Auckland Institute of Directors
“This panel discussion on cyber risk will cover all facets of the cyber threat together with recommendations on how to minimise an attack through good strategic planning. It is no longer just the responsibility of the IT team – rather, all staff must understand current cyber threats and adhere to the cyber strategy their organisation has developed/adopted to counter an attack. So too the board of directors who, in addition to being fully conversant with the strategy, must ensure its robustness and ongoing suitability for the organisation.”
Panel: GCSB – Andrew Hampton; Aura – Peter Bailey; KPMG – Philip Whitmore; Marsh – Fred Boles; Chapman Tripp – Kelly McFadzien.
Andrew Hampton, Director, Government Communications Security Bureau
Q: Can you start off by giving us an overview of GCSB’s role?
A: GCSB is a New Zealand public service organisation. We are accountable to the Government of New Zealand and act in the interests of New Zealand and New Zealanders. While the nature of our work is sensitive, and often classified, it is important that we are as transparent as possible and that the public are confident that we are operating within our mandate and the law.
Everything we do needs to be in accordance with New Zealand law, our international human rights obligations, and we are subject to a high level of independent oversight and scrutiny.
Our legislation specifies three objectives for the Bureau:
- National security of New Zealand
- International relations and wellbeing of New Zealand, and
- Economic wellbeing of New Zealand
In fulfilling our objectives, GCSB has three functions.
We collect and report on foreign intelligence in accordance with Government’s National Intelligence Priorities. By finding out about the interests, intentions and capabilities of foreign parties we help inform Ministers and Government decisions.
We provide cyber security and information assurance services to organisations of national significance, from both the public and private sector.
- The National Cyber Security Centre – located in the GCSB
- The CORTEX programme, which uses cyber threat information – including inputs from our international partners – to help protect public and private sector organisations
- Our regulatory role under the Telecommunications Interception Capability and Security Act to ensure national security risks are not introduced into telecommunications networks
- All our cyber security services are provided with the consent of the organisations involved.
We assist Defence Forces, New Zealand Police and New Zealand Security Intelligence Service (NZSIS) to undertake their lawful functions. This includes counter terrorism and support to military operations.
In order to perform these functions we can exercise some intrusive, but warranted or authorised, powers on behalf of the State. It is therefore important that we are as transparent as possible about the nature of the threats New Zealand faces, our role in countering them, and how we are held accountable.
Importantly, we are not an enforcement agency; we provide intelligence to others to inform their decisions.
Q: From GCSB’s perspective, how would you describe the nature of cyber threats facing New Zealand organisations?
A: For the Bureau, particularly our National Cyber Security Centre, our focus is countering cyber-borne threats to organisations of national significance – e.g. to government departments, key economic generators, niche exporters, research institutions and operators of critical national infrastructure.
As part of our cyber security function we are working across government and the private sector to implement capabilities under the CORTEX project.
CORTEX focuses on countering advanced foreign-sourced malware that is typically beyond the defensive capabilities of commercially available tools. Uniquely it uses threat information to detect and disrupt this malware.
The number and nature of cyber threats in New Zealand continues to grow in line with international trends – threatening our economy and potentially undermining our strategic advantage.
We have a voluntary reporting regime and the threats recorded here are just those reported to us or detected by our own capabilities.
The NCSC recorded 338 incidents during the 2015/16 Financial Year, 148 more than in the 2014/2015 period. This increase is primarily due to the expanding capacity of the NCSC to detect and respond to more incidents. We believe this trend – driven by increased capacity - will continue in the current financial year.
In a typical month the NCSC detects through CORTEX between 15 and 20 cyber intrusions affecting one or more New Zealand organisations. (For context: roughly 0.5% of internet traffic analysed by GCSB under CORTEX has a ‘signature’ of advanced malware associated with it; and each month about 900 new signatures of this type are identified either here in New Zealand or by our overseas Five Eyes partners.)
The types of incidents detected and disrupted by CORTEX include:
- The stealing of credentials – personal details and system log-on information – after users were tricked into entering their details into a fake website.
- Foreign, likely state-supported, actors attempting to gain access to multiple networks.
- Sustained – brute force – attempts to gain access to a network holding valuable intellectual property.
- The insertion of malicious code into a legitimate website in an attempt to gain access to that user’s network.
If allowed to achieve their objective these intrusions could result in substantial harm to important networks and the loss or manipulation of information important for the operation or future prosperity of our country.
