Aotearoa, New Zealand, is a young nation cutting its teeth on innovation and digital capabilities. Our tech sector is growing; our people use digital tools in business and at home to explore and invent. But, with every new technology-enabled path we forge, we must also defend ourselves from cyber threats and exploitation. New Zealand's national cyber defence involves many agencies and strategies. Here we take a look at some of the main players.
Government ministers, policies, and legislation
The New Zealand Government has two primary Ministers responsible for technology and security: Andrew Little, Minister for the GCSB and NZSIS, and David Clark, Minister for the Digital Economy and Communications. They are involved in developing New Zealand's cybersecurity policy with the help of the Government's chief information security officer/GCSB director-general Andrew Hampton and the broader Government. In addition, The ICT Security and Related Services Panel enables commercial organisations to supply security services to the Government to protect New Zealand's cybersecurity and defence.
Clark, Little, and their predecessors in previous governments have put significant effort into protecting New Zealand against security threats through the National Cyber Policy Office, established in 2012. In addition, there are specific forms of legislation and policies to plot New Zealand's cybersecurity journey. The most notable of these is the Cyber Security Strategy launched in 2011 and was updated until 2019. The Government also follows the Cyber Security Emergency Response Plan (CSERP), which was last updated in July 2021.
The CSERP outlines the government response to a cybersecurity emergency in terms of roles and responsibilities, the private sector's understanding of the government approach, an effective and coordinated response, and the swift restoration of services and operations. The CSERP focuses on five principles: Cooperation, coordination, sustainability, timeliness, and trust. The CSERP is also activated when the National Cybersecurity Centre (NCSC) or CERT NZ identifies a cybersecurity emergency based on reports from partners, the public, or technical capabilities that identify threats that could lead to an emergency.
The Government Communications Security Bureau (GCSB)
Currently led by Director-General Andrew Hampton, the GCSB has been operating since 1977. However, the modern form of the GCSB started to take shape in 2003 when it became a public service under the Government Communications Security Bureau Act 2003. Since then, the bureau has continued to build out its capabilities whilst administering the network security provisions of the Telecommunications (Interception Capability and Security) Act 2013 and delivering its mandate under the Intelligence and Security Act 2017.
The GCSB was drawn into the public eye after attacks on its Waihopai spy base in 2008 and its involvement in the Five Eyes intelligence network. However, the GCSB's remit is much broader than these incidents. Essentially, the GCSB exists to protect New Zealand from threats, both online and offline.
Hampton explains, “We have two primary missions. One is intelligence gathering or signals intelligence, which is generally foreign intelligence. We do that by electronic means, following priorities set by Government. This means finding out about global and national issues that are relevant to New Zealand decision-makers."
“The other role we have relates to the NCSC, specifically cybersecurity and information assurance for organisations of national significance. We don't provide the country's firewall, and we don't duplicate services provided by the commercial providers. Instead, we help to protect organisations of national significance from advanced persistent threat actors."
“There is a relationship between those two missions: the fact that we are an intelligence bureau means that we have access to legal authorities, partner relationships and technologies. These give us more capabilities in cybersecurity that other organisations may not be able to achieve.
The GCSB is also involved in security risk assessments for new technologies such as 5G and even space launches under the The Outer Space and High-altitude Activities Act 2017. For example, in the last year alone, the GCSB assessed 24 space-related activities from New Zealand - these assessments covered launches, payloads, and high-altitude vehicles.
“If anyone wants to launch a space vehicle from New Zealand, we need to assess the payload. This is to make sure there are no national security risks,” says Hampton.
New Zealand's National Cyber Security Centre (NCSC)
The NCSC was launched in 2011 and led by Lisa Fong since 2016. It operates within the GCSB to protect and provide incident response for New Zealand's most significant public and private sector organisations from cyber threats.
These organisations can include government departments, telecommunications companies, transport and energy companies, and much more. In 2018 there were more than 250 organisations in New Zealand classified as being of national significance. The NCSC provides advisory services, support, advice and education for these organisations. It also collaborates with the information security community, technology industry and Government.
The NCSC runs a malware detection and disruption service called Cortex. While Cortex's inner workings remain classified, it leverages threat intelligence from a range of sources to protect a select group of New Zealand organisations. Cortex is an ambitious service that is still shrouded in secrecy. Still, its prowess is apparent: In 2018, Cortex won two awards. The iSANZ Awards dubbed Cortex ‘Best Security Project' and the Institute of Public Administration (IPANZ) recognised Cortex in the Excellence Award for Building Trust and Confidence in Government.
“Much of what we do is classified by necessity so it was fantastic to be able to win awards that recognise the services we provide to ultimately protect organisations and New Zealanders,” says Hampton.
