Boosting Pacific cyber capacity

The Australian government’s Cyber Security Strategy (2023–2030) underpins its long-term commitment to investing in the development of sustainable cybersecurity across the Pacific Islands region.

These investments include spending AU$26.2 million on deploying cybersecurity experts to nations in the region and AU$16.7 million on helping these nations identify and address vulnerabilities to cyberattacks.

This commitment reinforces two key points that underpin Australia’s regional security.

First, as a leading regional economic partner and neighbour, Australia’s security and prosperity are intrinsically tied to its Pacific neighbours. Maintaining a strong and active presence is crucial to safeguarding Australia’s interests and preventing states with differing values and strategic goals from dominating the region at Australia’s expense.

Second, Pacific Island nations face entrenched environmental and development challenges, such as their small size, lack of natural resources, geographical remoteness, high telecommunications and transportation costs and inadequate infrastructure.

These factors limit their ability to develop sustainable cybersecurity capabilities without sustained assistance. These challenges expose Pacific Island nations — and by extension, Australian interests — to a heightened risk of cybercrime and cyber-enabled crime.

With the region’s ability to develop cybersecurity capabilities being constrained by these challenges, Australia has a key role to play in both actively promoting its own strategic interests and helping Pacific Island nations enhance their foundational capabilities.

The goal for the Australian government is to invest in regional cybersecurity development strategically, ensuring optimal long-term returns for its national interests and fostering sustainable development across the region.

Australia will need to invest in identifying and remediating cyber vulnerabilities, reducing the likelihood of attacks and mitigating the impacts of attacks. These efforts could be supported by leveraging regional and bilateral frameworks to identify areas of shared cybersecurity capability interest and strengthening domestic legislation in Pacific Island nations to combat cybercrime and cyber-enabled crime.

The Pacific Islands Forum has developed the 2050 Strategy for the Blue Pacific Continent, the 2023 Lagatoi Declaration on Digital Transformation of the Pacific and the 2018 Boe Declaration of Regional Security as consensus-based multilateral frameworks.

Through these mechanisms, Pacific Island governments have pledged to bolster regional cyber resilience, including safeguarding their national critical infrastructure. These pledges empower nations to work together on matters of shared interest while respecting their different levels of cybersecurity policy maturity and capability.

These forums provide an opportunity for Australia to target cybersecurity engagement and collaboration towards areas of mutual interest. Australia can also leverage bilateral agreements including the Fiji–Australia Vuvale Partnership and the Australia–Kiribati Tobwaan Te Reitaki (Nurturing Cooperation) Memorandum of Understanding to focus cybersecurity investment on areas of strategic interest and to reinforce strategic values and priorities.

The likelihood of cyberattacks targeting Pacific Island nations, and consequently Australian interests in the region, is closely tied to the effectiveness of each nation’s cybercrime legislation. Strengthening these laws typically reduces the probability of cyberattacks within a jurisdiction.

Governments that enact robust legislation to combat cybercrime enhance protection for Australia’s regional cybersecurity interests. Conversely, nations with inadequate cybercrime provisions pose higher risks of data compromise affecting Australian interests.

While multilateral declarations commit Pacific Island nations to working together on matters of shared interest, they are not legally binding and rely on nations implementing domestic cybersecurity-related legislation to enact the intent of these declarations.

The state of domestic cybercrime legislation varies across the region. Several nations, including the Federated States of Micronesia and Palau, have not committed resources to developing or uplifting domestic legislation pertaining to cybercrime and cyber-enabled crime. Others, including Tuvalu and Nauru, have established foundational legislation to define cybercrime and related matters.

In contrast, nations including Fiji, Kiribati, Tonga and Australia have partnered with the Council of Europe to collaborate on the creation and improvement of domestic cyber resilience legislation, historically aligned with the Convention on Cybercrime (the Budapest Convention) and its protocols.

Such legislation typically includes definitions of cyber crime and cyber-related crime, the ability to collaborate with law enforcement agencies and permission to exchange information to support cross-border cybercrime investigations.

Cybersecurity capabilities differ among Pacific Island nations, as each country develops its capacity to detect and counter cyber threats independently. Australia should expect that national governments will strengthen their cybersecurity capabilities at varying rates, reflecting their distinct domestic policy focuses and investment priorities.

As nations evolve their ability to address cyber threats, their approach to regional engagement and collaboration on cybersecurity is likely to change. This dynamic relationship has significant implications for cyber diplomacy, especially regarding the targeting of support for cyber capability development, emphasising the importance of demand-driven cybersecurity development assistance.

Nations with an open approach to engagement typically demonstrate a willingness to engage with regional and development partners and are more likely to collaborate on shared interests. These nations prioritise cyber resilience policies that promote domestic self-reliance while aligning with international standards, treaties and conventions.

On the other hand, nations with a closed approach are likely to prioritise the development and maintenance of domestic cyber resilience capabilities over regional engagement and collaboration. These nations are less inclined to identify and collaborate with development partners and other stakeholders on shared interests and instead prioritise cyber resilience policies that promote domestic self-reliance.

Australia’s investment will be best served where it responds to this demand-driven approach by targeting the domestic cybersecurity policy priorities of each partner nation based on their relative cybersecurity capability maturity and approach to collaboration.

Examples of this demand-driven approach in action include the Fiji–Australia Vuvale Partnership and the Australia–Kiribati Tobwaan Te Reitaki (Nurturing Cooperation) Memorandum of Understanding, which each allow Australia to provide targeted bilateral assistance for information sharing, collaboration and cybersecurity capability building that aligns with both nations’ interests.

This article was published by The East Asia Forum.