Director’s Address to University of Waikato – Cyber Security Challenge 2017
Thanks and overview
Thank you to Cybersecurity Researchers of Waikato, the University, and Ryan and his team for the invitation to be here today.
It is exciting to be here and see so much talent and enthusiasm focussing on cyber security - one of the most significant security issues facing nation states, organisations large and small, and our communities.
There was time when it was said that we needed to put cyber security on the agenda, before it became the agenda.
There is no doubt that cyber security is now very much part of everyone’s agenda.
If there was ever any doubt about that – the recent Wannacry and Petya/Not Petya campaigns have surely changed that.
I would like to take the opportunity to tell you a bit about the Government Communications Security Bureau, and the National Cyber Security Centre within the bureau where we help address the cyber security challenges of some of New Zealand’s most significant organisations. I’ll be unashamedly plugging for you to come and work for us.
I will also be announcing an initiative which we hope will help encourage students to continue along a path of academic study which could one day lead them to an important role in the cyber security arena – hopefully working for us!
But first I want to tell you a bit about our role and functions, do a little myth busting and touch on the cyber threat scape as we see it.
GCSB is a New Zealand public service agency. We are accountable to the Government of New Zealand and act in the interests of New Zealand and New Zealanders. Everything we do needs to be in accordance with New Zealand law, our international human rights obligations, and we are subject to a high level of independent oversight and scrutiny.
Our legislation specifies three objectives for the Bureau. These are to contribute to
- National security
- International relations and wellbeing, and
- Economic wellbeing
In fulfilling our objectives, GCSB has three functions.
1) We collect and report on foreign intelligence in accordance with Government’s National Intelligence Priorities. By finding out about the interests, intentions and capabilities of foreign parties we help inform Ministers’ and Government decisions.
2) We provide cyber security and information assurance services to organisations of national significance, from both the public and private sector.
- The CORTEX programme, which uses cyber threat information to help protect nationally significant public and private sector organisations.
- Our regulatory role under the Telecommunications Interception Capability and Security Act to ensure national security risks are not introduced into telecommunications networks.
3) We assist Defence Forces, New Zealand Police and New Zealand Security Intelligence Service (NZSIS) to undertake their lawful functions. This includes counter terrorism and support to military operations.
In order to perform these functions we exercise some intrusive, but warranted or authorised, powers on behalf of the State. It is therefore important that we are as transparent as possible about the nature of the threats New Zealand faces, our role in countering them, and how we are held accountable.
Importantly we are not an enforcement agency; we provide intelligence to others to inform their decisions.
There is a range of commentary about the role of the Bureau, our functions and our capabilities. The fact that anyone can make comment about what we do and how we do it is an important part of an effective democracy – however there are times when this commentary stretches beyond informed comment and into the realm of myth and misconception. I would like to take this opportunity to briefly address some of the most common of these “myths”.
First up, that the GCSB is part of a shadowy intelligence sharing partnership called the Five Eyes.
That’s actually true. It’s just not that shadowy. To be effective, intelligence agencies do need to undertake much of their activity in secret. However, the fact that New Zealand is part of the Five Eyes and derives significant benefit from it is on our website!
The Five Eyes partnership affords New Zealand a greater level of protection and intelligence than we could ever achieve alone as a small island state. For each foreign intelligence report the GCSB produces we get ninety-nine from our international partners.
As with all of our activities, any sharing of intelligence with partners needs to be in accordance with New Zealand law and our international human rights obligations.
That leads to the next common myth about the GCSB, that we are a law unto ourselves.
I have to say, it doesn’t feel like that when I am meeting with Ministers two or three times most weeks, seeking their authorisation and briefing them. I have been struck by the strong culture of legal compliance in the Bureau and the steps that are taken to ensure everything we do is properly authorised. We work under a strong legal framework that has been reinforced through independent review, and that is reflected in new legislation which comes into effect later this year.
Another common myth is that the GCSB is staffed by “Cold War Warriors”, stuck in the past.
