New Zealand’s intelligence agency says a group backed by the Chinese state was responsible for a 2021 cyber attack that targeted government services. It has brought renewed scrutiny of cybersecurity in this country. Here, Giovanni Russello, a University of Auckland professor in Cybersecurity, talks about why we need an urgent upgrade.
Here we go again. Sometimes, I feel like a broken record. For the 100th time, I am asking: why does NZ’s cybersecurity remain an issue?
I am a professor in cybersecurity at the University of Auckland. I am also the head of the school of computer science at the university. Since arriving in NZ in 2012, I have worked and collaborated with universities, government, industry, and investor firms here and overseas to improve NZ’s cybersecurity.
Why is it still an issue? As you can imagine, the answer is nuanced and multifaceted, so I’ve broken it down.
Attitude
First and foremost, there is a prevailing attitude that because NZ is geographically isolated and distant, we are safe from cyberthreats. However, in the interconnected world we live in, everything and everyone is just a click away. This means that all our digital and connected infrastructure is accessible to anyone.
The 2021 cyberattack on the Waikato District Health Board is a glaring example that this attitude is unfounded and problematic. This attack had a huge impact on hundreds of patients, who could not access medical services for months.
A few weeks ago, MediaWorks disclosed that one of its databases was breached and the personal information of Kiwi users was published and sold online by the attacker. The rate at which these attacks will affect Kiwis is increasing, stressing the fact that our geographical borders do not protect us from cyberthreats. The lack of robust cybersecurity legislation further compounds this issue.
Many individuals and smaller organisations may not fully understand the importance of cybersecurity or the potential consequences of inadequate protection. We need to do more in awareness campaigns or educational initiatives targeting these groups to improve their understanding and practices.
It is crucial for large organisations to invest in building a strong internal cybersecurity culture to maintain vigilance and promote best practices among employees. This involves fostering a mindset of security awareness and responsibility at all levels of the organisation.
At the same time, we need to understand and support the human aspects of cybersecurity: it must be easy for people to use well, and people must expect good design and support, which is not the status quo with the commercial cybersecurity tools available today.
High costs and lack of investments
Maintaining a robust cybersecurity stance is expensive, to say the least. Organisations need to invest in top-tier tools and products, which come at a premium. Additionally, these tools are only as effective as the team of talented cybersecurity experts managing them, who are also in high demand and command premium salaries. Given that most businesses in NZ are SMEs, only a few can afford the best products and talent. This underscores the need for more co-ordination with NZ’s community of cybersecurity experts.
The recent news of malicious cyber activities sponsored by China affecting the Parliament network underscores that even within the government, there are vulnerabilities in its digital infrastructure due to inadequate cybersecurity investments and measures.

Importing talent
There is a tendency among organisations to rely on importing expertise from overseas rather than investing in developing local talent. This trend extends beyond cybersecurity and reflects a broader issue. However, foreign experts soon realise the shortcomings of the NZ landscape regarding vision and strategy for technology and talent investment. Demoralised, they often leave for Australia in pursuit of better opportunities. They will never be as invested or insightful about protecting the country as homegrown experts.
Developing cybersecurity talent is not solely the responsibility of the business sector. Computer science academic units in universities should be at the forefront in this effort. However, there’s a noticeable lack of emphasis in expanding cybersecurity programs. During the past 12 years, I have witnessed more cybersecurity academics leaving than being hired, resulting in a limited pool of expertise. Moreover, universities often lack the resources – like specialised computer labs isolated from the rest of the network where students can learn how hackers deploy their attacks – necessary to provide students with hands-on training, making them less prepared for industry demands.
Relying on overseas technology
NZ organisations rely heavily on off-the-shelf solutions from overseas players. While there’s nothing inherently wrong with this approach, NZ’s small economy means it holds little leverage with giant tech companies. Consequently, off-the-shelf solutions often fail to address specific needs, such as Māori data sovereignty. Cybersecurity is essential to protect NZ’s main export industries: their IP and their strategies. Exporters need to stay competitive internationally, and weak cybersecurity puts that at risk. Moreover, relying on overseas technologies puts NZ’s cybersecurity strategy at risk of being undermined by choices made by these companies based on financial or strategic considerations that may not align with NZ organisations’ goals.
If Sweden can do it, so can NZ
NZ needs to invest significantly in education, especially in STEM [science, technology, engineering and maths] disciplines. As proven by countries like Sweden, a highly educated population drives tech innovation and fosters self-reliance, reducing the need for external support.
The NZ political class must champion a vision of R&D investments to help local companies create long-term value. Often, NZ companies’ exit strategy involves selling to larger overseas entities, which does little to advance the country and primarily benefits a few individuals at the expense of taxpayers.
Finally, NZ has a fragmented approach to cybersecurity. There is a lack of co-ordination and collaboration among different sectors (government, private, academic) in addressing cybersecurity threats. Investing in a more unified and co-ordinated approach could enhance overall resilience against cyber attacks.