- Posted March 15, 2022
- Director-General Speeches
Tuesday 15 March 2022
GCSB Director-General Andrew Hampton opening statement to Intelligence and Security Committee
Open session
Kia ora koutou,
Thank you for the opportunity to update the Committee in this open session about the work of the GCSB.
But, before I start my opening address, I would like to acknowledge that today is the anniversary of the March 15 terrorist attacks. Although three years have since passed, the terrible events of that day are front of mind. Our thoughts are with the 51 victims, the survivors, their whanau, and the witnesses.
It has been another high-tempo year operationally for both our intelligence and cyber security missions, which collectively have contributed to the full range of the Government’s National Security and Intelligence Priorities.
Intelligence
Firstly I would like to briefly update the Committee on salient aspects of our Intelligence Mission since we last convened.
During the 2021/22 year, the GCSB provided signals intelligence to 19 customer agencies, and their Ministers, on topics ranging from COVID-19 to climate change.
Our signals intelligence on the ever-changing geostrategic landscape, including in our region and the implications for Aotearoa New Zealand, has helped shape national policy decisions across government. Throughout the year we have also provided intelligence support to New Zealand Defence Force operations, including August’s evacuations in Afghanistan.
The GCSB has continued to make a unique and highly valued contribution to global counter-terrorism efforts, including contributing to the disruption of attack planning. As well as UN-designated terrorist entities, this work has also focussed on identity motivated extremists.
In-line with the commentary from the Royal Commission into the abhorrent Christchurch terror attacks, the GCSB has been increasingly proactive in supporting New Zealand Police with its domestic counter-terrorism investigations, as well as our traditional partner, the NZSIS.
The GCSB also provided ongoing support to New Zealand Police during the course of Operation VAN, a high profile disruption of an international criminal network.
Understandably this is a very high-level snapshot of our intelligence mission; aspects of which were provided in more detail in the prior closed session.
Technology and technical capability
A key moment for the GCSB last year was the decision to retire the two radomes and dishes at Waihopai. While the domes were no longer operationally important, contributing less than 0.5% of our intelligence reporting, it was significant from a public perspective as they were the most visible part of the New Zealand intelligence system.
There have been huge technological advancements in the 33 years since the first dome was installed at Waihopai. The world is cabled up, there is ubiquitous encryption and we have seen the advent of the internet. As a result our technical capabilities and authorities have also well and truly moved on.
And as both technology and the threat environment continues to evolve at pace, we will continue to assess and update our capabilities.
Cyber security
I now want to turn to our Cyber Security Mission.
In November the Bureau’s National Cyber Security Centre (NCSC) released its annual cyber threat report which showed there were 404 incidents affecting nationally significant organisations in the 2020/21 year, a 15% increase on the previous year. This included high profile attacks on the Reserve Bank, Waikato DHB and NZX, all of which involved the NCSC providing incident response services.
Of the incidents recorded, 28% showed links to suspected state-sponsored actors, while a similar proportion (27%) were likely criminal and financially motivated.
The increasing sophistication of tools used by criminal actors means it is becoming much more difficult to distinguish between state and criminal actors, particularly in cases where we are able to intervene early. This situation is sometimes exacerbated with some states offering safe harbour to criminal organisations.
Current cyber threatscape
Two particular features of the current threatscape are the rise of ransomware and supply chain attacks.
In recent years, malicious actors have been shifting their ransomware targeting strategy towards higher-profile organisations that are more vulnerable to extortion. Malicious actors are putting considerable effort into researching the sensitivity of the data, operating environments, and financial information of their victims. Organisations holding particularly sensitive personal or commercial information are especially at risk.
These days it is not sufficient to just ensure the cyber security resilience of your own organisation, you also need to consider how secure your supply chain is. A recent development in supply chain attacks has been compromising software updates as a means of establishing a presence in customer systems.
Last year the NCSC released guidance to organisations of national significance specifically on managing supply chain risks.
State-sponsored activity
While the past year has seen increasingly sophisticated and impactful attacks by criminal groups, malicious activity by state actors continues to be of significant concern.
In 2021 the New Zealand Government has publically attributed two malicious state-sponsored cyber campaigns, one to Russian and the other to Chinese state actors, based on technical assessments by GCSB and our international partners.
Throughout the year the Bureau also provided classified briefings to members of the Committee about state actors targeting several key government organisations and the role of the NCSC in identifying and evicting the attackers, and helping the victim agencies restore their systems.
Russian invasion of Ukraine
International partners have publically called out Russia for engaging in malicious cyber activity to support its invasion of Ukraine, although this activity was not of the scale expected. There has also been reporting of a significant increase in cyber activity by proxies on both sides of the conflict and by criminal groups taking advantage of the crisis. This makes attribution difficult and increases the risk of escalation.
To date we have not seen indications of an increased targeting of Aotearoa New Zealand organisations from actors associated with the invasion. Through the NCSC, our focus has been on using our technical capabilities to monitor New Zealand networks for indicators of malicious activity, sharing intelligence reporting and working with organisations of national significance to keep building their cyber resilience.
So far this month we have distributed a large number of signals intelligence reports on the crisis to New Zealand government customers. With NZSIS, we are also providing intelligence support to the recently introduced sanctions regime.
So what are we doing about the cyber threat?
Our analysis based on an independently devised model indicates the NCSC’s cyber defence capabilities prevented an estimated $119 million in harm to New Zealand’s nationally significant organisations in the 2020/21 year.
Since June 2016, when the NCSC first started operating those capabilities, we have prevented harm from malicious cyber activity of approximately $284 million.
In December the NCSC formally launched its Malware Free Network (or MFN) – a scaling up of cyber defence capabilities, which makes our cyber threat intelligence available to commercial cyber security providers to help defend their customers’ networks. As of the end of last week, the number of threats disrupted by the MFN capability has exceeded 50,000.
However, it has to be stressed that no single cyber security capability is a silver bullet. Nor are we the country’s one-stop cyber security firewall.
We still need organisations to ensure they have effective cyber security governance, understand their critical systems and risks – particularly across their supply chain – and to have a plan for how they would respond to a cyber-security incident.
Working in partnership with organisations to help build their cyber resilience is therefore one of our key priorities.
Other key areas of work of the GCSB and looking ahead
As Government Chief Information Security Officer or GCISO, my focus is on understanding the key information security threats and vulnerabilities facing the public sector. This includes, for instance, supporting Cloud uptake by government departments. In the past year we worked with Microsoft and Amazon Web Services to deliver baseline security templates for their Azure and AWS Cloud offerings to the public service.
This year the GCSB also completed the $440m Cryptographic Products Management Infrastructure project, which broadly speaking, encrypts Aotearoa New Zealand’s most sensitive information.
As I mentioned earlier, technological acceleration always represents a challenge for any digitally-focused intelligence agency, and we will be looking to make further announcements regarding investments later this year.
For the GCSB it is not all about technology, it is also about building our workforce. As we grow as an organisation, we are becoming more diverse and our gender pay gap continues to reduce. And, along with the NZSIS we were the proud winners of the New Zealand Supreme Rainbow Excellence Award.
I am now happy to take questions from the Committee.
Ngā mihi nui.