Improving the cyber security resilience of New Zealand businesses

Speech by Andrew Hampton, Director-General GCSB, delivered to the Business New Zealand CEO Forum, Auckland.

Opening

Kia ora koutou katoa.

Thank you for the invitation to speak with you today. It’s my pleasure to come and talk with you about the work of my organisation, the Government Communications Security Bureau, particularly our role in helping to protect New Zealand’s most important information and information systems.

Christchurch terrorist attacks

I would like to start by acknowledging the attacks in Christchurch on 15 March.

The attacks were an abhorrent challenge to everything that New Zealand holds dear. GCSB’s thoughts are with the families, friends and communities of the victims.

New Zealand’s response is a testament to the values of tolerance and openness that define our country.

As you’ll be aware Rebecca Kitteridge, Director-General of the New Zealand Security Intelligence Service (NZSIS) was invited to co-present with me today. Rebecca gives her apologies, but she is needed in Wellington.

NZSIS has two top priorities at the moment. First, they are focused on supporting New Zealand Police in their important investigation and the resulting prosecutions. Second, they are focused on mitigating the risks to New Zealanders posed by possible revenge or copycat attacks.

Both the GCSB and NZSIS have welcomed the Royal Commission of Inquiry.

It is important that there will be an inquiry and GCSB is committed to providing all necessary support. It is of the utmost importance that the public are assured that GCSB acted lawfully and appropriately.

What I will cover

This afternoon I will begin by talking about the role and function of the GCSB, including our two primary missions of foreign intelligence collection and the provision of cyber security and information assurance services for New Zealand’s organisations of national significance.

I will also touch on our role in assisting domestic counter-terrorism activity, including what we can and cannot do with regards to “monitoring” New Zealand’s internet traffic for intelligence purposes.

I will then focus on the cyber threatscape, and our response to it.

This will include sharing some of the key findings from the cyber security resilience assessment that the GCSB’s National Cyber Security Centre staff conducted with more than 250 of New Zealand’s organisations of national significance.

I will close by sharing some of the tangible steps you can take as leaders in your organisations to help ensure the resilience of the systems and information you are responsible for.

What is the GCSB? Our legislated role and how we do what we do

The GCSB is a ‘SIGINT’, or signals intelligence agency, meaning we specialise in intelligence derived from electronic communications. We also have a statutory role in cyber security and information assurance.

Everything we do needs to be in accordance with the objectives of the Intelligence and Security Act 2017, or ISA for short, and in accordance with New Zealand’s human rights obligations.

The purpose of the ISA is to “protect New Zealand as a free, open and democratic society.”

The ISA states the principal objectives of the intelligence and security agencies are to contribute to:

  • the protection of New Zealand’s national security; and
  • the international relations and well-being of New Zealand; and
  • the economic well-being of New Zealand.

We do this by:

  • collecting and reporting on intelligence – primarily foreign intelligence – in accordance with government priorities in order to inform government decision-making, and
  • providing cyber security and information assurance services to protect the information and information systems of organisations of national significance, from both the public and private sector.

The ISA provides a strong authorising framework to ensure that our intelligence activities are not only legal, but also necessary and proportionate.

The ISA also provides for other checks and balances that ensure our compliance with the law, including independent oversight.

A Public Service agency with a difference

GCSB is a public service agency, and just like every other agency we are accountable to the Government of New Zealand and required to act in the interests of New Zealand and New Zealanders.

But we are an agency with a difference – we have intrusive powers and much of what we do needs to be done in secret.

Our powers can only be employed with the right level of authorisation.

For example, any intelligence warrant for the purpose of collecting intelligence against a New Zealander needs to be issued by both the Minister Responsible for the GCSB and the Commissioner for Security Warrants, who is a former High Court Judge.

Independent oversight is provided by the Inspector General of Intelligence and Security who has strong investigative powers and can access all of our files and records.

The intelligence and security agencies also report to Parliament’s Intelligence and Security Committee. This is done at both an unclassified and classified level to give the Committee greater oversight.

Internally we promote a culture of strong legal compliance and we have strong systems to ensure we are meeting our compliance obligations.

For public service agencies in general, public trust and confidence is important. For the intelligence and security agencies it is vital.

