November 6, 2022, a new government took office in the Pacific island country of Vanuatu. On the same day, a ransomware attack shut down all state-run computer systems, making it impossible for the new government to do its job.
Since access couldn’t be fixed, public services went downhill quickly. Taxes weren’t paid, and medical procedures were put off and canceled. Whole offices returned to using notepads to write down new records, and others quickly set up new Gmail accounts to talk to the public. Chair of the Vanuatu Business Resilience Council Glen Craig says that after the hack, “the entire sovereign nation of Vanuatu was running on personal email.”
It took a few months for the government of Vanuatu to rebuild and strengthen its servers, partly with the help of a cybersecurity team from Australia that was brought in to help. It’s not the only country a group of cybercriminals has taken hostage.
In April 2022, cybercriminal groups Conti and Hive took over the government of Costa Rica and shut it down. They then asked for millions of dollars in Bitcoin to let them back in. In the Pacific, two big phone companies, the Tonga Communications Corporation, and Guam’s Docomo Pacific, were shut down by cyberattacks.
Many small countries, not just in the Pacific area, have built their plans for growth around digital transformation. Carsten Rudolph, a professor of cybersecurity at Australia’s Monash University, says that the case of Vanuatu shows what can happen to countries that don’t put cyber defense into their general plans. He says that without them, “processes that have been completely local and unrelated to global risks can all of a sudden become the target of cyberattacks.”
Vanuatu, on the other hand, wasn’t unprepared for a cyberattack. Since 2021, it has had its own Computer Emergency Response Team (CERT) to respond to and sort out potential breaches. Rudolph says, “It’s not a lot of people, and it’s still pretty new,” but it has given Vanuatu and an expert team from Australia a place to start rebuilding their systems.
This process, however, has been painfully slow. By early December, only 70% of government computers were back online. This is partly because the job was so big, but it’s also because such a careful method helped prevent breaches building. Rudolph says, “If you look at Costa Rica as an example, there were months when different kinds of attacks happened there.” In the case of Vanuatu, this did not take place, and “the result seemed to be a clean system with no backdoors left.”
How the hackers got past Vanuatu’s cyber defenses in the first place is still a mystery, as neither the country’s government nor the Australian team sent to fix its systems has given a full explanation.
We’ve heard that a computer was broken into, but we don’t know for sure,” says Craig. In December, the RansomHouse hacking group said it was behind the attack and that 3.2 terabytes of data were taken. Even though the files it released seemed to have been stolen from Vanuatu, it was still unclear if any information in them was secret.
What lessons can the rest of the area and other small countries learn from Vanuatu? One obvious one would be for each government office or department to have basic backup plans in case of a cyberattack. When it became clear that the government systems of Vanuatu were being held for ransom, civil workers were mostly left to come up with their solutions on the fly. They started by making new Gmail accounts.
“It was a complete and utter failure on the part of all the different ministries not to have business continuity plans in place, especially since we are the most vulnerable country in the world to natural disasters, and we like to think of ourselves as strong,” says Craig. “We tell people!”
To do this, the government should invest in backups that can be returned to government networks anytime. However, these backups also seem to have been encrypted by the hackers. The government of Vanuatu hasn’t said anything about how much info was taken. Craig says that because of this, “we’re acting as if everything in the government system was taken.”
Even though the private sector of Vanuatu was not directly affected by the hack, life in the country was messed up for months afterward. Everything from getting a license for your pet to buying a house was delayed.
In other places, criminal cases were still in limbo while the court system worked to get back into its record system, and surgeries and operations had to be canceled because doctors couldn’t read patient files. Craig says that most of the information that has been found so far has been data that was saved on their hard drives.
The businessman is surprised that during the cyberattack, Vanuatu’s CIO has been given a permanent job. (Tech Monitor asked the government several times for a response, but they didn’t answer.)
“You might think that being the first sovereign nation to have an attack on the whole country isn’t the best thing to have on your resume,” says Craig. If this happened in the private sector, he says, not only would the person’s job be in danger, but “you’d want to kill yourself from the shame of it all.”
But it’s unclear if countries like Vanuatu, which has about 330,000 people, will ever develop the skills they need to defend themselves against similar attacks. “For these small states, which have small economies and small people
“It’s hard for them to have the resources in their own countries to deal with these threats, which are always changing,” says Dr. Amanda H.A. Watson, a research fellow at the Department of Pacific Affairs at the Australian National University. And when it comes to grave risks, countries in the South Pacific also have to deal with the massive threat of global climate change. Professor Matt Warren of RMIT University says that it’s likely that more money will be spent on protecting against cyclones than on cybersecurity.
Even so, cyber-defense cooperation in the area is getting better. Australia and Vanuatu signed a trade deal in December that includes measures for helping each other with cybersecurity. This is similar to Australia’s Fiji, Samoa, and Kiribati sales.
When it was in trouble, Australia’s help to Vanuatu showed the benefits of working with other countries to improve the regional defense. Warren says that as Vanuatu’s ally, it was Australia’s responsibility to “develop their capabilities, develop their systems, and test that they work.”
But does this portend an undesirable trade-off in national sovereignty between smaller nations and their more prominent allies? While cybersecurity treaties haven’t yet, like submarine internet cables, been subordinated to the great geopolitical game taking place between China, the US, and its Western allies, Rudolph agrees that permanent technical arrangements would inevitably necessitate concessions on national sovereignty from smaller countries – the reason why, he adds, an agreement among the Pacific nations to empower a regional CERT failed. Instead, there’s PaCSON, “an Australia-funded network of cybersecurity emergency response teams in the region,” says Rudolph
Its primary purpose is to share knowledge, but it’s not just for technical support.” In the meantime, Vanuatu’s government still has to deal with the authentic effects of last year’s crippling cyberattack on its image and economy. Craig says, “From what I’ve heard, the government didn’t pay any ransoms.” “But because of the lost information, [the breach] will hurt the private sector for a long time to come.”