Director General of the GCSB speech to New Zealand Internet Task Force Annual Conference

Introduction

Good morning, and thank you for the opportunity to talk to you today, and to open the second day of your annual gathering.

It is good to see some familiar faces in the group, including some of my own team and some former team members.

It has been several years since a director of the Bureau has spoken to this group and a few things have changed.

For a start my position is now one of Director General rather than Director, one of the changes that came about since the enactment of the Intelligence and Security Act in 2017.

The Act also enables the Bureau to be even more responsive in some of our cyber security work. 

Earlier this week the Inspector General of Intelligence and Security commented in her annual report on our use, for the very first time, of a very urgent warrant.

Normally, for us to undertake intrusive activities we need a warrant issued by our minister, and if the purpose is to access the information of a New Zealander, it also needs to be issued by the Commissioner of Warrants, who needs to be a former judge of the High Court. In exceptional circumstances a very urgent warrant can be issued by me as Director General, but it then needs to be either confirmed by the Minister, and the Commissioner if necessary, within 24 hours or discontinued.

This first very urgent authorisation was to enable the National Cyber Security Centre to respond rapidly to a serious cyber-security incident involving a nationally significant organisation.  It enabled National Cyber Security Centre staff to work with the victim organisation to respond to the incident and secure their systems.

I will talk a little more about the ISA and its changes a little later.

We have also had the horrific act of terrorism, in Christchurch on March 15 this year. 

NZ Police and the NZSIS are the lead agencies for counter terrorism in New Zealand. The GCSB continues to provide assistance to both agencies in the ongoing response to the Christchurch attacks, primarily through our technical capabilities and access to foreign intelligence. We welcome the Royal Commission that was set up to determine if anything could have been done to prevent the attacks and to identify lessons that can be learned for the future.

I will spend most of the time today talking about our cyber security function, as a lot has been happening in this area in recent years as well. I will provide a cyber-threat update, based on our annual cyber threat report which was released yesterday afternoon, and talk about our work on cyber threat attribution. I will also give you an update on our Malware Free Networks initiative and the work we are doing to support New Zealand organisations of national significance to lift their overall cyber security resilience.

I plan to move through that fairly quickly as I am keen to leave time to allow for questions. I have brought several members of the team who are developing and implementing MFN to help with response to questions you might have around some of the more technical aspects.

I appreciate that many of you here are familiar with aspects of the Bureau’s work, especially as it relates to information assurance and cyber security.  I also know that previous directors have spoken to this audience.

However, as I mentioned earlier, a few things have changed since then and I would like to take a few minutes to address the broader aspects of our work, and some of the changes which have come about through our new authorising legislation.

What is the GCSB, our legislated role and how we do what we do?

The GCSB is a ‘SIGINT’, or signals intelligence agency, meaning we specialise in intelligence derived from electronic communications. We also have a statutory role in cyber security and information assurance.

Everything we do needs to be in accordance with the objectives of the Intelligence and Security Act 2017, or ISA for short, and in accordance with New Zealand’s human rights obligations.

The purpose of the ISA is to “protect New Zealand as a free, open and democratic society.”

The ISA states the principal objectives of the GCSB, and the NZSIS are to contribute to:

  • The protection of New Zealand’s national security; and
  • The international relations and well-being of New Zealand; and
  • The economic well-being of New Zealand.

  We do this by:

  • Collecting and reporting on intelligence – primarily foreign intelligence – in accordance with government priorities in order to inform government decision-making, and
  • Providing cyber security and information assurance services to protect the information and information systems of organisations of national significance, from both the public and private sector.

The ISA provides a strong authorising framework to ensure that our intelligence activities are not only legal, but also necessary and proportionate.

The ISA also provides for other checks and balances that ensure our compliance with the law, including independent oversight.

A Public Service agency with a difference

GCSB is a public service agency, and just like every other agency we are accountable to the Government of New Zealand and required to act in the interests of New Zealand and New Zealanders.

But we are an agency with a difference – we have intrusive powers and much of what we do needs to be done in secret.

Our powers can only be employed with the right level of authorisation.

As I described earlier, any intelligence warrant for the purpose of collecting intelligence against a New Zealander needs to be issued by both our Minister and the Commissioner for Security Warrants.

Independent oversight is provided by the Inspector General of Intelligence and Security who has strong investigative powers and can access all of our files and records.

The intelligence and security agencies also report to Parliament’s Intelligence and Security Committee. This is done at both an unclassified and classified level to give the committee greater oversight.

Internally we promote a culture of strong legal compliance and we have strong systems to ensure we are meeting our compliance obligations.

For public service agencies in general, public trust and confidence is important – for us it is essential.  One way we build public trust and confidence is by being as open as we can about the nature of the threats New Zealand faces, our role in responding to those threats, and how we are held accountable to the people of New Zealand.

