Communications Minister David Clark: "Any increase to cyber security spending is subject to Budget decisions. Decisions on Budget 2021 are still being considered." Photo / Mark Mitchell
OPINION:
Cyber attacks are on the rise, but New Zealand's response remains relatively low-energy.
Here's how other countries are moving ahead, and NZ falling behind.
In the US, President Joe Biden launched an emergency task force to address the aggressive cyber attack on hundreds of thousands of Microsoft Exchange customers around the world - which is still under way.
After a wave of cyber-attacks against Australia last year, Prime Minister Scott Morrison said his company needed to put itself on a "war-footing" against hackers, and announced A$1.35 billion ($1.4b) in new spending to support efforts to defend the country's public and private networks.
Here, we saw Crown agency Cert (the Computer Emergency Response Team), created in 2016 with a $22m budget, got a $2.3m lift in its annual budget over each of the next four years in Budget 2019. A pitiful $8m (or $2m) a year was allocated in Budget 2019 to "help implement Cyber Security Strategy" but so far no initiatives have been announced from it.
Cert plays an education and alert role.
At the sharp end of things is a GCSB unit called the National Cyber Security Centre (NCSC), which runs the Cortex software that helps protect government agencies, plus the networks of companies deemed to be key exporters or otherwise essential to our economic security.
Funding for the NCSC is never broken out, but we do know that Budget 2020 saw the total allocation for Communications, Security and Intelligence drop to $122m from the prior year's $131m.
The US, Australia and other countries have been happy to announce new initiatives and new spending on the fly as the cyber-threat escalates.
And here, there's been no shortage of high-profile victims, from the NZX to the Reserve Bank to regular folk as CERT NZ has tracked a one-third increase in cyber attacks over the past year.
However, new Digital Economy and Communications Minister David Clark told the Herald earlier this week, "Any increase to cyber security spending is subject to Budget decisions. Decisions on Budget 2021 are still being considered."
Clark is already under fire from some in the ICT sector over an apparently unhurried approach to the next spectrum auction.
National, if you're wondering, did not mention cyber-security in its IT policy last election, letting a free-hit go begging.
Last year, a GCSB staffer complained to the Herald about a number of issues, from Cortex getting creaky to skilled staff being poached by the private sector. But perhaps the key issue was a stew of agencies being involved in cyber-security, and confusion over who should take the lead.
Martin Cocker, the head of Crown agency Netsafe - which deals with everything from cyber-bullying to hacking, scams and harmful content - has not been shy of making the same point.
"New Zealand doesn't have a clear strategy for fighting scams," Cocker told the Herald in February, as he commented on a case where a business's email system was hijacked by hackers, who then used it to send fake invoices from its real email accounts.
"We have a lot of agencies doing a lot of stuff; a lot of good stuff, but one of them needs to take a lead role."
It's a sharp contrast to Australia, where staff cybersecurity specialists from multiple agencies - including Australia Federal Police, the Aussie equivalents our GCSB and Cert, and even policy makers - are literally under one roof in the Australian Cyber Security Centre - as described by one of Australia's top cyber-cops, Brad Marden, during a recent transtasman Business Circle meeting.
"We've got to be a bit more dynamic, and partner more with business," Acting Assistant Commissioner Mike Johnson, Investigations, Serious and Organised Crime, New Zealand Police, told the same meeting, in the context of discussing the recent rash of attacks, including the NZX.
"We've really got to work hard on that. I'm envious of what Brad's talking about in terms of them all being in one building. We do that really well in a different way - but there's some improvement to be made," Johnson said.
"Often we're mitigating an attack in its own right - but we really need to get ahead of that to be proactive and get people to invest in protection.
"Yes, New Zealand's bottom of the world, we think we're quite safe. Actually, we're in a borderless society. So we've got to change our thinking."
Johnson said NZ Police were now "linking much more proactively" with international colleagues - such as the FBI on the NZX attack - but he added that, as a country, "we've really got to be more nimble".
Cert NZ acts as a kind of triage unit, advising people or small businesses who've been hit by hackers. It also runs alerts. It was a sensible move to set up the Crown agency in 2016, but since then it's led a largely low-profile existence.
It needs more resources for promoting the hacker threat, and what individuals and organisations can do about it, just as Netsafe has with harmful content.
Whenever I've spoken to people who've been hacked, such as this West Auckland couple who were stung for $21,000, they've inevitably never heard of CERT.
As things stand, there's been a culture of complacency, with recent reports finding even the likes of the Reserve Bank and the NZX have under invested in security.
Since 2013, Cabinet has directed government agencies to take a cloud-first approach to developing new IT services, while the distinctly cloud-hesitant GCSB still advises Crown organisations to assess the cloud on a case-by-case basis.
Similarly, a Government directive in place since 2018 that "agencies must consider how they can create opportunities for New Zealand businesses" has been reinforced during the outbreak - even as the Crown hands high-profile work, such as the new, unfinished vaccine register, to multinationals.
In 2018, there was an attempt to take things by the scruff of the neck.
Then Communications Minister Clare Curran sought to cut across the alphabet soup of digital titles and agencies in security and other IT areas by appointing a digital czar or chief technology officer with sweeping powers to shape strategy.
That effort fell on its face as appointee Derek Handley was handed a $107,500 payout as the Government had a last-minute rethink. After Curran was shuffled off stage left, it was ultimately decided that the CTO role should be replaced by a "Digital Council" of lowish-profile IT industry figures who were appointed in February 2020 without fanfare. It's put out some reports summarising the work of other agencies, and encouraged the Government to do better in areas such as closing the digital divide - where we saw a brief burst of energy during the first lockdown before it petered out as children returned to school. Government agencies, DHBs, schools, councils and other government agencies continue to take different approaches to security and other IT issues, depending on area, wealth and whim.
In its most recent publically-available annual report, for year to June 30, 2019, the GCSB says it recorded 339 "cyber-security incidents involving organisations of national significance" - actually slightly down from prior year's 347.
Of those, 131, or 38 per cent "had links to state-sponsored actors".
The GCSB says "disruption of malicious cyber activity, by Cortex capabilities, has prevented $27.7 million worth of harm to New Zealand's nationally significant organisations".
The previous year, Cortex (described by Prime Minister John Key as "Norton AntiVirus at a very high level") prevented $27.0 million worth of harm, the agency says, while over the past three years, the total is $94.7m. The methodology behind the numbers is not shared.
The GCSB says it "surveyed 250 nationally significant organisations to establish their cyber-security resilience and the potential impacts if they were compromised" in the year to June 2019. It doesn't say what the follow-up action was; certainly, it wasn't enough to spur the Reserve Bank (according to a June 2020 internal report) or the NZX (according to a January 2021 FMA report) into updating under-resourced systems. And that begs the question: how many attacks go undetected?
Stories about hackers being caught tend to be few and far between, whether big organisations or individuals are being targeted. There are obvious challenges for local law enforcement when attackers are based in Nigeria or Eastern Europe. But what about business email compromise - where a company's network is hacked and then fake invoices sent from real email addresses. That scam often involves a local accomplice, who sets up a local bank account (see the West Auckland couple story).
Cert has identified business email compromise as a rising threat over the past couple of years. I asked police for some prosecution stats over the past three years, but there was no "business email compromise" category, and even general hacking is blurred in with "illegal access" which could be me as a rogue employee misusing my company's network.
Still, the stats showed that for all NZ's various drawbacks in its war on cyber-crime, some people who mess with computers are being found out, and hauled into court.
The industry faces challenges but hopes to bring newcomers and veterans together.