GCSB’s role in supporting national security decision making

Presentation by GCSB Director General Andrew Hampton to Otago University Pols213,

3 March, 2020

Introduction

Good morning, and thank you for the opportunity to talk to you today.

I will spend time today talking through some of the key aspects of the work of the Bureau.

This includes the national intelligence priorities that Government sets for us, our intelligence collection and cyber security functions - including an overview of the cyber threats facing New Zealand organisations.  I will briefly cover off our attribution of malicious cyber activity then move to our role in regulating aspects of the telecommunications network and space activity, and also talk a little about election security.

What is the GCSB? Our legislated role and how we do what we do

The GCSB is a ‘SIGINT’, or signals intelligence agency, meaning we specialise in intelligence derived from electronic communications. We also have a statutory role in cyber security and information assurance.

Everything we do needs to be in accordance with the objectives of the Intelligence and Security Act 2017, or ISA for short, and in accordance with New Zealand’s human rights obligations.

The purpose of the ISA is to “protect New Zealand as a free, open and democratic society.”

The ISA states that the principal objectives of the GCSB and the NZSIS are to contribute to:

  • the protection of New Zealand’s national security; and
  • the international relations and well-being of New Zealand; and
  • the economic well-being of New Zealand.

We do this by:

  • collecting and reporting on intelligence – primarily foreign intelligence – in accordance with government priorities in order to inform government decision-making; and
  • providing cyber security and information assurance services to protect the information and information systems of organisations of national significance, from both the public and private sector.

The ISA provides a strong authorising framework to ensure that our intelligence activities are not only legal, but also necessary and proportionate.

The ISA also provides for other checks and balances that ensure our compliance with the law, including independent oversight.

A Public Service agency with a difference

GCSB is a public service agency, and just like every other agency we are accountable to the Government of New Zealand and required to act in the interests of New Zealand and New Zealanders.

But we are an agency with a difference – we have intrusive powers and much of what we do needs to be done in secret.

Our powers can only be employed with the right level of authorisation.

Any intelligence warrant for the purpose of collecting intelligence against a New Zealander needs to be issued by both our Minister and the Commissioner for Security Warrants.

Independent oversight is provided by the Inspector General of Intelligence and Security who has strong investigative powers and can access all of our files and records.

The intelligence and security agencies also report to Parliament’s Intelligence and Security Committee. This is done at both an unclassified and classified level to give the Committee greater oversight.

Internally we promote a culture of strong legal compliance and we have strong systems to ensure we are meeting our compliance obligations.

For public service agencies in general, public trust and confidence is important – for us it is essential.  One way we build public trust and confidence is by being as open as we can about the nature of the threats New Zealand faces, our role in responding to those threats, and how we are held accountable to the people of New Zealand.

National intelligence and security priorities

The Government’s National Security and Intelligence Priorities, or NSIPs, direct the GCSB’s priorities.

A new set of National Security and Intelligence Priorities (the Priorities) was approved by Cabinet in December 2018.

The Priorities outline key areas of national security interest to the New Zealand Government, and assist agencies that have a national security role to make informed, joined-up decisions and define key areas of focus.

The NSIPs are also highly relevant to our international partnerships.  As well as our support to the New Zealand Police and the NZSIS on domestic terrorism issues, the GCSB, for example, makes a unique and highly valued contribution to the international efforts on global terrorism.

All information sharing is in accordance with our own legislation, policies and oversight.

The 16 Priorities, which are published on the website of the Department of Prime Minister & Cabinet, include:

  • Biosecurity and human health,
  • Environment, climate change and natural resources,
  • Foreign influence, interference and espionage,
  • Global economy, trade and investment,
  • Implications of emerging technology,
  • International governance, geopolitics and global security,
  • Malicious cyber activity,
  • Middle East regional security,
  • New Zealand's strategic interest in the Asia region,
  • Pacific regional stability,
  • Proliferation of weapons of mass destruction and conventional weapons,
  • Space security,
  • Territorial security and sovereignty,
  • Terrorism,
  • Threats to New Zealanders overseas, and
  • Transnational organised crime.

Full details are in the appendices of the DPMC 2019 annual report.

