Critical Review of the PNG National Cyber Security Policy 2021

-


 By: Dulcie.AWALI

Introduction

In today’s digital era, Papua New Guinea faces various growing national security threats, including cybersecurity risks to its government, economy, and society. Cybersecurity, as defined by Merriam-Webster (n. d.), involves protecting internet-connected systems from unauthorized access. While once a minor concern, increasing cyber threats led to the National Cyber Security Policy (NCSP), developed and endorsed by the Department of Information and Communication Technology (DICT) in November 2021. The policy aims to strengthen cybersecurity in public and private sectors, enhance national resilience, and safeguard critical infrastructure against evolving digital threats.

This review provides my critical reflection of three main components stated in the policy which is regarded as the policy’s strengths and gaps, offering strategic recommendations for long-term improvement. It also evaluates its alignment with the PNG National Security Policy (2013) to ensure a unified approach to national security and cybersecurity governance, supporting PNG’s digital economy.

Summary

The NCSP framework is in alignment with the National Security Policy (NSP). The policy's first three chapters’ outline in detail its purpose, framework, and strategic vision to strengthen PNG’s cybersecurity in alignment with international and regional partners. Chapter four focuses on key areas such as institutional coordination, risk management, legal frameworks, and international cooperation. The final two chapters expand on the implementation, monitoring, and evaluation plans.

Critique:

Firstly, the policy places effective emphasis by engaging two key groups: private and public institutions with cybersecurity capabilities, and international partners. International cooperation is crucial in combating digital threats, especially since many of PNG’s government agencies and local businesses remain vulnerable due to inadequate cybersecurity measures. Therefore, fostering bilateral and multilateral partnerships is at the forefront of the policy, ensuring the implementation of proper mechanisms and frameworks to enhance national cybersecurity such as awareness and training programs to improve local expertise. Since PNG’s National Cyber Security Center is funded and coordinated by Australia, the policy reflects an overreliance on foreign support for its implementation. This raises concerns about long-term sustainability and national ownership of cybersecurity measures. Additionally, the policy places little emphasis on strengthening government agencies or private institutions, largely due to limited awareness and weak enforcement of cybersecurity legislation (National Cybersecurity Policy, p. 21). To address these gaps, the policy should prioritize fostering public-private partnerships to enhance cyber resilience while reducing dependence on international support. Establishing clear steps to build local capacity and improve enforcement mechanisms will be essential for sustainable cybersecurity development such as, providing funding a clear funding strategy to combat cyber based issues this limits reliance on foreign assistance for financial support. Moreover, this aligns with the PNG National Security Policy (2013), which underscores the importance of prioritizing local businesses and SME operations in addressing global challenges. By doing so, the policy can foster a flexible and inclusive environment that benefits all stakeholders.

Secondly, the policy highlights a key element of the national cybersecurity framework, establishing a foundational approach for managing cybersecurity issues effectively. It recognizes the Critical National Information Infrastructure (CNII) as responsible for overseeing operations to address cyberattacks (National Cybersecurity Policy, p.17 & 18). Moreover, the CNII encompasses vital electronic information assets and networking system that needs to be protected from cyberattacks. Consistent risk assessments and monitoring mechanisms is crucial to prevent the disruption of critical information’s such as public health, telecommunication and government services. However, the policy overlooks key CNII sectors that are most vulnerable to cyberattacks today, such as banking, finance, and national defense. For instance, Island Business (2025) reported that PNG’s Independent Revenue Commission has been struck with a major cyber-attack on its network and computer software’s causing a system outage and exposing potential sensitive data belonging to the citizens and businesses to the public. In relation to this, the policy should provide a more comprehensive understanding of the vulnerable sectors within PNG’s public and private sectors that are most susceptible to cyberattacks. To illustrate this, the policy could draw lessons from successful strategies implemented by other nations, such as Australia's Cybersecurity Centre's Essential Eight (Pacific Islands Forum, 2023). Prioritizing risk mitigation through robust cybersecurity measures is essential to prevent future cyber threats and ensure the long-term security of PNG’s digital economy.

