SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
The dark web in Aotearoa: Is it as bad as we think?
Wed, 27th Apr 2022
FYI, this story is more than a year old

Encountering the term 'dark web' might bring thoughts of criminal activity and harmful behaviour to mind, but what exactly is it, and is it all bad?

According to the National Cyber Security Centre's (NCSC's) Cyber Threat Report 2020/21, access to dark web forums is currently one of three significant foundational elements of the criminal ransomware industry, along with cryptocurrency exchanges and anonymous virtual private servers (VPS).

Although the report doesn't break down the data by category, it does show ransomware attacks as a whole have increased, and ransomware actors have continued to strengthen their operations and strategies for maximum financial gain.

Incidents affecting nationally significant organisations increased by 15%, and of the 404 in total, the report notes 110 were considered to be motivated by criminal or financial intent.

The NCSC's report also notes that through its cyber defence capabilities, the organisation, on average, identifies 13 cyber breaches affecting at least one nationally significant organisation a month and receives 21 new incident reports or requests for assistance not pertaining to these capabilities.

A branch of the GCSB, a spokesperson for the NCSC says the intention of using the dark web is purely for anonymity, and as a result, it can be used for a broad variety of reasons.

"For example in the NCSC context, we know that malicious cyber actors use the dark web to obtain information, tools and resources," the spokesperson says.

While the GCSB is unable to comment on specific areas of operational focus for safety reasons, the NCSC spokesperson does say that the dark web is included in its scope, "only to the extent that it is required for the NCSC to fulfil its mission."

"The NCSC helps New Zealand's most significant public and private sector organisations protect their information systems from advanced cyber-borne threats.

"Our focus is on detecting and disrupting cyber threats that are typically beyond the capability of commercially available products and services.

Additionally, the spokesperson acknowledges the Intelligence and Security Act 2017, noting that this legislation mandates the organisation to do "everything that is necessary or desirable to protect the security and integrity of communications and information infrastructures of importance to the Government of New Zealand, including identifying and responding to threats or potential threats to those communications and information infrastructures."

However, according to InternetNZ chief security officer Sam Sargeant, use of the dark web doesn't always have to come with malicious intent.

InternetNZ is a non-profit organisation focused on ensuring the well being of all New Zealanders online through its provision of infrastructure, security and support services.

Clarifying the distinction between internet terminology, Sargeant says there are some confusing terms involved.

"The 'deep web' talks about websites which are not listed in search engines. This might be your work email and intranet, Internet banking, or some social media services like messaging. Lots of websites aren't immediately available via a search engine.

"The 'dark web' is online information that people deliberately hide using tools that aim to keep users private and anonymous. That can sound sinister, but in some ways, the 'dark web' is more popular than you might think.

"Businesses often use a Virtual Private Network (VPN) to protect their information from prying eyes. If you squint hard enough, you could see all those VPNs as being 'dark web' tools.

"My point is that the 'dark web' is not hiding in the bushes ready to jump out. It's information that is hidden using tools, like many of us use daily, to achieve a security or privacy outcome.

"Of course, when people have tools like the 'dark web' that allow them to hide their identity or activity, some will use it for criminal or objectionable activity," Sargeant says.

But while criminal uses can often involve money laundering or the exchange of illicit information, Sargeant says that ultimately, the dark web is simply a technology tool; where the harm really comes from is in how it's being used.

"A spanner can be used to harm others, but no one is asking what infrastructure the country needs to protect the public from spanners."

Noting that use of the dark web usually occurs after a crime is committed, Sargeant believes the key is to focus on preventing that crime from taking place at all.

"When we're feeling anxious we can get tied up in knots about specific threats online that read like the plot of a movie. But instead of worrying about very specific threats, we can often take simple steps that make us safer in general. You don't worry about the type of burglar who comes to your house, you just lock the door."

He adds that security is a collaborative effort and requires a range of organisations to be on board to ensure complete security, including the NCSC for critical infrastructure and CERT NZ for the wider public.

"Another part of the response is our international arrangements. Threats from the internet are global, and in many cases, an effective response needs to be a global response.

"One way to prevent the crimes from occurring is to strengthen international cooperation with law enforcement. New Zealand has recently signed on to the Budapest Convention, which is an international treaty whose member states help each other to investigate and prosecute online criminal activity across borders."

InternetNZ operates in areas such as policy work around local internet issues, the provision of community grants to support projects related to the internet, carrying out research to shed light on the current state of New Zealand's internet, as well as hosting events to offer Aotearoa's internet community an opportunity to come together.

As part of its policy work, the organisation recently made a submission to the Government's draft 'Digital Strategy.'

Noting the summary of feedback released in mid-April, Sargeant says, "a clear theme in the area of Mahi Tika (trust) was a need for more focus on helping New Zealanders feel safe online, including work on privacy, cybersecurity, and building trust in institutions and technologies.

"We agree that a strong focus on building trust is a vital foundation for the new Digital Strategy."