As communications technologies advance, the need to protect information carried by those technologies also grows.
There are two main reasons to protect information. Firstly, the confidential information of the Government of New Zealand needs to be protected from unauthorised disclosure; government departments must be able to communicate information securely. Secondly, there is a requirement to protect information and infrastructure from corruption by malicious 'attack', such as a humble computer virus.
The information assurance (IA) function of the GCSB relates to the protection of information that is processed, stored or communicated by electronic or similar means and includes:
These functions incorporate and expand on the more traditional functions of communications security, computer security, and technical security.
In August 2001 the Government extended the functions of the GCSB to include co-ordination, support and advice to critical infrastructure owners regarding cyber-borne threats and vulnerabilities. The Centre for Critical Infrastructure Protection (CCIP) was established and primarily assisted organisations in the energy, emergency services, banking and finance, government, transport, and telecommunications sectors.
In September 2011, the role of the CCIP was absorbed by the National Cyber Security Centre (NCSC). The NCSC provides enhanced services to government agencies and critical infrastructure providers to assist them to defend against cyber-borne threats.
CORTEX is a project to counter cyber threats to organisations of national significance – e.g. to operators of critical national infrastructure.
It involves GCSB implementing capabilities to protect these organisations against advanced malicious software (‘malware’). In some cases malware is passively detected. In others it is actively disrupted or ‘blocked’.
The capabilities delivered by CORTEX cannot be used for purposes other than cyber security.
CORTEX operates under the GCSB Act. The detection and disruption of malware by GCSB is governed by warrants and access authorisations approved by the Minister Responsible for GCSB and the Commissioner of Security Warrants.
CORTEX is one part of New Zealand's Cyber Security Strategy. The strategy is available on the DPMC and Connectsmart websites.
Organisations protected by CORTEX come from both the private and public sectors. They include government departments, key economic generators, niche exporters, research institutions and operators of critical national infrastructure.
CORTEX always operates with the explicit consent of the organisations that are protected from cyber threats.
GCSB does not disclose the identity of the individual organisations receiving the CORTEX protections. Doing so might help to confirm where some of New Zealand’s most valuable information is held and so increase the targeting of cyber-attacks.
Working with ISPs – Malware Free Networks
GCSB has commenced a pilot of an initiative called Malware-Free Networks, in which it shares cyber threat information and technology with the Internet Service Provider Vodafone NZ, so that Vodafone NZ can actively mitigate advanced malware for a small subset of its commercial customers.
Vodafone NZ’s customers involved in the Pilot have explicitly consented to receiving the protections and are aware of GCSB’s involvement. GCSB does not have access to the communications of Vodafone or of Vodafone customers in any way.
When implementing IT infrastructure changes, the GCSB recommends consideration of information assurance standards. The following are some of the organisations and resources New Zealand government departments and agencies should consider when developing their IT requirements and architectures.
The GCSB maintains the NZ Information Security Manual (NZISM) publications. The GCSB also produces doctrine for use of high-grade cryptographic systems, available to departments as required.
The NZISM is an integral part of the Protective Security Requirements (PSR) framework, which sets out the New Zealand Government's expectations for the management of personnel, information and physical security. The PSR framework superseded the SIGS and PSM documents in December 2014.
Standards New Zealand promulgates several New Zealand-specific standards as well as a host of joint Australian/New Zealand and international standards. AS/NZS17799 Information Security Management provides an overview of the types of factors that should be considered and included to protect information and information systems. NZS6656 Code of Practice for Implementation and Operation of a Trustworthy Computer System discusses security-related factors that should be considered in a computer operation, for instance when outsourcing system management. HB231 describes the process of information security risk management, and NZMP6653 is a directory of national and international security standards. These standards and guides are available in hardcopy or electronic form to order or download from the Standards New Zealand website.
The Internet Engineering Task Force (IETF) working groups produce the Request For Comments (RFC) documents that define the protocols and operations of the Internet. Security protocols such as SSL, S/MIME, IPSec, and SKIP are defined, as well as PKI standards and gateway configuration guidelines. The RFCs are available from www.ietf.org/rfc.html.
New Zealand is a member of the Australasian Information Security Evaluation Programme (AISEP) and is represented on its Management Board by the GCSB. The programme provides for impartial evaluation of information technology products against an internationally recognised standard, the Common Criteria for information technology security evaluation. The results of these evaluations are certified by the Australian Signals Directorate (ASD), and are published in the ASD Evaluated Products List (EPL).
The Mutual Recognition Arrangement (MRA) provides for the recognition of Common Criteria certifications, up to and including EAL4, among what are known as “certificate producing” and “certificate consuming” nations, and all products certified between EAL1 and EAL4 are published to the Common Criteria Portal Certified Products List.
There is no MRA for products certified between EAL5 and EAL7. For products certified at these assurance levels, look at the national EPLs listed above.
GCSB recognises all products certified up to EAL4 (including EAL4+, which incorporates Flaw Remediation) as per the MRA. However, for products certified EAL5 and higher, the GCSB recognises those produced by ASD under the AISEP scheme only. The GCSB is to be consulted for products certified by other schemes to EAL5 and higher.
Mobile phone devices that have not been evaluated cannot be used for information above UNCLASSIFIED.