In the wake of last week's massive cyber-attack on government departments and private companies across the Tasman by an un-named "sophisticated state actor", Scott Morrison's government is planning a series of measures to tighten his country's virtual defences.
Businesses will be required to comply with minimum standards of cyber-security under a federal government plan to harden that nation's defences of vulnerable computer networks against foreign adversaries and cyber-criminals.
Firms will also need to ramp up their spending on cyber-security, including potentially contributing to the cost of the national agencies as part of an updated cyber-security strategy.
Additionally, Morrison said today he had recruited former US Secretary of Homeland Security Kirstjen Nielsen to prepare a new cyber-security strategy.
Here, a spokesman for GCSB Minister Andrew Little said private enterprise already received assistance from the security agency free of charge as part of the GCSB's remit to protect the country's economic security.
The question of following Australia's move toward minimum standards of cybersecurity for private firms was bounced to Communications Minister Kris Faafoi, who did not offer immediate comment.
The GCSB's National Cyber Security Centre (NCSC) "works with a range of customers" beyond Government agencies, including "key economic generators and niche exporters" to counter cyber threats.
Key economic generators like Fonterra, with its intellectual property secrets?
The spokesman for Little said it was not policy to name companies assisted by the agency.
What's clear, however, is that a hand is needed. Toll Group got hit in January, tightened its defences, then got hit again in May. Lion's systems were compromised despite a big-money move to SAP's Hana platform.
The rise of Covid - with attendant confusion amid staff cuts - has provided fertile ground for the kinds of phishing efforts that often precede a cyberattack. And it was also mooted this week that NZ is seen as a soft touch next to once-bitten US companies who have now raised their cyber defences.
Cortex for 'organisations of national significance'
Since 2013, the GCSB has used its "Cortex" suite of cyber defence systems to detect and disrupt attacks on "organisations of national significance".
Last week's cyberattacks on Australia did not succeed in disabling any infrastructure or in stealing any data, according to initial reports. And Little said the GCSB did not detect any threats out of the normal here.
But cyberattacks are costing our economy. Toll Group, Fisher & Paykel Appliances and Lion have all seen significant disruption to their businesses, with manufacturing and stock management systems down for weeks, following recent ransomware attacks - which a report by security company Emsisoft estimates have cost NZ at least $37.5m this year.
GCSB says it has prevented $100m in harm
In a report delivered in February, the GCSB said, "We have continued to improve and advance our Cortex cyber-defence capabilities, which we calculate have prevented almost $100m of harm to nationally significant organisations since June 2016."
It said $27.7m in harm was prevented by Cortex in 2019 as the GCSB assisted or advised some 800 organisations. The agency reported there were 339 cyber attacks on NZ "organisations of national significance" in 2019. Of those, 131 had "links to state-sponsored actors - the same proportion as the previous year," when there were 347 attacks.
Beyond Cortex, since 2016 the GCSB has been required to vet proposed telecommunications network upgrades under the Telecommunications (Interception Capability and Security) Act - the legislation that created the process that saw Huawei blocked from Spark's 5G mobile network upgrade on un-named national security grounds (later hinted at by GCSB director-general Andrew Hampton).
Little has pointed out that New Zealand businesses and individuals hit by a cyber-attack can also contact the Government's Computer Emergency Response Team or Cert NZ, created in 2016 with a $22.2m budget (which got a $2.2m per year boost in Budget 2019). Cert NZ, headed by director Rob Pope, acts as a point of first contact or triage centre, directing victims of cyber attacks to the relevant police or tech support contacts. It also offers alerts and advice.
And he pointed to Netsafe, which was created in 1998, but was considerably beefed up in 2015 after it was named as the lead agency for the Harmful Digital Communications Act. A lot of Netsafe's activities involve online abuse and bullying, but it also has a cybersecurity remit.
Budget 2018 set aside $8 million to be spent over four years on new cyber-security policy. The Government did not immediately answer a question on how that process was tracking or what new policy was in train as a result of the funding.
Some analysts put China in the frame for last week's cyberattacks on Australia. Morrison did not name any state.
New Zealand has not had the same adversarial relationship with China. But regardless of who was behind last week's attacks, NTT cyber-security head Matthew Lord told the Herald that Kiwis should not be complacent - particularly organisations that had operations on both sides of the Tasman.