public services efficiently paving way for transformation of the economy into a digital economy.

The law will:

⚫ Pave way for proper coordination of procuring and use of digital technologies in the public sector, ensuring highest level of security for government systems and government information and data;

⚫ Establish, define and anchor the functions and powers of the Department of ICT as lead Government agency to provide oversight on digital transformation processes across the whole-of-government.

The Digital Government Legislation will provide the legal basis for the Government to:

⚫ Streamline national planning and coordination of ICT funding, infrastructure development and services primarily within the public sector;

⚫ Define and ensure compliance of international best practices, national ICT and digital standards for all public and statutory bodies;

⚫ Centralize and streamline procurement and usage of ICT products and services for all public and statutory bodies;

⚫ Compel and facilitate the centralization of all government data and information, and sharing of data and information between government to government, government to citizen, government to business and vice versa;

⚫ Facilitate and compel cybersecurity standards and compliance for all public and statutory bodies;

⚫ Facilitate and coordinate digital government services specifically: government to government, government to citizen, government to business and vice versa, to increase public service delivery efficiency and reduce government expenditure. For example, e-Voting, e-Census, e-Tax, e-Agriculture, e-Police, e-Education, e-Parliament and range of e-services; and

⚫ Facilitate transformation of the economy to digital economy through development and implementation of other relevant regulations and standards, programs, and projects pertaining to digital skills, digital services, and digital infrastructure.

⚫ Facilitate and coordinate digital information dissemination and communication for government to government, government to citizen, government to business and vice versa.

6.1.2 National Cyber Security Legislation

A National Cybersecurity Legislation will be developed to implement the goals and objectives of this Policy. Cyberspace and its underlying infrastructure are vulnerable to a wide range of risk stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services.

Legislation should harmonize with existing national laws and contain provisions compatible with international standards and best practices in order to enable and sustain cooperation regionally as well as on an international basis. It should provide for creation of a specialized cybersecurity agency and a coordination framework to harmonize efforts across key cybersecurity agencies of Government and enable collaboration and cooperation among all stakeholders to ensure protection of:

⚫ digital services and essential services;

⚫ e-identification and trust services; and

⚫ personal data; among others.

Cyber security challenges persist as a result of a number of factors including, among others, lack of a culture of cyber security consciousness and limited awareness on cyber security issues among businesses and individuals; challenge of enforcement of legislation; as well as limited capacity among law enforcement agencies in the detection, investigation and prosecution of internet-facilitated crimes.

Many Government agencies have a minimal understanding of cybersecurity risks and threats. The private sector has limited awareness of cybersecurity threats and risks. Moreover, SMEs within PNG lack the human capacity and resources to sufficiently deal with cybersecurity. Nationwide, larger international NGOs do not consider cybersecurity a priority for them; as a result, they are subject to a range of cyber-attacks. Despite having a CERT within PNG, the channels to report cyber incidents are not coordinated. Certification and accreditation of public sector cybersecurity professionals did not exist.

Cybersecurity laws and regulations tend to cover the most common matters that arise from cyber threats. These matters include a focus on criminal activity, corporate governance, insurance matters, and the jurisdiction of law enforcement. The legislation would establish a new agency to be responsible for all cybersecurity issues. Cybersecurity authorities within the new Cyber Security agency will regulate and promote developments within the country and manage and enforce its cybersecurity space. This mandate will see the new Cybersecurity Agency play a key role in preventing, managing, and responding to cybersecurity incidents in PNG. This new Agency or Authority will work closely with the Agency or Department that manages Critical Infrastructure in terms of cybersecurity activities, services and practices. The Cybersecurity Agency that will be set up will have a very wide mandate in ensuring that PNG is protected from cyber-attacks and breaches. To this end, the Agency will be monitoring cybersecurity threats within and outside PNG, taking measures in response to cybersecurity attacks and breaches, especially those with the potential of threatening PNG’s national security, economy, international relations, and public health.

At the heart of the Cybersecurity Act is the protection of computer systems. A computer system includes a variety of technological devices with computing capabilities such as an operational technology system, or any device which has supervisory control and data acquisition and distribution capabilities.

6.1.3 Critical Infrastructure Legislation

The Government recognizes the need to protect essential critical infrastructure against natural disasters, terrorist activities and cyber threats. Disaster preparedness, response and recovery are top priorities. It will develop legislation to protect PNG’s critical infrastructure and systems.

