NZ’s Cyber Resilience Framework to be evolving and potentially automated
Cybersecurity was a top concern for the government in this year's budget, with tens of millions of dollars earmarked for agencies and sectors to boost their defences against cyberattacks.
These include the Ministry of Education ($27 million), the Ministry of Justice ($12 million), the Department of Corrections ($59 million), the New Zealand police ($24 million) and the Serious Fraud Office ($1 million).
Budget 2022 gave CERT NZ some of the biggest increases in funding since its conception. The government pumped $30 million into the agency to provide cyber resilience support for the private sector and individuals. That's a significant jump on even its start-up costs in 2016, when the government announced an investment of $22.2 million to set up a new cybersecurity response team.
And part of the funding from this year's budget is going into what the agency says will be a first-of-its-kind Cyber Resilience Framework.
What is a Cyber Resilience Framework?
CERT NZ's manager of insights and reporting, Nicte Lopez, says the framework is about setting a baseline of information that could lead to insights on how Aotearoa is doing in cyberspace.
That includes whether New Zealand can withstand attacks, whether we're learning and evolving to be more prepared, and like the title says, whether we are resilient against the emerging threats that come in.
"It's a framework or an index that we're looking to develop that can be used by private, public and individuals. It's not a cybersecurity framework where you have a tick box, and you go, Oh, I need to do these steps to be a bit more," says Lopez.
"It's thinking about New Zealand as a whole system, which involves its communities, its individuals, and organizations, small, medium, large."
CERT NZ has been developing this framework for about a year, and in its initial research, it hasn't found anything similar in the international landscape. Only indexes or systems based on public information are currently available and there isn't anything that is as comprehensive as what the government agency wants to develop. Lopez says many of the things that exist out there are also quite technical. They don't necessarily think about the social impact a cyber attack can have on an individual and a community.
"That's something that we are very keen to be able to quantify, to understand. Are we providing our effort in the right area, or do we need to maybe focus a little bit more somewhere?" she says.
Examples of international frameworks include the Global Cybersecurity Index, which measures the commitment of countries to cybersecurity at a global level to raise awareness of the importance and different dimensions of the issue. There's also the National Cyber Security Index in Estonia, which measures the preparedness of countries to prevent cyber threats and manage cyber incidents.
"Again, those are very technical focused, and they're very focused on governance that exists. We're looking for something a bit broader that gives us that human element to what cybersecurity really is," says Lopez.
The work that's been done and what's next
Lopez says CERT NZ is currently moving from its discovery phase, understanding what the world is doing, into its scoping phase.
"We've reached out to the world, and they're very interested. They want to see us succeed so they can have something that they can start using. There are already conversations internationally around being able to do a little bit more analysis on how countries are doing," she says.
That's hard to do with larger countries, but Lopez says New Zealand has an opportunity because of its scale and its ability to work together with the private sector. This work has been allocated $2.4 million over three years, and CERT NZ envisions being able to develop a proxy framework which will also look at what it would take to have a fully mature framework.
But getting to the end result isn't as easy as some might think.
"We have to think about information is scattered everywhere. You require people to analyze it and ask the questions. You also need to think about this as a living thing. You can't put budget to it and then walk away, you want to continuously invest in the knowledge that you've gained and iterate that knowledge," says Lopez.
What CERT NZ is considering is developing a skeleton, or a mock-up, of the domains it thinks it could look at and, for each domain, involving the private and public sectors and experts in academia. This makes it a progressive and iterative process.
"The questions that we have this year are not going to be the same questions we have three years down the line. So it's really about building a system that can learn by itself. What are the new questions that we need to be constantly asking to know are we being resilient against the threats from New Zealand in the cyberspace?" says Lopez.
At the end of the day, cyber threats are constantly evolving, so any resilience framework needs to do so too. That means the framework can't be a dead document. Lopez says while it's early days, automating information could play a role in keeping the work up to speed.
"There are limits of being able to work together with the agencies that have information to consolidate it. Obviously, automation would be a good way forward," she says.
"Those are probably the questions that we will be asking once we identify what it is that we want to achieve, and then how can we achieve this in the best way possible?"
For businesses and industries that see the framework as useful, Lopez is asking them to reach out to CERT NZ. She says the agency is currently in the phase of seeking to understand what the problem is and how it can put the framework or the index together. CERT NZ wants it to be usable for anybody, whether it be an individual or business, to understand if there's a particular weakness or strength in their industry.
"We're not gonna get perfect on day one. It is an iterative thing. We, you know, we need to work together to get this right, and we're one country, but I think we've got a really good attitude towards making this succeed," says Lopez.
"We want to create something that is sustainable, and that is not costing taxpayers money without the value that they're getting back."