Most of the GCSB senior team are in their 30s and 40s. The Berlin Wall was long down before most of us started working. I’m also pleased to report that over 50 percent of our managers are women, a high proportion of our staff are from the private sector, and we attract some of the brightest new graduates in the country.
The most common myth is that the GCSB is engaging in the “mass surveillance” of New Zealanders; that we are actively monitoring the phone calls, the emails and the internet traffic of large sections of the population.
I can assure you, we aren’t. The GCSB does not have the legal authority, the capacity or the interest to undertake such activity. But don’t take just my word for it. Dame Patsy Reddy, and Sir Michael Cullen, who led an independent review of New Zealand’s intelligence agencies, and the Inspector-General of Intelligence and Security have all concluded that the GCSB does not do this.
Our Cyber Security Function
For the Bureau, particularly our National Cyber Security Centre, one of our key focus areas is countering cyber-borne threats to organisations of national significance – e.g. to government departments, key economic generators, niche exporters, research institutions and operators of critical national infrastructure.
We assist others to protect their own networks from the types of threats which are typically beyond the capability of commercially available tools.
While we are not a one stop shop for victims of cyber threats, we are able to offer incident triage and response to nationally significant organisations.
We also work closely with CERT NZ and other cyber security agencies to increase New Zealand’s cyber resilience.
While CERT NZ has a primary responsibility for cyber threat reporting, and a coordination role in threat response, NCSC takes the lead in the response to significant cyber events — particularly those which may impact on national security, and our nationally significant systems and information.
One of our main capabilities is CORTEX.
CORTEX focuses on countering advanced foreign-sourced malware that is typically beyond the defensive capabilities of commercially available tools. Uniquely, it uses threat information, much of it sourced from our partners, to detect and disrupt this malware.
It helps protect against theft of intellectual property, loss of customer data, destruction or dissemination of private communications, holding data for ‘ransom’ and damage to IT networks and services.
CORTEX operates with the explicit agreement of the organisations that are protected.
As part of CORTEX, GCSB is working with Vodafone to pilot a capability called Malware Free Networks. This involves sharing cyber threat information and technology with Vodafone so that they can use that information to help protect a subset of their customers. These customers consent to receiving the service in the knowledge that we are the source of the threat information.
Vodafone have said that during the first few months of operation, the capability which used information supplied by us detected and disrupted twice as many instances of malicious communications as the capability using non-GCSB threat information.
NZ Cyber threatscape
The number and nature of cyber threats in New Zealand continues to grow in line with international trends – threatening our economy and potentially undermining our strategic advantage.
We have a voluntary reporting regime and the threats recorded here are just those reported to us or detected by our own capabilities.
The NCSC recorded 338 incidents during the 2015/16 Financial Year, 148 more than in the 2014/2015 period. This increase is primarily due to the expanding capacity of the NCSC to detect and respond to more incidents. This trend – driven by increased capacity – has continued for the 2016/17 year and we will be releasing more reporting on that in the coming months.
In a typical month the NCSC detects through CORTEX between 15 and 20 cyber intrusions affecting one or more New Zealand organisations. For context: roughly 0.5% of internet traffic analysed by GCSB under CORTEX has a ‘signature’ of advanced malware associated with it; and each month about 900 new signatures of this type are identified either here in New Zealand or by our overseas Five Eyes partners.
The types of incidents detected and disrupted by CORTEX include:
- The stealing of credentials – personal details and system log on information – after users were tricked into entering their details into a fake website
- Foreign, likely state-supported, actors attempting to gain access to multiple networks.
- Sustained – brute force – attempts to gain access to a network holding valuable intellectual property.
- The insertion of malicious code into a legitimate website in an attempt to gain access to that user’s network.
If allowed to achieve their objective these intrusions could result in substantial harm to important networks and the loss or manipulation of information important for the operation or future prosperity of our country. This is why the capabilities available through our CORTEX initiative are so important.
If you think that sounds like interesting and challenging work – you are right. Some of what we do is cutting edge stuff, working with capabilities and information unique to the intelligence community and our Five Eyes partners – to help protect New Zealand, New Zealanders and the valuable information that sustains our way of life and our economy.
