The Government is pushing ahead with a plan to fold Cert NZ - the agency that helps the public and small businesses with cyberattacks - into the GCSB.
The move overrides opposition from security industry professionals who called for a “pause” on what they said was a rushed, ill-considered plan.
Cert NZ staff, funding and responsibilities will be moved under the GCSB’s National Cyber Security Centre (NCSC) from August 31, GCSB Minister Andrew Little said this morning in a speech to the Data, Digital and Security Summit in Wellington.
The two agencies will initially continue to operate as they do today but will “develop an improved operation model to take effect in 2024.”
Cert NZ - for now under MBIE - has 35 staff, and is headed by Rob Pope, the ex-cop best known to most Kiwis for his role as the detective inspector who led the investigation into the murders of Ben Smart and Olivia Hope.
Asked about Cert NZ staff numbers post-merger, a member of Little’s office said the operational plan was still being developed “but this is not a cost-cutting exercise.”
‘Single front door’
“The current system is fragmented, creating a ‘merry-go-round experience for business victims’ of cybercrime,” Little earlier told the Herald.
He wanted “a single front door for cyber security reporting, triage and response”, as recommended by the Cyber Security Advisory Committee (CSAC) first assembled in December 2021, whose members included Z Energy chief digital officer Mandy Simpson, Kiwibank tech boss Hamish Rumbold and Consumer NZ CEO Jon Duffy.
Today, Little released the committee’s report for the first time. It included a customer survey heatmap, based on a survey of cybersecurity victims who had interacted with what the committee also called a “merry-go-round” of nine government agencies.
Cert only managed one “green” rating, for its initial response. “Cert was very responsive but not seen as that useful, practical or proactive. Feedback suggests a mismatch between the generic services offered and the more specific resources desired,” the committee said.
Yet the NCSC fared little better, and in fact got worse scores in some categories, and drew similar criticism from the committee.
“NZ Police were seen as fairly clear on their mandate, but not that useful, proactive or interested. Of the four core agencies they rated lowest overall in terms of customer orientation. Victims’ comments suggest case management and follow-up were not ideal,” the committee said. Multiple victims of cybercrime have told the Herald police seem too overwhelmed to deal with cyber incidents.
The committee saw a “single front door” agency taking all details, and wrapping them up in a package that was easily digestible for police and other agencies, and offering more practical, hand-holding assistance for victims of cybercrime, saving them time, money and frustration.
Other recommendations ignored, for now
More, while Little has seized on the recommendation to move Cert NZ under the NCSC, his speech did not address the advisory committee’s other key recommendations, which included
- “Substantial new funding” for the NCSC (NZ has lagged Australia in cybersecurity funding,
- Mandatory reporting of ransomware payments
- An RBNZ-led review of cyber insurance, (which has become increasingly expensive and difficult to obtain as attacks have escalated)
- Direct intervention to strengthen capacity and capability within the cyber security labour market through migration, training and working with education providers; and
- Strengthened oversight regime for ISPs (internet service providers) and MSPs (managed service providers). Managed service providers- which host data and online services for multiple organisations - have become a popular target for hackers because a single breach of MSP defences provides access to many victims. In May, a cyberattack struck Wellington provider Lantech, whose clients included Fenz, MasterBuilders and Mahony Horner Lawyers.
- A SFD (”single front door”) agency headed by someone with “proven private sector experience in delighting customers and user-centricity”.
Asked if ex-Police officer Pope would still be in charge of Cert NZ within the NSCS - Little’s singe front door solution - a member of his staff said “That is an operational issue for [NCSC director] Lisa Fong.
Fong has been asked for comment.
In an open letter posted to LinkedIn in June, cybersecurity advisor and former Cert NZ board member Kendra Ross said: “While the objective of strengthening New Zealand’s cybersecurity capabilities is commendable, we believe that this decision, combined with the lack of broad consultation and the rushed implementation, poses significant risks and could have far-reaching negative consequences.”
Ross said two security forums she belonged to - representing some 1600 people in the industry - only learned about the shakeup last month, and were then given less than a week to make submissions.
