New Zealand is in urgent need of information sharing hubs to combat cyber threats, according to the Institute of Directors, who is calling on the Government to take action.
The company says New Zealand businesses are in serious danger of becoming the cyber dinosaur of the developed world if the private sector doesn’t start sharing information on cybercrime.
“Cybercrime losses are in the millions, and information sharing on attacks is a way to combat these threats,” says Simon Arcus, Institute of Directors chief executive.
“Cyber sharing hubs are a feature of the international scene and play an invaluable role in the collective response to threats,” he explains. “Many companies have no forum to share data and there is often a reluctance to discuss attacks. This puts commercial data at risk, where a combined response to threats will be a major advantage and drive down costs.”
Last week Norton Cybersecurity released a report attributing New Zealand’s lose to cybercrime at more than $256.8 million. On average 22 hours were lost and $300 spent per person dealing with its impacts.
Arcus says the IoD believes cybersecurity threats must be shared within the private sector and between the private sector and government.
“Rapid information sharing is an essential element of cybersecurity because a collective response is more effective than companies trying to deal with cyber-risks alone,” he says.
“Pace is everything, we have an evolving cyber-threat to tackle. It is adaptable. Our cyber adversaries move with speed and stealth. We need to keep pace,” Arcus explains.
“The very confidentiality that a business relies on to operate is working against it when facing a sophisticated and relentless enemy,” he says. “It is a huge advantage to hackers that businesses are unwilling or unable to share data. Hubs make collaboration safer, faster, and easier to respond.”
The IoD says the government must lead and urgently expedite plans for better information sharing because it is the only entity that can facilitate information sharing groups in a cross-industry and liability appropriate environment.
“We need businesses to have safe places to share,” says Arcus. “We must link the good initiatives we have seen from the government in lockstep with the private sector needs. We need to see a breathless pace of action from government with a fresh, energised framework for engagement in place.”
Arcus says that government must lead in the establishment of a sharing hub but tread a fine line between involvement and ownership of the space.
“I don’t think government should own or run these groups, but they should be kept informed and act as a key player and facilitator,” he clarifies.
According to the IoD, political leadership is a key feature of this in countries such as the USA and UK. In the USA the number of Information Sharing and Analysis Organisations (ISAOs) has grown. President Obama issued an Executive Order in February to encourage more information sharing on cybersecurity threats with the government and each other, the company says.
In the UK the Cyber-security Information Sharing Partnership (CiSP) is a joint industry/government initiative to share cyber threat and vulnerability information. Its members exchange cyber-threat information in real time, in a secure and dynamic environment but, critically, protections exist for doing so, IoD explains.
“Cyber hackers respect no national boundaries. It is old fashioned to think that geographical distance equates to protection from threat for our islands,” says Arcus. “We need to take the steps any country with a modern developed cyber-infrastructure might do.
“If we do not facilitate private sector sharing we face the dire outcome that the hackers start to win,” he continues. “If you don’t report a house break-in to the police they can’t solve who did it. In New Zealand’s case we aren’t even telling each other there are burglars in the neighbourhood. That ignorance will play into our enemy’s hands.”