As the Pacific Islands embrace digital transformation, cybersecurity must become a critical priority. Recent cyberattacks targeting the government of Palau and the Pacific Islands Forum (PIF) Secretariat, carried out by criminal organizations with links to the Chinese government, highlight the vulnerability of the region’s digital infrastructure. The Samoan government’s recent cyber threat advisory on the Chinese-backed cyber group APT40, coupled with China’s willingness to exploit the vulnerabilities of the Pacific’s digital infrastructure, underscores the urgent need for Pacific nations, particularly Tuvalu, to take extraordinary measures to safeguard their digital assets.
As the 2023 Lagatoi Declaration noted, “Digital infrastructure underpins the delivery of digital services” and is “key to the development of the ICT (information and critical technology) sector in the Pacific.” For Tuvalu, the stakes are even higher. The country’s ambitious goal of becoming the first digital nation, which aims to store sensitive information online as a safeguard for its governance, identity, and culture, means it is especially at risk.
Considering the volume and sensitivity of the information that will be stored in Digital Tuvalu, the Falepili Union should be amended to ensure that Australia is obligated to strengthen Tuvalu’s capacity to defend against cyberattacks and committed to responding to any cyberattacks against Tuvalu using its rapid cyber assistance teams.
The PIF’s 2023-2024 Pacific Security Outlook Report highlighted several obstacles to cybersecurity development in the region, including limited operational capacity, inadequate infrastructure, and inconsistent budgets. The report also noted that cyberattacks in the Pacific continue to have a high success rate, driven by the widespread availability of tools and services for conducting such attacks and a generally low level of cyber threat awareness across the region.
China has taken notice of these vulnerabilities and has increasingly exploited them. In February 2024, the PIF Secretariat was the target of a cyberattack aimed at accessing sensitive information about its operations and communications with member states. In response, Australia deployed a team of cyber specialists to Fiji to assist the PIF in addressing the breach and strengthening its defenses. Following an investigation, the Australian Cyber Security Center attributed the attack to state-sponsored hackers linked to the Chinese government. A statement from China’s Embassy in Fiji denied the claim, which it called “purely a made-up story with no basis at all.”
On March 14, 2024, Palau had ransomware executed against it by DragonForce, a Malaysian group believed to have Chinese and Russian ties. The execution disrupted the government’s financial management system, preventing employees from receiving electronic salary payments for five days. It also resulted in the theft of thousands of documents, including crew lists from Japanese Navy ships that visited Palau and records detailing Palau’s relationship with Taiwan.
The attack took place on the same day Palau and the United States celebrated their Compact of Free Association Agreement, leading Palau to believe the attack was politically motivated; however, DragonForce publicly responded on X, formerly known as Twitter, stating that their attack was solely financially motivated. Although the ransomware was executed on March 14, it is probable that the actual infiltration occurred days before, as this is typically the pattern in such incidents.
With its highest point above sea level at just 4.5 meters, Tuvalu is predicted to be one of the first nations in the world to be submerged due to climate change. At COP27, Tuvalu announced plans to construct a digital version of itself, becoming the first nation to explore a digital existence as the impacts of climate change continue to threaten its survival. At COP28, Tuvalu provided an update on the initiative, including plans to develop a digital passport to ensure the continuation of government services, such as elections and referendums. The initiative also aims to preserve the country’s cultural heritage through the digitization of artifacts, language, stories, and dances.
Tuvalu’s decision to digitize its nation is a bold and innovative step, but it also places the small island state in a vulnerable position. As a diplomatic ally of Taiwan, Tuvalu faces heightened risks of cyberattacks, particularly from China. If China were to hack Tuvalu’s digital nation, the consequences could be severe, affecting its national security, governance, and cultural preservation. Sensitive information, such as personal data from digital passports and government records, could be stolen, enabling surveillance or manipulation that undermines the trust between the government and its citizens. A breach could also disrupt essential governance systems, including those facilitating elections and referendums, potentially leading to manipulated outcomes that cast doubt on the legitimacy of Tuvalu’s government.
In addition to governance risks, Tuvalu’s efforts to preserve its cultural heritage in digital form could also be jeopardized. A cyberattack might corrupt or erase digitized records of artifacts, language, stories, and dances, resulting in the loss of invaluable cultural history. Manipulation of this data could misrepresent Tuvaluan culture to the world, diminishing its authenticity.
Tuvalu has taken steps to protect itself from cyberattacks. In October 2023, it launched its National Information and Communications Technology Policy. One of the seven strategic focuses is cybersecurity, which states that the government will pass new cyber laws, strengthen legal frameworks, form a cyber task force, and implement cybersecurity awareness programs. According to the Pacific Region Infrastructure Facility (PRIF), Tuvalu reported having only one self-funded initiative, with four additional programs being undertaken in the country, funded by the Oceania Cybersecurity Center, Pacific Cyber Security Operational Network, Get Safe Online, and the United Nations Development Program. This aligns with the PRIF’s observation that smaller countries rely heavily on regional support. The PRIF also noted that many initiatives are short term.
Given Tuvalu’s limited financial resources, it would likely not be able to handle an attack on its digital infrastructure and therefore requires international assistance. Under the Falepili Union, which was signed in November 2023 and entered into force in August 2024, Australia is committed “to provide assistance to Tuvalu in response to military aggression against Tuvalu.” However, cyberattacks do not fall under the United Nations’ definition of aggression, which defines “aggression” as “the use of armed force by a State against the sovereignty, territorial integrity, or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations, as set out in this Definition.” China could potentially direct third parties to target Tuvalu’s digital infrastructure, as we have seen with the Palau and PIF Secretariat cyberattacks, making it a form of indirect aggression.
Although Australia has announced the establishment of rapid assistance teams to respond to cyberattacks in the Pacific Islands, the significant volume and sensitivity of the data to be stored in Digital Tuvalu highlights the need to amend the Falepili Union. Such an amendment should obligate Australia to actively support the development of Tuvalu’s cyber defense capabilities and ensure a response to cyberattacks targeting Tuvalu utilizing its rapid cyber assistance teams.
Digital Tuvalu represents a forward-thinking response to the existential threats posed by climate change, but it also introduces significant cybersecurity risks. As the Pacific Islands region continues to embrace digital transformation, the increasing vulnerability of smaller nations, like Tuvalu, to cyberattacks becomes a pressing concern. Growing geopolitical tensions, particularly involving China and its cyber capabilities, underscore the need for robust cybersecurity measures.
Despite the steps Tuvalu has taken to strengthen its defenses, including the development of a national cybersecurity policy, the country remains ill-equipped to manage a cyberattack on its own. Given the potential for devastating consequences to Tuvalu’s governance and cultural heritage, it is imperative to amend the Falepili Union to ensure Australia’s commitment to both protecting against and responding to cyberattacks targeting Tuvalu. Protecting Tuvalu’s digital assets is not only a matter of national security but also a critical part of safeguarding the integrity of its future as a digital and sovereign nation.