Her open letter called for a pause to consider whether Cert NZ - the Computer Emergency Response Team established in 2017 as a triage unit to point people and small businesses to the right law enforcement or technical hep after a cyberattack - would be a good fit with the NCSC, which helps “organisations of national significance” grapple with hackers.
“Placing an outward-facing non-intelligence organisation under the umbrella of an intelligence agency could create conflicts of interest and compromise the independence and transparency necessary for effective cybersecurity operations,” Ross said.
A key issue for Cert NZ is under-reporting. Some $5.8 million in direct financial losses from cybercrime were reported to the agency in the first three months of this year, a 66 per cent jump on the first quarter of 2022.
Even with that jump, Pope conceded that reported incidents were likely the tip of the iceberg, due to people’s sheepishness about admitting they had been duped, and firms worried about reputational damage.
Ross said some victims would be even warier about revealing an embarrassing breach to a spy agency, and even less likely to come forward.
‘More authoritative, more consistent”
“This will not make Cert NZ an intelligence agency. Its work will continue on the ‘low side’, as most of the NCSC’s work already does,” Little said this morning.
“However, in time, individuals and businesses should expect more authoritative, more consistent advice for preventing and responding to cyber harm.
“Additionally, there is scope for more comprehensive and meaningful reporting to the public about the cyber security threats New Zealand faces.”
Caught out by ‘crude’ attack
In his speech this morning, Little highlighted the DDoS (distributed denial of service) attack on the NZX, which caused an extended outage in April 2020 as hackers directed millions of bots to request access to its site - overwhelming it and rendering it inaccessible.
The Herald understands the incident - and the fact he had to order the GCSB’s NCSC unit in to help out - was a trigger point for Little’s push for reform.
“Our stock exchange, the NZX, was knocked offline for days after what was frankly a crude DDoS attack that should have been a temporary nuisance rather than an event could shake international confidence in one of the most critical parts of our capital-raising infrastructure,” Little said.
“That event tested the existing mandates of the public service and the limits of our current cyber security protections and incident response. A DDoS attack didn’t really meet the threshold for NCSC involvement. However, this particular attack’s effects went beyond the referral brokering mandate of Cert NZ. What we had was a system focussed on the public service and its networks, not the total national interest,” he added.
“And since then, there have been too many other significant cyber security incidents.”
Enough of a shakeup?
While some have questioned the Cert NZ-NCSC move, tech commentator Peter Griffin called it “tinkering”. Much bigger moves were required to create a coherent cyber security strategy.
And New Zealand’s Budget 2023 failed to match Australia’s Budget 2023 cybersecurity moves.
Australia’s budget included A$2 billion for new digital initiatives, with most tied to e-safety.
They included A$86.5m to establish a new National Anti-Scam Centre, which will include establishing Australia’s first SMS Sender ID Registry to help prevent scammers from imitating trusted brand names.
The Aussies also had A$46.5m earmarked to establish a co-ordinator for Cyber Security to handle multi-agency efforts in the event of a cyber incident, something New Zealand could do with given its stew of agencies attempting to grapple with the rise and rise of cybercrime.
And the office of Australia’s e-Safety Commissioner (its equivalent to NZ’s Netsafe) had its funding quadruple with a A$131m injection. Here, Netsafe has probably already had its lot for 2023 via a recently announced one-off $690,000 increase. Its total funding is around $4.5m.
Following Five Eyes
Although the NZX attack was a catalyst for moving Cert NZ under the GCSB’s cyber unit, other countries in the Five Eyes alliance (the United States, the United Kingdom, Canada, Australia and New Zealand) have already moved their equivalents of Cert NZ under a main domestic security agency.
Ciaran Martin - the former head of the UK’s National Cyber Security Centre (part of the GCHQ, Britain’s equivalent our GCSB) - is in Wellington today for a 4pm public lecture at Victoria University for the Centre for Strategic Studies.
Martin, who now chairs security firm CyberCX’s UK operation and lectures at Oxford University, told the Herald: “This is a decision for the New Zealand Government. However, it is something we in the United Kingdom and Australia have both done successfully.”
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer. He has written extensively about cybersecurity incidents and cybersecurity policy.