It is what gives us the social licence we need to undertake the work that we do. That is one of the reasons we make a deliberate effort to talk about what we do across both the public and private sectors.

It is also why winning the 2018 IPANZ Excellence Award for Trust and Confidence in Government is perhaps more significant for us than for many other public sector agencies.

GCSB’s role in domestic counter-terrorism

In regards to domestic counter-terrorism, the GCSB’s role is to provide assistance to the NZSIS and the New Zealand Police at their request. This assistance is primarily technical capabilities and access to foreign intelligence.

Over the past three years the GCSB has taken a series of deliberate steps to enable us to respond effectively to requests for assistance on domestic counter-terrorism, within the legislative and resource constraints we operate under.

These steps included putting in place warrants that allow GCSB to gather intelligence about terrorism that do not differentiate between different forms of violent extremism. The GCSB has also focused on building close working relationships with NZSIS, New Zealand Police and New Zealand Customs through joint operations and staff secondments.

We have established processes for responding to changing priorities and requests by other agencies for assistance under the ISA. As a result, GCSB teams can be deployed across a range of intelligence priorities and agency requirements. Developing such teams, supported by the right technologies, takes time, but once in place they are highly effective.

The GCSB’s response to the Christchurch terrorist attacks

I can only provide limited comment about the GCSB’s response to the Christchurch terrorist attacks while there is an active Police investigation and a Royal Commission of Inquiry.

GCSB is normally in the position where it can neither confirm nor deny operational details. However, given the nature of the situation, I have already said publicly that the GCSB had not collected or received from partners any relevant intelligence ahead of the terrorist attacks. The Police have now confirmed that they believe the attacker acted alone; however, I must emphasise that it is my clear understanding that the investigation is as yet incomplete.

In the aftermath of the March 15 terrorist attacks we received tasking from NZSIS and New Zealand Police. Once tasked we were able to quickly use our capabilities to make unique, and material, contributions to the investigation and the response.

We continue to have staff working 24/7 in support of the operation.

Monitoring the internet, what the GCSB does and doesn’t do

I would also like to take this opportunity to clarify what the GCSB does and doesn’t do when it comes to monitoring the internet as there has been public comment about this in the wake of the Christchurch attacks.

New Zealand intelligence agencies do not have the legal authority, technical means, resourcing, or indeed the social licence to monitor all of the country’s internet activity. For example, agencies cannot monitor all traffic to particular web sites and chat rooms, or who is uploading certain types of material.

The GCSB is able to intercept the communications of New Zealanders for intelligence gathering purposes if it acquires a Type 1 warrant under the Intelligence and Security Act 2017. In order to obtain such a warrant the activity must be shown to be both necessary and proportionate.

To be able to conduct general monitoring of New Zealand’s internet traffic would require an access programme to enable the bulk collection of internet traffic entering and leaving the country. New Zealand does not have such an access programme.

Under such a programme the initial analysis of internet traffic would be done in an automated way, but it would also require a significant number of skilled people to do more detailed analysis and reporting. Importantly, due to the massive data volumes involved we would need to have a substantive lead, or compelling hypothesis.

Increasingly internet traffic is encrypted or involves closed chat rooms. This means activity would not necessarily be easily detected.

This is not a problem unique to New Zealand. Law enforcement and security intelligence agencies around the world are dealing with the extreme challenges that encryption presents.

Persons of Interest can also use tactics to further obfuscate their activity, such as using code words and purposeful misspellings.

We can and do access the internet traffic of New Zealand organisations for cyber security purposes, to help keep them safe from cyber-attacks. We do this with the consent of the organisations involved.

GCSB’s regulatory functions – telecommunications and outer space

There has been considerable public focus on the GCSB’s regulatory roles recently – in particular in relation to the country’s telecommunications network.

Many of you may have noted the recent media coverage of the Telecommunications (Interception Capability and Security) Act 2013 – or TICSA. The Act establishes obligations for New Zealand’s telecommunications network operators in two key areas – interception capability and network security.

GCSB is responsible for administering the network security provisions of the TICSA. Through TICSA, we engage with network operators to identify and mitigate potential risks to national security.

