Lessons from establishing a national CERT

By on 20 Jul 2016

Categories: Tech matters, Development


Last week, Tonga became the first Pacific economy to launch its own national Computer Emergency Response Team, CERT.to.

We share challenges with many other Pacific nations, and look to each other when finding suitable solutions. As such, I wanted to share our experience with establishing and launching CERT.to.

Three steps towards establishing a CERT

The concept of CERT.to was first proposed in 2013 shortly after the Fiji-Tonga submarine cable landed in Nuku‘alofa. Recognizing the potential increase in the use of the fast fibre link, the government established a Cyber Challenge Task Force to strengthen its cybersecurity capabilities. The Task Force’s terms of reference included establishing a national CERT to protect the government, private businesses, and the public.

The first step of establishing CERT.to was to attach it to the Information and ICT department of the Ministry of Meteorology, Energy, Information, Disaster Management, Climate Change and Communications (MEIDECC). This ministry is most aligned with the government’s ICT development, and had the human and technical resources needed to establish such a team.

The second step was to do our homework. We took the time to make study visits to other national CERTs to learn how they were established and what they have accomplished. This included Sri Lanka CERT and Mauritius CERT, to whom we were introduced via the GLACY project from the Council of Europe. We learned from them how they are organized and what their operational procedures are, and discussed similarities to our situation here in Tonga – after all, we are all island nations.

The third important step was forming an advisory board to work together with the Department of Information and ICT in formalizing the terms of reference, and the standard operating procedures and framework of the CERT. Other national CERTs and experts from APNIC were also involved in the process of getting all the documentation established.

What resources and relationships are required to establish a CERT?

Andrew says staff are among the most important resources when establishing a CERT. Source: MEIDECC

Because we are starting small, we didn’t have many hardware resources. The main resource we have is staff, who focus on providing basic information on CERT.to and building technical capacity to handle the technical issues heading our way.

In terms of our stakeholders, we obviously have a close relationship with the government. Tonga’s three main ISPs – TCC, Digicel and Tonga Cable Limited – are also main partners of CERT.to. It’s important to have a good relationship with these local providers because they enable all of us here in Tonga to connect to the main cyber highways via their individual networks.

Finally, we have very good relationships with other national CERTs. I mentioned before how we’ve learnt a lot from other CERTs and will continue to do so in the future. What is also important is to try and align your national CERT to international CERT standards so it is easier to be recognized and supported by them.

Overall, it’s taken us just over two and a half years from when CERT.to was first conceived until it was launched. This has allowed us to establish our team, develop our skills and relationships and plan for the future – all important aspects of a sustainable CERT.

Andrew Toimoana is the Director of Information in the Ministry of Meteorology, Energy, Information, Disaster Management, Climate Change and Communications (MEIDECC), Tonga.
