Cyber Attacks: Escalating ICT to Strategic Level in PNG Public Service
As many of you will be aware by now, the Government through the Department of Finance (DoF) was hit by a ransomware attack. We understand the following facts to have been established by the Ministry for Finance:
- On Friday 22nd October 2021, the ransomware infiltration was detected on DoF server logs.
- Immediately after detection, the Department of Finance took preventative measures and commenced a recovery process.
- By Thursday 28th October 2021, IFMS and its database were restored in full but with limited access so as to give time to address cyber security matters.
- In the process of recovery, NO money was paid to anyone or any entity.
At this point in time, I can also confirm that the malware looks to have similar features to that of HIVE Ransomware. For the benefit of the general public: HIVE Ransomware has recently hit health systems across the United States as early as June 2021. With due respect to the National Security Advisory Committee and National Security Council processes underway last week, I refrained from releasing a statement. However, I am also very sensitive to the views of the PNG ICT Community, and since relevant questions have been raised on the matter of ICT Governance within the Public Service Sector, I feel it important to engage. I also share sentiments that we as a Government must be transparent.
National Response Frameworks on Cyber Attacks
Firstly, questions have been asked whether the Government has a National emergency and incident response framework to deal with cyber security matters.
The answer for the moment is: yes, we do.
In 2018, through the initiative of various agencies including the Department of Prime Minister and NEC and the NICTA (ICT Regulator) and the support of the Australian Government, a National Cyber Security Centre Project was initiated. Under the National Cyber Security Centre Project, a Cyber Emergency Response Team (CERT) and a Cyber Security Operations Centre (CSOC) were established. Under the National Cyber Security Centre (NCSC), the Cyber Security Services are offered as ICT Shared services. In addition to this, the NCSC offers government agencies level one training for cyber analysts.
In 2020, the Department of ICT took operational oversight of the Cyber Security Operations Centre while the CERT continued to be maintained under NICTA.
It is certainly regrettable that the Department of Finance (DoF) did not take up the offer for endpoint protection services from the NCSC nor use the CERT, despite multiple Circulars distributed to all public bodies on the NCSC. However, only a thorough ICT Audit can pinpoint where the vulnerabilities and oversights, if any, are and what preventative measures need to be taken moving forward. On that note, I do commend the Department of Finance for actions taken to recover from this cyber attack. With respect to NCSC services, they remain optional until such time that the Digital Government Bill 2021 is enacted. Once enacted, the Bill will give functions, powers, and enforcement mechanisms for the Department of ICT to strengthen our country’s cyber security measures and capabilities. Work of the NCSC and progress of the Digital Government Bill 2021 can be found on the DICT website.
Parallel to this is the work of the National Cyber Security Policy. The Cyber Security Policy was initially worked on by NICTA. When I took oversight, I directed for all Policy work to be transferred back to the Department of ICT. The current draft can be found on the DICT website. It is now essential that the Policy is completed to give a clear National vision and implementation framework for cyber security.
Ministry Interventions Post 2019
Now there have been a lot of questions asked of me about what the Department of ICT is doing to address the matter of Cyber Security and, for that matter, ICT governance within the public sector. To answer this question, I will point back to when I first started. In 2019, when I took oversight of the Ministry, I immediately observed the following:
– The Office of Information and Communication (my then ‘Department’) had no legally mandated powers to define and enforce ICT Governance within the Public Sector.
– This essentially meant that all government agencies and statutory bodies were continuing to operate in silos.
– There was no Technology Blueprint or standards to guide the procurement of digital infrastructure, systems, and services.
In addition, there were no public service ICT standards in place; this includes data governance standards, cyber security standards, digital services standards, etc. Most importantly, there was no appropriate policy and legislation in place for a whole-of-government approach delivery. According to an internal assessment of the Integrated Government Information System (IGIS) project, the lack of a policy and legislation framework partly explains why the initial approach by the Government through the IGIS project to integrate and secure government systems was not successful. Based on this, my Ministerial instruction in December of 2019 was to ‘get the house in order’.
