23 Nov 2014

Insight for 23 November 2014 - Cyberwarfare and NZ

From Insight, 8:12 am on 23 November 2014

Countering cyber attacks  

As New Zealand faces an an increasing number of cyber attacks, security experts say it's getting more difficult to counter them.

Insight has been asking security experts, spy agencies and politicians what threats New Zealand faces in the virtual world.

Official logo of the government communications and security bureau.

The GCSB says cyber threats are on the rise. Photo: Supplied

The slogan of the Government Communications Security Bureau used to be "Mastering the Internet for the benefit of New Zealand".

Those words have been quietly removed from the GCSB website. Possibly because it drew an unwelcome link to the British GCHQ's "Mastering the Internet" mass surveillance programme exposed in documents from the US National Security Agency whistleblower, Edward Snowden, in 2013.

GCSB Director, Ian Fletcher

GCSB Director, Ian Fletcher Photo: Supplied

But the use of the internet as a weapon is still a major focus for the GCSB. Its Director, Ian Fletcher, says the number of reported cyber attacks on New Zealand computer systems are rising by 60 percent each year.

"More and bigger, at least in terms of the consequences, seems to be a trend which we and the rest of the developed world are seeing ...That cost is the cost of protection, the cost of remedy and sometimes the cost of rebuilding and cleaning up. It doesn't begin to put a dollar figure on the reputational cost".   

Phrases like "cyber attack" and "cyber weapon" have a broad meaning. They could cover anything from an EFTPOS card skimmer on an ATM to sophisticated malware like the Stuxnet worm which severely damaged Iranian nuclear infrastructure in 2010.

Dr Allan Friedman is the co-author of Cybersecurity and Cyberwar: What Everyone Needs to Know. "One of the challenges when we talk about cybersecurity is it takes a variety of threats and puts them together," he explained.

"So if I'm worried about someone attacking my country with an intercontinental ballistic missile and I'm also worried about someone shooting me, those are slightly related - they both involve gases expelled at great speed leading to death coming towards me quickly - but that's about all they have in common."

If an ATM card skimmer is the equivalent of a pistol on the cyber security spectrum, what is defending New Zealand from the digital equivalent of an ICBM? The answer, according to the Government, is Project CORTEX.

In the words of GCSB director, Ian Fletcher, CORTEX is "a kind of top-up service" for important government and corporate computer networks which are at risk from sophisticated cyber attacks.

"They face so-called advanced persistent threats. This is the kind of threat that even well managed commercial standard won't beat." 

He said the GCSB also has a special team which selected organisations can call on for help if they come under attack.

The Government won't go into the specifics of how CORTEX works or which organisations use it. It also won't say whether the GCSB has the ability to launch cyber attacks of its own. In Mr Fletcher's words "either confirming or denying a capability wouldn't be a step we are prepared to contemplate."

Tangled multi coloured computer wiring.

Computer wiring in a server room. Photo: RNZ / William Ray

And while Mr Ayers thinks CORTEX is a sensible defensive measure he questions whether Government computer systems as a whole are as secure as authorities suggest.

He says from his experience testing computer defences public sector IT departments need more money. "I know IT departments who in my view are under-resourced for the level of work that they currently do and because their management is trying to operate a sinking lid policy on the budget they are faced with losing another staff member, which means they are in an even worse position."

The Labour Party's IT spokesperson, Clare Curran, is another critic of government IT security.

Ms Curran lists what she described as a "significant series of data breaches right across government for the last four or five years" including Ministry of Social Development kiosk security flaws and holes in the Ministry of Justice website.

"There's enough of these issues to raise serious issues about the lack of systemic approach to IT security and risk identification across government"

She identifies the cause as the lack of a mandatory computer security standard which government agencies can be audited against.

The GCSB has a Government Information Security Manual which agencies are supposed to follow but it isn't compulsory and in 2012 only three percent of agencies had assessed whether they complied with it.

That figure comes from a KPMG report commissioned after journalist Keith Ng revealed private data about Ministry of Social Development clients could be accessed through kiosks at Work and Income offices.

 Director of the National Cyber Policy Office, Paul Ash

Director of the National Cyber Policy Office, Paul Ash Photo: Supplied

The Government Chief Technology Officer, Tim Occleshaw, says the report showed "risk management awareness at senior executive level in organisations was not where it needed to be" but he says improvements have been made since. "We need to strike the right balance between usability, accessibility and appropriate security."

The National Cyber Policy Office is currently reviewing the New Zealand Cyber Policy Strategy, which was last updated in 2011. Its director, Paul Ash, said the new strategy will refine the roles of different organisations in cyber security and encourage public agencies to work with the private sector.

Mr Ash said it would also call for a "net lift in effort, not just from the public sector but from private sector partners and others."

Follow Insight on Twitter