The National Cyber Policy Office (NCPO) is testing the market appetite to deliver a 'Cyber Credentials Scheme' that would ensure New Zealand's small and medium-sized businesses - the vast majority of firms - are protected against cyber threats.
The office, which is part of the Department of the Prime Minister and Cabinet, used the Creative HQ Lightning Lab Accelerator process to design a prototype for "a web-based interactive online platform that delivers a cyber-security assessment, support and certification package for under $400", according to a notice on the government GETS tender website.
It seeks parties to develop the scheme into a successful business with initial goals of protecting 124,000 SMEs over three years and a long-term goal of increasing the cybersecurity capability of most small Kiwi businesses. The GETS notice cites Statistics NZ data that shows that almost 90 per cent of New Zealand's 515,049 enterprises employ five or fewer people.
NCPO director Paul Ash said the office had looked at overseas schemes including the UK's Cyber Essentials but concluded they were pitched at larger businesses and might not work for New Zealand's truly small SMEs.
He told the Defence, Industry & National Security Forum in Wellington this week that New Zealand's SMEs were "exceptionally hard to reach" in terms of equipping them with protection from cyber threats, despite being "bombarded by advice" from vendors of security software.
The forum, which was organised by the NZ Defence Industry Association, had as its theme: "Emerging Technologies & Cybersecurity Capabilities Supporting National Security Agencies". It heard from speakers including Tony Kryzewski, a cybersecurity compliance consultant who cited figures showing that worldwide, 1.9 billion records were extracted from organisations in the first half of 2017, and in September alone 174 million files were stolen.
This week the ZDNet website reported that a hacker stole restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft and the Joint Direct Attack Munition (JDAM) smart bomb kit from an Australian defence subcontractor. The breach was in July 2016 although the Australian Signals Directorate wasn't alerted until November last year. The data was restricted under the US International Traffic in Arms Regulations, the report said.
Ash said his office anticipates a workshop being held in the next month or so as a result of the GETS notice with organisations capable of delivering a scheme for SMEs.
"We're trying to offer that work to the market, to see what interest is there and what ideas that might generate," he told BusinessDesk.
It aims to give New Zealand's small businesses a credential they could show their customers and supply chain: "Here's my cyber credential. If you're coming to do business with me you can at least know we've been through a sensible process to improve our cyber security."
The scheme for SMEs is part of the National Cyber Security Strategy, which was released with an Action Plan in 2015.
Another leg of the strategy was the establishment last year of a Cyber Security Skills Taskforce, which is made up of executives from the IT and banking industries along with representatives of educational bodies.
A near-term target is the launch of a 'polytech' level course of less than a year that would train people to work in roles such as junior cyber-security analysts. Ash said the NZ Qualifications Authority is currently considering a proposal for a level 6 diploma and consulting with industry to ensure the right trainees were produced.
Work was also being done on options to repurpose mid-career workers for cyber roles. "There are lots of people with assurance and compliance skills, particularly in professions such as accounting, who could be retrained into cybersecurity," Ash said.
Another body of work was underway, involving the Ministry of Foreign Affairs and Trade and other agencies to ensure New Zealand businesses will be ready for the cyber regulatory environments currently emerging in major global markets such as the European Union, the US and China, he said.
"We're just at the front edge of that now," Ash said. "We need to be able to demonstrate we can meet or beat other countries' cybersecurity frameworks."
That requires upskilling - bringing digital expertise to bear on existing diplomatic and trade policy expertise - and international cooperation, he told the Forum this week.
Challenges include a lack of consensus on the rules of operation in cyberspace (the United Nations and a range of other organisations have work underway) and rapidly evolving technology including "a massively expanded attack surface" with the emergence of the Internet of Things, a wider range of threat actors, and artificial intelligence.