The Vanuatu National Cyber Security Strategy 2030

The Vanuatu National Cyber Security Strategy 2030, published on 9 March 2021 by the Office of the Government Chief Information Officer (OGCIO) under the Prime Minister’s Office, outlines a comprehensive framework to address the growing cyber threats in the country and to build a resilient digital infrastructure.

This strategy is a response to the increasing sophistication and frequency of cyber threats affecting national security, economic activities, and individual digital safety. It aims to create a secure cyberspace by promoting awareness, capacity building, legal frameworks, and international cooperation.

Strategic context

Vanuatu’s cyber environment faces a growing number of threats, including phishing, ransomware, online scams, business email compromise, malware, and abuse of social media. Reported cases indicate a steady rise in these incidents, reflecting global trends but also highlighting local vulnerabilities such as a lack of encryption, poor password hygiene, outdated systems, and low user awareness.

The strategy acknowledges that cybersecurity is not solely a technological issue but requires widespread behavioural change, awareness, and education. It also highlights the importance of protecting critical infrastructure sectors such as health, water, communications, energy, and finance.

Vision and mission

The vision is to create a secure, self-taught, and cyber-aware environment for all citizens and organisations, improving national cyber hygiene and resilience.

The mission is to implement a proactive cybersecurity framework supported by improved information-sharing mechanisms and adherence to information security standards.

Strategic priorities

Six national priorities have been identified:

1. Cyber resilience – strengthening the country’s ability to prevent, detect, and recover from cyber incidents.
2. Cybersecurity awareness – raising public understanding of digital threats and safety practices.
3. Cyber capability and literacy – developing a skilled workforce capable of defending national systems.
4. Addressing cybercrime – enhancing law enforcement and legal tools to combat cyber threats.
5. International engagement – building cooperative ties to benefit from global expertise and partnerships.
6. Cybersecurity standards and legal frameworks – enacting policies, standards, and legislation to support a secure digital environment.

Implementation approach

The strategy was developed through extensive stakeholder consultations using three methods:

• One-on-one meetings with key organisations and agencies,
• Nationwide consultations across all provinces with community leaders and youth,
• Targeted sessions with academic institutions and international partners.

These consultations revealed pressing needs such as:

• Establishing a National Cyber Security Agency,
• Developing standards and regulations tailored to community needs,
• Enhancing incident response capacities,
• Expanding educational and awareness programs.

Action plan

The strategy outlines a ten-year roadmap to:

• Build national CSIRTs and Security Operations Centres (SOCs),
• Promote unified awareness campaigns such as ‘Cyber Smart Pacific Month,’
• Support formalised information-sharing protocols (e.g. Traffic Light Protocol),
• Integrate cybersecurity into all national frameworks,
• Increase regional and international cooperation,
• Ensure that cybersecurity considerations are embedded in digital development projects.

Maturity model and assessments

Vanuatu adopted the Capability Maturity Model Integration (CMMI) and used the Cybersecurity Capacity Maturity Model (CMM) developed by the Global Cyber Security Capacity Centre. A 2018 assessment, conducted with the Oceania Cyber Security Centre (OCSC) and ITU, established a baseline for the country’s cybersecurity maturity across five dimensions: policy and strategy, culture and society, education and skills, legal frameworks, and standards and technology.