Canterbury Institute of Directors on Cyber Security
Thanks for the invitation and the opportunity to talk with you today. It’s great to be back in Christchurch. I grew up on a farm south of Ashburton and went to the University of Canterbury. As Deputy Secretary for Courts at the Ministry of Justice, I was closely involved with the first year of the earthquake response and recovery, when we had to run a Court system without access to any Court buildings. It’s great to see first-hand how much progress has been made since then and I recognise the role you have all played as business leaders in helping to drive the ongoing recovery of the city.
I look forward to sharing some insights about the work of the GCSB and our National Cyber Security Centre, and to the discussion with Barry and Mark on how you go about building cyber security into your governance and risk management work.
There is certainly a lot of interest in the topic, and we find forums like this really useful as a way of promoting discussion and reinforcing the importance of cyber security as part of the board room agenda.
I will begin by talking about the role of the GCSB and our National Cyber Security Centre. I will then provide a high level view of the New Zealand cyber threat scape and identify some of the key issues we think are facing New Zealand organisations.
I will finish by outlining some of the things you should consider – in your governance role – then we will open the floor for a wider discussion.
GCSB role and function
Given some of the introductory comments, I think I should explain what the GCSB doesn’t do, before I give you an overview of what we actually do to help keep New Zealanders and their information safe.
We do not undertake “mass surveillance” – we are not actively monitoring the emails, texts, or internet use of large sections of New Zealand’s population. We don’t have the legal authority, the capacity or the interest to do this. But don’t just take my word for it. Dame Patsy Reddy and Sir Michael Cullen, when undertaking their recent independent review of the intelligence agencies, looked at the question of mass surveillance and concluded we don’t do it. This is also the conclusion of the independent Inspector-General of Intelligence and Security who has full access to everything we do.
The GCSB is a New Zealand public service department. We are accountable to the Government of New Zealand and act in the interests of New Zealand and New Zealanders. Everything we do needs to be in accordance with New Zealand law, including our international human rights obligations, and we are subject to a high level of independent oversight and scrutiny, including from the Inspector-General of Intelligence and Security.
The new Intelligence and Security Act came fully into force last week. Its purpose is to protect New Zealand as a free, open and democratic society. The Act puts into place a single legislative regime for the GCSB and the NZSIS, and strengthens our oversight mechanisms.
The Act specifies three shared objectives for the GCSB (with the NZSIS):
We contribute to:
- The protection of New Zealand’s national security
- The international relations and wellbeing of New Zealand, and
- The economic wellbeing of New Zealand.
The GCSB does this in three ways:
First, by collecting and reporting on intelligence – primarily foreign intelligence – in accordance with the Government’s National Intelligence Priorities. By finding out about the interests, intentions and capabilities of foreign parties we help inform Ministers’ and Government decisions.
Second, we provide cyber security and information assurance services to organisations of national significance, from both the public and private sector. This includes malware detection and disruption services, information sharing and advice, and a regulatory role for New Zealand telecommunication network operators.
Third, we assist other agencies, including the Defence Force, New Zealand Police and the New Zealand Security Intelligence Service (NZSIS), to undertake their lawful functions. This includes counter terrorism, counter espionage, disruption of trans-national organised crime, and support to military operations.
In order to perform these functions we exercise some intrusive, but warranted or authorised, powers on behalf of the State. It is therefore important that we are as transparent as possible about the nature of the threats New Zealand faces, our role in countering them, and how we are held accountable.
We are a SIGINT, or signals intelligence, agency, which means our focus is on electronic communications.
Importantly we are not an enforcement agency; we provide intelligence to others to inform their decisions.
Our cyber security role
For the GCSB, particularly our National Cyber Security Centre, one of our key focus areas is countering complex and persistent cyber-borne threats to organisations of national significance – e.g. to government departments, key economic generators, niche exporters, research institutions and operators of critical national infrastructure.
We work closely with the recently established Computer Emergency Response Team (CERT NZ) and other cyber security agencies to increase New Zealand’s cyber resilience.
While CERT NZ has a primary responsibility for cyber threat reporting, and a coordination role in threat response, NCSC takes the lead in the response to significant cyber events — particularly those which may impact on national security, and our nationally significant systems and information.
As part of our cyber security role we are working across government and the private sector to implement cyber defence capabilities (developed through our CORTEX initiative) to protect a range of nationally significant organisations from advanced cyber threats.
CORTEX capabilities focus on countering complex and persistent foreign-sourced malware that is typically beyond the capabilities of commercially available tools. They use threat information from a range of sources, including our Five Eyes partners, to detect and disrupt this malware.
Operation of these capabilities helps protect against theft of intellectual property, loss of customer data, destruction or dissemination of private communications, holding data for ‘ransom’ and damage to IT networks and services.
The capabilities operate with the explicit agreement of the organisations that are protected, and are subject to independent oversight from the Inspector-General of Intelligence and Security.
A recent independent assessment found that our customers have already avoided damage in the tens of millions of dollars as a result of CORTEX capabilities.
Another part of our role, delivered through the National Cyber Security Centre is to take cyber threat information obtained through the operation of these capabilities, and provided to us through a range of international relationships, and make it available to New Zealand’s significant organisations more generally to help them strengthen and defend their networks from cyber threats.
We are progressively reaching out to organisations to establish relationships (through engagements like this, through other sector based forums and through the establishment of our customer portal) to ensure there are effective channels in place for the sharing of information that can help increase the resilience of New Zealand’s important information networks and systems.
This information sharing ranges from alerts and updates about potential threats and actions that can be taken to reduce vulnerability to more general advice on the steps organisations can take to ensure the resilience of their systems.
New Zealand’s cyber threat-scape
Later this month we will be releasing our latest unclassified cyber threat summary, reporting on the number and range of incidents we have seen in the past financial year.
We have seen the number of incidents recorded grow from fewer than 100 in 2011 (our NCSC’s first year of operation) to almost 400 in the 2016/17 reporting year.
This increase reflects both growth in our own capability and increased reporting from our customers as we build our customer base.
However, we know these numbers are just a small proportion of the total incidents affecting New Zealand and New Zealanders. This is a reflection of NCSC’s focus on the more significant end of the threat spectrum.
The establishment of CERT NZ earlier this year has provided a point for New Zealanders to report the full spectrum of cyber threats, including internet scams and criminal activity affecting homes and businesses. Their first quarterly report, covering the period from 1 April to 30 June this year, records 364 cyber security incidents reported to them in that quarter.
Regardless of the source of recording – our NCSC, CERT NZ or overseas reporting – the common factors are that cyber incidents are increasing in volume, diversity, sophistication and potential impact, and they will continue to do so.
Global estimates suggest more than 200,000 new malware variants are being created every day.
And, in spite of the investment and growth in technology to prevent, detect and mitigate threats, the average time taken to detect an intrusion is still more than 200 days.
In a typical month our NCSC detects between 15 and 20 cyber intrusions affecting one or more New Zealand organisations.
We also receive multiple requests for some other form of concrete cyber security assistance. These requests come as much from private sector firms as from government agencies. The organisations in question have included financial institutions, ISPs and tertiary institutions.
You will have probably seen recent media reports that attributed cyber-attacks overseas to various state actors. A feature of the last year or so has been reports of states using cyber-attacks to achieve political ends or even raise revenue. For New Zealand, the biggest threat we face is still likely to be from those who wish to steal our valuable information, whether it be government secrets, IP, customer information or credentials – the personal details and log-on details – our organisations hold.
There is also the very real threat of foreign actors using our networks to attack other third parties, without us knowing.
Let me give you a couple of recent examples of what we’ve seen.
We learned a New Zealand organisation’s network had been used to perform a significant cyber-attack against a foreign organisation. GCSB and Police investigated. We worked with the organisation to remediate the compromise and provided prevention guidance to enhance their IT security.
In a separate instance, we learned of malware activity involving the NZ subsidiary of a global organisation. We worked with them to investigate and in response, the organisation launched a large global investigation and significantly improved its network security posture.
These types of threat are not unique to the kinds of organisations protected by our CORTEX capabilities. All New Zealand organisations, public and private sector, are vulnerable to the broad range of cyber threats, but can take tangible steps to protect themselves from them.
In terms of what’s coming next, we see some emerging trends and some constants. These include:
The Internet of Things (IoT) is a real enabler for business (and individuals), but we frequently see low standards of security. We don’t want the innovations and advantages to be eroded by security breaches that make customers lose confidence. It is incumbent on the developers and users of these new technologies to ensure they bake security in.
Control systems (e.g. SCADA) – many industries using control systems are reaching a difficult transition between old unsupported legacy systems and new systems that may not have adequate security built in. This is coinciding with significantly increased levels of targeting of these systems worldwide.
People – your staff, your contractors, your customers. People are still one of the biggest vectors for cyber threats (phishing, whaling, data breaches, poor basic security etc).
Supply chain – we are all highly connected now, with many different feeds into our organisations (lawyers / accountants / suppliers / customers etc). Herd immunity is critical. When looking at your risks, consider your whole ecosystem and its interdependencies, and work with suppliers to mitigate and minimise risk.
Embedding cyber resilience within your organisation’s culture
So how do you help protect your organisation from these risks?
There is no “one size fits all” cyber security solution. Just as the nature of the threat differs between organisations, so too does the nature of the response.
But there are a number of common areas you can focus on.
Whole of business approach
Mitigating the risks posed by cyber threats requires a “whole of business”, not just a purely technical approach.
As governors of your organisations, you need to treat cyber security as a strategic risk. And the more digital you get, the more fundamental this will become. You need to be asking your IT and security teams the right questions: not “Are we secure?” but “How do we know we are secure?”
This involves effective risk management and reporting, supported by resilient technology platforms, and careful system monitoring.
These need to be backed up with sound policy - around security settings and obligations on users, and ongoing user education to ensure staff and other system users are aware of common risks and how to avoid them.
Understand your information assets and your network
We encourage organisations to really get to grips with their cyber defence at a deep level and protect what matters.
Do you know where your important information assets are, who has access to them and how well they are protected?
You need to identify your ‘crown jewels’ – your priority systems, processes, knowledge (intellectual property) and assess their vulnerability.
Only then will you be able to confidently apply security controls. We recommend the Australian Signals Directorate’s Top 35 mitigation strategies. These contain the Essential Eight security mitigations, designed to prevent malware from being delivered and run, to limit the extent of incidents, and to recover data and system availability. They typically provide about 85% protection against common cyber-borne threats.
The effectiveness of these controls also rests on your ability to know what’s actually running on your network and to monitor effectively what is happening across the breadth of your systems.
For example, you might believe you are fully patched. However if you don’t have an effective hardware and software asset management policy, how do you know if you are patching 100% of the equipment and applications in your environment?
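The question above has a concrete answer: reconcile the asset inventory against what the patch tool reports it manages, and count only hosts that appear in both, are still checking in, and have nothing critical outstanding. The following is an added example written for this page (not GCSB or NCSC code); it assumes a CMDB export and a patch-management export in the CSV layouts shown, with constructed hostnames and values.

```python
"""Reconcile an asset inventory with a patch-management report.

"Fully patched" can only be claimed for hosts that the inventory knows about,
the patch tool manages, that have checked in recently, and that report no
missing critical patches. Everything else is a gap of one kind or another.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Constructed sample CMDB export (hypothetical hosts, not real data).
INVENTORY_CSV = """hostname,owner,role
web-01,platform,web
web-02,platform,web
db-01,data,database
hr-laptop-07,hr,endpoint
"""

# Constructed sample patch-tool export: enrolled hosts, days since the agent
# last checked in, and the count of critical patches still outstanding.
PATCH_REPORT_CSV = """hostname,last_checkin_days,missing_critical
web-01,1,0
db-01,3,2
legacy-fax-gw,12,5
"""


def parse_csv(text: str) -> list[dict[str, str]]:
    """Parse a CSV export with a header row into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


@dataclass
class Reconciliation:
    inventory_total: int
    unmanaged: set[str] = field(default_factory=set)      # in inventory, not enrolled in patch tool
    unknown: set[str] = field(default_factory=set)        # patch tool knows it, inventory does not
    stale: set[str] = field(default_factory=set)          # enrolled but no longer checking in
    noncompliant: set[str] = field(default_factory=set)   # reports missing critical patches
    verified_patched: set[str] = field(default_factory=set)

    @property
    def managed_coverage(self) -> float:
        """Share of inventory hosts the patch tool is even aware of."""
        if not self.inventory_total:
            return 0.0
        return (self.inventory_total - len(self.unmanaged)) / self.inventory_total

    @property
    def verified_coverage(self) -> float:
        """Share of inventory hosts you can actually prove are patched."""
        if not self.inventory_total:
            return 0.0
        return len(self.verified_patched) / self.inventory_total


def reconcile(inventory_csv: str, report_csv: str, max_checkin_days: int = 7) -> Reconciliation:
    """Cross-check inventory against the patch report and classify every host."""
    inventory = {row["hostname"].strip().lower() for row in parse_csv(inventory_csv)}
    report = {row["hostname"].strip().lower(): row for row in parse_csv(report_csv)}
    report_hosts = set(report)

    result = Reconciliation(inventory_total=len(inventory))
    result.unmanaged = inventory - report_hosts
    result.unknown = report_hosts - inventory

    for host, row in report.items():
        checkin_days = int(row["last_checkin_days"])
        missing = int(row["missing_critical"])
        if checkin_days > max_checkin_days:
            result.stale.add(host)          # its last reported state may be out of date
        if missing > 0:
            result.noncompliant.add(host)
        # Only hosts that are in inventory, current, and clean count as verified.
        if host in inventory and checkin_days <= max_checkin_days and missing == 0:
            result.verified_patched.add(host)
    return result


if __name__ == "__main__":
    r = reconcile(INVENTORY_CSV, PATCH_REPORT_CSV)
    print(f"inventory hosts:        {r.inventory_total}")
    print(f"unmanaged (no agent):   {sorted(r.unmanaged)}")
    print(f"unknown to inventory:   {sorted(r.unknown)}")
    print(f"stale check-in:         {sorted(r.stale)}")
    print(f"missing critical:       {sorted(r.noncompliant)}")
    print(f"managed coverage:       {r.managed_coverage:.0%}")
    print(f"verified patched:       {r.verified_coverage:.0%}")
```

With the constructed data the patch tool would happily report "100% of managed hosts checked", yet only one of the four inventory hosts is verifiably patched, two never reached the patch tool at all, and a device the inventory has never heard of is still accepting patches. The two coverage figures are the ones worth putting in front of the board: the gap between them is exactly the blind spot the question above describes.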
Have an incident response plan
Another important aspect of this is to make sure you have an incident response plan so you can be confident in your ability to manage security incidents. This includes information privacy breaches as well as cyber intrusions.
The aim is to contain the incident and prevent it from escalating. The plan needs to be tested regularly – every 12 months at a minimum.
Reliance on Managed Service Providers
We strongly advocate that you retain responsibility for IT security when working with Managed Service Providers. Not doing so potentially exposes organisations to lateral intrusion via your provider’s network.
You should not assume that third-party vendors have been fully vetted and had the competency of their defences tested. You need to validate this with the vendor themselves.
It comes down to regularly monitoring your Service Level Agreements to make sure security measures are set at the right level for your organisation.
While you can outsource many things, you cannot outsource risk.
The ever-expanding world of identity and access management
Guidance in this area is evolving, particularly as the Cloud develops.
Meanwhile, the NZ Information Security Manual, which we publish, sets out the mandatory requirements for government entities. The security advice it contains is equally applicable to private sector organisations.
Agencies must develop and maintain a set of policies and procedures covering system users’ identification, authentication and authorisation, and make their system users aware of those policies and procedures.
The ISM also covers physical access to locations, including data centres, and personnel security.
As more functions move to the Cloud, multi-factor authentication becomes more important.
There is much more we could cover in this engaging and important area and there are others here today who will add to and expand on the points I have made.
Thank you again for the opportunity to be here today, I will now hand over to Barry and Mark to expand on some of the themes I have touched on and talk about other important security risk management areas, then we will open up for questions.