INDEPENDENT NEWS

Patrick Gower interviews GCSB acting director Una Jagose

By: The Nation
Published: Mon 5 Oct 2015 10:32 AM
On The Nation:
Patrick Gower interviews GCSB acting director Una Jagose
Jagose says GCSB doesn’t focus on who is responsible for cyber attacks on NZ companies & government departments but on protecting networks and systems instead.
“It is apparently a very technical and difficult thing to work out where did that come from, who’s doing it and why are they doing it. We spend our energy on defence.”
Says companies using Cortex cyber-security defence system would notify people that their communications could be screened
Gower: Yeah, but I would be told, would I, by the company that they’ve now put Cortex on?
Jagose: You’ll be told that your communications will be screened or may be screened for cyber-defence purposes.
Gower: Right. How do you get told that?
Jagose: In terms and conditions of use, for example.
Says that in their cyber defence work, GCSB analysts only look at private internet traffic in 0.005% of cases.
Lisa Owen: Welcome back. Over the past few years the GCSB has been at the centre of a series of spy scandals. Now the new acting director, Una Jagose, says she's on a campaign to bring more transparency to the organisation. While talk that we spy on our Pacific neighbours and are part of America's "full-take collection" network is still largely off-limits, Jagose this week gave a speech about Project Cortex, designed to detect and stop cyber-attacks. In the past six months New Zealand has been hit by more cyber-attacks than the whole of 2014. Political editor Patrick Gower sat down with her and asked just who is under attack.
Una Jagose: We focus our attention on New Zealand companies that are holders of information, assets of importance to New Zealand, so nationally important infrastructure companies and some key government departments. So, yes, we’re definitely seeing attacks there.
Patrick Gower: So what you’re talking about – banks, telecom companies, those kinds of things?
Well, those parts of the infrastructure, the nationally important, those sorts of things. We actually don’t talk about who they are or specifically what types of organisations they are, because revealing that also reveals to an adversary where we might have our best and richest sources of data that they might be interested.
Yeah, and when you talk about an adversary, who is trying to get this information? Is it individual criminal organisations, or is it countries? What use is that information to someone?
Well, information is valuable. It can be used and added to other data sets and sold, or it can be manipulated or destroyed in order to have an impact on a company or on a network. At best it’s criminals. It’s often foreign-sourced sophisticated malware that we’re seeing. We don’t spend too much of our time trying to track down who did that, because, in fact, we want to use our time and our technology protecting networks and systems.
Yeah, and would some of it be what would be called industrial espionage, I guess, getting these secrets of Kiwi businesses?
Yes, it could be industrial espionage. It could be IP theft. It could be just having an in to important sovereign communications or discussions by government agencies, policies, positions governments might take, positions companies might take. If you can imagine yourself being able to get into someone’s computer, imagine what you could reveal to yourself about what they were planning.
Sure, and, I guess, in terms of adversaries, one thing that is said is that a lot of these attacks come from China and, indeed, from the Chinese military or the Chinese government. Is that what you’re finding?
Well, again, I say we don’t spend our energy looking at— attribution is really difficult. It is apparently a very technical and difficult thing to work out where did that come from, who’s doing it and why are they doing it? We spend our energy on defence.
In terms of getting to the broader issues of the GCSB, mass surveillance versus mass collection is something that people have often talked about. What’s your take on it? Is it just playing with words to say mass surveillance and mass collection are different?
Well, mass surveillance – we don’t use that term, because nobody has the same view about what it means. It gives an image of collection without purpose, collection without control, collection just for the hell of it, and we certainly don’t do that. So it’s not a concept that we use.
Can you guarantee, though, that in this sweeping up of information or whatever that Kiwis have not been accidentally spied on or snooped on unwillingly?
Well, using words like ‘spy’ and ‘snoop’ are other words that we don’t use either. But the process for collection of information— for cyber-defence purposes, are you talking?
Yes.
That is used for cyber-defence purposes, so it is used to defend networks.
So, say, for instance, my personal information could somehow get taken up and used for cyber defence purposes?
Let’s say that you are in communication with a company that has deployed a Cortex service that is protecting its network. The way it does that is by identifying fingerprints or signatures of malware in the internet traffic, and so your internet traffic, if it is infected by malware, will have the fingerprint associated with it, and we will be able to, usually by a mechanised means, either identify that and tell the company or block it.
And at that point, my personal information that is in that email or what have you, can the GCSB see that? What does it do with it? How is my privacy protected at that point?
In the first instance, most steps are taken in a mechanised way so the system itself can identify the malware, identify the fingerprint and either block or defend— block or identify. Our assessment or our experience tells us that in about 0.005% of instances of data does the machinery throw up a question that can’t be answered by the system itself, and so an analyst will have to look at it in order to see what is this malware, is it new, is it something we haven’t identified yet? So in a very limited 0.005%, our experience to date tells us of data an analyst might have to look at a particular piece of internet traffic.
What does the analyst do if there’s a personal email there?
Well, the analyst is looking at it not for its content but for what the email and the traffic tells us about the fingerprint or the adverse attack that is occurring. So that’s what they do with it.
But the analyst can see the content if they want to?
Yes.
And they ignore it, effectively? Is that the protection of privacy there?
Well, there are many controls that are in place to make sure that what is done with that information is what is entitled to be done or allowed to be done, which is about cyber defence in our example. The particular analyst that needs to look at it needs to record why they are doing something with it and what is happening with it, how it is being stored and what they found out when they looked at it. And all of that is auditable and reviewable by our systems, by the Inspector General. I’ve got great confidence in my people that they use that information for the purpose for which we’ve got it, which is to build up a good picture of cyber defence.
Is a warrant needed in the first place?
Yeah, there are two things, sort of a double-gated approach to the Cortex capabilities. First of all, there is a warrant, and it goes through the same process as set out in the legislation, by the Minister and the Commissioner of Security Warrants proving the capability. And the second gate is that the company that receives the service consents to that, and there are a number of preconditions that that company must meet, such as undertaking basic cyber-hygiene but, importantly, to your point, advising people that come into contact with that network, that their communications may be screened for cyber defence purposes.
Is there still a sort of way there that I’m sending an email and it’s seen by someone at the GCSB without my knowledge?
Well, you will know in advance that your communications will be screened for cyber-defence purposes if this is a Cortex product we’re talking about, so you’ll already know that in your engagement with whatever the company or agency is. And the reason that the analyst has to look at that communication is because it has an advanced form of malware attached to it.
Right.
They’re not interested in your personal communication, I can assure you.
Yeah, but I would be told, would I, by the company that they’ve now put Cortex on?
You’ll be told that your communications will be screened or may be screened for cyber-defence purposes.
Right. How do you get told that?
In terms and conditions of use, for example.
Transcript provided by Able. www.able.co.nz
________________________________________
The Nation on TV3, 9.30am Saturdays and 10am Sundays. Proudly brought to you by New Zealand on Air’s Platinum Fund.