While GCSB makes a contribution to all 16 NSIPs, there are some enduring areas of intelligence focus for the agency.  These include:

Peace, stability and security in the Pacific

In the current international environment New Zealand needs to be well informed about the interests, intentions and capabilities of others. We need to work in cooperation with like-minded partners, and we need to call out bad behaviour that doesn’t conform to the international norms we rely on.

Our geographic location, and the special relationships we have with our Pacific neighbours means part of our role is to pay particular attention to our region, both to help inform government decision making, and to help identify and respond to emerging risk.  This work is increasingly important given the increased strategic competition in the region.

In 2018 the Inspector-General of Intelligence and Security completed a comprehensive review of our intelligence collection in the Pacific and concluded that our work was properly authorized and legally compliant.

Support for military operations

From time to time we are called on to use our specialist capabilities to provide support to New Zealand military operations in the Pacific and elsewhere, where New Zealand troops are deployed.  There are occasions where this may involve deployment of staff in direct support of our defence forces.  Some of this activity is included within the scope of the Operation Burnham inquiry.

Transnational Crime

Through our signals intelligence capabilities we are able to support New Zealand agencies to better target transnational crime networks with the aim of disrupting their efforts ‘upstream’ - before their activities can impact on New Zealand.

The ISA 2017 provides a strong legal footing for this work and for our cooperation with Five Eyes partners, noting of course that any cooperation needs to be in accordance with New Zealand law and human rights obligations.

In recent years the Bureau has worked with partners to make valuable contributions on cyber security, transnational crime and violent extremism.  This has included supporting law enforcement, defence and border control operations throughout the Pacific region.

Countering Violent Extremism

The GCSB’s role in countering violent extremism is primarily externally focussed.  This includes making unique contributions to global counter terrorism efforts. The NZSIS and the New Zealand Police are the lead agencies for domestic counter-terrorism.

The role of the GCSB is to provide support to these agencies in their work. This support is primarily through our technical capabilities, and our access to foreign intelligence.

Like the NZSIS, the Bureau immediately stood up a 24/7 response team who worked tirelessly to support the investigation and wider response.

Over the three years prior to the attacks the GCSB took a series of deliberate steps to enable us to respond effectively to assistance requests on domestic counter-terrorism, within our legislative framework and resourcing.  

This involved establishing capabilities, accesses and legal authority that do not distinguish between different forms of violent extremism and can be deployed quickly and flexibly. As a result we were well placed to respond to requests from our NZSIS and Police partners in the aftermath of the Christchurch attack.

We absolutely support the Royal Commission of Inquiry. It is vital that we know if there is anything that could have been done to prevent the attacks, and identify any lessons to be learned for the future.  

GCSB’s approach to intelligence gathering

We collect intelligence by electronic means, which includes the ability under the Intelligence and Security Act to intercept communications and to seize electronic information.

We do this through a range of capabilities, including interception of high frequency radio (Tangimoana) and satellite communications (Waihopai) and we have legal authorisation to access information infrastructures.  Under the Telecommunications (Interception Capability and Security) Act 2013 we can require New Zealand network operators to give effect to a warrant.  We also receive a significant volume of intelligence from our Five Eyes partners.

The 2015 Cullen Reddy review of NZ intelligence agencies made the point that modern communications mean it is often not possible to identify and copy a specific communication of interest in isolation. We often need to collect a larger set of communications – they describe it as the “haystack” in which our analysts then find the “needle”. Even then, the extra information we draw together to form the haystack is a tiny proportion of the abundance of communications zooming around every day.

As has now been well established, we do not undertake “mass surveillance”. What is key is that we have robust policies and processes in place to manage and discard all the irrelevant information that makes up the “haystack”, retaining only that information – or the “needle” - that is relevant to the intelligence we produce.

Elections

The integrity of New Zealand’s electoral process is at the heart of our democratic society and elections must be free and fair.

As we get closer to the general election in September we will be focussed on providing support to the Electoral Commission, including standing up a dedicated team to manage surge work.

This support includes working directly with the Electoral Commission to help them protect their systems, most of which are fortunately not connected to the internet which limits points of vulnerability. 