Regulatory functions

There's been public focus on the GCSB’s regulatory roles recently – in particular in relation to the country’s telecommunications networks and the move to 5G.

GCSB is responsible for administering the network security provisions of the Telecommunications (Interception Capability and Security) Act 2013, or TICSA. Through TICSA, we engage with network operators to identify and mitigate potential risks to national security before they occur.

TICSA applies a country and vendor agnostic framework. It requires the GCSB to make an independent assessment of network security risks, on a case-by-case basis.

Since TICSA came into effect in 2014, the GCSB has received hundreds of notifications from network operators. The vast majority of those were assessed and resolved within our self-imposed customer service targets of 20 working days.  In fact, we currently average 8.8 working days.

GCSB also has a regulatory role for New Zealand’s burgeoning space industry, assessing payloads to ensure they do not present national security risks.

There are a number of space-related enterprises developing in New Zealand, including Rocket Lab, projects being led by local universities and foreign companies wanting to establish space-related industries here.

The Outer Space and High-altitude Activities Act came into effect in December 2017 and allows agencies, including the GCSB and the NZSIS to manage risks to New Zealand’s space-related national interests and security.

The Act requires the GCSB and NZSIS to conduct national security risk assessments for all activities licensed or permitted. These assessments inform consultation between relevant Ministers about the security risk associated with each activity.

In the last financial year the intelligence and security agencies conducted 30 assessments on space-related activities from New Zealand. These assessments covered multiple launches, space payloads and high-altitude vehicles. I expect this will be a growing area of work for the agencies.

In undertaking these regulatory processes the GCSB acts independently.  While we receive intelligence from our Five Eyes partners, we also act independently from them, in accordance with our own domestic legislation.

Cyber Security

I will now move to cyber security.

GCSB’s cyber security functions are delivered through the National Cyber Security Centre – or NCSC.

One of our key focus areas is countering advanced, cyber-borne threats to organisations of national significance across the public and private sector. These tend to be more sophisticated cyber threats that are typically beyond the capabilities of commercial products and vendors.

Our cyber security defence capabilities include our existing CORTEX programme, and our Malware Free Networks capability that we will be making available to a much wider set of organisations.

We also take cyber threat information obtained through the operation of these capabilities, and provided to us through a range of international relationships, and make it available to New Zealand’s significant organisations to help them strengthen and defend their networks from cyber threats.

We are constantly reaching out to establish relationships, through direct engagement with organisations, through sector based forums and via a customer portal to share information that can help increase the resilience of New Zealand’s important information networks and systems. 

This information sharing ranges from alerts and updates about potential threats and actions that can be taken to reduce vulnerability to more general advice on the steps organisations can take to ensure the resilience of their systems. 

Following the production of our cyber resilience assessment last year, we are moving into developing more practical guidance and tools to assist organisation management and governance to better understand how they can support and manage their organisation’s cyber resilience efforts. I will talk more about that later.

The next few slides provide an update on the New Zealand cyber environment, as reported in our NCSC annual cyber threat report which was released yesterday.

Cyber threats serious impact on NZ

The NCSC recorded 339 incidents in the 12 months to 30 June 2019, compared with 347 incidents in the previous year.

These figures represent a small proportion of the total cyber security incidents impacting New Zealand, as the NCSC’s focus is on potentially high impact events and those affecting organisations considered to be of national significance.

The NCSC was able to identify indicators linking state-sponsored cyber actors to 38 percent of total incidents recorded in 2018-19.  While this is similar to the previous year (39%) NCSC analysis of these incidents shows they had a greater impact as more were detected in the post compromise phase of the threat cycle – where actors have had an opportunity to have an effect. 

Cyber threat cycle

To look at that in more detail, you can see that 83 percent of incidents were recorded pre compromise, either at the preparation phase (41 percent) or the engagement phase (42 percent), compared to 17 percent of incidents detected post compromise (five percent at the presence phase and 12 percent at the effect/consequence phase).

Pre-compromise incidents

Pre-compromise activity is characterised by planning and reconnaissance by cyber actors, or initial engagement with their targets.

Pre-compromise incidents observed this year include New Zealand organisations that were targeted through phishing campaigns, website compromises, credential harvesting, or brute force attempts.

In 2018/2019, 282 NCSC cyber incidents were identified before the point of network compromise. While pre-compromise incidents are lower on the range of severity, they can still have a significant impact on an affected organisation.

Pre-compromise activity can evolve into fully fledged network compromise, if not detected and mitigated in a timely manner.

Post-compromise incidents

The goal of post-compromise incidents is to ensure ongoing access to a network, and to exfiltrate data or disrupt infrastructure or systems.

Seventeen of the incidents in the 2018-19 year were detected at the post-compromise phase.