Ours is a work place like no other and the work that we do is truly – to borrow from our recruiting material – beyond ordinary.
I would strongly encourage you to visit our Beyond Ordinary website to gain a better appreciation of the broad range of career opportunities available within the GCSB as well as the career pathway frameworks we have in place to develop, grow and progress our people.
Diversity & Inclusion
The Government has increased investment in the New Zealand Intelligence community. Not so that we become a bigger version of our current selves. Rather, the Government expects us to be more connected, more outcome focussed, more open and transparent and more effective in responding to the various threats New Zealand faces. This means we need to think differently about the type of workforce we need to have.
Central to this is ensuring our workforce better reflects the diversity of New Zealand. In order to be more creative and make better informed decisions we need to diversify our thinking; ensuring our workforce is from different backgrounds, from diverse ethnicities and with different ways of thinking.
While women are well represented in GCSB at the senior level, overall only 36% of our workforce is female. We want to improve that. One of the pathways to achieving this is by increasing the number of women in STEM roles. These are areas where we have a big gender imbalance – in particular in computer technology, computer science and engineering.
Some of you may have seen the films, Hidden Figures about African American women in the NASA programme, and another about the WW2 female code breakers at Bletchley Park. There is also the film The Imitation Game about Alan Turing. While these stories have no doubt had the Hollywood treatment, they send a clear message – to succeed you need diversity – of gender, sexuality, ethnicity and mind. I am committed to GCSB growing a more diverse workforce and to ensuring their different perspectives are always valued.
We are developing a diversity and inclusion plan focusing on four key areas:
- Proactively encouraging more women with STEM qualifications and experience to GCSB
- Using data and training to help ensure there is no bias in recruitment, remuneration and promotions
- Supporting women to develop their careers by providing flexible working arrangements and ensuring strong internal support networks, and
- Promoting STEM subjects to secondary and university students, particularly among women and the broad range of diversity communities.
We recognise there is real competition to recruit the best people with the skills and experience we need, particularly if we are to better reflect the communities we serve.
We think we have got a pretty special offer, both in terms of the nature of the work we do and the range of roles available and the support we provide to our workforce.
But we recognise in this environment that may not be enough.
That is why I am really proud to announce today that GCSB is offering a $10,000 tertiary scholarship for female students in their second year of study or above taking a Science, Technology, Engineering or Mathematics (STEM) tertiary qualification.
The scholarship is open to New Zealanders and permanent residents, aged 18 or above at the time of application, intending to take a course of study in any of the STEM subjects at a New Zealand tertiary Institution.
The limitation to New Zealand students is in part to ensure there is a potential pathway for recipients of the scholarship to become part of the our workforce – being a New Zealander or a permanent resident is one of our requirements for employment, as is a comprehensive security vetting check.
We have kept the scholarship broad – we are open to applications from those pursuing a Master’s degree in areas like Cyber Security, Computer Science or Mathematics.
Various universities have told us that while women have a clear interest in these areas, they - and those who advise them - are not seeing a clear career path. They are unaware of the roles available to them if they follow a technology, science or maths study path.
Opportunities to work with us
When you are ready to start your careers, take some time to think about us as a future employer. There are opportunities for smart, committed young people to join our team – either at entry level, through our graduate programme or through the varied analyst, engineering and development roles we offer.
We have roles for computer engineers, cryptological engineers, data scientists, research and development engineers, cryptanalysts, systems engineers, people that write code and yes – those that break code, web architects, cyber security analysts and a whole range of other specialists. They do fascinating and challenging work every day – and to be frank, work that you would not get the opportunity to anywhere else.
I strongly encourage you to consider us as a future employer.
We have a graduate intake every year and are looking for a diverse range of people to be part of our future. Several staff that joined us via our graduate programme are here to talk with you at the career fair and are very happy to take your questions.
You can check out our website for details on our graduate programme and information on the scholarship.
That is it from me for now – good luck with the remainder of the day and the cyber security challenges ahead.