We have provided updated guidance for political parties and candidates on how to protect themselves from cyber threats, which has been circulated by the Electoral Commission.

We have also assisted with protective security briefings to Members of Parliament in conjunction with the NZSIS.

During the election period we will be responsive to reporting from our security partners, political parties or the public regarding suggestions of state sponsored disinformation campaigns.  

The Bureau has no role in monitoring political discussion in New Zealand.  

Robust political debate and freedom of expression are fundamental to our democratic process and our role is supporting efforts which ensure that there is no attempt to covertly influence the election by a state actor.

With regard to electronic voting, I am on the record as expressing a view that there is much work to be done – in terms of cyber security - before we can consider electronic voting.

GCSB’s Regulatory functions

There's been public focus on the GCSB’s regulatory roles recently – in particular in relation to the country’s telecommunications networks and the move to 5G.

GCSB is responsible for administering the network security provisions of TICSA. Through TICSA, we engage with network operators to identify and mitigate potential risks to national security before they occur.

TICSA applies a country and vendor agnostic framework. It requires the GCSB to make an independent assessment of network security risks, on a case-by-case basis.

Since TICSA came into effect in 2014, the GCSB has received hundreds of notifications from network operators. In the last financial year the GCSB received 158 notifications from network operators.  The vast majority of those were assessed and resolved within our self-imposed customer service targets of 20 working days.  In fact, we currently average 8.8 working days.

GCSB also has a regulatory role for New Zealand’s burgeoning space industry, assessing payloads to ensure they do not present national security risks.

There are a number of space-related enterprises developing in New Zealand, including Rocket Lab, projects being led by local universities and foreign companies wanting to establish space-related industries here.

The Outer Space and High-altitude Activities Act came into effect in December 2017 and allows agencies, including the GCSB and the NZSIS to manage risks to New Zealand’s space-related national interests and security.

The Act requires the GCSB and NZSIS to conduct national security risk assessments for all activities licensed or permitted. These assessments inform consultation between relevant Ministers about the security risk associated with each activity.

In the last financial year the intelligence and security agencies conducted 30 assessments on space-related activities from New Zealand. These assessments covered multiple launches, space payloads and high-altitude vehicles. I expect this will be a growing area of work for the agencies.

In undertaking these regulatory processes the GCSB acts independently.  While we receive intelligence from our Five Eyes partners, we also act independently from them, in accordance with our own domestic legislation.

Cyber Security

GCSB’s cyber security functions are delivered through the National Cyber Security Centre – or NCSC.

One of our key focus areas is countering advanced, cyber-borne threats to organisations of national significance across the public and private sector. These tend to be more sophisticated cyber threats that are typically beyond the capabilities of commercial products and vendors.

Our cyber security defence capabilities include our existing CORTEX programme, and our Malware Free Networks capability that we will be making available to a much wider set of organisations.

We have an incident response capability to assist organisations of national significance respond to potentially high impact cyber security incidents.

We also take cyber threat information obtained through the operation of these capabilities, and provided to us through a range of international relationships, and make it available to New Zealand’s significant organisations to help them strengthen and defend their networks from cyber threats.

We are constantly reaching out to establish relationships, through direct engagement with organisations, through sector based forums and via a customer portal to share information that can help increase the resilience of New Zealand’s important information networks and systems. 

This information sharing ranges from alerts and updates about potential threats and actions that can be taken to reduce vulnerability to more general advice on the steps organisations can take to ensure the resilience of their systems. 

Following the production of our cyber resilience assessment last year, we are also moving into developing more practical guidance and tools to assist organisation management and governance to better understand how they can support and manage their organisation’s cyber resilience efforts.

The next few slides provide an update on the New Zealand cyber environment, as reported in our NCSC’s annual cyber threat report released late last year.

Cyber threats serious impact on NZ

The NCSC recorded 339 incidents in the 12 months to 30 June 2019, compared with 347 incidents in the previous year.

These figures represent a small proportion of the total cyber security incidents impacting New Zealand, as the NCSC’s focus is on potentially high impact events and those affecting organisations considered to be of national significance.

