APrIGF Document Platform

How did CERT Tonga respond to the ransomware attack in Tonga:
All incidents should be reported to CERT Tonga but most incidents don’t get reported because the organisation wants to handle it internally by their IT staff. In February 2023, the Medusa ransomware hit one of Tonga’s critical ISP. This was reported to the CERT within 3days as the deadline from the attacker to the victim. Due to limited resources, capacity and technical capability, this was the first time for the CERT o experience such an incident. The CERT reached out to other CERTs in the region for assistance, CERT NZ. The advise was for the victim not to pay the ransomware. For the affected party, their services were not fully compromised and the Tongan government requested emergency response assistance from the Australian government. CERT Tonga was directed to lead the coordination and collaoration of the first cybersecurity incidense response teams to tonga from Australia and New Zealand and Tonga. Cyber CX and teams from Australia were responsible for the investigation, recovery and restoration of services of the affected party and CERT NZ for conducting training for ICT staff, government ministries and public enterprise and private sector as well as the affected parties staff including assistance and advise on communication

Tonga’s computer emergency response team (CERT)was established and effective via a cabinet decision on July 15, 2016. CERT Tonga operates under the Ministry of Meteorology, Energy, Information, Disaster Management, Environment, Climate Change and Communications (MEIDECC). It currently has 3 established staff members, 2 males and 1 female. This 3 staff look after the cybersecurity issue and all cybersecurity related matters for the Kingdom of Tonga. In the area of workforce development, young Tongan tertiarty students are encouraged to consider internship at the CERT if they wish to develop their cybersecurity skills. CERT Tonga also has a cybersecuirty workforce development programme in partnership with the Ministry of Innovations and Trade, New Zealand which will allow them to recruit 3 additional staff. CERT Tong works towards a vision of safe and secure digital environment for the Kingdom of Tonga. Its mission to to coordinationand collaborate amongst stakeholders through awareness to detect and manage cyber threats in the Kingdom of Tonga

Security (physical infrastructure), protection of personal and privacy of information, protection of national critical data are fundamental to the Tongan governments digital strategic goals. The digital government security requirements flow several security principles including protection of confdential information, ienuring the integrity of data and information and ensuring accessibility of information to those with a valid need to know and proper security authentication and authrosation. With the kingdom of Tonga population is importnt to measure the amount of threats, cybersecurity processes that impact the population. Due to isolation, limited resources, there is a need to build resilience towards these impacts.

Stories from the Pacific – the human side of cyber incidents

The successes of digital transformation in the Pacific and increased internet connectivity of Pacific Islands is unfortunately accompanied with greater vulnerability of local IT systems. The recent spike in high profile, publically reported cyber incidents from the Pacific has seen a much welcomed boost in awareness and focus on bolstering technical, organisational, and policy approaches to help increase nations’ cyber resilience.

Technology is being employed as an enabler to build and strengthen services. In Tonga, the Digital Strategic framework from 2019-2024, the strategy sets the use for the governments informtion and communication technology with the ultimate intention to improve government decision making, business process and work flow efficiency. Improving the quality of services timeliness for the people of Tonga while reducing the complexity and cost of government services.

To establish a trusted technology company or original equipment manufacturer (OEM) with the mission of ensuring affordable access to cutting-edge technology at the grassroots level.”

adoption and awareness of “community internet “is other way to improve internet access

“suggested to rephrase”

During APrIGF 2023, a parliamentary track occurred from August 31 to September 1. This track brought together government officials from the Asia-Pacific (APAC) region to deliberate on various Internet and digital-related topics. These discussions included active participation from other stakeholders, including the technical community, academia, people with disabilities, and youth. Additionally, the APrIGF 2023 in Brisbane, Australia, coincided with the 2023 Asia Pacific Youth Internet Forum, the 2023 Pacific Internet Governance Forum, and the 2023 NetThing events.

in the list of Emerging Technologies
add
“Blockchain”
“BioTech”
“Synthetic biology”
“quantum computer”

Since there’s different approach on AI and Data regulations among different jurisdictions. Namely, some on National Security Approach and Personal Security/Privacy Protection approach in major countries.

To simplify for a standard approach that every countries may follow to implement same standards in their jurisdictions, suggest focus on :
Country is responsible to setup AI & Data Governance framework within reasonable timeline, to give a directive on AI & Data Governance towards a “Transparent” & “Fair” approach, that empower individual rights well protected on Safety, Security and Privacy that match with the guildline and standards laid by United Nations framework. Responsible use of all kind of technologies related activities, including AI, data analytics, digital information collection and generation, should comply with reference to EU GDPR standard, and UN SDG17 principal. In order to establish univarsal standards of good practice.

[The imbalance of deployment of technology in the Pacific Islands compared to other developed regions has led to a rise in cyber incidents. ] This is not necessarily true. You coukd say that there is an imbalance but it has not led to the imbalance. It is more accurate to say there is an imbalance and there is a rise and that these gaps in technology etc need to be addressed. everything else sounds fine.