Review of National Cybersecurity Policy 2021

By Lamonai. Kenny

Introduction:

In today's digital era, Papua New Guinea (PNG) finds itself at a crossroads where information and communication technology (ICT) offers tremendous opportunities alongside a surge in cyber-related threats. In response, the National Information and Communication Technology Authority (NICTA) enacted the National Cybersecurity Policy in 2021. The Department of ICT Minister Honourable Timothy Masiu has emphasized that the purpose of this policy is to safeguard the cybersecurity of Papua New Guineans, ensuring that it aligns with international standards in this digital age. Throughout this policy review, I will summarize the policy clearly outlining how the policy relates to the National Security Policy, as well as share my mixed perspectives on the effectiveness and implications of the policy, exploring both the strengths and areas of improvement to take into consideration.

Summary:

PNG has experienced the rapid increase of ICT, and with the commissioning of the Coral Sea Cable that enables internet connectivity, it has further increased the countries vulnerability to cybersecurity threats. With the PNG Government recognizing these threats, it has prompted them to come up with a robust cybersecurity framework. The framework intends to complement and enhance the existing frameworks in PNG, just to name a few, ‘The PNG Security Policy Strategic Action Plan 2014-2020, The PNG Digital Transformation Policy 2020, and the PNG National Security Policy (NSP) 2013’. The current framework is aligned with the NSP 2013, as it will update the NSP’s discussions and reviews for future references by addressing the current cyber threats. To summarize the policy’s focus areas;

• Government [Chapter 4.1- 4.1.4.7]: Outlines governance structures, policy development, and legal frameworks for effective cyber security management.

• Risk Management [Chapter 4.2- 4.3.2]: Establishes a risk assessment framework and incident response strategies to mitigate cyber threats.

• Capacity building [Chapter 4.4- 4.3.2]: Emphasizes human resource development and infrastructure investments to enhance cyber defence capabilities.

Critique:

To review the policy, I have decided to give my balanced view on the three categories that were mentioned above.

Firstly, to the strengths of the Government under section 4.1, it shows the clear governance structures detailing how they will have a coordinated approach to addressing the issue, the new entities that will be created to coordinate, manage, and implement the National Security Strategies that are already in place, to ensure that accountability and transparency is upheld. Another strength outlined throughout the policy is under section 4.1.4, as the policy emphasizes on stakeholder engagement. It outlines the various government agencies who oversee the functionalities and operations of cybersecurity, fostering a collaborative effort. In support of this, according to the PNG Department of ICT (2024), they have established a National Security Strategy (NCSS) 2024-2030, which introduces a phased implementation approach which has clear timelines such as; Phase 1 outlines foundational strengthening, phase 2 outlines the scaling of cyber maturity, and phase 3 outlines the advanced global cybersecurity. So it can be seen that the NCSS 2024-2030 is the Government’s way through the DICT to improve or strengthen on what they initially proposed for in the National cybersecurity policy 2021. On the other hand, weaknesses identified are in section 4.5.2 which are the lack of resources, can affect policy implementation. Additionally, the limitation in awareness of cybersecurity issues among businesses and individuals pose a challenge on enforcing legislation. To support this, according to Koziel, (2022), the lack of cybersecurity awareness among employees can lead to security breaches.

Secondly, the strengths in section 4.3 include a critically structured risk management approach that explains the step by step method of assessing and managing risks. However, weaknesses identified can be with the rapid evolvement of cyber threats, it can surpass the existing measures in place. In alignment with this, IJCRT (2014) states that with the emerging threats, cybersecurity can exceed the current security measures and that it is necessary for continuous adaptation of security measures.

Thirdly, the strengths under section 4.4 of capacity building, proposes partnership of the Government and stakeholders to provide skills development on cybersecurity professionals in public and private ICT institutions or organizations. However, a limitation seen can be the limited reach of the capacity building’s inadequacy to reach all regions of the country.

Recommendation:

To recommend areas the policy can improve on, I would suggest two things, the first one is in order to enhance public awareness and education, the Government must conduct a nationwide campaign to educate citizens about cyber risks and protective measures through workshops in schools and communities. Another suggestion is in terms of resource allocation, the increase of funding and resources to effectively address evolving cyber threats is fundamental in this technological era.

Conclusion:

Thus, the National Cybersecurity Policy 2021 highlights the vital importance of a robust cybersecurity framework for PNG as the basis of the framework is in alignment with the National Security Policy 2013. By enhancing public awareness and allocating sufficient resources, PNG can strengthen its cybersecurity posture, effectively addressing contemporary challenges and ensuring a safer digital environment for its citizens. The successful implementation of these recommendations will be essential in navigating the complexities of the digital era, ultimately contributing to the nation’s security and development.

References:

Department of ICT. (2021). National Cyber Security Policy 2021.

https://www.bing.com/ck/a?!&&p=8846a6776d8a94c84fdba4621f68d4694a856d39de97d5af54192f55eb0c3995JmltdHM9MTc0MjQyODgwMA&ptn=3&ver=2&hsh=4&fclid=00ad03d2-2abb-6eba-1c48-16642bbb6fe7&psq=Cybersecurity+policy+2021&u=a1aHR0cHM6Ly93d3cuaWN0Lmdvdi5wZy9Qb2xpY2llcy9DeWJlciUyMFNlY3VyaXR5JTIwUG9saWN5L05BVElPTkFMJTIwQ1lCRVJTRUNVUklUWSUyMFBPTElDWSUyMDIwMjElMjAoRmluYWwpJTIwLSUyMDAzMTEyMS0lMjBQUklOVC5wZGY_X3Q9MTY0MTc5MTYyNw&ntb

Department of ICT. (2024). National Cyber Security Strategy 2024-2030.

https://www.bing.com/ck/a?!&&p=10463a733c902c762b5a5825e1adcfc9db7bf2f18e25e77f72553af2a5c1f686JmltdHM9MTc0MjQyODgwMA&ptn=3&ver=2&hsh=4&fclid=00ad03d2-2abb-6eba-1c48-16642bbb6fe7&psq=https%3a%2f%2fwww.ict.gov.pg+National+cybersecurity+strategy+2024-2030&u=a1aHR0cHM6Ly93d3cuaWN0Lmdvdi5wZy9uY3NzLyM6fjp0ZXh0PVRoZSUyME5hdGlvbmFsJTIwQ3liZXIlMjBTZWN1cml0eSUyMFN0cmF0ZWd5JTIwJTI4TkNTUyUyOSUyMGFpbXMlMjB0byxmb3N0ZXJzJTIwaW5ub3ZhdGlvbiUyMGFuZCUyMHByb3NwZXJpdHklMjB3aGlsZSUyMHNhZmVndWFyZGluZyUyMG5hdGlvbmFsJTIwc292ZXJlaWdudHku&ntb=1

Koziel, J. (2022, March 16). Cybersecurity awareness: What it is and how to start.

Cybersecurity Awareness: What It Is And How To Start – Forbes Advisor

Ijcrt.org. (2023, July 7). Emerging cybersecurity threats and countermeasures: A comprehensive review. www.ijct.org