The latest annual report from the GCSB-run National Cyber Security Centre confirms the obvious - online attacks are growing in number and sophistication.
Less apparent is how the tide can be turned, but the agency did today outline plans for broader collaboration with the private sector.
In its Cyber Threat Report 2020/21, released this morning, the NCSC says its advice or intervention prevented an estimated $119m in harm to the 200 or so organisations of national significance under its protection - a rise on last year's estimate of $70.5m.
The Government's Computer Emergency Response Team (Cert NZ) has tracked a series of increases in cyber attacks, too, with director Rob Pope telling the Herald its numbers were only the "tip of the iceberg" because many were too embarrassed to report losses (his agency promises confidentiality for those who do).
But the NCSC only works at the big end of town, leaving attacks on small businesses and individuals to Cert NZ, NetSafe and, at the sharp end of things, the police, as it tends to its 200 organisations of national significance - and its report draws its numbers from its direct experience with those large companies and government agencies.
The NCSC tracked 404 cyber attacks affecting those it protects in the year to June 2021 - up from 352 in the year to June 2020. All told, it said it disrupted 2000 attempted attacks.
It was a year that saw the NCSC given three extra assignments on top of its regular workload: protecting online security around the general election, the Government's Covid response, and virtual Apec meetings hosted by NZ.
The agency won't say if any of those events were targets, but it will say that of the 404 attacks, 113 were pinned on politically-motivated state-sponsored actors, while 110 were blamed on financially-motivated criminals. NCSC director Lisa Fong says the largest and fastest-growing category was "undetermined".
In part, that's because the growing sophistication of online attacks has made it harder to be definitive about their source, Fong says, and because the lines between state-sponsored and criminal gang activity are becoming blurred with what she calls "a trend toward safe harbours". During the year, the GCSB joined other national agencies in criticising Russia and China for not doing enough to clamp down on cybercriminals alleged to be working within their borders.
That contributes to another major issue: the trail going cold. For example, the NCSC would only name an organisation thought responsible for 10 of the 110 attacks classified as criminal.
The rise of Covid misinformation
Traditionally, the types of cyberattacks traced by the GCSB have been about stealing trade or state secrets or extorting money or stealing intellectual property from the likes of key exporters.
The NCSC's latest report notes the rise of a less tangible threat: misinformation. Russia has been accused of spreading misinformation on Facebook and other platforms in a bid to disrupt and manipulate the last two US elections.
In the year to June, a new misinformation target appeared: the coronavirus.
"Over the 2020/21 year, the increase in Covid-19-themed disinformation and medical misinformation had a significant impact in the context of cyber security, where misinformation is used as a social engineering tactic," the report says.
"Public fear, interest, and desire for information about Covid-19 were exploited through pandemic-themed phishing lures and malware.
"In one instance, Avast – a security company and anti-virus provider – identified fake organisations using the World Health Organisation's logo and claiming to sell cures for Covid-19.
"The false information about a cure was spread as part of the actors' attempts to manipulate users into downloading malware."
The report says, "The NCSC assesses the use of disinformation will likely continue to escalate."
But although it has tracked a big rise, and expects more, the agency sees itself mainly as an observer and chronicler of the phenomenon. It says social media platforms have the biggest role to play in ensuring the integrity of online information.
"Circulating disinformation is a tactic sometimes used by state-sponsored actors to create confusion or erode social cohesion," it says.
"While the NCSC is responsive to reporting from its security partners and the public regarding disinformation campaigns, the NCSC's role in responding is very limited."
More collaboration with the private sector
When it comes to the likes of ransomware and DDoS attacks, the NCSC does want to be on the front foot.
But how can it counter these rising threats?
Fong says a new threat-warning feed will be launched later this month, an expansion of the existing Malware-Free Networks programme.
It will involve information about potential cyberattacks being sent from the NCSC to private sector partners such as ISPs and managed-service providers in near real-time.
Large companies like Fonterra with in-house security teams could get the feed directly. (The NCSC works with around 200 "organisations of national significance" such as key exporters and government agencies, but does not generally name them unless it's helping out in the middle of an attack - such as the recent incidents involving the NZX and Reserve Bank.)
"As part of our response, we are working to collaborate with the private sector to make sure that we're lifting resilience across New Zealand," Fong says.
"We're taking what we learned through our direct protection and disruption capability and scaling up through the private sector. And we're working with our Malware-Free Networks partners, to enable them to detect and disrupt advanced cyber threat actors who might be operating on the customer's system."
While budget and personnel increases have been modest compared to across the Tasman, Fong is not a policymaker, and can only play the hand she's dealt.
How good a hand is it? The GCSB does not reveal funding or headcount numbers for the NCSC, but Fong says her division has been adding staff. (The GCSB separately told the Herald: "Staffing within the GCSB, which includes the National Cyber Security Centre, has increased from 353 FTEs [full-time equivalents] in 2016 to 488 in 2020. This increase in staff reflects Government budget decisions, including investment in the NCSC's cyber security capabilities.")
The NCSC must recruit in a tight IT labour market, where cyber-security skills are particularly in demand.
"We've found it a challenge for some time, and the current situation probably makes it slightly more acute," Fong says.
Last year, an ex-GCSB staffer told the Herald that NCSC staff being poached by larger private sector companies, including banks, had emerged as an issue.
Fong says the NCSC has been able to find the staff it needs and, more broadly, that staff leaving for senior private sector roles should not be seen in entirely negative terms.
Again, she returns to the theme of increasing collaboration with the private sector.
"We've come to acknowledge our role, I suppose, in developing those new leaders and the new capabilities for the rest of industry," she says.
"So while it's a double-edged sword, it's actually good to see our people be able to have impact in the wider public and private sector when they need a [security] leader."
Going by the Vacancies section of its website, the GCSB is not currently trying to recruit any cyber-security staff (although there are openings for a "psychometrician", a "Covid incident response co-ordinator" and a "physical security adviser").
Fong says the NCSC has also been extending its reach by working with regulators, such as the Financial Markets Authority - the market watchdog that raked the NZX over the coals after its extended 2020 outage caused by a DDoS (distributed denial-of-service) attack. While the FMA does not feature spooks who can crawl through code to track or block online criminals, it can school the likes of the NZX if systems, resourcing and staff allocations are deficient.