Lastly, the policy demonstrates a firm commitment to strengthening the legal and regulatory framework for advancing cybersecurity within Papua New Guinea, aligning with the country's constitutional laws, the Medium-Term Development Plans (MDTPs), and the objectives outlined in the NSP. Three primary regulatory frameworks have been identified for legislative action: The Digital Government Legislation, the National Cybersecurity Legislation, and the Critical Infrastructure Legislation. While the policy acknowledges the existence of these legislative structures, it places insufficient focus on the practical implementation of the legislative framework across the region, leaving a critical gap in its effective enforcement and operationalization. For example, specific security protocols for CNII sectors, measures to secure digital information from cyber-attacks and data protection guidelines. In retrospect, a detailed action plan is needed to outline specific and strategic measures to effectively secure the digital space within our economic sector. Hogeveen (2022) reiterates that a national action plan serves as a valuable strategy for establishing a coordinated approach to implementation for any policy or legislative act. Thus, without a detailed implementation roadmap, enforcement will be inconsistent. Furthermore, Galgal (2017) notes that PNG’s cybersecurity framework is still in its infancy, with the government primarily addressing cyber-attacks through online censorship laws that have been implemented with minimal public consultation. This indicates a broader issue: the government’s failure to prioritize comprehensive cybersecurity improvements, compounded by a lack of awareness and education within key institutions. In an increasingly interconnected world, where global challenges are rapidly evolving, it is imperative that PNG take its legislative frameworks seriously such as fast tracking the development of an Action Plan following this policy. Without robust and well-implemented cybersecurity measures, the country risks compromising its economic stability and sovereignty in the face of dynamic national security threats.

Conclusion:

A comprehensive approach is needed to fortify PNG’s digital ecosystem. This includes establishing strong governance structures, improving risk management, securing critical infrastructure, and fostering international collaboration in cybersecurity efforts in alignment with the NSP. However, the policy must evolve to reduce dependency on foreign support, promote transparency and accountability, and implement strategic directives that ensure its effectiveness. This will ultimately ensure that the policy benefits all stakeholders and addresses the nation’s long-term cybersecurity needs.

 

 

References:

Australian High Commission Papua New Guinea (n. d.). PNG Embassy: Launch of the National Cyber Security Centre. https://png.embassy.gov.au/pmsb/784.html

Galgal, K (16 March 2017). Developing PNG’s cybercrime policy: Local contexts, global best practice. Lowy Institute [think tank]. https://www.lowyinstitute.org/the-interpreter/developing-png-s-cybercrime-policy-local-contexts-global-best-practice

Hogeveen, B (22 March 2022). The UN norms of responsible state behaviour in cyberspace. Australian Strategic Policy Institute [blog]. https://www.aspi.org.au/report/un-norms-responsible-state-behaviour-cyberspace

Island Business (13 February 2021). Papua New Guinea’s Internal Revenue Commission hit in major cyber-attack but public only told of ‘system outage’. https://islandsbusiness.com/news-break/papua-new-guineas-internal-revenue-commission-hit-in-major-cyber-attack-but-public-only-told-of-system-outage/

Merriam Webster Dictionary (n. d). Cybersecurity. https://www.merriam-webster.com/dictionary/cybersecurity

National Cyber Security Policy (2021). https://www.ict.gov.pg/Policies/Cyber%20Security%20Policy/NATIONAL%20CYBERSECURITY%20POLICY%202021%20(Final)%20-%20031121-%20PRINT.pdf

Pacific Islands Forum (2023). The Pacific Security Outlook Report 2023-2024. https://forumsec.org/sites/default/files/2024-05/Final%20Pacific%20Security%20Outlook%20Report%202023-24.pdf

Papua New Guinea National Security Policy (2013). https://www.aspistrategist.org.au/wp-content/uploads/2014/08/2013-PNG-National-Security-Policy.pdf

 

 

Comments

Post a Comment

Popular posts from this blog

Critical Policy Review of National Oceans Policy (2021)

-
By Kaylyn Kiwar The National Ocean Policy 2020-2030 is an awesome policy set in place purposely to manage and protect marine life. It was set to make up for the decades of unjust exploitation, deprivation and injustice for marine resources with that being said let me highlight a few important points that was highlighted in the policy before highlighting my recommendations. Let’s not forget the policy’s vision is to create a healthy ocean for sustainable development and the addressing and lessen impacts of climate change, natural disasters, and synthetic waste and land-based sources of pollution. Putting it in other words its vision is to ensure there is a healthy ocean for sustainable development and for the need to address any raising issue that may cause impact on marine life. On the other hand, the policy’s goals is to sustain, develop and manage PNG’s marine resources via a unified ocean management system both within and outside its national jurisdiction followed by five supportin...
Read more

Security Analysis: Rising Sea Levels and Climate Change in Papua New Guinea

-
Image
[ Source: Facebook post by UNDP in PNG in 2020 ] As a Pacific Island nation, PNG is particularly vulnerable to the negative effects of rising sea levels, including coastal erosion, flooding, and saltwater intrusion, which have a cascading effect on infrastructure, human settlements, and food security. Rising sea levels are a major threat to PNG, affecting our national security, economic stability, and social wellbeing. This analysis looks at how rising sea levels affect PNG's national security, the national strategies put in place to address it, regional commitments under the Boe Declaration, and international legal frameworks. Lastly, recommendations will be given for future improvement. Inclusion in the National Security Policy (NSP) The negative impacts of rising sea levels is evident along the coastlines and low-lying islands of PNG causing severe disruption to human livelihoods and food security. Coastal provinces like Gulf has already experienced displacement due to salt-...
Read more