Speaking Notes: Speech to the Technology and Privacy Forum
Tuesday 29 September 2015
Wellington
[Check against delivery.]
I am Una Jagose, the Acting Director of the Government Communications Security Bureau. I started in late February this
year, coming from my role as Deputy Solicitor-General, Crown Legal Risk at the Crown Law Office. The acting role was
extended and I’ll be in this role until the end of March 2016.
I am excited about having the extended period in this role: the GCSB, and the New Zealand Intelligence Community, is a
great place to be working. A lot has changed in the last few years and there is more change coming. The work we do is
vitally important to New Zealand, and our people are fantastic. The year ahead holds a lot of promise.
Today I am going to talk a bit about cyber security, and in particular project CORTEX, a GCSB initiative to counter
sophisticated cyber threats targeting New Zealand’s important information and information systems. But I also want to
start with an overview of the functions of GCSB – what we do and what we don’t do. The reason for that is that over
recent months there has been a bit of publicity about the GCSB and some activities that we may, or may not, have been
involved in. I want to be sure to address some of those concerns and explain how we respond to them. So I’ll take a few
opportunities to do some myth-busting about the Bureau along the way.
The day after I started in the Bureau a new wave of media attention started. You might remember there were quite a few
stories that followed in the months from March this year alleging things about the Bureau’s work. It seems to me that
the suggested motivation for these stories was to expose what the public needed to know about the Bureau’s work. The
suggestion was that there was something untoward going on, and that the media coverage would reveal all.
Also in my second week, Parliament’s Intelligence Security Committee conducted a public examination of the Bureau and
the NZSIS. You may recall I addressed questions there about whether the Bureau was conducting mass surveillance, whether
I could assure the Committee the Bureau was not conducting surveillance on New Zealanders, and so on.
Now, months later, we can look back at what’s been alleged. We have been told through the media that the Bureau may
conduct surveillance in foreign countries, and may assist in counter-terrorism work. It should not come as a surprise to
anyone that New Zealand’s foreign intelligence organisation … collects foreign intelligence; the statute that we operate
under tells you as much.
To be clear, our three functions are:
• Gathering and analysing foreign intelligence in accordance with the Government's requirements about the
capabilities, intentions, and activities of foreign persons and foreign organisations;
• Information assurance and defending and protecting critical information infrastructures (our cyber security
role, which I am going to talk about a bit later); and
• Assisting other agencies (Defence, Police and NZ Security Intelligence Service).
Just to be clear, we are prohibited by the GCSB Act from targeting New Zealanders’ private communications in our foreign
intelligence functions.
Of course it’s not news to talk about the great work we do, the value we provide, or the extraordinary people we work
with who do cool things in pursuing our statutory functions to deliver high quality cyber defence and foreign
intelligence for the Government of the day. It seems to be forgotten that the GCSB is a government department,
delivering on the Government’s priorities, and answerable to Ministers and subject to significantly more independent
oversight than most agencies (appropriately so, as I will outline today).
There are legitimate questions to be asked about our intelligence activities, but there is also a real risk of doing
real harm to New Zealand interests if the way those questions are attempted to be answered is by simply revealing
details from stolen – and classified – documents, trying to interpret at times technical intelligence-speak from them,
trying to draw threads about what is going on, and blithely publishing documents in full. Why? That approach will reveal
to adversaries what our targets or capabilities are, or are not – and, accordingly, what our vulnerabilities are. So,
you might say “why don’t you tell us everything then? Don’t wait for an exposé – you tell us.”
Fair enough. We can be better at that. But there is a real tension here. We are not so naïve as to think that we can
simply assert that we need to operate in secrecy and all will be well. The public want and expect transparency from
Government and its agencies. Secrecy breeds distrust, allows corruption to flourish and is the antithesis of what we
reasonably expect from modern, liberal and democratic governments committed to the rule of law. But, on the other hand,
security, which may look like secrecy to some, is required for effective intelligence operations (whereby agencies
around the world are tasked by their respective, democratically-elected governments with gaining insights that would not
otherwise be available).
If we allow our capabilities, areas of interest or targets to be known, we are vulnerable to those who do not have New
Zealand’s best interests at heart - whether through foreign espionage, terrorism or activity to compromise critical
information systems to steal data (e.g. intellectual property), or to control critical systems, or to obtain insights
into the Government’s sovereign intentions, dialogue and policies. New Zealand has interests we want to protect and
secrets others want to steal. And we want New Zealand to be able to flourish and prosper in this online world we live
in. So complete openness (even with the best of intentions, telling New Zealanders what their covert intelligence agency
is doing) is also openness to adversaries; that weakens, rather than strengthens, the system.
So, what to do about that? And how do we ensure that the goals of security and rights of New Zealanders – including
privacy - can be met? The tension has to be managed in a way that provides appropriate levels of security (and therefore
protection of New Zealanders and our interests) and public assurance (of lawfulness, of understanding and adequate
protection of rights to privacy, along with other rights). Taking privacy as an example, it is not a binary choice:
either security or privacy – we want them both. The framework of controls and oversight provides the appropriate
settings under which both of these objectives can be achieved, proportionate to the threat and the outcomes we are
trying to achieve.
So I say a significant answer to these inherent tensions lies in the system itself. It lies in the legislative controls
and external, independent oversight of the intelligence agencies. That oversight is crucial for assuring the New Zealand
public that those agencies are properly delivering on all the relevant interests: security, privacy, lawful conduct,
etc.
Can I come to the first popular myth about the Bureau? We do not simply randomly hoover up information and rummage
through it, hoping to find something useful. This image of “mass surveillance” is one of the biggest myths about our
work. The truth is quite the opposite: where our foreign intelligence work requires access to infrastructures that would
otherwise be unlawful (as I’ve said, to gather and analyse intelligence (including from information infrastructures) in
accordance with the Government's requirements about the capabilities, intentions, and activities of foreign persons and
foreign organisations), it is conducted under Ministerial warrant or authorisation.
The Act sets out how the system works: the reason for the access or intercept must fit within the Government’s
requirements, and be justified. The Minister responsible must receive an application that sets out the reasons why the
particular access is sought, how the proposed outcome justifies the access or intercept, whether the outcome can be
achieved another way. The Minister must be satisfied that there are controls put in place to make sure that the Bureau
only does with the information that which is needed for its proper performance. Overall the process is about ensuring
that the access sought is lawful, reasonable and proportionate.
These are high hurdles. In addition, the Minister of Foreign Affairs must be consulted before any authorisation is
granted, and the Minister responsible may impose any conditions he thinks fit. The Commissioner of Security Warrants – a
former Court of Appeal judge – must also agree if a New Zealander’s communications are to be targeted (New Zealanders’
personal communications are not to be targeted, but there are exceptions if a New Zealander is, in the words of the Act,
“an agent of a foreign power or foreign organisation”). None of these steps is taken lightly and in my experience the
applications are not “rubber stamped.” My observation is that everyone involved takes very seriously the powers we
exercise. The Director is also required to keep a Register of all such warrants and authorisations.
The controls do not stop there, of course, once we have the approval to undertake warranted work. Work conducted under
those warrants and authorisations does not commence until an analyst has a customer requirement for intelligence. That
requirement is linked into an internal plan (how will we service the customer request), which itself links to the
Government’s foreign intelligence requirements. Before conducting work under an authorisation, analysts must enter all
this data (what they are doing, for what purpose, under what plan and customer requirement, what foreign intelligence
priority) into the database before they begin.
All of these inputs into the system, all of the work done on the systems, are fully traceable and auditable.
As I have said, there is a prohibition on targeting the private communications of a New Zealander in our foreign
intelligence work. Our website has our Nationality Policy on it (under “News”), which sets out how we ensure compliance
with that prohibition.
The Inspector-General of Security and Intelligence (IGIS) must have access to the Register I mentioned, and to all the
supporting material, and work done under the warrants/accesses. She has a significant role, independent of the Bureau,
to oversee the work done in the Bureau (and the NZSIS). All our work is available to her at any time and it must be
fully auditable by her – she has direct access to the building, to the systems, and to us. The IGIS conducts audits,
reviews and regular inquiries, and reports to Ministers and, as we have seen, to the public. Ministers can direct
inquiries to her if they wish. Members of my staff can make complaints directly to her and have full protection from any
employment consequences if they do so. She also can initiate inquiries herself or on complaint from the public. She has
full inquiry powers to examine people under oath, to call for and see any relevant material – and associated
crimes/penalties apply for failing to comply.
I should mention that, as a government department, the Privacy Commissioner, the Ombudsman and the Auditor-General also
have oversight roles. And, finally, the Intelligence and Security Committee, a parliamentary committee, has an important
role in holding the agencies to account for what they do.
So, that tension I mentioned: it is managed here, in this system of control and oversight. We cannot be entirely
transparent to the public about what we do. But we must be – and we are - utterly open with the oversight bodies. Their
reports on us are what should reassure the public that what goes on is lawful and done with New Zealand’s interests at
heart. This oversight is very important and we welcome it. It is necessary to build a credible and resilient security
and intelligence service for New Zealand. It is the platform for a strong public mandate that I intend to continue
building in my time as Acting Director.
The lack of transparency to the public does not make us a closed shop, saying “don’t look here” and allowing us to make
up our own rules, and report on our own compliance. The oversight is independent and very real. In the next few months
the IGIS will be publishing her annual report of the 14/15 year and completing some inquiries into the Bureau’s work. So
you will be able to see for yourselves independent oversight in action.
So, back to mass surveillance briefly. It’s a term that creates an image of random information collection, collection
without purpose, collection without control. None of that is true. But, as I say, don’t take that from me; look to the
system. There is no evidence of it (despite what you might hear or read in various commentary). The IGIS said, when
asked in September last year, that in her work to date she had not seen any indiscriminate interception of New
Zealanders’ data. Think back to the process for warrants and authorisations I’ve outlined – the system simply does not
allow for such wide-ranging, uncontrolled conduct.
In the time I have been at GCSB I have been impressed at the oversight and compliance built into the system. The most
immediate oversight is the internal management oversight exercised day-to-day by the leadership team. There are built in
checks and authorisations, and compliance training and exams, required before information can be accessed and, as
mentioned, all accesses are fully auditable.
And I’ve been impressed with the people too. There is thorough vetting before people can work for or with us: aside from
comprehensive psychological tests, people agree to reviews of their financial background, what they do in their spare
time, personal relationships, online habits, any other habits … it is a very intrusive process. Our people have very
high levels of integrity and loyalty. They share a real sense of the burden and the privilege of the material they work
with, and the importance of what they do, day to day.
One final myth; we’re not listening in to your private communications! We’re not following your online searches or
computer use. We take very seriously the intrusive powers we do have and have a strong system of compliance within the
Bureau, and independent oversight of our activities outside of the Bureau.
Another way to ensure the tension is managed is in the Bureau being more open about the things it can be open about. I
accept that, in the past, the intelligence agencies have tended to keep everything secret, in order to maintain national
security interests. After all, it was not until 1984 that the New Zealand Government expressly acknowledged the work of
the GCSB – and our signals intelligence capability - as part of the Government’s network of agencies. And we’ve been
slow, over the next 30 years, to reassure the public by telling you what we can tell, without compromising national
security. We want to get better at that – because we can see the benefits in increasing the public understanding, and
therefore the mandate, for what we do in protecting New Zealand and our interests.
So, today, I want to speak in more detail than the Bureau has before about our cyber security role. Our cyber security
functions are about protecting the security and integrity of certain New Zealand communications and communications
systems.
The Bureau’s cyber security mission is to ensure the protection, security, and integrity of communications and
information infrastructures of importance to the Government of New Zealand, and to do everything that is necessary or
desirable to protect the security and integrity of those communications and information infrastructures, including
identifying and responding to threats or potential threats to them.
We deliver these functions by taking a multi-layered approach that includes:
• providing high grade cryptologic services to protect critical data of national importance;
• conducting technical inspections and accrediting networks processing critical data of national importance;
• providing well-researched information assurance guidelines following international standards and best practice;
• working across government, with the Government Chief Information Office, to develop and promote compliance with
information security standards;
• developing and publishing information security standards (required for government organisations but widely
adopted as best practice across the private sector) and part of the Government Protective Security Requirements;
• promoting the move to a mature security culture through outreach and engagement;
• maintaining relationships with key public and private organisations of significance to the security and economic
wellbeing of New Zealand. This includes the Security Information Exchange Groups that we facilitate and the CORTEX
programme, which I will share some insights into shortly;
• providing a point of national contact and coordination for reporting and sharing information on cyber threats
and, in the case of some nationally significant information systems, supporting response to those threats;
• coordinating cyber security and incident response services to deal with threats to national critical
infrastructure;
• providing a range of direct cyber threat detection and reporting services – targeting the most advanced and
persistent threats - through our “CORTEX” capabilities; and
• working closely with the National Cyber Policy Office – a part of DPMC – to provide input into New Zealand’s
strategic response to the broad range of cyber threats.
We also have a regulatory role under Part III of the Telecommunications (Interception Capability and Security) Act
(TICSA) – in respect of the security provisions.
As you can see, much of our focus is on technology and on addressing threats that only organisations with our special
technical (cryptologic) skills can address.
At this point it might seem reasonable to question the extent and nature of the threat we are working to protect our
important information and systems from.
In broad terms, threat stems from the rapidly changing nature of the internet, which was not designed with security in
mind. The more we are connected to and holding data on internet facing systems, the greater our vulnerability to attack.
The scale and pace of growth is almost unimaginable, and means vulnerabilities are constantly being introduced,
protected against, and reintroduced and rediscovered, and so on it goes. Connectivity to the internet is everywhere:
crossing national and international boundaries and time zones, and allowing previously disparate groups to connect.
A couple of years ago there were as many internet connected devices in the world as there were people. Current growth
trends point to there being three times as many internet devices as there are people in the world by 2017. Nearly 2
billion people use the internet as their preferred means of communication. It’s a scale that offers massive opportunities,
both for those who have good intentions, and those who do not.
On the not-so-good side, the trend is moving from just simply stealing data to manipulating or destroying it. For
example, the much publicised Sony hack. And more recently the United States Office of Personnel Management (OPM)
security clearance computer system database of personal information relating to military and intelligence officials was
inhabited by hackers. Millions of US government workers’ private details were taken. And the hack was not discovered for
more than a year, giving the adversary ample time to steal as much information as it wanted.
In the New Zealand context:
• In the 12 months to 31 December 2014 there were 147 incidents recorded by the National Cyber Security Centre.
• In the first six months of 2015 we have already recorded 132 incidents and expect that by the end of 2015 this
figure will be in excess of 200.
• Of the incidents recorded so far in 2015, 79 were reported by government agencies and 33 by private sector
organisations.
• A further 20 incidents were reported to us by our cyber security partners where the nature of the organisation
was not identified.
• These incidents range in seriousness from the targeting of small businesses with “ransomware” and attempts to
obtain credit card information through to serious and persistent attempts to compromise the information systems of
significant New Zealand organisations.
• Roughly 0.5% of the data analysed through GCSB’s recently developed (CORTEX) capabilities has a signature
(fingerprint) associated with some form of cyber threat.
• Each month GCSB and our international cyber security partners identify around 900 new signatures. Where possible
this information is used to help identify the source of the threat and to assist others to avoid the threat – although
attribution (who is doing this) can be a very complex matter to determine, and our focus is on defending our systems.
Some of these threats come from well resourced, foreign threat actors. While at times they are directly targeting
significant New Zealand organisations, we are also seeing them use (and attempt to use) New Zealand based systems as a
“jumping off point” to host malware which is used to target overseas networks.
Part of our response to the more sophisticated and advanced types of these threats is the CORTEX project I mentioned. It
was announced publicly last year. If you look at beehive.govt.nz you can find the Cabinet papers that authorised it.
CORTEX only has one purpose: to counter cyber threats to organisations of national significance. Those organisations are
chosen because of their significance to New Zealand (because they are information assets of national interest) – both
public and private sector – through criteria determined by Government, independently of the Bureau.
Included are government departments, key economic generators, niche exporters, research institutions and operators of
critical national infrastructure.
We do not talk about which organisations are receiving CORTEX protection – that is because doing so may disclose where
New Zealand’s most valuable information is held and allow a more focused attention from cyber-attacks.
Through CORTEX the Bureau has and is developing capabilities to protect selected organisations. Through these technical
capabilities, advanced malware is able to be both detected and disrupted.
There is a double gate to CORTEX capabilities being provided to organisations: first, the capability must be authorised
by the Minister, and the Commissioner of Security Warrants, under the GCSB Act – the same process I mentioned earlier.
But, also, the organisation obtaining the capability must consent to receiving it – and agree to a number of conditions
(for example, each recipient must conduct the highest level of basic cyber-hygiene, advise those who interact with their
computer systems (staff, customers) that their communications may be accessed for cyber security purposes and, for the
reason above, maintain confidentiality about the services it is receiving).
So, what does CORTEX deliver?
We provide a number of different layers of protection. The system offers:
• an ability to detect threats to networks, and to tell protected organisations about those threats so that they
can respond to them;
• targeted advice from our experts about the prevention and mitigation of advanced and other cyber threats (we
share what we learn from specific instances with a wider pool);
• an ability to identify vulnerabilities in computer systems and networks that advanced threats might exploit; and
• an ability to actively block advanced malware directly.
As we know, many organisations already employ technical means to block malicious internet traffic that would otherwise
flow through to their customers. CORTEX is not about replicating those existing capabilities but is focused on
countering foreign-sourced malware that is particularly advanced in terms of technical sophistication and/or
persistence. This type of malware is not adequately mitigated by commercially available tools.
So, how does CORTEX work?
Usually it involves a layered set of technical capabilities – layering provides better coverage and is more likely to
detect sophisticated malware that might be able to avoid detection at some levels.
Organisations may receive just one or several layers of capability.
At the heart of the capabilities is the detection of advanced malware. Detection occurs through automated means in the
main – i.e. machines looking for indicators of malicious activity using information about previous successful or
attempted cyber-attacks.
In some cases the capabilities also involve ‘active defence’. This involves putting in place systems that can identify
and disrupt sophisticated cyber threats in near real-time. These systems are given ‘fingerprints’ – patterns of data
that identify particular, known threats – for them to use to distinguish between benign and malicious internet traffic.
When malicious internet traffic is identified by a fingerprint, the system prevents it from reaching its destination.
In some cases (so far our experience tells us that is less than 0.005% of the total data analysed), a human analyst
would need to review the data where the machine analysis throws up malicious cyber activity but is unable to resolve it
– perhaps because it’s a new form of attack.
We conducted a privacy impact assessment on the CORTEX project. We did not restrict ourselves to those principles that
apply to us (s 57 Privacy Act exempts us from many of the information privacy principles (IPPs)) but, following the
Privacy Commissioner’s Office advice on best practice, we considered all of the 12 principles. While some of those IPPs
are not apt to the work under CORTEX, the extraordinary controls on storage, use and retention of data, along with the
independent oversight of our work, are the keys to dealing with any privacy implications.
And – just as in our foreign intelligence work - technology assists in ensuring independent oversight of the CORTEX
capabilities for compliance with the law, with the specific terms of the authorisation, and to reassure you that the
capabilities are being used for their authorised purpose and nothing else. The system itself provides strong and
comprehensive oversight of the use of CORTEX data. The data is categorised according to how it should be handled, and
the rules about what can (or cannot) be done with it.
These rules specifically limit the number of our people who can access the data, all of them computer defence
specialists, with a clear understanding of the rules. And the IGIS is able to view it all – a complete log of what
occurred, and the recorded reasons for any activity taken, for any analyst’s viewing of CORTEX data, and what they did
with it.
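The flow just described – automated fingerprint matching, in-line blocking of known threats, escalation of unresolved hits to a human analyst, and a handling-category rule set with a complete log of who viewed what and why – as an added, constructed illustration. This is not GCSB code; the fingerprints, sample traffic, handling categories and analyst names are all assumed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# All fingerprints, flows and analyst names below are constructed, not real GCSB values.
@dataclass(frozen=True)
class Fingerprint:
    """A pattern of data that identifies a particular, known threat."""
    name: str
    pattern: bytes
    confidence: float  # 1.0 = positively known-bad; lower values need analyst review

@dataclass(frozen=True)
class Flow:
    flow_id: str
    src: str
    dst: str
    payload: bytes

@dataclass(frozen=True)
class Verdict:
    action: str                 # "allow" | "block" | "escalate"
    fingerprint: Optional[str]  # name of the strongest matching fingerprint, if any
    category: str               # handling category the data is filed under

BLOCK_THRESHOLD = 0.9

# Handling rules per data category (constructed): may a human analyst view the data at all?
HANDLING_RULES = {
    "benign-transit": {"analyst_view": False},        # passed through, never retained
    "malicious-known": {"analyst_view": True},        # blocked by fingerprint; viewable
    "suspicious-unresolved": {"analyst_view": True},  # machine could not resolve it
}

def classify(flow: Flow, fingerprints: list[Fingerprint]) -> Verdict:
    """Automated pass: match the flow against every fingerprint and keep the strongest hit.
    High-confidence hits are blocked in-line, weaker hits are escalated to a human analyst,
    and traffic matching nothing is allowed through and not retained."""
    best: Optional[Fingerprint] = None
    for fp in fingerprints:
        if fp.pattern in flow.payload and (best is None or fp.confidence > best.confidence):
            best = fp
    if best is None:
        return Verdict("allow", None, "benign-transit")
    if best.confidence >= BLOCK_THRESHOLD:
        return Verdict("block", best.name, "malicious-known")
    return Verdict("escalate", best.name, "suspicious-unresolved")

def run_pipeline(flows: list[Flow], fingerprints: list[Fingerprint]):
    """Classify every flow; return per-flow verdicts and a count of each action taken."""
    verdicts = {f.flow_id: classify(f, fingerprints) for f in flows}
    counts = {"allow": 0, "block": 0, "escalate": 0}
    for v in verdicts.values():
        counts[v.action] += 1
    return verdicts, counts

class AnalystAccessDenied(PermissionError):
    """Raised when the handling rules do not permit the requested viewing."""

class AuditLog:
    """Append-only record of every analyst access: who looked, at what, why and when."""

    def __init__(self, authorised_analysts: set[str]):
        self.authorised = set(authorised_analysts)
        self.entries: list[dict] = []

    def record_access(self, analyst: str, flow_id: str, category: str, reason: str) -> dict:
        # Every check runs before any data is shown, and the reason is recorded up front.
        if analyst not in self.authorised:
            raise AnalystAccessDenied(f"{analyst} is not an authorised computer-defence analyst")
        if not HANDLING_RULES.get(category, {}).get("analyst_view", False):
            raise AnalystAccessDenied(f"handling rules forbid analyst viewing of {category!r} data")
        if not reason.strip():
            raise ValueError("a recorded reason is required before viewing data")
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "analyst": analyst,
                 "flow_id": flow_id, "category": category, "reason": reason}
        self.entries.append(entry)
        return entry

# Constructed sample traffic (documentation address ranges) and fingerprints.
FINGERPRINTS = [
    Fingerprint("beacon-family-A", b"GET /c2/ping?id=", 1.0),
    Fingerprint("dropper-stage-B", b"\x4d\x5a\x90\x00\x03", 0.95),
    Fingerprint("partial-variant-A", b"/c2/", 0.6),  # weak pattern: review, do not block
]
FLOWS = [
    Flow("f1", "10.0.0.5", "203.0.113.7", b"GET /c2/ping?id=42 HTTP/1.1\r\n"),
    Flow("f2", "10.0.0.9", "198.51.100.3", b"GET /index.html HTTP/1.1\r\n"),
    Flow("f3", "10.0.0.12", "203.0.113.9", b"POST /c2/stat HTTP/1.1\r\n"),
    Flow("f4", "10.0.0.5", "192.0.2.44", b"GET /news HTTP/1.1\r\n"),
    Flow("f5", "10.0.0.7", "203.0.113.7", b"\x4d\x5a\x90\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    verdicts, counts = run_pipeline(FLOWS, FINGERPRINTS)
    print(counts)  # {'allow': 2, 'block': 2, 'escalate': 1}
    print(AuditLog({"analyst-1"}).record_access("analyst-1", "f3", verdicts["f3"].category, "resolve weak hit"))
```

Only the escalated flow ever needs a human; the allowed traffic is never retained, and every denied or granted viewing attempt is decided by the handling rules before any data is shown.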
As I’ve said, CORTEX is designed and used for a specific purpose. We cannot, and do not, use that capability for any
other purpose. It’s all about cyber security.
And it’s going really well.
In the first 10 weeks of 2015, we resolved more cyber security incidents than we did in all of 2014. We think it’s more
likely that’s not because of an increase in the volume of incidents so much as our improved capacity to identify and
resolve incidents promptly – thus minimising the harm to important New Zealand organisations.
I’ve talked to some private sector organisations about CORTEX lately. Both some receiving the capabilities and some who
are not receiving them. They tell me that industry is highly supportive of the Government’s investment in defences
against the more advanced, sophisticated cyber borne threats and providing them to help reduce the vulnerability of our
nationally important systems to attack.
Some recent (since March this year) examples of what we have seen or been involved in responding to recently, include:
• The targeting of several officials from a key government agency through email and web site exploits in an effort
to gain access to personal information and potentially compromise the agency’s network. This attack was detected and
mitigated before important information could be lost or compromised.
• The use of a malware package – most likely sourced from the “dark web” – to target six significant New Zealand
organisations. The threat was detected and mitigated through systems and support provided via our CORTEX capabilities.
• These capabilities also helped us identify and trace the source of a new cyber-attack method from a known major
foreign threat source. The attack targeted several CORTEX customers. The “fingerprints” of this new cyber-attack were
able to be passed on to our international partners, helping to reduce global vulnerability to this particular attack.
• CORTEX also enabled us to detect the large-scale targeting of a nationally significant organisation as part of a
global campaign by a known foreign threat source. We were able to work closely with the New Zealand organisation to
contain the threat.
We have also helped:
• an Auckland firm whose computer network was attacked by an overseas-based criminal group
• resolve a long-term compromise of a major IT firm
• a telecommunications provider to respond and strengthen their systems after seeing suspicious, overseas-sourced
activity on their network
• private sector organisations suffering ransomware and denial of service attacks.
Some incidents require our assistance, others can be resolved with some advice, and others again are managed by the
entities themselves when they are aware of what’s going on in their systems.
New Zealand government and private sector entities are targets and victims of malicious actors. We cannot be complacent
about it. But plenty is being done, with government, industry, academia and NGOs working together to understand better
the threatscape and how to build our resilience to it. By working together to counter these threats, we are protecting
New Zealand’s economy and security.
We typically do not currently provide direct assistance to smaller businesses or to individuals; however, we may assist
with evaluation of cyber incidents if they fit within our authorisation criteria.
As I’ve said, our focus is on organisations of national significance. But we do make sure that we work closely with
other organisations on the cyber threat. We’re well connected with:
• Police – National Cybercrime Unit
• DIA on privacy and information assurance
• Connect Smart (NCPO) – an initiative to increase awareness and improve cyber security. The National Cyber Policy
Office in DPMC (NCPO) is developing useful partnerships and increasing the range of organisations we are able to benefit
through cyber security insights.
• Netsafe
• NZ Internet Taskforce (largely volunteers in the commercial sector).
We provide the information we learn – at appropriate levels of generality and declassified – in advisories and other
information sharing forums such as the Security Information Exchanges (SIEs) that we facilitate. SIEs are where sectors
or industries meet as a group and discuss relevant cyber threats and mitigations, and all benefit from sharing
information.
While our work has a clear technical focus, and is primarily directed at addressing the more serious end of the threat
spectrum, cyber security is something we all have to be aware of. It is not just a technical issue, or one which only
technicians need to concern themselves with. Cyber security should be approached as an enterprise wide issue.
Information in organisations is under threat from a number of overlapping areas.
We encourage organisations to see information security through a lens of people, places and systems:
• The people risk – an insider threat can be as damaging as a cyber attack. And your people can also be the cause of
vulnerability – whether deliberately or by failing to follow security protocols.
• The places risk – premises need to be secure to prevent physical access. What are your boundaries – in cyber
terms obviously you have to think of them as more than the physical reaches of your organisation. What is the reach of
your information and data sets? That’s the boundary. Now think again – are you sure your boundary is secure?
• Following that, the systems risk is probably obvious, and doubtless your IT teams assure you of the security of
those systems. But have you considered outsourced IT service providers:
o What are their security arrangements?
o Is their resilience regularly tested?
Contracting out won’t prevent cyber attacks on your business.
Think of your information as a supply chain – from start to finish – it’s only as secure as the weakest link in that
chain.
A recent Vodafone report tells us: 56% of NZ businesses reported a cyber-attack in the past year, and 45% of them
self-report that they have inadequate tools and policies to face cyber threats.
If any element of your connectivity is insecure, you are vulnerable. And, are you creating vulnerabilities for others?
There are three common positions on cyber security that influence how an organisation prepares for and responds to cyber
threats. Each position is wrong, in my view, and risks a cyber-stance that exposes the agency to vulnerabilities rather
than reducing them.
Organisations don’t believe they have anything of value, or underestimate what information is of value. That position
leads them to think they are not under threat. But your data is valuable. Your customers certainly think so. We live in a
data economy and are seeing data not only being stolen, but also being combined with other data sets to create
commoditised information with commercial value, or being altered along the way.
NZ’s geographical isolation has traditionally meant we are safer from some of the risks we see overseas – but of course
connectivity to the internet knows no geographic boundaries, and, accordingly, there is vulnerability.
Taking a risk avoidance position: this is only successful if you can be sure to have a better defence than every potential
attack. That’s not likely, I’m sorry to say. It is better to have a risk acceptance strategy: mitigate the risks and
prepare your resilience for those risks being realised at some point. The traditional approach has been to build bigger
walls – firewalls, anti-virus software, and perimeter security devices. All still necessary, but no longer enough. A
holistic approach to cyber risk management is required: across the organisation, its networks, its supply chains and the
larger ecosystem, out to the boundary.
Recent events tell us that private information – held in datasets that are connected to the internet – is at risk of
being improperly used if cyber attacks work.
The secret of cyber security is that the basics matter – but they are not as commonly implemented as you would think.
Most cyber-attacks succeed because the basics aren’t followed. Even though there are some adversaries who have access to
the most sophisticated cyber-attack capabilities, they will always try the obvious first. After all, what burglar doesn’t
try for an unlocked window first, even if she can hack through your household security system? So too, an adversary will
not risk deploying their expensive, covert and hard-won cyber-attack capabilities if they can slip in the ‘open window’
in your system.
So what are the basics? Our Australian counterpart ASD has some good mitigation strategies on its website – four
recommended in particular are patching systems and applications as patches become available, ensuring that people don’t
bring their own software to work (white-listing – only allowing approved software to run), limiting administrator
privileges, and strong control of passwords. See more on our website: ncsc.govt.nz (or gcsb.govt.nz can take you there)
or google “catch, patch, match” for ASD’s site.
These basic policies provide a very solid basis for building and maintaining more cyber secure systems and networks. The
basics of an effective cyber security system can be built on some relatively simple concepts, as I’ve outlined. But the
serious, high-end sophisticated threats to significant New Zealand entities and infrastructures need a more complex
response, and CORTEX is an important part of that.
I hope my presentation today has helped inform your own understanding of the role and functions of the Bureau, along
with the important security challenge we all face. If you look at our website you will see, along with handy tips for
thinking about cyber security, some internal policies that we work to in various areas. They’ve been declassified, of
course, for public consumption. More material is to come as we progress our commitment to greater transparency. We are
also working on some very detailed information on CORTEX for the website. I’m determined that the Bureau keeps talking
publicly and providing the public with more information about the work we do, because, as I’ve said, we understand that
this is an important part of the controls on, and transparency of, our work.
Thank you very much for your time. I am happy to take a few questions.