Step 1: Was to Establish an Overarching Policy Framework
While I was presented with initial work undertaken by my predecessor Hon Rainbo Paita known as the ICT Sector Reform Blueprint, under my leadership we took the position to evolve this work into a National Policy. To this end, my Department commenced the work of the Digital Government Policy or what is now known as the PNG Digital Transformation Policy.
From December 2019 – June 2020, my Department commenced formulating the PNG Digital Transformation Policy and this was endorsed in August 2021 through NEC Decision No 252/2020. The PNG Digital Transformation Policy recognizes the need for Public Service to digitally transform and thus the consequential Cabinet Decision of 252/2020 directed for the Office of Communication and Information to be upgraded to the Department of Information and Communication Technology with an intent to have oversight on ICT Governance within the Public Sector. The Policy can be found on the DICT website, also in the Policy Section.
Step 2: Develop a whole-of-government Enforcement Mechanism
For the PNG Digital Transformation Policy to be effectively enforced, we recognized the need for the Department of ICT to be appropriately elevated and restructured. The real problem lies in the fact that at the moment, ICT in public service is treated as a support service unit and not as a strategic business unit.
So in putting together the drafting instructions of the Digital Government Bill 2021, we started to look at the models within the eGovernment Act of 2002 in South Korea and the eGovernment Act of 2003 in the United States where we can effectively escalate ICT in the public service. The models we found escalated ICT through the form of a Chief Information Officer in each government agency, reporting to a National Information Council headed by an entity at Central Agency Level and/or reporting directly to Executive Government on digital transformation agendas, economic matters, and national security matters.
In following the principles behind these governance models and through consultation with specialists, we came up with a framework of our own which I do not wish to cover at this time but which you can find articulated in the Draft Digital Government Bill 2021. As a matter of update, I take this time to inform stakeholders that the Drafting Instructions of the Digital Government Bill 2021 were cleared by the Office of the State Solicitor on the 6th of September 2021 (issued a Certificate of Necessity) and were further endorsed by Cabinet on the 6th of October 2021.
Step 3: Restructure the Department of ICT and Development of Data, Security, and Digital Service Standards
In September 2020, the Department of ICT launched its Corporate Plan which highlighted a proposed structure. A revised downgraded structure proposed by DPM was eventually endorsed and as a result, the Department is recruiting. With the Department undergoing the recruitment phase, we are at a place where we are not formulating appropriate digital standards. First drafts can be found on the DICT website.
What do all these reforms mean for cyber security?
Cyber Security as with all other matters of ICT governance in Public Service is no longer a matter of support service but must be seen as a strategic function of every organization. The government has recognized this through the Digital Transformation Policy. The cyberattack that occurred was bound to happen because we don’t have appropriate mechanisms for enforcement of cyber security standards and a governance framework for ICT functions in public service. It has been happening and it is bound to keep happening if we don’t complete the reform process. The Digital Government Bill 2021 contains the governance framework required to establish and enforce ICT governance across all public bodies.
What are the immediate steps required?
I, as Minister responsible, will continue to push for the Digital Government Bill 2021 to be enacted in the November Parliament Sitting.
I will also be pushing for a further escalation/upgrade of the Department of ICT immediately after the enactment of the Digital Government Bill 2021.
To the ICT Community, we need your support and voice to help us escalate the ICT Sector by getting this Bill through. We are holding for the first time a National ICT Summit on 10 – 12 November 2021 and I would like to encourage all stakeholders to attend and participate.
In the meantime, I have directed my Department to conclude work on the National Cyber Security Policy and I will take it to Cabinet immediately with a view to receive directives and funding for ICT Audit across all public bodies and full enforcement of the National Cyber Security Centre and the Cyber Emergency Response Team.
My call specifically for the ICT community is to please support us. We are on the right track to having ICT being legally recognized.