Australian initiative seeks to boost Asia-Pacific cyber security

A group formed of the collaboration between eight Victoria universities is helping Pacific nations to assess and improve their cyber policies.

cyber security lock padlock firewall code breach password
Getty Images

A group that brings together security expertese from eight Victoria universities is helping Pacific nations to assess and improve their cyber policies.

The Oceania Cyber Security Centre (OCSC) was established in 2016 with support from the Victorian government and works with local and international partners from government, non-government, industry and academic sectors to provide advice on cyber security initiatives.

The centre brings together Federation University, Victoria University, the University of Melbourne, Swinburne University, RMIT University, Monash University, La Trobe University and Deakin University.

Currently, the OCSC is focused on two initiatives: The Cybersecurity Capacity Maturity Model for Nations (CMM) in collaboration with the University of Oxford’s Global Cyber Security Capacity Centre, and a domestic industry led academic research cooperation program.

Cybersecurity Capacity Maturity Model

The CMM focuses on assessing the national level of cyber security capacity policy in Pacific nations. 

“One of the things that we find is really important about the CMM is that it doesn’t just consider cyber security to be a technical problem, it also considers cyber security to include strategy and policy, the priority that people give to cyber security, education, training and legislation,” OCSC project lead James Boorman told CSO Australia.

The model also considers the laws a nation has in place, the capacity of the police force that investigates cyber crime (and the ability to successfully prosecute it) as well as standards and technical aspects of security.

“It has this holistic view of cyber security, which correlates well with the understanding of cyber security that we’re finding in the region. So the countries aren’t looking at this as just a technical problem,” Boorman explained.

OCSC has already performed an assessment in Samoa and the report was recently published. “There are a number of recommendations in that report which the Samoa government has agreed to,” OCSC chair Cameron Boardman told CSO Australia. “We now want to identify project partners and funding sources to deliver against those recommendations. And that could be something such as refining the National Cyber Security Strategy, or developing cybercrime legislation, or other projects that’s contained in that report.”

How does the assessment process work?

The OCSC only conducts an assessment after receiving an invitation to do so by a country.

The first step is to meet with the people directly involved in cyber security. Then, to begin to understand the current capacity of each nation, OCSC engages with other stakeholders across government, private sector, academia and citizens.

The data gathered is then analysed alongside other sources of information such as publicly available information and policy documents.

OCSC drafts a report that uses the CMM to assess where the country is from a maturity point of view. Then it provides recommendations to strengthen the cyber security posture.

The entire process can take up to four months.

There are “several hundred measures” inside the CMM, which is divided in five dimensions with one being strategy and policy. OCSC looks at whether a country has a national security strategy which gives that nation a level of maturity, but Boorman explained that this is just one point of analysis.

Additional considerations can be the process by which that strategy has been developed, he said. “Has been developed using multi-stakeholder approach? Is there evidence of there being a consultation process? What’s the content of the strategy? Or is it considering all the different issues with cyber security. And that’s just one element of one factor of one dimension,” Boorman said.

The CMM is the first step on that journey to strengthen the cyber security posture of the nation, he explained.

The next step is to meet with the Australian government and other potential donors to develop a funding pipeline to help the nations deliver against the assessments.

Associate professor for cyber security at Monash University and OCSC director Carsten Rudolph explained that many Pacific countries have digital transformation as part of their strategies and are looking forward to getting subsea cable Internet connectivity but are aware of the risk this brings and so welcome the OCSC engagement.

OCSC expects that with the first report now published, other countries will be able to see what the results look like and how helpful the recommendations can be.

“There is a significant increased regional and international focus on the Pacific and in fact, probably a day doesn’t go by where the Pacific isn’t in the news for various reasons and cyber security, digital enablement and specifically digital infrastructure is one of those recurring themes,” Boardman said. “What we’re seeing with our research and our evidence is that that’s now influencing policymakers.”

He said that the Five Eyes nations—the US, the UK, Australia Canada, and New Zealand—now are committing serious resources to Pacific enablement in the digital space. “The reason for that is that it’s not just essential, but if I don’t do it, someone else will. And I think we all know what that means,” Boardman said. (The Australian government, for example, in 2018 stepped in and largely funded a subsea cable hooking up Papua New Guinea and the Solomon Islands after China’s Huawei was originally slated to connect the Pacific nations.)

A total of 15 countries will have their policies reviewed. Five have already been completed: Samoa, Tonga, Vanuatu, Papua New Guinea and Kiribati. The OCSC wouldn’t reveal the other 10.

“Our ambition is to work with all countries in the region to undertake at least one CMM review. Our initial funding covers 15 countries in the Oceania region, including Australia,” Boorman said. 

“We will be working with the Federated States of Micronesia and the Cook Islands next. The next counties out of the 15 will be dependent on who invites us to conduct a review. We continue to engage with countries in the region to explore their interest.”

Copyright © 2019 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)