
NZ is not bereft of cyber security agencies; there is the Government Communications Security Bureau (GCSB), the National Cyber Security Centre (NCSC) and the National Cyber Policy Office (NCPO).

The NCPO, established last July, has six to eight staff and answers to the Intelligence Coordination Group; both organisations are integrated into the Department of Prime Minister and Cabinet (DPMC).

Apparently the NCPO will use the DPMC’s existing IT systems and has a budget of $1 million per annum with which, say official sources, ‘to oversee and coordinate the development, implementation and review of national cyber security strategies and policy across government.’ “[To] take the lead in providing advice to inform issue resolution and decision-making for ministers, as well as the longer-term development of policy and strategic direction to underpin relevant government agencies’ activities. It will also facilitate coordination with the private sector on cyber security issues.”

Encouraged by the last sentence ADM rang the number listed for the NCPO’s manager, Paul Ash. However, the operator was unable to connect the call because ‘someone has erased part of [Ash’s] contact number.’

Ash subsequently told ADM that his office had recently moved from temporary accommodation into Pipitea House (home to the DPMC, the GCSB, the Combined Threat Assessments Group and other cyber and intelligence units).

“We aim to be accessible,” Ash said in a statement, which explained to ADM whereabouts in the official cyber hierarchy the NCPO exists.

“It works closely alongside a wide range of other agencies, including the NCSC and also has a role in engaging with the private sector and other non-government entities,” he said.

Having clarified the NCPO’s relative position, the statement addressed ADM’s question about the current state of NZ’s cyber security.

“The NCSC reported a significant increase in the number of reported attacks against NZ government agencies, critical national infrastructure, and private sector organisations in 2012, with 134 threats that meet the threshold which puts government or other critical national infrastructure at risk. The NCSC is sure this number is under-reported. The NCPO is considering options to lift awareness and build understanding of the steps that can be taken to enhance cyber-resilience.”

Chris Hails, who handles security at not-for-profit NetSafe, told ADM the civilian organisation has around 1,000 cyber incidents reported a month.

“We triage these reports and pass them up the chain, as it were, to NCSC and GCSB. That means there’s information sharing across all agencies.”

Hails described national cyber security as being in ‘a state of flux’. He has certainly been delivering the message; he told ADM that he gave 35 presentations last year to about 750 people.

“Each organisation has a different role, and works with different stakeholders,” Director of the GCSB, Ian Fletcher, explained. “We work well together. One common goal we have is raising awareness of cyber security risks and how to mitigate them. The more channels we can deliver that message through, and the more people who get that message and act on it, the better.”

Earlier this year the NCSC issued a media release saying ‘A group of NZ critical infrastructure organisations have established the NZ Cyber Security Voluntary Standards for Industrial Control Systems with the support of the National Cyber Security Centre (NCSC).’

“Members of this group are the experts in terms of their own infrastructure. It’s in their best interests to take the lead in the matter. They know how to best secure it, and they are the consumers of the standards. The standards are a work in progress, and while we have drawn from international efforts, our standards are a result of applying industry expertise to the NZ environment, which has helped us agree to the standards voluntarily.”

ADM contacted one of the critical infrastructure organisations identified in the NCSC media release, state-owned enterprise Genesis Energy.

Richard Gordon, Public Affairs Manager for the power company, told ADM that the standards themselves are still under development ‘but we will evaluate adoption once the standards are more complete.’

“Having a clear set of objectives and expectations of security outcomes against which to baseline activities can be beneficial in order to identify potential areas for improvement. Energy companies, as essential infrastructure, have always been aware [of] and taken steps to manage cyber security,” Gordon said.

As part of the wider digital landscape, telecommunications companies are aware of their role.

“Vodafone was already running a Global Cyber Security Operations Centre, identifying and monitoring threats across markets,” Colin James, Chief Technology Service Officer at Vodafone NZ, said. “We receive large amounts of intelligence. Vodafone Group does influence our policies, but each affiliate – including Vodafone NZ – has its own Chief Technology Security Officer.

“From a corporate perspective, our challenges are around protecting critical and sensitive company data and preventing data leakage, particularly customer related and competitive information. As an ISP, it’s about providing a level of trust in our network by protecting customers from malware, spam and spoofing where possible, through education and deployed network technologies.”

James told ADM that NZ telcos share best practices around network defence and, where necessary, work together on joint mitigation strategies.

“Our suppliers and subcontractors are effectively extensions of our network and are made aware of the importance of their cyber security. We are very aware that when it comes to cyber security, there’s no geographical barrier.”

But the greater in-depth detail about how all these pieces fit together is still being identified and fleshed out in a number of forums. A state of flux indeed.
