Fending off cyber threats
State-sponsored cyber attacks have risen 10 per cent in the past financial year, and a survey of New Zealand’s most significant organisations has returned a mixed picture when it comes to resilience against such threats.
All the while, total recorded cyber incidents have dropped; a statistic that has piqued the interest of the spy agencies.
As the National Cyber Security Centre (NCSC) progressed its new ‘‘Malware Free Network’’ capability – or ‘‘son of Cortex’’ – it was advising organisations to be aware of a ‘‘shift in the cyber threat landscape’’. Director of the NCSC Lisa Fong said the rise of statesponsored activity – cyber attacks known to have originated within a foreign government – was ‘‘notable, certainly’’.
The NCSC is a branch of external spy agency the Government Communications Security Bureau (GCSB) and works directly with ‘‘organisations of national significance’’ to protect against cyber threats.
It recently carried out a highlevel survey of 250 nationally significant organisations, which revealed a marked increase in security spending on tools, but less so on expertise.
Only 19 per cent had a dedicated chief information security officer and 39 per cent did not provide any cyber security reporting to senior management. A further 33 per cent had fully identified their ‘‘critical information assets’’.
But 73 per cent had increased their cyber security spending in the past year.
It was encouraging in terms of the awareness of risk but the NCSC would like to see a bigger spend on personnel and training.
‘‘There has been an increase in spending, but largely that’s gone on tools.
‘‘Where we see the need is investment alongside those tools, because they won’t be able to analyse their systems for instance, and that won’t produce effective reporting,’’ said Fong.
While the NCSC would not comment on what agencies were deemed ‘‘nationally significant’’, it included government departments as well as private companies that provided national services, were economically significant, or had access to nationally sensitive information.
Fong would not be drawn on which states had been responsible for the rise in cyber attacks. ‘‘We don’t talk about specific actors unless we’re prepared to publicly attribute.
‘‘Part of the reason for that is ... to make sure we can keep detecting and remediating.’’
In December, the GCSB took the rare step of joining its Five Eyes allies – the United States, Canada, Britain and Australia – in naming China as being behind a major global attack.
Most went unattributed, however. ‘‘The decision to publicly attribute isn’t a decision we make alone.
‘‘It’s a multi-agency process and of course, ministers and the prime minister will make that choice,’’ said Fong.
Cyber attacks on New Zealand companies were primarily focused on financial crime or espionage, but recent statesponsored campaigns like Russia’s disinformation attack during the US presidential election also had authorities here paying attention.
‘‘For the last election there was ... a multi-agency protocol to ready us in the event that we were able to detect anything, but we did not have to use that.’’
And in the middle of last year, Cabinet approved the widespread rollout of Malware Free Networks, following a pilot trial.
Fong described it as ‘‘son of Cortex’’ – an already-known suite of capabilities, developed by the GCSB, to allow advanced malware to be detected and disrupted. Malware Free Networks takes it a step further.
‘‘So what we’re hoping to do is work with internet service providers – and we’re mid-project – to develop a capability that will allow us to proactively detect potential incidents before they occur,’’ Fong said.
Outsourcing of supplies, and the ‘‘internet of things’’ were two emerging areas of weakness.
The ‘‘internet of things’’ refers to the increasing connectivity between devices that power homes, buildings or entire networks – they effectively create a wider ‘‘surface area’’ for potential attacks. The development of a 5G network also falls under that category.
‘‘What that presents is both opportunity – you get your driverless cars, you get your medical devices .... It also represents potential vulnerability.’’
The Government and the GCSB were working through an application from telco Spark, which wants Chinese telecommunications company Huawei to build its new 5G network. The application was initially rejected by the bureau, which has the power to exert such vetoes when it comes to nationally-sensitive infrastructure.
Huawei’s relationship with the Chinese Government, paired with a law change last year that many Western countries perceive to mean that Chinese companies could be compelled to spy, is understood to be a major driver in the GCSB’s decision.
Similar decisions have been made, or are being considered, by other Five Eyes countries.