These types of threat are not unique to the kinds of organisations protected by our CORTEX capabilities. All New Zealand organisations, public and private sector, are vulnerable to the broad range of cyber threats.
Recent global attacks
Ransomware is one of the more significant forms of cyber disruption as evidenced by the WANNACRY global attack in May.
For reasons which are not entirely clear – most likely a combination of time zones, geography and a good deal of luck, it appeared to largely bypass New Zealand.
While New Zealand may have dodged that particular threat, it had a massive impact around the world, taking out hospital systems in the United Kingdom, impacting on public transport networks in Germany and major manufacturing plants in Japan – to name a few.
Importantly, this threat succeeded by exploiting a known vulnerability, for which a security patch had been issued. This reinforces one of our key recommendations for ensuring systems are resilient to threats – always ensure you apply security patches when they are released.
Another global cyber threat that had the potential to cause substantial harm was publicly reported by information security providers PricewaterhouseCoopers and BAE Systems.
The “CLOUD HOPPER” report released in the UK in early April focused the attention of the information security community on threat actors’ ability to move laterally between networks – and from one organisation to another – by exploiting vulnerabilities in processes around managing network administration access.
This vulnerability could enable someone to gain access to your network by exploiting a weakness in the network of one of your suppliers or service providers.
Applying the latest security patches to applications and operating systems and limiting administrator privileges are three of four basic mitigations we require our CORTEX customers to apply.
The fourth is “white listing”, where permission is specifically granted for the applications that are intended to run on your network.
Q: What is the Government doing about these threats?
A: For the Bureau, particularly our National Cyber Security Centre, a key part of our response is the CORTEX initiative, which I will provide some more detail on in a few minutes.
We also work closely with CERT NZ and other cyber security agencies to increase New Zealand’s cyber resilience.
While CERT NZ has a primary responsibility for cyber threat reporting, and a coordination role in threat response, NCSC takes the lead in the response to significant cyber events — particularly those which may impact on national security, and our nationally significant systems and information.
The Bureau also has a regulatory role under the Telecommunications Interception Capability and Security Act to ensure national security risks are not introduced into telecommunications networks.
Our CORTEX initiative helps protect nationally significant organisations from advanced cyber threats.
It focuses on countering advanced foreign-sourced malware that is typically beyond the defensive capabilities of commercially available tools.
It helps protect against theft of intellectual property, loss of customer data, destruction or dissemination of private communications, holding data for ‘ransom’ and damage to IT networks and services.
CORTEX operates with the explicit agreement of the organisations that are protected.
As part of CORTEX we are currently working with Vodafone to pilot a capability called Malware Free Networks. This involves sharing cyber threat information and technology with Vodafone so that they can use that information to help protect a subset of their customers.
Vodafone tell us that in the first few months of operation, the capability which used information supplied by us detected and disrupted twice as many instances of malicious communications as the capability operated on non-GCSB threat information.
Q: What are the key things decision makers should be thinking about to help protect their organisations from cyber threats?
A: Mitigating the risks posed by cyber threats requires a “whole of business” approach, not just a purely technical one.
This involves effective risk management and reporting, supported by resilient technology platforms, and careful system monitoring.
These need to be backed up with sound policy - around security settings and obligations on users, and ongoing user education to ensure staff and other system users are aware of common risks and how to avoid them.
Organisations need to be able to identify where their most valuable information is and prioritise its protection accordingly.
This enables development of threat profiles to help understand where the most likely threat sources are and to determine appropriate risk management approaches.
Mitigations need to be proportionate to the threat – so different areas of your system and network may need to have different levels of protection.
Cyber security needs to be seen as an enterprise wide, strategic risk, not something which is solely the responsibility of your IT/Security team.
It should be reflected in the organisation’s risk registers, disaster recovery and business continuance plans.
Cyber security should be reported on to Executive and Board level in the same way as financial, HR and OSH risks. This includes regular, independent review and audit of risk profiles and security response.
Cyber incidents are security and confidence issues on which you will be judged publicly (and by the markets, your insurers, your bankers and your shareholders).
The Protective Security Requirements (developed by the New Zealand Security Intelligence Service) and the New Zealand Information Security Manual (developed by the GCSB) are a useful place to start. They provide a risk management framework developed by the intelligence community to provide guidance to government organisations on personnel, physical and information security risk. These public documents can be found online.
Some of what I have covered is also addressed in the Institute of Directors’ own “Cyber Practice Guide”. A link to the practice guide and a range of other useful information is available on the resources section of the National Cyber Security Centre’s website, www.ncsc.govt.nz/resources.