Cyber: Kiwi cyber security | ADM May 2012

NZ’s national cyber security policy was released in June 2011. No less than 13 pages of it, including a paragraph on ‘hactivism’ and the hactivist. The policy says that ‘NZ needs to ensure its cyber security activities are as coordinated and effective as possible to be able to identify and mitigate emerging cyber threats.’

However, it would wrong to assume Wellington has only just woken up to the cyber peril, for ADM understands that information security has been part of the Government Communication Security Bureau (GCSB) mandate since its inception.

Nevertheless, the Centre for Critical Infrastructure Protection (CCIP) was established in 2001 – as part of the (GCSB) – to provide ‘24/7’ watch and warning advice to those involved in critical national infrastructure.

Then last September the CCIP was sub-sumed by the National Cyber Security Centre (NCSC), which describes itself as a ‘key element’ in the national cyber security strategy.

“This is an important step in building NZ’s capacity to protect against sophisticated cyber threats,” said Stephen Joyce, Minister for Communications and information Technology. The NCSC’s three main initial functions were to provide advice and support, to detect and respond to sophisticated cyber threats and to coordinate and assist operation responses to major cyber events of national importance.

Nonetheless, it is the Energy and Communications branch of the Ministry of Economic Development (MED), not the NCSC, which describes itself as the ‘lead agency’ in the national cyber security policy. Although it is the GCSB website that uses the phrase ‘ Mastery of cyberspace’ and officially the NCSC is ‘hosted within’ the GCSB.

So it was the newly established NCSC that ADM called. Only it was not the NCSC that answered but someone working for the GCSB who although startled to receive a call from an external source, said that he would email the NCSC. Which seemed odd, given that it was the middle of a Monday morning and that the NCSC is located in the same building as the GCSB. Setting aside the chain of events that followed, ADM subsequently emailed questions to the NCSC and two weeks later came official answers from senior cyber security consultant, Brian James.

Is NCSC essentially just name change from CCIP, asked ADM, an evolution or a revolution or both?

“As part of the NZ Cyber Security Strategy the National Cyber Security Centre was established. The NCSC absorbed the functions of the CCIP and is expanding its activities to cover a more widespread and varied set of services,” said James.

In October it was reported the MED was investigating establishing a national computer emergency response team. What, asked ADM, is the current state of play?

“This proposal has not progressed. However, NCSC continues to effectively fill a role as the de facto national CERT,” said James.

Is not NCSC effectively a CERT? What is the difference, if any?

“It is true that the NCSC does offer assistance and guidance with regard to incident response. However, that is not its only function. Every national CERT offers a different range of services and response capability,” explained James.

There is obvious conflict between cyber security and the concurrent need for security purposes to be able to access cyber traffic. NCSC is striving for greater digital security yet your parent, GCSB needs to access cyber traffic. How do you balance the polar opposites?

“These functions are clearly set out in the GCSB Act, which also provides a clear basis for ensuring that we can separate these activities,” James told ADM. “Internationally the GCSB is also structured logically around these separate activities.”

ADM noticed that the NCSC website guide to mitigating targeted cyber intrusions takes one to the Australian Defence Signals Directorate (DSD); why not a NCSC guide?

“The DSD 35 mitigations paper has globally acclaimed,” explained James. “And as such has been adopted and adapted for use globally. The GCSB adopted the 35 mitigations for use in the Cyber Security Plan that is currently being implemented across NZ government organisations. The CSP and the mitigation it recommends will continue to be adapted as required for [national] use.”

Are their factors that make cyber security in NZ distinguishable from Australia, Canada, the UK or the US? If so, what? asked ADM.

“Genetic, indiscriminate cyber attack in the form of malware, data exfiltration and denial of service attack is common to all of the countries you list, and others. New Zealand is no exception,” said James.

How do you assess or measure success?

“Metrics regarding success in the context of security are always challenging, you can’t measure what you prevent from occurring,” said James. “We use qualitative measurements regarding the success of our outputs and functions and endeavour to corroborate this success through situational comparison with other countries and economics.”

It is worth noting that for every deliberate cyber attacks there is likely to be carelessness in maintaining security measures, or in the case of one security agency, their own website.