The reform push in Aotearoa four years later comes after two cyber attacks that stole sensitive patient data from MediMap and Manage My Health.
It is accompanied by a new cyber security strategy and an action plan.
The strategy replaces one done in 2019 that predated generative AI and ChatGPT.
The action plan makes protecting “critical infrastructure” the first priority, kick-starting a consultation last week that began with the most basic question: what critical infrastructure to protect? It starts off mentioning “everything from the electricity grid and telecommunications networks to health services and financial systems”, which is quite wide.
“In today’s hyper-connected world, the cyber threats to critical infrastructure have never been more acute or complex,” said the Prime Minister’s Department in its online promotional material.
New Zealand’s Five Eyes partners, the US, Canada, Australia and the UK, answered that question years ago and have pressed on.
In the US, which has defined 16 types, the 2021 Colonial Pipeline ransomware attack caused major fuel shortages, spurring a regulatory crackdown where guidelines had once sufficed.
In Australia, which has defined 11 sectors (communications, data storage or processing, defence industry, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage), the compliance costs and penalty regime have triggered debate – and an industry around complying. Systems of national significance are now declared at ministerial level.
Extra protections include requiring entities to have personnel security plans and to conduct AusCheck background checks on onshore critical staff at least every five years.
Australia’s spy chief in December said foreign hackers were targeting the country’s critical infrastructure.
Clark told the committee in Wellington on Wednesday that a tool that counts cyber threats to the country recently “clicked over one billion”.
Supply chains, including digital ones from private companies into public agencies, were increasingly a weak point, and so they had to make sure the private ones were hardened up like the public ones, the spy agencies told MPs.
Reports increasingly show that AI “agents” (not humans) are supercharging attacks by industrialising their scale and polishing their sophistication.
Media reports last week had highlighted the slow pace of producing a new cyber security strategy right up to the day the new one was released. Strategies are normally renewed every four years.
The new strategy has four “pillars”: Understand, Prevent and Prepare, Respond, and Partner.
Law firm Russell McVeagh judged it would have “significant governance implications for organisations” because it put clear expectations on firms to shape up.
Clark told MPs that small firms might not be part of critical infrastructure but could still hold a lot of sensitive personal information that needs protecting.
“A missing piece” was the right incentive for organisations that held such data to secure it at the right levels, he said.
Russell McVeagh talked about regulation on the horizon to “better incentivise the protection of personal information”.
At the critical infrastructure level, the debate to come over what to include was unlikely to be straightforward if the parallel process around what to designate as “essential infrastructure providers” under the Emergency Management Bill was anything to go by. At a recent select committee, submitters questioned why the bill had omitted the national weather radar, GNS, early warning and monitoring systems for floods and other disasters, and flood protection services from the list of essentials.
The consultation’s second question was, “What should the depth of the cyber defences of these infrastructure services be?”
It had to settle on a “minimum level of cyber risk management” to be met by all designated entities, including those that impacted national security.
“Consultation with these key organisations is now underway about potential cybersecurity regulation,” said Clark, adding that consultation was also under way with critical infrastructure providers and with South Pacific partners, which represent a backdoor attack channel.
A sovereign data centre for secrets and critical data was opened in Auckland last June.