The NCSC was able to identify indicators linking state-sponsored cyber actors to 39 percent of total incidents recorded in 2018-19.  While this is similar to the previous year (38%), NCSC analysis of these incidents shows they had a greater impact as more were detected in the post compromise phase of the threat cycle – where actors have had an opportunity to have an effect.

Cyber threat cycle

To look at that in more detail, you can see that 83 percent of incidents were recorded pre compromise, either at the preparation phase (41 percent) or the engagement phase (42 percent), compared to 17 percent of incidents detected post compromise (five percent at the presence phase and 12 percent at the effect/consequence phase).

Pre-compromise incidents

Pre-compromise activity is characterised by planning and reconnaissance by cyber actors, or initial engagement with their targets.

Pre-compromise incidents observed this year include New Zealand organisations that were targeted through phishing campaigns, website compromises, credential harvesting, or brute force attempts.

In 2018/2019, 214 NCSC cyber incidents were identified before the point of network compromise. While pre-compromise incidents are lower on the range of severity, they can still have a significant impact on an affected organisation.

Pre-compromise activity can evolve into fully fledged network compromise, if not detected and mitigated in a timely manner.

Post-compromise incidents

The goal of post-compromise incidents is to ensure ongoing access to a network, and to exfiltrate data or disrupt infrastructure or systems.

Seventeen of the incidents in the 2018-19 year were detected at the post-compromise phase.

These types of incidents range from internal network reconnaissance and keystroke logging, to encrypting, locking or exfiltration of files. Remediation of incidents that reach the post-compromise phase can have significant impacts for the affected organisation, depending on the nature and extent of the intrusion.

While the figures show just a five percent increase in post compromise incidents over the previous year, the difference in terms of impact (and the amount of effort required from our incident response team and the organisations they have assisted) has been quite significant.  You can see examples of some of these incidents in the case studies presented in the National Cyber Security Centre’s annual cyber threat report.

Cyber Trends

In the 2018/19 year the cyber security incidents seen impacting New Zealand's nationally significant organisations have increased in their severity, particularly from sophisticated state-sponsored actors.  As already noted, 38 percent of incidents in 2018-19 could be linked to state-sponsored actors.  While this is the same proportion as the previous year, a greater number of state-sponsored incidents were characterised as “post compromise”.

The NCSC continues to see incidents where malicious cyber actors have exploited known, unpatched vulnerabilities to gain access to systems.  This can be prevented through security patching, regular security testing, and taking additional steps to secure critical data.  Mitigating known vulnerabilities means cyber actors are forced to use more sophisticated tools and techniques to compromise a network.

In the international cyber security environment, the frequency of public reporting about cyber security incidents resulting in significant data breaches involving personally identifiable information is increasing.  The range of industries impacted is indicative of the high value of personal information, targeted by both state-sponsored and criminal actors.

The NZ Government continues to work closely with international partners to “call out” malicious cyber activity counter to the internationally accepted norms of behaviour in cyber space. I will talk more about our approach to attribution in a few minutes.

Attribution

Let me talk more about attribution.

The GCSB frequently conducts internal, technical attributions of malicious cyber activity and shares these with the New Zealand Government and international partners (usually at a classified level).

When it is in our national interest to do so, the New Zealand Government may decide to publicly reveal the conclusions of our technical attribution process to call out a malicious cyber actor.

Undertaking a technical attribution of malicious cyber activity, whether it is made public or not, is an important part of our role.

Understanding the actors’ tactics, techniques and procedures allows cyber defenders to adopt defensive postures to reduce the risk of a compromise, or identify compromise in its early stages.

By identifying the actors responsible for malicious cyber activity, we may be able to assess the intent of actors targeting New Zealand or global networks. This may allow us to identify other organisations being similarly targeted, and identify other campaigns or activity conducted by the actors. Doing so helps to inform the cyber security advice the NCSC can provide to New Zealand’s organisations of national significance and contributes to international understanding of malicious cyber activity.

Attribution is not a straightforward process. While at a high level attribution appears to be data collection, analysis and drawing conclusions, the reality is much more complicated.

To undertake the technical attribution process, we use data collected from the NCSC’s CORTEX capabilities and technical evidence from the NCSC’s incident response to affected organisations, and we review classified and unclassified reporting from international partners and the private sector.

