Speech to the Kiwicon 9
You have heard about us - from others, you have probably read about us – from others, well now it is time to hear about us, directly so we can tell you, in our own words, about the work that we do, about what we are trying to achieve and how we go about it.
Huge thanks to Adam and the rest of the Kiwicon crew for this opportunity – I know that it is a big call to have me here.
I understand there is a long standing tradition that every time a presenter mentions the word “cyber” they must drink. A substantial part of my job is about cyber, and some of my teams have cyber in their name. That is what I am here to talk about so I am going to say cyber a lot. And, I simply can’t and won’t drink that much.
We are all here because we share a common challenge – even if we do sometimes have different views about how we go about achieving it.
Those of you working in the private sector – I suspect that is most of you here today – play a key role in helping to raise New Zealand’s collective cyber security bar. I feel it is important to acknowledge that.
Thank you for the huge contribution you make.
Part of our challenge is that public and private sector information security interests can work together more effectively to improve New Zealand’s overall security posture.
The fact I am here talking to you today reflects an acknowledgement we know this is an area we can do better in.
I understand that not everyone is necessarily comfortable with us and aspects of the work we do. That is fine, we live in a democracy and it is important that we can have different views.
However, I hope that after this session you will have a better understanding of how we operate, and the work we do to achieve our shared goal.
And – perhaps more importantly - you will have a better understanding of how we use our capabilities to protect New Zealand’s important information and systems, and the rules around how we use those capabilities.
Rules which ensure we can only operate them with the full knowledge of support of the organisations whose information we are protecting, and that we can only use the information we obtain in ways that they consent to.
Enough of the advertorial, let’s get to the view from the inside.
The GCSB has three functions; foreign intelligence, support to other agencies and information assurance.
It is that information assurance function that I will focus on this morning.
Our cyber security mission is “to ensure the protection, security, and integrity of communications, and information infrastructures of importance to the Government of New Zealand,” and to do everything “necessary and desirable to protect the security and integrity of the communications and information infrastructures”.
Those are weighty words – essentially they mean we must do everything possible (within the limits of the law and our authorisations) to protect New Zealand’s most important information and systems.
This is achieved through the work of our Information Assurance and Cyber Security Directorate, which incorporates the National Cyber Security Centre.
The IACD does more than just in cyber security in the generally accepted sense of the term.
Some of the things you might not know about include;
- That we provide high grade cryptologic services to protect critical data of national importance
- We conduct technical inspections and accredit networks processing data of national importance. (If it is a New Zealand government network or system – including those which fly, float, or are located in our overseas embassies etc – then someone from the NCSC team has had to look at it and certified it meets the required level of system security and protection.)
- We provide information assurance and security guidelines via the government Protective Security Requirements and the NZ Information Security Manual and we work across government with GCIO to develop and promote compliance with those standards.
- Our outreach and engagement team works closely with customers across the public and private sectors helping convert our advice and inputs into actions which make networks more resilient.
- Our work includes the CORTEX initiative which I will talk in more detail on later.
- We also provide a point of national contact and coordination for reporting and sharing information on cyber threats and, in the case of some nationally significant information systems supporting response to those threats.
The goal of all this is to ensure there are no advanced, technology borne compromise of the New Zealand’s most significant national infrastructures.
This is a bold challenge – a stretch goal - , It is a challenge which will not be achieved by our efforts alone.
How are we going to achieve it?
We work through a range of approaches from outreach and engagement, educating boards and executives on cyber threat and risk management, through to provision of services and systems which assist organisations detect and disrupt threats.
We have a multi-disciplined technical team who focus on in-house development and support of our capabilities.
They do detection and analysis of malware. They turn that analysis into classified and unclassified product which can be passed on to partners and customers to help mitigate identified compromise.
The analysts are supported by an Outreach and Engagement team, working with customers across government and the private sector. They focus on building and maintain relationships with nationally significant organisations, passing on actionable threat information and supporting Security Information Exchanges where organisations with common threat parameters work together to mitigate known or emerging security issues.
Where possible we work with security vendors to pass on threat information which can then be incorporated into more widely available, commercial products.
The threat scape.
Like other areas of technology, the arena of cyber threat is very dynamic.
As technology pervades more aspects of our private and business lives the opportunities to exploit that technology for illegitimate means grow exponentially.
The commercialisation of exploit kits means that even relatively sophisticated cyber threats can originate from threat actors with a fairly low skill base.
From the NCSC perspective the number and nature of the threats we are recording is changing.
Whereas the NCSC was once the place where people went to report spam and scams this role is increasingly being taken by the likes of Netsafe and the DIA.
We are seeing continued growth in threats at the more sophisticated end of the spectrum.
Over the past few months we are seeing (or having reported) a serious threat every day. The greater proportion of the threats are targeting government systems – this view is more likely because of increased detection.