Next in New Zealand politics

Maori Authority Warns Government On Fast Track Legislation
By: National Maori Authority
The Chair of the National Maori Authority, Matthew Tukaki, has warned a Parliamentary Select Committee that fast-tracking legislation is a perilous practice that undermines the core tenets of democracy, transparency, and accountability.
Comprehensive Partnership The Goal For NZ And The Philippines
By: New Zealand Government
A key outcome of the meeting was the agreement that New Zealand and the Philippines will upgrade their relationship to a Comprehensive Partnership by 2026.
Canterbury Spotted Skink In Serious Trouble
By: Department of Conservation
This discovery means the Canterbury spotted skink’s overall population is considerably smaller than our previous estimates.
Oranga Tamariki Cuts Commit Tamariki To State Abuse
By: Te Pati Maori
Te Pāti Māori is disgusted at the confirmation that hundreds are set to lose their jobs at Oranga Tamariki, and the disestablishment of the Treaty Response Unit. “This act of absolute carelessness and out of touch decision making is committing tamariki ...
Inflation Data Shows Need For A Plan On Climate And Population
By: New Zealand Council of Trade Unions
Data today shows headline CPI inflation at 4%, continuing the fall begun in March 2023. Rises are concentrated in particular sectors – especially services. This data also shows that that the minimum wage increase will be half the rate of inflation ...
Annual Inflation At 4.0 Percent
By: Statistics New Zealand
New Zealand's consumers price index increased 4.0 percent in the 12 months to the March 2024 quarter, according to figures released by Stats NZ today. The 4.0 percent increase follows a 4.7 percent increase in the 12 months to the December 2023 quarter. ...
View as: DESKTOP | MOBILE
Scoop Contact About Services Newsagent Login
Connect Submit News Social Media Scoop Network
Ethical Paywall Accredited Orgs. Licensing Terms of Use
© Scoop Media