NZ is not bereft of cyber security agencies; there is the
Government Communications Security Bureau (GCSB), the National Cyber Security Centre
(NCSC) and the National Cyber Policy Office (NCPO).
The NCPO, established last July, has six to eight staff and
answers to the Intelligence Coordination Group; both organisations are
integrated into the Department of Prime Minister and Cabinet (DPMC).
Apparently the NCPO will use the DPMC’s existing IT systems
and has a budget of $1 million per annum with which, say official
sources, ‘to oversee and coordinate the development, implementation and review
of national cyber security strategies and policy across government. “[To] take
the lead in providing advice to inform issue resolution and decision-making for
ministers, and as well as the longer-term development of policy and strategic
direction to underpin relevant government agencies activities. It will also
facilitate coordination with the private sector on cyber security issues.”
Encouraged by the last sentence ADM rang the number listed
for the NCPO’s manager, Paul Ash. However, the operator was unable to connect
the call because ‘someone has erased part of [Ash’s] contact number.’
Ash subsequently told ADM that his office had recently moved
from temporary accommodation into Pipitea House (home to the DPMC, the GCSB,
the Combined Threat Assessments Group and other cyber and intelligence units).
“We aim to be accessible,” Ash said in a statement, which
explained to ADM whereabouts in the official cyber hierarchy the NCPO exists.
“It works closely alongside a wide range of other agencies,
including the NCSC and also has a role in engaging with the private sector and
other non-government entities,” he said.
Having clarified the NCPO’s relative position, the statement
addressed ADM’s question about the current state of NZ’s cyber security.
“The NCSC reported a significant increase in the number of
reported attacks against NZ government agencies, critical national
infrastructure, and private sector organisations in 2012, with 134 threats that
meet the threshold which puts government or other critical national
infrastructure at risk. The NCSC is sure this number is under-reported. The
NCPO is considering options to lift awareness and build understanding of the
steps that can be taken to enhance cyber-resilience.”
Chris Hails, who handles security at not-for-profit NetSafe,
told ADM the civilian organisation has around 1,000 cyber incidents reported a
month.
“We triage these reports and pass them up the chain, as it
were, to NCSC and GCSB. That means there’s information sharing across all
agencies.”
Hails described national cyber security as being in ‘a state
of flux’. He has certainly has been delivering the message; he told ADM that he
gave 35 presentations last year to about 750 people.
“Each organisation has a different role, and works with
different stakeholders,” Director of the GCSB, Ian Fletcher explained “We work well together. One common goal we
have is raising awareness of cyber security risks and how to mitigate them. The
more channels we can deliver that message through, and the more people who get
that message and act on it, the better.”
Earlier this year the NCSC issued a media release saying ‘A
group of NZ critical infrastructure organisations have established the NZ Cyber
Security Voluntary Standards for Industrial Control Systems with the support of
the National Cyber Security Centre (NCSC).’
“Members of this group are the experts in terms of their own
infrastructure. It’s in their best interests to take the lead in the matter.
They know how to best secure it, and they are the consumers of the standards.
The standards are a work in progress, and while we have drawn from
international efforts, our standards are a result of applying industry
expertise to the NZ environment, which has helped us agree to the standards
voluntarily.
ADM contacted one of the critical infrastructure
organisations identified in the NCSC media release, state-owned enterprise Genesis Energy.
Richard Gordon, Public Affairs Manager for the power
company, told ADM that the standards themselves are still under development
‘but we will evaluate adoption once the standards are more complete.’
“Having a clear set of objectives and expectations of
security outcomes against which to baseline activities can be beneficial in
order to identify potential areas for improvement. Energy companies, as
essential infrastructure, have always been aware [of] and taken steps to manage
cyber security,” Gordon said.
As part of the wider digital landscape, telecommunications
companies are aware of their role.
“Vodafone was already running a Global Cyber Security
Operations Centre, identifying and monitoring threats across markets,” Colin
James, Chief Technology Service Officer, at Vodafone NZ said. “We receive large
amounts of intelligence. Vodafone Group does influence our policies, but each
affiliate – including Vodafone NZ – has its own Chief Technology Security
Officer.
“From a corporate perspective, our challenges are around
protecting critical and sensitive company data and preventing data leakage,
particularly customer related and competitive information. As an ISP, it’s
about providing a level of trust in our network by protecting customers from
malware, spam and spoofing where possible, through education and deployed
network technologies.
James told ADM that NZ telcos share best practices around
network defence and, where necessary, work together on joint mitigation
strategies.
“Our suppliers and subcontractors are effectively extensions
of our network and are made aware of the importance of their cyber security. We
are very aware that when it comes to cyber security, there’s no geographical
barrier.”
Bit the greater in depth detail about how all these pieces
fit together are still all be identified and fleshed out in a number of forums.
A state of flux indeed.