On November 6 2022, a new government started its first official day in office on the Pacific island nation of Vanuatu – just as a debilitating ransomware attack shut it out of all state-run computer systems. Unable to restore access, public services quickly atrophied. Taxes went unpaid; medical operations were postponed, then cancelled. Whole ministries reverted to using notepads to transcribe new records, while others hurriedly created new Gmail accounts to communicate with the public. Weeks after the hack, says Glen Craig, chair of the Vanuatu Business Resilience Council, “the entire sovereign nation of Vanuatu was running on personal email.”
It took several months before Vanuatu’s government servers were rebuilt and fortified, thanks in part to the assistance of a specialist cybersecurity team flown in from Australia. It’s not the only nation that’s been held hostage by a cybercriminal gang. In April 2022, Costa Rica’s government was knocked offline when cybercriminal gangs Conti and Hive usurped its systems and demanded millions of dollars in bitcoin to restore access. In the Pacific region, meanwhile, two major telecommunications providers – the Tonga Communications Corporation and Guam’s Docomo Pacific – were laid low by cyberattacks.
Digital transformation has been the cornerstone of the development strategies for many small nations, not only in the Pacific region. The case of Vanuatu, however, shows what the consequences can be for countries that neglect cyber defence within that overall vision, argues Carsten Rudolph, a professor of cybersecurity at Monash University in Australia. Without such defences, he says, “processes that have been totally local and disconnected from worldwide risks can suddenly become the target of cyberattacks.”
Vanuatu’s cyberattack
For its part, Vanuatu was not completely unprepared for a cyberattack, having employed its own Computer Emergency Response Team (CERT) to react and triage suspected breaches since 2021. “It’s not a lot of people, and it’s still relatively new,” says Rudolph, but it has provided a platform from which Vanuatu’s systems have been rebuilt in collaboration with a specialist team in Australia.
That process, however, has been grindingly slow, with only 70% of government servers back online by early December. That is partly down to the scale of the task at hand, but also because such a deliberative approach helped to prevent breaches from happening during the reconstruction period. “If you compare it to Costa Rica, for example, there were months where different types of attacks occurred,” says Rudolph. In the case of Vanuatu, however, that didn’t happen, “and seemed to result in a clean system that didn’t have any backdoors left.”
The question of how the hackers got past Vanuatu’s cyber defences in the first place, however, remains a mystery, with neither its government nor the Australian team brought in to restore its systems having released a detailed explanation. “We’ve heard rumours that it was a router that was compromised, but we don’t know,” says Craig. In December, the RansomHouse hacking group claimed responsibility for the attack and said that it exfiltrated 3.2 terabytes of data. While the files it published did appear to have been purloined from Vanuatu, it remained unclear whether any of the information they contained was sensitive.
What lessons does Vanuatu’s example have for the rest of the region, and for other small nations? An obvious one would be for each government ministry or department to have basic contingency plans in the event of a cyberattack. After it became clear that Vanuatu’s government systems were being held to ransom, civil servants were largely left on their own to devise ad-hoc responses, beginning with the creation of new Gmail accounts.
“It was a complete dismal failure on all of the different ministries not to have business continuity plans in place, considering we’re the most at-risk nation to natural disaster in the world and we pride ourselves on being resilient,” says Craig. “We preach it!”
That should involve investing in offsite backups capable of being plugged back into government networks at a moment’s notice, though these somehow seem to have been encrypted by the hackers, too. Meanwhile, Vanuatu’s government has remained silent on precisely how much data was stolen. As such, says Craig, “we’re [acting] on the presumption that everything… on the government system was taken.”
Pacific independence
While Vanuatu’s private sector was not directly targeted by the cyberattack, daily life in the country was disrupted for months afterward, with everything from the granting of pet licences to the transaction of real estate being delayed. Elsewhere, criminal cases remained in limbo as the court system fought to restore access to its record system, while surgeries and operations were cancelled thanks to doctors being unable to read patient histories. Most of the information that has been recovered now, claims Craig, “has been data that has been stored on their own personal backup drives.”
For his part, the businessman is astonished that Vanuatu’s CIO during the cyberattack has been reappointed on a permanent contract (the government did not respond to repeated requests for comment from Tech Monitor). “You’d think that maybe the first sovereign nation to have a full country attack isn’t really the best thing to have on your CV,” says Craig. If this were to happen in the private sector, he adds, not only would the person’s job be up for question, but “you’d want to throw yourself on your sword, really, [from] the shame of it all.”
It’s questionable, however, whether nations like Vanuatu – which has an estimated population of 330,000 – will ever have the homegrown expertise required to fend off similar attacks in the future. “For these small states, with small populations and small economies… it’s difficult for them to have the resources in-country to be able to respond to these threats, which are changing all the time,” says Dr Amanda H.A. Watson, a research fellow at the Australian National University’s Department of Pacific Affairs. And as far as existential risks go, countries in the South Pacific also have to contend with the immense threat posed by global climate change. Simply put, argues RMIT University’s Professor Matt Warren, it’s inevitable that more money is going to be invested in protection from cyclones than it is in cybersecurity.
Even so, regional cooperation on cyber-defence is on the rise. In December, Australia and Vanuatu signed a bilateral trade agreement with provisions for mutual cybersecurity assistance, building on similar deals the former has struck with Fiji, Samoa and Kiribati. Australia’s assistance to Vanuatu in its time of need arguably showcases the advantages of international collaboration in shoring up regional cybersecurity. It was, says Warren, part of Australia’s duty of care as Vanuatu’s ally to “develop their capabilities, develop their systems and test that they work.”
But does this portend an undesirable trade-off in national sovereignty between smaller nations and their larger allies? While cybersecurity treaties haven’t yet, like submarine internet cables, been subordinated to the geopolitical great game taking place between China, the US and its Western allies, Rudolph agrees that permanent technical arrangements would inevitably necessitate concessions on national sovereignty from smaller countries – the reason why, he adds, an agreement among the Pacific nations to empower a regional CERT failed. Instead, there’s PaCSON, “an Australia-funded network of cybersecurity emergency response teams in the region,” says Rudolph. “It’s really [there] to provide information exchange, but it’s not for purely technical support.”
In the meantime, Vanuatu’s government still has to contend with the very real reputational and economic impact of last year’s debilitating cyberattack. “From all accounts, the government didn’t pay any ransoms,” says Craig. “But [the breach] will have detrimental effects in the private sector for a long time to come, because of the lost data.”