Malware-Free Networks is a threat detection and disruption service similar to Cortex, but it is more widely available through cybersecurity providers and managed service providers. It also provides a curated threat feed informed by information from various sources, including classified ones, from the NCSC and its partners. Malware-Free Networks protects all organisations of national significance.
The service has been live since June, and the NCSC is working with network operators and commercial security service providers to enable the Malware-Free Networks service to be offered to their existing customers and accessible within the IT security market to new customers.
The NCSC's Cortex and Malware Free Networks services aren't available to every New Zealand business or individual. So who else can help out when an incident happens? CERT NZ is the next port-of-call.
A CERT is a Computer Emergency Response Team. CERT New Zealand (CERT NZ) was established in 2016 as an agency that provides security updates, and it investigates and reports security risks to businesses, IT teams, and individuals.
CERT NZ works with other government agencies and other CERTS worldwide, such as AusCERT (Australia), HKCERT (Hong Kong), and US-CERT (the United States).
The agency also partners to share intelligence, update and technical advice alongside the Department of Internal Affairs, the NCSC, the New Zealand Police, Netsafe, and international partners in Australia, the United States, Canada, and the UK. In addition, CERT NZ runs a Pacific Partnership Programme that supports Pacific countries to build their cybersecurity capabilities.
CERT NZ director Rob Pope explains, “We help protect people in three main ways: We analyse the international cybersecurity landscape for what threats and vulnerabilities are relevant to New Zealand, and pass on these warnings so that others can be vigilant. Secondly when an incident occurs, we are there for people to report to so we can offer our trusted and expert information and advice to help them deal with and recover from the attack. Lastly, we raise awareness of cybersecurity impacts and deliver up to date, actionable advice on cybersecurity best practice.
Pope says ransomware is amongst the most disruptive types of attacks in New Zealand and worldwide. Still, there are also lessons to be learnt from the speed at which attackers can exploit software vulnerabilities to conduct attacks. Every three months, CERT NZ publishes a Quarterly Report, which touches on the most commonly reported security incidents.
“The pressure is on organisations to be able to get their software updated before they can be impacted. Cybercrime is opportunistic and we see small to medium businesses being targeted frequently, and in the current economic climate as budgets are tightly constrained, often cybersecurity might seem like a line item organisations struggle to afford.
Pope believes it's important for businesses and New Zealanders to report cyber attacks or online fraud quickly.
“Incident reports are important because we can offer immediate support to help understand, mitigate and recover from cyber attacks. We can act as a triage service, putting people in touch with the right law enforcement contacts, and advising where to turn for IT help.
CERT NZ treats all reports as confidential, and those submitting reports need only share as much as they feel comfortable.
He adds, “We are seeing attitudes move away from the ‘shame' of being a victim of a cyber attack and people becoming more willing to report them and ask for help. The more reporting done, the more awareness and knowledge we're building, and the more we're helping each other to keep secure online.
You can report cyber attacks, security breaches or online fraud at cert.govt.nz/contact-us.
New Zealand Police
The NZ Police Cybercrime unit was created in 2009. Back then, its focus was to coordinate the response to technically complex crimes. It had a dual reactive and proactive focus on these crime types. Five years later, the unit expanded to cover complex and serious cybercrime, including the Cryptopia theft and the recent Waikato District Health Board ransomware attack.
The team works closely with other New Zealand agencies, including the NCSC, CERT NZ, Netsafe, the Department of Internal affairs, and international partner organisations like INTERPOL and other like-minded law enforcement agencies.
The Police Financial Crime Group Asset Recovery Unit has also been involved in investigating money laundering and cybercrime when New Zealand organisations get caught up in the mess. A prime example of this type of event is the Canton Business Corporation and BTC-e investigation, which resulted in the largest restraint of funds (NZ$140 million) in New Zealand Police history.
“New Zealand Police recognises cybercrime is a growth area which requires a targeted and meaningful response. We are continually working to strengthen the strategies Police use to address this type of offending,” says NZ Police Cybercrime Unit detective senior sergeant Greg Dalziel.
Dalziel echoes observations that ransomware attacks, cryptocurrency scams and business email compromise scams are becoming more common.
“Outside of this there are the volume crime cases where the losses are smaller, and often not connected to a particular campaign, hitting New Zealand."
"Prevention messaging remains a key response to cyber enabled crime. There is often a user interaction that results in the loss, and if we can prevent this occurring, we can stop a crime before any loss occurs.
Netsafe is a charity whose mission is to work with schools, parents, education providers, and the wider public. Netsafe aims to encourage positive use of technology, prevent online harm, and provide support for people who have negative and often devastating online experiences. The agency has been operating for 20 years and runs a confidential, free helpline and other services.
