Communications Minister Clare Curran wants to expand New Zealand's international cyber-security efforts and is considering publicly naming-and-shaming state-sponsored attacks as a deterrent in a review of the government's strategy.
The Department of Prime Minister and Cabinet's National Cyber Policy Office will lead the review of the 2015 strategy as a rising volume of increasingly sophisticated cyber threats have coincided with greater connectivity.
The strategy review will assess the nature of cyber-security risk, including the impact of new technologies and what constitutes international best practice.
"It's timely for us to step up New Zealand's cyber-security efforts so that we are not left vulnerable to cyber intrusion and to refresh the 2015 strategy so we can deal with increasingly bold, brazen and disruptive threats," Curran said.
"We must protect the information and network systems that are vital to our economic growth, ensure the integrity and security of our increasingly digitalised government services and make sure Kiwis can interact online without suffering harm."
The Government Communications Security Bureau's National Cyber Security Centre (NCSC) recorded a 17 per cent increase in cyber threats to 396 in the year ended June 30, 2017, and estimated its Cortex malware disruption defence saved the country almost $40 million from online attacks.
Of those attacks, 122 were linked to state-sponsored groups.
In a March 27 Cabinet committee paper, Curran recommended expanding New Zealand's international cyber efforts, which would probably need additional resources, saying the country needs to be heard in a global dialogue on acceptable state behaviour in cyberspace.
"We will need to consider the mechanisms available to us to dissuade or deter malicious cyber activities, particularly where it is state-sponsored or state condoned," Curran said.
"This includes the option of publicly attributing malicious cyber activity as a way of holding states to account."
If New Zealand attracts global recognition in managing cyber-security risk, it could "enhance New Zealand's reputation as a stable, innovative and safe environment in which to invest, find business partners, and do research and development".
Curran said the government needs a "hand-in-hand partnership with the private sector and non-government organisations" and was considering setting up advisory boards or a cyber- security council.
She also wanted to look at whether New Zealand Police could build closer ties with international cybercrime units, such as those in Europol and the US Federal Bureau of Investigation, and whether to accede to the Council of Europe Convention on Cybercrime, known as the Budapest Convention.
Curran intended to report back to the Cabinet External Relations and Security Committee - Prime Minister Jacinda Ardern, Deputy PM Winston Peters and ministers Grant Robertson, Andrew Little, and David Parker - by July 31 with a revised strategy, which she expected to see first in early July.
The review comes a week after Little, the minister responsible for the GCSB and Security Intelligence Service, told a security conference the government was currently considering how to best expand the Cortex services beyond the 66 nationally significant public and private sector organisations currently receiving them.
GCSB ran a pilot with Vodafone New Zealand rolling out the Cortex system, which uses top-of-the-line technology, to a small number of the internet service providers' commercial customers.
The intelligence agency's report on the trial to Cabinet showed the system could significantly dent malicious software incursions.
Curran's cabinet paper said the GCBS unit would submit recommendations on the future form of the Cortex malware disruption capability in March 2018.