Cyber security shake-up ‘rushed’, says top consultant
Secret Govt proposal outed by ex-Cert NZ board member over ‘negative consequences’
Acybersecurity shakeup, revealed in an open letter by an angry security industry insider, is being considered by Cabinet, GCSB Minister Andrew Little has confirmed.
His plan, kept under wraps until now, is to move Cert NZ under the GCSB’s National Cyber Security Centre (NCSC).
“The current system is fragmented, creating a ‘merry-goround experience for business victims’ of cybercrime,” Little told the Herald.
He wanted “a single front door for cyber security reporting, triage and response”, as recommended by a 2021 cybersecurity advisory committee whose members included Z Energy chief digital officer Mandy Simpson, Kiwibank tech boss Hamish Rumbold and then Consumer NZ chief executive Jon Duffy.
Cert NZ was created in 2016, under Sir John Key’s Nationalled Government to act as a “triage unit”, issuing public alerts about cybersecurity threats and aiding individuals and small businesses who had suffered a cyber attack toward the right help.
It is still run by its founding director, Rob Pope — the ex-cop best known to most Kiwis for his role as the detective inspector who led the investigation into the murders of Ben Smart and Olivia Hope.
A Cert NZ spokesman said the agency today has 35 staff. Questions were referred back to Little’s office.
In an open letter posted to LinkedIn, cybersecurity consultant and former Cert NZ board member Kendra Ross said: “While the objective of strengthening New Zealand’s cybersecurity capabilities is commendable, we believe that this decision, combined with the lack of broad consultation and the rushed implementation, poses significant risks and could have far-reaching negative consequences.
“Placing an outward-facing non-intelligence organisation under the umbrella of an intelligence agency could create conflicts of interest and compromise the independence and transparency necessary for effective cybersecurity operations.”
Ross told the Herald she was affiliated with a “closed security group” that learned of the plan early last week. Members of the group took concerns to the National Cyber Policy Office, which reports to Communications Minister Ginny Andersen and Little. The members were given until Friday to give feedback, and told not to discuss the plan publicly.
Ross said she resigned from the group so she could speak out. She told the Herald she had cofounded two cybersecurity forums that represented some 1600 security professionals between them.
She criticised the “apparent rush to implement this decision without a clearly defined government strategy for the cyber security sector”.
In her open letter, she criticised the Government for a lack of consultation on such a “substantial reorganisation”, in the context of what she saw as a half-decade of cyber security directionlessness.
“Five years without a government strategy in such a critical area is worrisome,” she said.
The lack of consultation could build resistance, and mean key trends in a fastmoving threat landscape were missed.
“Cert NZ does an excellent job, but since it was established in 2016, the cybersecurity threats New Zealand faces have become more sophisticated and costly to protect against and remediate,” Little told the Herald. “Much of the NCSC’s work is public-facing, and is delivered to customers across the public and private sector in the same manner as Cert NZ’s.
“However, the NCSC’s responsibilities for supporting the cybersecurity resilience of New Zealand’s nationally significant organisations and responding to national level harm means they have access to cyber threat information which is only accessible to intelligence agencies, such as intelligence about the advanced state-based threats which are increasingly a concern for nationally significant organisations.”
Bringing the two agencies together would improve coordination and help to boost low-reporting of cybersecurity incidents.
Ross countered that Cert NZ being under the GCSB’s NCSC unit would make embarrassed victims even more reluctant to admit that their systems had been breached by hackers, or that they had fallen for a scam.
The Herald understands that a key catalyst for the formation of the cybersecurity advisory committee, whose recommendations led to the plan to move Cert NZ under the GCSB, was an unco-ordinated response to the DDoS (distributed denial of service) attack on the NZX in 2020, which took the stock exchange offline for days.
Little ordered the GCSB’s NCSC to help the exchange, the Herald understands — a move that apparently the minister thought should not have been necessary given the simple, brute force nature of a DDoS attack, where a swarm of bots try to access a site, effectively crowding out regular users. A 2021 Financial Markets Authority report on the incident was sharply critical.
The Cyber Security Advisory Committee (CSAC) was formed in December 2021.
“Over the following year the CSAC surveyed and consulted with businesses and organisations and found the current system is fragmented, created a ‘merry-go-round experience for business victims’, and did not present a safe experience for Mā ori especially when information sharing goes unchecked. The CSAC found there is a significant gap between the current state and a high performance future state for cyber security prevention and defence,” Little said.
“The CSAC recommended the creation of a single front door for cybersecurity reporting, triage and response, and that it should be placed under NCSC, in part because the NCSC has empowering legislation that creates detailed obligations on it and protections for the public, whereas Cert NZ does not.”
Little’s proposed restructure follows moves by the other Five Eyes countries to bring their Cert equivalents under security agency control.
“This unified model is increasingly the international standard and would also help government to better understand the overall cyber threat landscape and use this information to provide guidance to New Zealanders.”
Ross said anecdotal feedback from staff in those countries (the US, the UK, Canada and Australia) was that the measure hadn’t worked and should be unwound.
Little maintained there had been consultation. “Since CSAC made its recommendations there has been further consultation to seek input from organisations who represent other voices from the information security sector and everyday New Zealanders,” he said.
Asked if all of Cert NZ jobs would be safe under the NCSC plan, a member of Little’s staff said the plan was still being finalised.