Netsafe CEO Martin Cocker says, “Individuals are never more than a few clicks away from trolls, bullies, scammers, objectionable content and a range of other unpleasant online experiences. According to Netsafe's research, one in five adults and nearly twice as many young people received a digital communication that had a negative impact on their life."
“Our job is to make it easier for people to enjoy the opportunities being online offers and to help them if something goes wrong. We do this by providing free support, advice and education, and by working collaboratively with the community, tech industry and Government.
Netsafe and its collaboration partners strive to achieve the best outcomes for New Zealand. The agency is involved in everything from the Facebook Safety Advisory Board and the Twitter Trust - Safety Council to working groups such as the Global Internet Forum to Counter Terrorism (GIFCT), the NZ Pornography Working Group, and many partners in between.
Over the last couple of years, Netsafe noted a rapid uptake in technology during the pandemic, which has produced benefits and downsides for New Zealanders. Unfortunately, the negatives added to existing anxiety about health, stress, and physical separation. Cocker says that during this time, many people contacted Netsafe for self-help and incident support. Unfortunately, these experiences have sometimes resulted in physical, financial, and psychological harm, decreased user confidence, and undermined the digital economy and social investment.
“Some of the main threats facing the community relate to misinformation, the need to build resiliency, and providing equal access to content. Large parts of the internet function as an egalitarian platform. This means that the infrastructure of the internet treats the information it delivers as functionally equivalent,” he says.
In other words, the internet can present a scam and a genuine service alongside each other almost in the same breath. Fringe ideologies can divide people and also create their own communities. While the internet does have platforms, moderators and online safety mechanisms, they can't always catch content designed to misinform or misdirect people.
“With more and more contentious issues debated online, many of these centring around internet technologies themselves, it takes a team effort to support people who have been the subject or recipient of this content and to better develop tools and processes to reduce this in the long term,” says Cocker.
"Aotearoa New Zealand's digital society is full of challenges, and some are highly complex – but there are organisations people can turn to for help. There are processes, systems, self-help advice and tools that work – if only we can connect people to them fast enough.
You can report an online safety incident on Netsafe's website at netsafe.org.nz/reportanincident.
New Zealand's cybersecurity sector - diversity, pathways, and careers in homegrown tech
One of the most important ways to develop New Zealand's cybersecurity capabilities is through fresh thinking, recruitment, and skills development. But this can be difficult - the world is facing a technology skills shortage, especially in cybersecurity. Private organisations and universities also offer scholarships and degrees, but what are our government agencies doing to help?
As an equal opportunity employer, The GCSB runs initiatives such as the Gender Pay Gap Action Plan and Diversity and Inclusion Strategy to attract more women, Māori, Pacific and Asian peoples within the GCSB and NZSIS. If that wasn't enough, the GCSB also runs Women in STEM scholarships to help pave the way for STEM careers and within the GCSB itself. To top it off, The GCSB received the Rainbow Tick for diversity and inclusion.
Hampton says diversity and inclusion are important to the GCSB - as they should be for any organisation. The cybersecurity industry is facing challenges that require many different perspectives to solve. Diversity is not just about the usual things like gender, ethnicity, or sexuality - it also means different ways of thinking. Groupthink, Hampton says, is not welcome.
The GCSB is also growing as the Government invests more in New Zealand's security. That means the bureau needs to represent the very New Zealanders it serves.
“Organisations like ours operate in secret by necessity, but it's also important that we're open to people with different views and different perspectives, and that we reflect New Zealanders. That's what we try to achieve through our recruitment.
“Cybersecurity is a great career to pursue, particularly when there is a skills shortage. If you're after job security and if you want an in-demand role, cybersecurity is a great fit. It helps if you have a technical background so STEM (science, technology, education and mathematics) subjects are important, but you also need to balance that with curiosity, an understanding of context, and a keenness to learn.
He continues, “Cybersecurity doesn't exist in isolation. It's actually something that should be pervasive in business and in society. Even if your aspiration isn't to have a career in cybersecurity, learning something about it's going to be important for whatever job you do because it's likely to involve technology in some form or another. Technology also creates a whole lot of risk and so having some understanding of that and how to manage it will be important whatever you choose.
Rob Pope adds on behalf of CERT NZ, “The best way to get involved is to find your local cybersecurity community groups. Often there will be technical or social meetups. These are excellent ways for people looking to join the field to learn from people involved in the industry and get advice on how to move into cybersecurity as a career path. There are also tertiary study options now.
“The other important thing is to just be curious, as there are a wealth of resources available to learn about cybersecurity available, and anyone can dive in and begin learning about the field.