The incidents we are seeing range in seriousness from the targeting of small businesses with “ransom ware” and attempts to obtain credit card information through to serious and persistent attempts to compromise the information systems of significant New Zealand organisations.
Some of these threats come from well-resourced foreign sources. Sometimes they are targeting New Zealand organisations, others use New Zealand systems to target overseas networks.
So, what are we seeing, and how do we see it?
The “what” first.
Typically our Security Operations Centre will detect known state-sponsored CNE actors attacking a New Zealand entity. The team will assess the threat and analyse the malware.
We will provide advice to the entity, with specific technical details to locate infected machines and detect further compromise.
If the victim organisation is unable to respond to these threats themselves the NCSC has an Incident Response team who can go out and assist. There is a clear process of warrants and authorisations to enable us to provide this support.
Examples of the threats identified through our cyber security capabilities include;
- The targeting of officials from a key government agency through email and web site exploits to get personal information and potentially compromise the agency’s network. This attack was detected and mitigated before important information could be lost/compromised
- The use of a malware package, most likely purchased online, to target six significant New Zealand organisations. The threat was detected and mitigated through systems and support provided via our CORTEX capabilities.
- Identifying and tracing the source of a new cyber-attack method from a known major foreign threat source. The attack targeting several CORTEX customers. The “fingerprints” of this new threat were able to be passed on to our international partners, helping to reduce global vulnerability to this particular attack.
- Detecting large-scale targeting of a nationally significant organisation as part of a global campaign by known foreign threat source. The NCSC was able to work closely with the New Zealand organisation to contain the threat.
The CORTEX initiative is an important part of our response to these more advanced types of these threats.
CORETX is an umbrella term for a mixture of passive and active detection and discovery, analysis and blocking tools, fuelled by a variety of inputs (signatures) including from classified sources.
The existence of the CORTEX initiative was disclosed by Government in September last year.
CORTEX has only has one purpose: to counter cyber threats to organisations of national significance.
It is not about replicating existing information assurance capabilities - it is focused on countering foreign-sourced malware that is particularly advanced in terms of technical sophistication and/or persistence.
CORTEX customers include government departments, key economic generators, niche exporters, research institutions and operators of critical national infrastructure.
There is a double gate (authorising mechanism) to CORTEX capabilities being provided to organisations.
- First, The organisation obtaining the capability must consent to receiving it – and agree to a number of conditions, and
- Second the capability must be authorised by the Minister, and the Commissioner of Security Warrants, under the GCSB Act
These conditions include that the protected systems maintain basic, effective security controls.
Operators of systems protected by CORTEX capabilities are required to advise those who interact with their computer systems (staff, customers) that their communications may be accessed for cyber security purposes and, they must maintain confidentiality about the services it is receiving.
Information which we obtain can only be used for information assurance and cyber security purposes. And, the information can only be shared with the consent of the affected organisation.
CORTEX gives us an ability to detect threats to networks, and to tell protected organisations about those threats so that they can respond to them.
It enables us to provide targeted advice from our experts about the prevention and mitigation of cyber threats.
As part of CORTEX we are in the process of engaging with ISPs around an initiative we are calling Malware Free Networks.
We intend to pilot an arrangement whereby we share cyber threat information with an ISP so that the ISP can actively mitigate advanced malware that is targeting a small subset of its customers.
Under this pilot arrangement the benefiting ISP’s customers must consent to receiving the protections and the customers must be aware of GCSB’s support to the ISP.
GCSB will not receive internet traffic of the ISP or any of its customers. We will provide information on cyber threats which the ISP can then use to help protect the information of its customers.
CORTEX usually involves deployment of a layered set of technical capabilities
Initial detection occurs through automated means in the main– i.e. machines looking for indicators of malicious activity using information about previous successful of attempted cyber-attacks.
Rules limit the number of our people who can access the data, all of them computer network defence analysts, with a clear understanding of the rules.
The Inspector General of Intelligence and Security is able to view a log of what occurred, and the recorded reasons for any activity taken, for any analysts viewing of CORTEX data, and what they did with it.
Capacity constraints mean the CORTEX capabilities are only available to a limited range of organisations. However the benefits (threat information) are applied more widely through a range of approaches like direct interaction with customers, SIEs, publication of advisories
At the opening I mentioned one of the Kiwicon’s traditions – about using the cyber work. I understand it is not uncommon for presenters to say “we are hiring”. That part I can do. We are hiring - we are regularly and openly in the market recruiting for specialist roles, and for Graduate intakes.
I extend an invitation to anyone here have a look at the roles on offer, and to watch out for more recruitment activity in the New Year.
I appreciate having 15 minutes of your time. Thank you. Adam was good enough to put me on just before a break. I would welcome the opportunity to talk to you more, and will be staying for the break. Please feel free to come over and have a chat with me or one of the members of my team.