Over a month after a suspected cyberattack knocked out emergency services, government emails, and phone lines, many government officials and staff in Vanuatu continue to rely on personal email accounts to conduct day to day business.
Elsewhere, the public sector remains crippled. The staff at Port Vila Central – Vanuatu’s main hospital – resorted to using pen and paper for vital communications through late November.
The issues began when suspicious phishing activity was detected in emails intended for the Ministry of Finance. According to anonymous civil servant sources, the government servers were taken out on November 4.
Cybersecurity staff became aware of the issue after the government servers became inaccessible. Some users were even redirected to pages of groups believed to be behind the attacks.
Professor Matthew Warren, director of the RMIT University Centre for Cyber Security Research and Innovation, told The Diplomat that despite the attacks happening over a month ago, “the malware impacted the government systems and they have not been able to recover from the incident.”
“Government officials are using commercial email systems and manual systems to keep government operations continuing.”
Importantly, he concluded that the incident “does highlight the importance of governments to invest in cybersecurity technologies.”
Many of Vanuatu’s government departments are currently using local computer drives to help store data instead of more secure web servers or the cloud.
However, some were quick to highlight that while these cyberattacks impacted government severs, private businesses and individuals remained mostly unaffected, as internet penetration is low to begin with.
Dr. Amanda H. A. Watson, a research fellow at the Department of Pacific Affairs at Australian National University (ANU), noted that while there have “no doubt been many” consequences after the malware incursions into Vanuatu’s government servers, “the majority of people in Vanuatu would not be directly impacted.”
“Roughly half of the people have a mobile telephone and about half of those are smartphones… there are places where the network coverage is second generation (or 2G),” she told The Diplomat. “It is not suitable for internet access.”
“In short, it’s a very different context to somewhere like Australia where the vast majority of people have access to the internet and use it regularly.”
Guardian Australia reported that no official announcement has been made about whether there was a ransom demand made by the hackers. Further still, despite suspicions of various international players, no one has claimed responsibility for the cyberattack.
Australia’s Pacific Minister Pat Conroy recently visited Vanuatu and noted cyberattacks were a problem for many countries in the region.
“It is very important that the Pacific family works together to make sure that all our systems work properly, and when a system does go down those members of the Pacific family are there to help,” Conroy said.
Vanuatu, like many Pacific nations, has limited resources to deal with cyber issues. The nation of 315,000 people relies heavily on bigger states in the region – namely Australia – to provide aid and security.
The nation occupies an important geopolitical position in the region, having friendly ties with both Australia and China. It has at times been vociferous on issues that make Australia uneasy, such as demanding stronger climate change action, and in regard to West Papua.
Vanuatu has shown a proclivity in recent years to establish greater ties with Beijing diplomatically. The parliament house in Port Vila was built with Chinese investment in the 1990s, as was the local convention center and stadium. Unlike the United States, which has its closest embassy in Papua New Guinea, China has a diplomatic presence in the small nation.
Warren argues that Australia has a “duty of care” to protect its Pacific neighbors from cyberattacks. This means that Australia’s cyber expertise is shared with these countries to enable them to protect themselves.
“A way of dealing with the situation is for [the Australian Department of Foreign Affairs and Trade] to offer cyber foreign aid to countries in the South Pacific to help them increase cyber resilience and prepare for future cyberattacks.”
The lack of cybersecurity isn’t just confined to Vanuatu. Many other Pacific islands suffer from a lack of financing and investment in the area. With the region becoming a hotbed of geopolitical discourse in recent years, this may grow into a serious issue.
Watson attended the National Conference on Information Technology, organized by Fiji National University, this year. She noted that from the speeches and presentations, there was evidence of a “general lack of cybersecurity capacity in Fiji.”
She emphasized a particular talk by Prashil Kumar, senior manager IT operations and cybersecurity at Fiji Airways, who spoke about IT professionals calling him during a cyberattack and asking him for directions.
Watson concluded that she “would imagine that the situation would be similar in other Pacific Island countries.”
Watson’s observation brings into focus the reality that all states are vulnerable to cyberattacks, especially without significant investments in protection. For states such as Vanuatu and other Pacific Island nations, a lack of infrastructure and capacity to respond and trace these attacks means that problems may last longer than in developed states. This, however, does not make larger nations immune.
In recent months, Australian telecommunication company Optus and insurance company Medibank both suffered large-scale data breaches, with over half of Australia’s population impacted. In Indonesia, 1.3 billion SIM card registration details were stolen, with the alleged hacker “Bjorka” highlighting the apparent lack of cybersecurity preparedness on the part of the Indonesian government.
For Vanuatu, the increasingly geopolitical focus on the region makes cyberattacks especially concerning. It remains to be seen how much investment will be provided to better protect the smaller Pacific states from future attacks.