• CORTEX is a suite of capabilities that counters cyber threats to organisations of national significance – e.g. to operators of critical national infrastructure.
  • CORTEX involves GCSB implementing capabilities to protect these organisations against advanced malicious software (‘malware’). The capabilities allow advanced malware to be detected and disrupted.
  • CORTEX operates with the explicit agreement of the organisations that are protected from cyber threats.
  • CORTEX operates under the law that generally applies to GCSB (currently transitioning from the old Government Communications Security Bureau Act 2003 to the new Intelligence and Security Act 2017). The detection and disruption of malware by GCSB is governed by legislation, authorisations issued by the Minister Responsible for GCSB and a Commissioner of Intelligence Warrants, customer consent documents, and internal policy and procedure.
  • Background to the original project is contained in redacted Cabinet papers available at beehive.govt.nz
  • CORTEX’s only purpose is to counter cyber threats to organisations of national significance.
  • CORTEX has a particular focus on countering foreign-sourced malware that is particularly advanced in terms of technical sophistication and/or persistence. Malware of this type is not adequately mitigated by commercially-available tools.
  • Countering cyber threats helps to protect New Zealand’s economy and security. CORTEX therefore contributes to implementation of New Zealand’s Cyber Security Strategy.
  • The protections delivered by CORTEX are important because malicious cyber activity can cause significant harm in terms of:
    • theft of intellectual property (e.g. of unique research, technical designs, or commercially-sensitive business proposals)
    • loss of customer data (such as credit card details)
    • destruction or unauthorised dissemination of private communications
    • holding of data for “ransom” (wherein data is made inaccessible until a ransom is paid)
    • damage to IT networks or disruption to services relying on them.
  • Malicious cyber activity affects individual public and private sector organisations and has implications for New Zealand’s economy and security.
  • A number of organisations are involved in improving New Zealand’s cyber security. These include CERT NZ, NetSafe, the NZ Internet Task Force, the National Cyber Policy Office (part of the Department of the Prime Minister and Cabinet), New Zealand Police, New Zealand Security Intelligence Service, Department of Internal Affairs, and the Connect Smart partnership.
  • Some are public sector organisations and some are businesses. The organisations include government departments, key economic generators, niche exporters, research institutions, and operators of critical national infrastructure.
  • All have been assessed as being of national significance according to criteria determined independently of GCSB.
  • GCSB does not disclose the identity of the individual organisations receiving the CORTEX protections. Doing so might help to confirm where some of New Zealand’s most valuable information is held and so increase the targeting of cyber attacks.
  • An organisation is offered the CORTEX protections only if it is of national significance – in particular, only if it owns or operates what is termed an ‘information asset of national interest’ (ANI). A list of such organisations is maintained by the National Cyber Policy Office, which is part of the Department of the Prime Minister and Cabinet (DPMC).
  • For capacity reasons, CORTEX’s scope cannot encompass all organisations on the DPMC list. So government officials oversee a process by which potential CORTEX organisations are selected from it. They consider:
    • where each organisation sits on the prioritised DPMC list
    • coverage of different sectors
    • evidence that a particular organisation, or particular sector, has or is likely to be targeted by advanced malware
 
  • One of GCSB’s functions relates to information assurance and cyber security. This function is described in sections 11 and 12 of the new Intelligence and Security Act 2017. It is in this capacity that GCSB has implemented CORTEX. 
  • GCSB’s access to and use of communications under CORTEX is governed by the relevant legislation, authorisations issued by the Minister Responsible for GCSB and a Commissioner of Intelligence Warrants, customer consent documents, and internal policy and procedure.

Yes:

  • Some ISPs will receive the CORTEX protections directly – e.g. because they operate critical national infrastructure. Where this is the case, the ISP must first agree to receive the protections. The cyber protections will operate in respect of the ISP’s corporate communications and information systems (i.e. not those of the ISP’s customers). Any benefit to the ISP’s customers would be indirect – e.g. because the ISP’s corporate network is more resilient to cyber attack.
  • Some ISPs will be involved in assisting GCSB to provide the protections, including the Malware-Free Networks service, to other organisations. Where this is the case, the other organisations must be aware of the additional protections and agree to receive them. The situation must be one in which the organisation receiving the cyber protections has consented to receiving them by signing a formal deed with GCSB and is aware that an ISP might assist GCSB in providing the protections.
  • The only CORTEX data shared with other 5-EYES cryptologic agencies relates to malicious cyber activity – e.g. what types of cyber attack have been detected in New Zealand.
  • Like GCSB, these other agencies – ASD, CSE, GCHQ and NSA – have a cyber security mandate. GCSB works with these agencies – and also with the international CERT (computer emergency response team) community – because many cyber threats to New Zealand have an overseas source.
  • CORTEX does not involve GCSB sharing private New Zealand communications with overseas agencies – e.g. 5-EYES, CERT, security, military, law enforcement or other.
  • Moreover:
    • the capabilities delivered by CORTEX cannot be used for purposes other than cyber security
    • warrants and access authorisations prevent GCSB from sharing CORTEX-derived data with other government agencies or with any other organisation (domestic or overseas), except in the context of countering cyber threats
    • if sensitive communications of a protected organisation are to be provided to another government agency for cyber security purposes, then the protected organisation must explicitly agree to this.
  • No, when this is a question about an ISP receiving the CORTEX cyber protections itself. If an ISP is receiving the protections, this is because the ISP has agreed to this and has signed a deed with GCSB – there is no requirement to do so under law.
  • No, when this is a question about the Malware-Free Networks initiative.
  • The situation is different, however, when a nationally significant organisation has signed a consent document with GCSB to receive the CORTEX protections and an ISP is assisting GCSB to deliver the protections to that organisation. In this situation:
    • the ISP provides the assistance where there is an authorisation issued by the Minister Responsible for GCSB and a Commissioner of Security Warrants
    • the Minister and Commissioner believe that the activity described in the authorisation meets the standards set out in the relevant legislation, including that the activity is justified, necessary and proportionate
    • the ISP has a statutory duty to assist GCSB to give effect to such an authorisation. This means that, when GCSB presents the relevant authorisation to the ISP, the ISP has to assist GCSB.
  • Malware-Free Networks is an initiative linked to CORTEX. It involves GCSB sharing cyber threat information with a broad range of consenting nationally significant organisations to help them defend against cyber attack.
  • The MFN cyber threat detection and disruption capability builds on that provided by the customer’s network operator (Internet Service Provider).
  • It is a scalable way of reaching a wide group of nationally significant organisations.
  • Networks being totally free of malware might be unrealistic – but ‘malware-free’ is something to aim for.

Because of CORTEX, GCSB is able to:

  • detect cyber threats to information systems owned or operated by protected organisations
  • provide targeted advice on the prevention and mitigation of these threats to those organisations and others
  • identify vulnerabilities in computer systems and networks that advanced threats might exploit
  • mitigate advanced malware directly.
  • No. CORTEX’s scope is limited to mitigating cyber-borne threats to nationally significant organisations. There is no other reason for the project. The capabilities delivered by CORTEX cannot be used for purposes other than cyber security.
  • GCSB is not allowed to share CORTEX-derived communications with other government agencies or with any other organisation (domestic or overseas), except in the context of countering cyber threats.
  • Moreover, if communications of a protected organisation are to be provided to another government agency for cyber security purposes, then the protected organisation must explicitly agree to this.
  • Yes, in some cases. Some organisations will receive CORTEX protections that provide ‘active defence’ of their networks or computer systems.
  • Such active defence involves putting in place systems that can identify and stop cyber threats in real time. These systems are given ‘fingerprints’ – patterns of data that identify particular threats – which they use to distinguish between benign and malicious internet traffic. When malicious internet traffic is identified by a fingerprint, the system prevents it from reaching its destination.
  • No. CORTEX is consented, authorised and highly targeted. The cyber protections are made available to a limited group of public and private sector organisations of national significance – e.g. government agencies, critical infrastructure providers, key economic generators.
  • The detection and disruption of malware by GCSB is governed by legislation, authorisations issued by the Minister Responsible for GCSB and a Commissioner of Security Warrants, customer consent documents, and internal policy and procedure.
  • These authorisations do not allow GCSB analysts to have access to the communications of the protected organisations as a matter of course. There is a two-step process whereby GCSB analysts are granted access to relevant data only if a risk has been identified to a particular organisation, and only if the need for the access has been justified to the satisfaction of the Minister Responsible for GCSB and the Commissioner of Security Warrants.
  • CORTEX does not involve mass or bulk scanning of New Zealand internet (or other) communications. Detection of cyber threats operates in respect of a highly targeted (and consented and authorised) range of communications. 
  • If all eligible organisations signed up to the protections, less than 1% of New Zealand’s internet traffic could be involved in CORTEX. Current experience suggests that only a very small proportion of that traffic (0.5% of the 1%) would ultimately be found to contain indications of malicious cyber activity and an even smaller proportion (0.01% of the 0.5%) would need to be looked at by a GCSB analyst, and only following automatic machine-based alerting.
  • In most cases, no. However, sometimes email that might be regarded as spam represents a first step to installing malicious software on a victim’s computer. GCSB would look to identify and defend against spam of this type for protected organisations of national significance.
  • ISPs already use technical means to block malicious internet traffic that their customers would otherwise receive. CORTEX’s primary focus is malware that takes a particularly severe form and is advanced in terms of technical sophistication and/or persistence. Such malware is less common than spam.
  • Machine analysis involves computers looking in data for patterns (or ‘fingerprints’) of known evidence of malicious cyber activity.
  • These fingerprints tell the computers what to look for and are produced in various ways, often by inspecting a sample of malicious software to understand how it operates and what evidence it leaves behind during a cyber intrusion.
  • Malicious software samples may be collected after a successful or attempted cyber intrusion has been identified, and the resulting fingerprints can be used to prevent future attacks of the same type, or at least identify when they have happened.
  • GCSB engineers program the machines. In the same way that GCSB analysts are prohibited from looking at CORTEX data unless it is strictly for the purpose of identifying and defending against malicious cyber activity, GCSB engineers are also prohibited from programming the machines for any other purpose.
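The two passages above (active defence that blocks traffic matched by a fingerprint, and machine analysis that derives fingerprints from a malware sample and then discards everything that matches nothing as ‘not for human analysis’) describe one pipeline. The following is an added illustration of that pipeline in Python; it is not GCSB or CORTEX code and says nothing about how CORTEX is actually built. The “sample observations”, fingerprints and traffic records are all constructed for the example (the beacon hostname uses the reserved `.invalid` domain), and the field names, the `block-and-alert` / `not-for-human-analysis` actions and the helper names are assumptions made here.

```python
"""Fingerprint (signature) based detection, disruption and triage.

Added example, not code from GCSB or the CORTEX programme. Every
fingerprint and traffic record below is constructed; none describes a
real piece of malware. The flow mirrors the text: artefacts observed
while analysing a sample become fingerprints, a machine pass applies
them to traffic, matches are blocked and escalated to an analyst, and
everything else is discarded as 'not for human analysis'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable


@dataclass(frozen=True)
class Fingerprint:
    """A pattern that identifies one known threat (constructed names)."""
    name: str
    field_name: str      # which attribute of a TrafficRecord to inspect
    pattern: re.Pattern  # compiled regex applied to that attribute


@dataclass
class TrafficRecord:
    """One flow summary as a detection sensor might see it (constructed)."""
    src: str
    dst: str
    host: str
    user_agent: str
    payload: bytes


@dataclass
class Verdict:
    record: TrafficRecord
    matched: list = field(default_factory=list)  # fingerprint names that hit

    @property
    def action(self) -> str:
        # A hit is stopped before reaching its destination and queued for a
        # human; a record with no hit never reaches an analyst at all.
        return "block-and-alert" if self.matched else "not-for-human-analysis"


# Constructed summary of what analysing a (fictional) sample revealed:
# the hostname shape it beaconed to, its HTTP User-Agent, and a fixed
# marker in its check-in payload.
SAMPLE_OBSERVATIONS = {
    "beacon_host_regex": r"^[a-z0-9]{12}\.example-c2\.invalid$",
    "user_agent": "Mozilla/4.0 (compatible; ExampleBeacon/1.0)",
    "payload_marker": b"\x00EXBEACON\x01",
}


def build_fingerprints(observations: dict) -> list:
    """Turn sample-analysis artefacts into fingerprints (assumed helper)."""
    fps = []
    if "beacon_host_regex" in observations:
        fps.append(Fingerprint("beacon-host", "host",
                               re.compile(observations["beacon_host_regex"])))
    if "user_agent" in observations:  # literal string, so escape it
        fps.append(Fingerprint("beacon-ua", "user_agent",
                               re.compile(re.escape(observations["user_agent"]))))
    if "payload_marker" in observations:  # bytes pattern for a bytes field
        fps.append(Fingerprint("payload-marker", "payload",
                               re.compile(re.escape(observations["payload_marker"]))))
    return fps


def scan(records: Iterable[TrafficRecord], fps: list) -> list:
    """Machine pass: apply every fingerprint to every record."""
    verdicts = []
    for rec in records:
        v = Verdict(rec)
        for fp in fps:
            if fp.pattern.search(getattr(rec, fp.field_name)):
                v.matched.append(fp.name)
        verdicts.append(v)
    return verdicts


def triage_summary(verdicts: list) -> dict:
    """How much the machines kept for a human versus discarded."""
    flagged = sum(1 for v in verdicts if v.matched)
    return {"total": len(verdicts), "flagged": flagged,
            "not_for_human_analysis": len(verdicts) - flagged}


# Constructed traffic: three ordinary flows, one full beacon, one partial hit.
SAMPLE_TRAFFIC = [
    TrafficRecord("10.0.0.5", "192.0.2.10", "www.example.com",
                  "Mozilla/5.0", b"GET / HTTP/1.1"),
    TrafficRecord("10.0.0.6", "192.0.2.11", "mail.example.org",
                  "Mozilla/5.0", b"GET /inbox HTTP/1.1"),
    TrafficRecord("10.0.0.7", "192.0.2.12", "a1b2c3d4e5f6.example-c2.invalid",
                  "Mozilla/4.0 (compatible; ExampleBeacon/1.0)",
                  b"POST /c HTTP/1.1\r\n\r\n\x00EXBEACON\x01id=7"),
    TrafficRecord("10.0.0.8", "192.0.2.13", "cdn.example.net",
                  "Mozilla/4.0 (compatible; ExampleBeacon/1.0)",
                  b"GET /a.js HTTP/1.1"),
    TrafficRecord("10.0.0.9", "192.0.2.14", "www.example.com",
                  "curl/8.0", b"GET /status HTTP/1.1"),
]


if __name__ == "__main__":
    verdicts = scan(SAMPLE_TRAFFIC, build_fingerprints(SAMPLE_OBSERVATIONS))
    for v in verdicts:
        print(v.record.host, v.matched, v.action)
    print(triage_summary(verdicts))
```

The point to notice is the fourth record: one fingerprint (the User-Agent) fires on an otherwise ordinary-looking flow, so it is blocked and sent for review rather than silently dropped. That is the trade-off the page describes: fingerprints are derived from evidence a known sample left behind, so they catch repeats of the same activity, and any record that matches nothing never reaches a person.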
  • Yes. The cyber protections delivered by CORTEX and the Malware-Free Networks initiative are provided to a limited group of nationally significant organisations who consent to receiving them.
  • There is no compulsion. The organisations agree to receive the protection only if they see value in doing so.
  • Consent is confirmed in a formal customer consent document between GCSB and each organisation. The document sets out the conditions under which GCSB will provide one or more cyber security services to the organisation.
  • There are multiple checks, both through independent audit and in elements built into systems being used, to ensure information is accessed only for appropriate, authorised purposes.
  • Access to data is restricted to GCSB staff specifically approved to carry out the analysis. A very limited number of GCSB analysts and engineers have access to CORTEX data. Senior GCSB managers are responsible for overseeing restrictions on access, which is approved for specialists in computer network defence only.
  • Searches of CORTEX data must be documented by the relevant GCSB analyst before they are undertaken. Any non-compliant use – deliberate or otherwise – would be visible on audit.
  • Analytical tools supporting CORTEX automatically audit and restrict use of data by GCSB analysts according to the permission under which the data is received.
  • Machines eliminate the vast majority of data that CORTEX processes as ‘not for human analysis’ on the basis that the machines cannot find indicators of malicious cyber activity.
  • In addition, all CORTEX data is categorised according to how it should be handled, making the rules about what can and cannot be done with particular data clear to GCSB analysts. It would be very difficult for someone to accidentally open something they were not meant to open.
  • The GCSB analysts and engineers hold the highest level of government security clearance. This involves thorough vetting, including background checks, investigations and interviews.
  • A GCSB analyst who intentionally looked at something in CORTEX data for their own purposes, knowing that it was not relevant to the provision of cyber protections, would be acting outside of GCSB’s legal authority. Like any serious misconduct, this action would be treated very seriously by GCSB and could lead to the analyst losing their job.
  • GCSB has an internal compliance team that conducts audits of these processes to ensure that GCSB staff are adhering to: the Intelligence and Security Act 2017; GCSB policy requirements; and consent documents with the individual organisations receiving the CORTEX protections. The internal compliance team checks that rules regarding who can handle the data and what they can do with it are adhered to.
  • The Inspector-General of Intelligence and Security provides external oversight to ensure that GCSB – including through CORTEX – operates within the law and with propriety, that its compliance systems are sound, and that complaints against GCSB can be independently investigated.
  • In some cases yes – so that cyber intrusions detectable in the data can be identified and advisories can be issued.
  • Each protected organisation must explicitly agree to this and confirm they have the authority to allow GCSB to access relevant data.
  • When organisations sign up to receive CORTEX protection they agree to inform their staff – and, where relevant, others who might interact with their IT systems – that their communications might be accessed for cyber security purposes.
  • Responsibility for the notification lies with the protected organisation. The notifications are put in place in different ways depending on the nature of the organisation and which of its IT systems receive the CORTEX protections.
  • The notifications will not name GCSB, as doing so might confirm to potential hackers that particularly sensitive information is processed by the organisation’s computer networks.

Only in truly exceptional circumstances. All of the following would have to be true:

  • you are in email communication with a public or private sector organisation of national significance. Only this email communication could be accessed – your other communications (e.g. to your friends and family, or to other organisations) could not be analysed under CORTEX.
  • that organisation has agreed to receiving the CORTEX protections and has advised staff and other (including external) users of its computer systems that the organisation’s internet traffic is scanned for cyber security purposes. 
  • your email correspondence with that organisation of national significance is somehow associated with – e.g. inadvertently carries – malicious cyber activity that machine scanning has flagged as of concern.
  • because of a specific risk to the organisation in question, GCSB has been granted a warrant or access authorisation that explicitly allows GCSB analysts to access communications of this type. CORTEX warrants and access authorisations do not allow this access automatically – justification specific to each organisation and a defined period of time is required, with approval given by both the Minister Responsible for GCSB and the Commissioner of Security Warrants.

Even with all these conditions met, all a GCSB analyst would be looking for in an email is evidence of malicious cyber activity. If any such evidence is found, this information could only be used for cyber security purposes.