Tonga National Cybersecurity Framework

The Tonga National Cybersecurity Framework, approved on 4 January 2022, presents a comprehensive strategy to strengthen Tonga’s cybersecurity posture across government institutions, critical infrastructure, and society at large. It complements existing national strategies like the Tonga Digital Government Strategic Framework (2019–2024) and the Tonga Strategic Development Framework (2015–2025). Here is a detailed overview of its structure and key components:

Purpose

The framework aims to:

• Enhance cybersecurity across government ministries, departments, and agencies (MDAs).
• Extend guidance and awareness to private enterprises and citizens.
• Support digital governance, data protection, and secure public service delivery.
• Align with Tonga’s broader digital transformation strategies.

It adopts a whole-of-government approach, emphasising coordination between G2G, G2B, and G2C interactions, and recognises cybersecurity as a shared responsibility involving public institutions, private enterprises, and civil society.

Vision

To provide a more reliable and safe digital environment for Tonga, aligned with national development and digital government strategies.

Key principles

The framework incorporates the ten digital principles from the Tonga Digital Government Strategic framework:

• Security
• Connectivity
• Interoperability
• Portability
• Innovation
• Accessibility
• Customer focus
• Standardization
• Redundancy
• Holistic approach

Environmental analysis

The framework outlines:

• Rising cyber threats: Including financially and politically motivated cybercrime, ransomware, and cyber-espionage.
• Critical infrastructure vulnerabilities: Many agencies still operate independent or outsourced systems despite the availability of a secure national infrastructure.
• Awareness challenges: Limited public knowledge, connectivity issues in remote areas, and gaps in employee training hinder progress.
• Control environment: Many MDAs lack formal IT security policies or coverage of key areas like mobile security, business continuity, and patch management.

Strategic tasks and objectives

1. Implement safe digital governance

• Develop a Cybersecurity Manual as a precursor to national security standards.
• Upgrade civil registration and identity systems.
• Transition all MDAs to the Secure Government Network (SGN) and consolidated data centers.

2. Risk management

• Identify threats and vulnerabilities in public systems.
• Perform regular risk assessments and maintain a national cybersecurity risk register.
• Develop disaster recovery and risk mitigation plans.

3. Threat preparedness and incident response

• Define incident management processes within all MDAs.
• Enforce mandatory incident reporting.
• Strengthen CERT Tonga and law enforcement collaboration.
• Create digital forensics protocols and standardise electronic evidence management.

4. Enhanced skills and awareness

• Integrate digital literacy into all educational programs.
• Train the trainers and expand cybersecurity curriculum to underserved groups.
• Continue national awareness campaigns for civil servants, youth, and parents.

5. International cooperation

• Leverage global partnerships (e.g., APCERT, Interpol, GLACY+).
• Participate in international cybersecurity exercises.
• Promote bilateral and multilateral engagement to enhance cyber capacity.

6. Governance Framework

• Clarify the roles and responsibilities of all stakeholders.
• Enhance national-level cooperation and information sharing.
• Promote common cybersecurity initiatives (like SGN, Secure Cloud).
• Develop templates for cybersecurity policies and guidance documents.

Implementation plan

The framework includes a structured implementation matrix:

• Activities are aligned with strategic objectives.
• Lead and supporting agencies are assigned (e.g. MEIDECC, Ministry of Education, Ministry of Justice).
• Key Performance Indicators (KPIs) are defined for each activity (e.g. % of MDAs connected to SGN, number of risk assessments conducted).