The legislation would harmonize with existing national laws and contain provisions compatible with international standards and best practices. It will provide a mechanism to identify PNG’s critical infrastructures in respective sectors and provide necessary protection of these infrastructures. It will mandate and empower relevant responsible agencies to take necessary measures towards protecting these critical infrastructures, including measures on disaster preparedness, response and recovery.

Systems that once stood alone managing critical infrastructure operations are connecting to the Internet and sharing sensitive data. Through convergence, physical structures are merging with digital structures and are connected to the Internet, making these services vulnerable to attacks.

While this increased reliance on interlinked capabilities helps make the PNG economy more efficient and stronger, it also makes the country more vulnerable to disruption and attack. This interdependent and interrelated infrastructure is more vulnerable to physical and cyber disruptions because it has become a complex system with single points of failure.

The elements of the infrastructure themselves are also considered possible targets of terrorism. Traditionally, critical infrastructure elements have been lucrative targets for anyone wanting to attack another country. Now, because the infrastructure has become a national lifeline, terrorists can achieve high economic and political value by attacking elements of it.

Disrupting or even disabling the infrastructure may reduce the ability to defend the nation, erode public confidence in critical services, and reduce economic strength. Additionally, well-chosen terrorist attacks can become easier and less costly than traditional warfare because of the interdependence of infrastructure elements. These infrastructure elements can become easier targets where there is a low probability of detection.


The elements of the infrastructure are also increasingly vulnerable to a dangerous mix of traditional and non-traditional types of threats. Traditional and non-traditional threats include equipment failures, human error, weather and natural causes, physical attacks, and cyber attacks. For each of these threats, the cascading effect caused by single points of failure has the potential to pose dire and far-reaching consequences.

PNG’s access to power, electricity, transportation networks, drinking water and many other critical infrastructure services is increasingly at risk from cyber-attacks. These threats can have devastating consequences and could threaten entire communities. The success of critical infrastructure protection initiatives relies on strong and meaningful partnerships being built between governments, the private sector, technical communities, and our development partners. Success also relies on the solutions that are used to manage and implement these initiatives.

7.0 Cybersecurity Emergency Readiness

The Government is committed to introducing measures, adopting legislation and standards, and strengthening the institutional framework on cybersecurity to safeguard PNG’s cyber environment.

A Joint Strategic Centre (JSC) will be established to provide ICT support services for the control and management of a special situation and other related matters.

The responsibilities of the JSC would be to:

⚫ ensure interagency connectivity and resource sharing for emergency responses and public safety;
⚫ provide emergency systems or digital infrastructure as shared services;
⚫ use software and hardware to provide facial recognition services, vehicle recognition services and intelligent video recognition services;
⚫ provide human behaviour analysis services for early detection of offenses;
⚫ provide services to eliminate information and communication silos across public bodies;
⚫ enable efficient collaboration amongst public bodies for data storage, data sharing, analysis and dispatch to support policy decisions; and
⚫ otherwise enhance the control and management of any special situation and promote enforcement of any restrictions or other lawful requirements made in response to the special situation.

An Action Plan will be developed to provide a clear path for the Government to respond to cybersecurity emergencies.


8.0 Development of a Cybersecurity Strategy

The Policy provides a directional statement on paths that the Government will implement. A cybersecurity strategy will be developed to translate the Goals and directional statements of the Policy into a plan of action.

9.0 Implementation Framework

The institutional and governance arrangements to oversee the implementation of the various directives and technical measures on cyber security provided in this Policy will follow a phased approach.

Phase 1 will be for a term of two (2) years from the time the Policy is adopted. It will build on the current effort. The Department of Information and Communication Technology will oversee the National Cyber Security Centre, provide technical support on cyber security, and provide secretariat support to the National Cyber Security Centre Steering Committee. OSCA will provide chairmanship to the Committee. Major deliverables in Phase 1 are:

⚫ Development of the Cyber Security Legislation that will establish the National Cyber Security Coordinating Agency and define the roles of key stakeholders on cyber security and the working relationship among these stakeholders;
⚫ Development of Legislation for Critical Infrastructure to protect PNG’s national critical infrastructures and assets;
⚫ Maintaining and upgrading the National Cyber Security Centre to meet international standards and best practice requirements;
⚫ Training and capacity building on cyber security for PNG nationals to a competency level on par with international experiences; and
⚫ Facilitating necessary requirements for the establishment of the Cyber Security Coordinating Agency.

Phase 2 will commence upon the establishment of the Cyber Security Agency. The following implementation framework will be adopted for the development and implementation of PNG’s National Cyber Security Strategy and Action Plan.