These types of incidents range from internal network reconnaissance and keystroke logging, to encrypting, locking or exfiltration of files. Remediation of incidents that reach the post-compromise phase can have significant impacts for the affected organisation, depending on the nature and extent of the intrusion.

While the figures show just a one percent increase in the post compromise incidents, over the previous year – the difference in terms of impact (and the amount of effort required from our incident response team and the organisations they have assisted) has been quite significant.   You can see examples of some of these incidents in the case studies presented in the cyber threat report.

Valued cyber defence

We have been able to value some of the impact our cyber defence capabilities are having.

Using an independently validated model the NCSC calculates the value of harm directly prevented through the operation of our CORTEX cyber defence capabilities in the 2018-19 year was in excess of $NZ 27.7 million. 

This means the operation of those advanced cyber defence capabilities have contributed to reducing cyber harm to New Zealand’s nationally significant organisations by more than $NZ 97.4 million since June 2016.

CORTEX’s contribution to New Zealand’s cyber defence, and to building trust and confidence in government was also recognised externally with two significant industry and sector awards in 2018-19.

In July 2018 the GCSB was awarded the Institute of Public Administration (IPANZ) award for Building Trust and Confidence in Government, for its delivery of the CORTEX Project, and in November CORTEX was named Best Cyber Security Initiative at the 2018 New Zealand information security awards (ISANZ). I know the 2019 awards were announced earlier this week – so congratulations to the winners in the various categories; the recognition of your industry peers is truly some of the most valuable validation of your work.

So, what have we been able to determine through this work?  In the past we have seen the continuation of some trends and some new patterns emerge.

Cyber Trends

This year the cyber security incidents seen impacting New Zealand's nationally significant organisations have increased in their severity, particularly from sophisticated state-sponsored actors. As already noted, 38 percent of incidents in 2018-19 could be linked to state-sponsored actors. While this is the same proportion as the previous year, a greater number of state-sponsored incidents were characterised as “post compromise”.

The NCSC continues to see incidents where malicious cyber actors have exploited known, unpatched vulnerabilities to gain access to systems.  This can be prevented through security patching, regular security testing, and taking additional steps to secure critical data.  Mitigating known vulnerabilities means cyber actors are forced to use more sophisticated tools and techniques to compromise a network.

The NZ Government continues to work closely with international partners to “call out” malicious cyber activity counter to the internationally accepted norms of behaviour in cyber space. I will talk more about our approach to attribution in a few minutes.

In the international cyber security environment, the frequency of public reporting about cyber security incidents resulting in significant data breaches involving personally identifiable information is increasing.  The range of industries impacted is indicative of the high value of personal information, targeted by both state-sponsored and criminal actors.

Attribution

Let me talk more about attribution.

The GCSB frequently conducts internal, technical attributions of malicious cyber activity and shares these with the New Zealand Government and international partners (usually at a classified level).

When it is in our national interest to do so, the New Zealand Government may decide to publicly reveal the conclusions of our technical attribution process to call out a malicious cyber actor.

Undertaking a technical attribution of malicious cyber activity, whether it is made public or not, is an important part of our role.

Understanding the actors’ tactics, techniques and procedures allows cyber defenders to adopt defensive postures to reduce the risk of a compromise, or identify compromise in its early stages.

By identifying the actors responsible for malicious cyber activity, we may be able to assess the intent of actors targeting New Zealand or global networks. This may allow us to identify other organisations being similarly targeted, and identify other campaigns or activity conducted by the actors. Doing so helps to inform the cyber security advice the NCSC can provide to New Zealand’s organisations of national significance and contributes to international understanding of malicious cyber activity.

Attribution is not a straightforward process. While at a high level attribution appears to be data collection, analysis and drawing conclusions, the reality is much more complicated.

To undertake the technical attribution process, we use data collected from the NCSC’s CORTEX capabilities, technical evidence from the NCSC’s incident response to affected organisations, and classified and unclassified reporting from international partners and the private sector.

We analyse how the actors compromised a network, the activity they conducted and look for links to known malicious actors.  We also work to understand the organisation and the specific information targeted or taken to help determine the sophistication and intent of the actor.

This type of information can also contribute to helping identify who may have been responsible by linking the activity to actors who have previously targeted similar organisations or information.

Often, malicious cyber campaigns do not occur in isolation, and occur in multiple countries simultaneously. By working with international partners, the GCSB can share information to assist with remediation of partner networks and to strengthen the overall attribution process.

Our confidence in the attribution assessment relies on the range, strength, number and reliability of the links found. As more information is confirmed, the confidence or strength of the attribution can also strengthen.

New Zealand is committed to upholding the rules-based international order which contributes to the secure, resilient and prosperous online environment from which New Zealand benefits. New Zealand’s cyber security strategy highlights these values and asserts New Zealand’s willingness to call out malicious cyber activity when it is in its national interest to do so.

