A New Zealand perspective on cyber threats
Talking points delivered by Andrew Hampton, Director-General of the GCSB, at the Aspen Cyber Summit forum on 9 November 2018.
We are a small nation of just 4.9 million people, located in the southern Pacific.
Historically our location was a defence against many forms of harm, but the tyranny of distance was also an economic barrier. To succeed we had to innovate – not just in how we got our products to market, but in the products themselves.
In today’s connected world the internet has not only allowed us to banish the tyranny of distance, it has enabled a whole new world of digital innovation. Through that innovation we now generate weightless exports - digital products and services transported to markets on electronic networks rather than the physical trade routes of old.
Whether through the development of cloud-based accounting software by Xero, blockbuster entertainment franchises like Lord of the Rings from Weta Workshops or innovative farming solutions like those used globally by dairy giant, Fonterra – to name just a few – New Zealand is taking full advantage of the digital export opportunities our global connectedness provides.
We are also a nation of networkers. Whether it is through relationships with like-minded nations, our Five Eyes partners, or in business, sport, and our social and family lives.
The internet has become a vital thread that connects our lives, our businesses, our government and our communities, and connects us as a nation with the rest of the world.
But it also creates vulnerabilities, especially given our size, relative geographic isolation and the interdependencies of our supply chains.
As digital transformation becomes a catch cry for making government services more accessible we all need to increase our focus on ensuring strong cyber defence.
The role of GCSB
While my organisation, the Government Communications Security Bureau, is a signals intelligence (SIGINT) agency, our cyber security mandate is broader than most of our partners.
Our mandate is “to do anything necessary or desirable to protect information infrastructures of importance to the New Zealand Government”.
These infrastructures include a broad range of organisations beyond government. We work directly with hundreds of organisations of national significance - key economic generators, niche exporters, research institutions and the operators of critical national infrastructure. Organisations that are at the heart of our economy.
In addition to our cyber security mandate, we have responsibilities relating to the security of New Zealand’s telecommunications networks. Through the Telecommunications (Interception Capability and Security) Act, or TICSA, we engage with network operators to identify and mitigate potential risks to national security.
While we have performed this role effectively to date, the advent of new telecommunications technologies like 5G potentially increases the security risk, by making it more difficult to isolate potentially vulnerable equipment.
We also have a regulatory role for New Zealand’s burgeoning space industry, assessing payloads to ensure they do not present national security risks.
For the GCSB, our broad mandate and focus, and our relationships with New Zealand’s organisations of national significance help us better understand the nature of the cyber threat New Zealand is facing, and how to respond to it.
New Zealand’s cyber threatscape
New Zealand is exposed to the same cyber threats as our partners around the globe, and indeed any other developed nation with well-established infrastructure.
New Zealand organisations are subject to both direct and indirect threats. Not only are our systems being directly targeted for cyber-crime and espionage purposes, they are also being used as staging points by threat actors using our systems to target those in other countries.
In GCSB’s last annual cyber threat report we noted that nearly one third of the cyber incidents we recorded contained indicators that could be linked to state sponsored actors. Fortunately we have not experienced the types of political influence campaigns seen elsewhere.
A number of times in the past year the GCSB, on behalf of the New Zealand Government, has joined other like-minded nations in calling out North Korea and Russia in particular for undertaking global campaigns of malicious cyber activity that served no legitimate national security purpose.
New Zealand sees this type of activity as unacceptable. It is counter to our vision for an open, safe and secure cyberspace, and we will continue to use public attribution as one of the tools available to deter such threats.
In terms of global trends, the cyber threatscape continues to evolve as fast as technology changes; the barriers to entry are getting lower, blurring the line between state and non-state actors; and cyber means are being used to achieve an increasing array of nefarious outcomes, including revenue generation and political disruption.
As a result we anticipate malicious cyber activity will continue to have escalating impacts on New Zealand business, government and private citizens, whether we are directly targeted or not.
New Zealand’s response to cyber threats – Project CORTEX
A key means by which the Bureau has responded to this threatscape is through a suite of cyber defence capabilities known as CORTEX.
Beginning in 2013 we went out and engaged across a broad range of public and private sector organisations to convince them to receive cyber defence services from the government’s SIGINT agency. The timing was hardly ideal – you may recall the disclosures that led to significant debate around the role of SIGINT agencies and the Five Eyes partnership.
In spite of this, we received strong support and now a broad reach of New Zealand’s most important organisations receive our CORTEX services. Indeed, Project CORTEX recently won a prestigious public sector excellence award for Trust and Confidence in Government.
CORTEX is not a “one size fits all” model, but a range of capabilities that can be deployed at different points on a customer’s network depending on network configuration and risk profile. Some services simply provide alerting when specific activities are detected on a network, while others actively disrupt malicious activity.
We took a range of standard products and combined them with the unique cyber threat insights available to us through our Five Eyes relationships. This allows us to deliver cyber threat detection and disruption capabilities typically not available through commercial providers. We also contribute unique insights to our Five Eyes partners about the malicious activity we are seeing on New Zealand networks.
GCSB commissioned an independent assessment to help determine the value CORTEX is providing. It calculated the value of harm prevented through the operation of our CORTEX capabilities is significant and substantially greater than the cost of developing and deploying them. This has helped give the Government the confidence to approve further work so we can scale the delivery of one capability – we call it Malware Free Networks - to a much greater spread of organisations.
The concept behind CORTEX is more than just direct cyber threat detection and disruption. If we know activity is targeting a customer’s network, we can make that cyber threat information available to a much wider group – not directly protected by CORTEX capabilities - and enable them to mitigate the threat also.
Last week we released the results of a survey of 250 customers where we asked them to assess their cyber security maturity and their preparedness to respond to cyber threats.
This assessment, not surprisingly, showed a broad range of maturity and preparedness. In particular it noted uneven engagement about cyber security at a governance level, limited readiness to respond to incidents, insufficient investment in people and skills, and substantial supply chain risk given the significant increase in outsourcing to managed service providers.
The survey has given us and our customers a solid basis from which to determine where to best focus our ongoing cyber defence efforts.
For us, cyber security is very much a team sport and we enjoy a unique position of being a defensive player, a coach and a commentator at the same time.