We analyse how the actors compromised a network, what activity they conducted and look for links to known malicious actors.  We also work to understand the organisation and the specific information targeted or taken to help determine the sophistication and intent of the actor.

This type of information can also contribute to helping identify who may have been responsible by linking the activity to actors who have previously targeted similar organisations or information.

Often, malicious cyber campaigns do not occur in isolation, and occur in multiple countries simultaneously. By working with international partners, the GCSB can share information to assist with remediation of partner networks and to strengthen the overall attribution process.

Our confidence in the attribution assessment relies on the range, strength, number and reliability of the links found. As more information is confirmed, the confidence or strength of the attribution can also strengthen.

New Zealand is committed to upholding the rules-based international order which contributes to the secure, resilient and prosperous online environment from which New Zealand benefits. New Zealand’s cyber security strategy highlights these values and asserts New Zealand’s willingness to call out malicious cyber activity when it is in its national interest to do so.

The decision to publicly attribute malicious cyber activity is made by the New Zealand Government, based on its own independent assessment and independent of New Zealand’s international partners.

Organisations involved in advising Government on attributing malicious cyber activity include the GCSB, the Ministry of Foreign Affairs and Trade, and the Department of Prime Minister and Cabinet’s National Cyber Policy Office.

The GCSB’s primary role in this process is conducting a technical attribution of the malicious cyber activity to ensure an independent, sovereign technical assessment is made.

This technical assessment feeds into the consideration of a range of factors by the New Zealand Government, including the scale of the activity and the activity’s impact on New Zealand.

These considerations ensure the decision to publicly attribute malicious cyber activity aligns with New Zealand’s national interest and supports New Zealand’s vision for cyberspace.

In the past two years the GCSB, on behalf of the New Zealand Government, has publicly attributed five cyber campaigns which were designed to generate revenue, disrupt businesses, undermine democracy, or steal intellectual property.

The WANNACRY campaign was attributed to North Korea. This was a significant international ransomware campaign which exploited a known vulnerability for which patches had been released.

The NOTPETYA attack was attributed to Russian state actors. While NotPetya masqueraded as a criminal ransomware campaign, its real purpose was to damage and disrupt systems. Its primary targets were Ukrainian financial, energy and government sectors; however, its indiscriminate design caused it to spread around the world, affecting these sectors world-wide.

A collection of other campaigns have been attributed to Russian Military Intelligence (GRU). The attributed activity included targeting overseas political institutions, business, media and sporting organisations.

The CLOUDHOPPER global campaign of cyber-enabled commercial intellectual property theft was attributed to the Chinese Ministry of State Security (MSS). This long-running campaign targeted the intellectual property and commercial data of a number of global managed service providers, some operating in New Zealand.

Most recently, two weeks ago, New Zealand added its voice to international condemnation of a series of malicious cyber-attacks against Georgia.  These attacks by Russian state actors impacted over 2000 Georgian websites and the Georgian national television station.

We are aware of other countries which are involved in state-sponsored cyber-attacks. These examples are the ones which have gone through New Zealand’s public attribution process.

Attributing malicious cyber activity helps send a strong signal to the actors and states responsible for the activity that their conduct is unacceptable within the rules-based international order.

Public attribution can be accompanied by private diplomatic engagement, and in some instances, particularly in the United States, the laying of criminal charges against the threat actors identified as being responsible.

Calling out this activity also reduces the efficacy of malicious cyber actors.

By revealing the actor’s methods of compromise and increasing the reputational costs of conducting malicious cyber activity, the actors’ ability to operate in cyberspace is decreased. By outing these methods, organisations can more readily detect, and respond to these threats, forcing the actors to change their behaviour and making it harder for the actors to successfully conduct malicious cyber activity.

The New Zealand Government also expects that calling out this malicious cyber activity will raise public awareness of the risks posed by malicious cyber activity. By educating the public about these potential threats, the GCSB and the New Zealand Government hope to improve cyber defensive measures and raise awareness of malicious cyber activity which may adversely impact New Zealanders.

This in turn contributes to the safety and security of New Zealanders online.