9.1 Executive Sponsor

The OSCA is the Executive Sponsor of the National Cyber Security Strategy. OSCA will be primarily responsible for assigning relevant roles and responsibilities and allocating sufficient human and financial resources. OSCA is the Agency in the Government that has a clear understanding of the Government’s broad security, digital and development ambitions.

9.2 Lead Authority

The Department of Information and Communication Technology (DICT) will be the Lead Authority on cyber security strategy design and coordination of its implementation.

DICT will:

• lead the development of the cybersecurity strategy;
• be responsible for providing leadership on the culture and values that shape the strategy’s focus; and
• in its capacity as lead ‘project’ authority, appoint various government departments to be involved in the design and development of the cyber strategy and in the implementation of the strategy’s action plan.

9.3 National Cyber Security Centre (NCSC) Steering Committee

A Cyber Security Steering Committee will provide guidance and play a critical role in quality assurance and assist the lead project authority to overcome any inherent bias and help avoid intra-government competition for resources. The Steering Committee will guarantee the transparency and inclusiveness of the process. Representatives on the Steering Committee will (as a minimum) be the following departments:

⚫ OSCA to provide chairmanship,
⚫ Defence,
⚫ Justice,
⚫ Censorship,
⚫ Police,

The National Intelligence Office and the Department of ICT to provide secretariat support


The Steering Committee will:

• be aided by an advisory committee composed of private sector companies and professionals as well as representatives from the Technical Community, the academic community and any cyber-related NGOs in PNG;
• ensure that the Government has the correct cyber resiliency standards and guidelines that are needed to protect all infrastructure and essential services from attack;
• work with the respective Ministry, Agency or department to promote the adoption of common policies and best practices that are risk-based and able to effectively respond to the pace of ever-changing threats. As systems are protected, alerts can be issued in real time when events are detected to help protect networks across the government information technology enterprise and the private sector. This enterprise approach will help transform the way federal civilian agencies manage cyber networks through strategically sourced tools and services that enhance the speed and cost effectiveness of federal cybersecurity procurements and allow consistent application of best practices.
• work with its partners to provide Government Agencies with capabilities and tools that identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first. It is their goal to provide adequate, risk-based, and cost-effective cybersecurity and more efficiently allocate cybersecurity resources.

9.4 Current Stakeholders

Stakeholders from the civil society, the technical community, the private sector, and academia will be identified to work with the Steering Committee and be engaged in the development of a cyber security strategy. More stakeholders will be included as the NCSS is developed.

10.0 Monitoring and Evaluation Framework

Monitoring, evaluation (M&E) and learning from the outcome of M&E are important to ensure effective implementation of this Policy and to ensure relevant agencies and key stakeholders are progressively implementing the objectives and the directions of this Policy.

The Department of Information and Communication Technology, in collaboration with stakeholder agencies, will design and implement a monitoring, evaluation and learning framework to:

⚫ track the progress on implementation of the Cyber Security Policy objectives;
⚫ learn about the impact of activities/policy initiatives and the evolving cyber policy and threat landscape in PNG; and
⚫ provide a status Report to the Government with recommendations where required to improve implementation.

The design and implementation of the Monitoring and Evaluation Framework will, among other key areas, focus on tracking and evaluating the major policy objectives relating to:

⚫ Establishment of the Joint Cybersecurity Strategic Centre;
⚫ Development of Cybersecurity Legislation and relevant associated laws;
⚫ Development of cybersecurity strategy;
⚫ Deployment of critical technical capabilities and measures to safeguard critical infrastructures and services;
⚫ Awareness and skills development in cybersecurity; among others.

In addition to monitoring and evaluating the major Policy objectives, the Department of Information and Communication Technology will collaborate with the Joint Cyber Security Centre and key stakeholders to develop a database to capture statistics on cybersecurity breaches and to monitor cybersecurity trends globally, in order to raise awareness and inform the policy intervention and decision-making process.

The Government is aware that certain international organizations have developed a cyber security index and the Government will assess and use these international cyber security indexes as baseline indicators for monitoring and evaluating cybersecurity preparedness in PNG.

An implementation Report, based on the Policy monitoring and evaluation, will be produced and circulated to stakeholder agencies on a quarterly basis. This will inform the need for Government intervention where required to further strengthen Cyber Security in PNG.

In addition to the annual monitoring and evaluation exercise and report on the implementation of the Policy, a review of this Policy will be conducted every two (2) years and a mid-term review after five (5) years.