Cyber security refresh needed for New Zealand

Government Digital Services Minister Clare Curran recently announced a review of New Zealand’s Cyber Security Strategy and Action Plan. In a cabinet paper this month, Curran wrote that a “comprehensive refresh” of the plan is needed due to the “upwards trajectory of cyber security threats.”

The current plan was only put in place in November 2015, but cyber security is a particularly fast-moving area of technology. What’s more, hacking has gotten more political in the last couple of years – with allegations of Russian interference in US politics top of mind among the “Five Eyes” intelligence alliance, of which New Zealand is a member alongside the US, the UK, Australia and Canada.

Curran acknowledged that good progress in cyber security was made under the previous administration, including the establishment of CERT NZ in April 2017 (which monitors cyber security threats) and the launch last June of the National Cyber Security Centre’s (NCSC) CORTEX cyber defence system.

But the pace of cyber attacks has also continued to rise. In its most recent cyber threat report, the NCSC noted 396 incidents for the 2016-17 year – an increase of 58 over the previous reporting year. Examples included the WannaCry ransomware in May 2017 and the NotPetya ransomware the following month.

Almost a third of the reported incidents were foreign threats, according to the NCSC report. Government Communications Security Bureau (GCSB) director Andrew Hampton confirmed to Radio NZ that 122 of the incidents had connections to foreign intelligence agencies, including Russian state and state-sponsored actors.

So what should the cyber security strategy refresh be looking to improve?

For comment I reached out to Adam Boileau, Principal Consultant at New Zealand information security firm Insomnia Security and the organiser of local hacker conference Kiwicon.

Boileau first pointed out that CORTEX detects just a small percentage of cyber attacks. It’s only used by “certain big corporations and critical infrastructure that are in the GCSB’s club,” he said, and only picks up “stuff that’s easily detectable on the wire through passive network observation.”

Boileau added that what’s detectable by CORTEX is decreasing, “as cryptography becomes ever more pervasive in the post-Snowden world.”

It should be noted that the GCSB is nearing the end of a $120 million project to upgrade the New Zealand Government’s cryptographic infrastructure. This project is called the Cryptographic Products Management Infrastructure (CPMI). However, it appears to have fallen behind schedule, as GCSB director Andrew Hampton told a Parliament select committee in March that the “implementation timeline has been extended due to a delay in the delivery of third party components.”

When we’re talking cryptography in cyber security, the context is usually encrypting of communications. So a key reason for the CPMI project is to ensure that classified government communications are secure. But equally important is protecting the privacy of individuals and corporations. In other words, encryption is also used by the public to prevent being snooped on by governments.

There’s a balance to find here in protecting the security of the nation and the privacy of individuals. In June of last year there was talk that the Five Eyes alliance would force technology companies to introduce back-doors into their encrypted products. Various UK and Australian officials advocated for this idea, but thankfully it was soon dropped.

InternetNZ has been vigilant on this front in New Zealand. In a position paper, InternetNZ stated that “encryption is not only vital for businesses and governments, but it’s vitally important for modern life.”

Other than debates about whether or not our government should be able to spy on us – and to what extent – there seems little argument that being a part of Five Eyes is a good thing for New Zealand. Especially since we’re the smallest country in the alliance. It’s nice to have big brothers who will protect us; as long as it doesn’t turn into Big Brother.

But one key question Clare Curran’s strategy review should address is: are we doing our share of cyber security work in the Five Eyes alliance? In Curran’s cabinet paper, she mentions the need to “keep in step with our international partners.” That seems to imply that we’re not keeping up currently.

Certainly Adam Boileau thinks so. He told me that without Five Eyes, New Zealand would be “woefully under equipped” in national cyber security. “We benefit from all of the money and effort expended by all the other, much bigger, four eyes,” he said.

Boileau also pointed out that being the “weakest eye” makes us a target for international cyber attacks. So we need to up our game, for our own national safety.

One approach is to “consider our national interest as a holistic system,” Boileau said. “An attacker can look at the entire ecosystem – public sector, private sector, supply chain, cloud, social systems, financial systems – and choose where to attack.”

Boileau thinks our defence system needs to adapt to this; for example by improving communications between government departments, companies across sectors, security contractors and anyone else who is a part of our cyber security infrastructure.

“Defence needs to be informed by the reality of how attackers work, and historically, that is not a thing we as an industry do,” Boileau said.

So clearly there’s room for improvement in how we manage our nation’s cyber security. We’ve made good progress with initiatives like CERT and CORTEX, but we need to do more to protect our country – not to mention pull our weight in Five Eyes.

Clare Curran will report back to the Cabinet External Relations and Security Committee by 31 July with her proposals for a refreshed Cyber Security Strategy and Action Plan.