The decision to publicly attribute malicious cyber activity is made by the New Zealand Government, based on its own independent assessment and independent of New Zealand’s international partners.

Organisations involved in advising Government on attributing malicious cyber activity include the GCSB, the Ministry of Foreign Affairs and Trade, and the Department of Prime Minister and Cabinet’s National Cyber Policy Office.

The GCSB’s primary role in this process is conducting a technical attribution of the malicious cyber activity to ensure an independent, sovereign technical assessment is made.

This technical assessment feeds into the consideration of a range of factors by the New Zealand Government, including the scale of the activity and the activity’s impact on New Zealand.

These considerations ensure the decision to publicly attribute malicious cyber activity aligns with New Zealand’s national interest and supports New Zealand’s vision for cyberspace.

In the past two years the GCSB, on behalf of the New Zealand Government, has publicly attributed four cyber campaigns which were designed to generate revenue, disrupt businesses, undermine democracy, or for the theft of intellectual property.

The WANNACRY campaign was attributed to North Korea. This was a significant international ransomware campaign which exploited a known vulnerability for which patches had been released.

The NOTPETYA attack was attributed to Russian state actors. While NotPetya masqueraded as a criminal ransomware campaign, its real purpose was to damage and disrupt systems. Its primary targets were Ukrainian financial, energy and government sectors however its indiscriminate design caused it to spread around the world affecting these sectors world-wide.

A collection of other campaigns have been attributed to Russian Military Intelligence (GRU). The attributed activity included targeting overseas political institutions, business, media and sporting organisations.

The CLOUDHOPPER global campaign of cyber-enabled commercial intellectual property theft was linked to the Chinese Ministry of State Security (MSS). This long-running campaign targeted the intellectual property and commercial data of a number of global managed service providers, some operating in New Zealand.

We are aware of other countries which are involved in state-sponsored cyber-attacks. These four examples are the ones which have gone through New Zealand’s public attribution process.

Attributing malicious cyber activity helps send a strong signal to the actors and states responsible for the activity that their conduct is unacceptable within the rules-based international order.

Public attribution can be accompanied by private diplomatic engagement, and in some instances, particularly in the United States, the laying of criminal charges against the threat actors identified as being responsible.

Calling out this activity also reduces the efficacy of malicious cyber actors.

By revealing the actor’s methods of compromise and increasing the reputational costs of conducting malicious cyber activity, the actors’ ability to operate in cyberspace is decreased. By outing these methods, organisations can more readily detect, and respond to these threats, forcing the actors to change their behaviour and making it harder for the actors to successfully conduct malicious cyber activity.

The New Zealand Government also expects that calling out this malicious cyber activity will raise public awareness of the risks posed by malicious cyber activity. By educating the public about these potential threats, the GCSB and the New Zealand Government hope to improve cyber defensive measures and raise awareness of malicious cyber activity which may adversely impact New Zealanders.

This in turn contributes to the safety and security of New Zealanders online. 

At this conference last year, we presented on the cyber security resilience study the NCSC had undertaken to develop a high level picture of the resilience of 250 of New Zealand’s nationally significant organisations.

To briefly recap…

Cyber Resilience

We sat down with the IT managers of 250 organisations, and asked them 50 questions about their cyber security set up, plans, oversight and funding.

The report summarises the survey data collated and identified that despite an increased investment in cyber security in the past 12 months, organisations feel their security practices are not keeping pace with the rate of digital transformation.

We identified four areas of good practice where organisations should focus their efforts for the greatest effect; governance, investment, readiness and supply chain.

We are now taking that work a step further and developing more detailed “how to” guidance around those topics.

We see that as pitched at a management and governance level, rather than technical guidance – you have the NZISM for that – and we see it as the type of resource security professionals might use to help promote understanding of cyber security risk and to support their own work in developing and implementing cyber security resilience plans for their organisations.

The first of these resources focussing on governance will be available within the next few weeks.

Resources

The resources provide an overarching summary, and six guiding documents which deal more deeply with some of the core concepts. They have been developed with the view that they can be used by either practitioners or the leadership of an organisation to support their internal conversations and to guide the development of resilience strategies and reporting frameworks.

We will initially be making them available on the NCSC website, and in the New Year we will look at other activity to support and encourage cyber security resilience discussions – either through existing forums or more direct engagement with organisations with the greatest need.

Conclusion

That brings me to the end of my presentation – I have covered a fair bit of ground as I am keen to maximise the opportunity. This audience, perhaps more than any other group I have spoken to recently, plays a key role in helping secure New Zealand’s critical systems and infrastructure. In the time we have left, I am keen to take your questions and perhaps expand on the areas you are most interested in.