The TICSA applies a country and vendor agnostic framework. It requires the GCSB to make an independent assessment of potential network security risks, on a case-by-case basis.

Since TICSA came into effect in 2014, the GCSB has received several hundred notifications from network operators. For example, in the last financial year the GCSB received 123 notifications from network operators.

GCSB also has a regulatory role for New Zealand’s burgeoning space industry, assessing payloads to ensure they do not present national security risks.

There are a number of space-related enterprises developing in New Zealand, including Rocket Lab, projects being led by local universities and foreign companies wanting to establish space-related industries here.

The Outer Space and High-altitude Activities Act came into effect in December 2017 and allows agencies, including the GCSB and the NZSIS to manage risks to New Zealand’s space-related national interests and security.

The Act enables the GCSB and NZSIS to conduct national security risk assessments for all activities licensed or permitted. These assessments inform consultation between relevant Ministers about the security risk associated with each activity.

In the last financial year the intelligence and security agencies conducted 24 assessments on space-related activities from New Zealand. These assessments covered multiple launches, space payloads and high-altitude vehicles. I expect this will be a growing area of work for the agencies.

In undertaking these regulatory processes the GCSB acts independently from Ministers. While we receive intelligence from our Five Eyes partners, we also act independently from them, in accordance with our own domestic legislation.

The National Cyber Security Centre, which sits within the GCSB

I would now like to move to cyber security.

GCSB’s cyber security functions are delivered through the National Cyber Security Centre – or NCSC.

One of our key focus areas is countering advanced, persistent cyber-borne threats (APTs) to organisations of national significance. APTs tend to be more sophisticated cyber threats that are typically beyond the capabilities of commercial products and vendors.

As part of our cyber security role we work across government and the private sector to implement cyber defence capabilities protecting a range of nationally significant organisations from advanced cyber threats. This includes our existing CORTEX programme, and our Malware Free Networks capability that we will be making available to a much wider set of organisations.

We take cyber threat information obtained through the operation of these capabilities, and provided to us through a range of international relationships, and make it available to New Zealand’s significant organisations to help them strengthen and defend their networks from cyber threats.

We are progressively reaching out to establish relationships, through direct engagement with organisations, through sector based forums and via a customer portal to share information that can help increase the resilience of New Zealand’s important information networks and systems.

This information sharing ranges from alerts and updates about potential threats and actions that can be taken to reduce vulnerability to more general advice on the steps organisations can take to ensure the resilience of their systems.

Cyber Threats

In December last year the National Cyber Security Centre released its annual cyber threat report, providing an overview of the cyber threat activity we have seen. The report covers the 2017-18 financial year.

347 cyber security incidents were recorded in New Zealand. Of those, 134 (about 39 per cent) contained indicators linking them to known state-sponsored cyber actors.

Most of those incidents (85 per cent) were detected at, or prior to, their first attempt to compromise an organisation.

We estimate that the cost of harm avoided through the operation of our cyber defence capabilities was around NZD $27 million.

When combined with the figures for the previous year the cost of harm avoided is conservatively estimated at around NZD $67 million since June 2016.

But the numbers only tell part of the story.

We know cyber adversaries are getting smarter. Changes in technology are increasing their “attack surface” and providing more tools for them. Their emails are better targeted, and more credible, and their fake websites are increasingly difficult to distinguish from the real thing.

In terms of cyber threat trends, some of the things we can expect to see in the future – both in New Zealand and internationally – include:

  • Growing insecurity in cyberspace as technological change, such as artificial intelligence, the internet of things and quantum computing, increases the potential scale and impact of cyber-attacks.
  • A continued trend towards larger, more geographically dispersed and more costly malicious cyber activity.
  • Cyber being used not only for espionage but also for influence – for example in the US Presidential Campaign – and revenue generation.
  • More global cyber-attacks having an adverse impact on New Zealand’s interests due to aggressive or reckless actions in cyber space.
  • New Zealand government and private sector organisations being targeted or indiscriminately affected by disruptive and widespread global cyber incidents.

Who is behind state-sponsored cyber campaigns?

The GCSB has a robust attribution process it works through before it calls out a state-sponsored cyber-attack. The process can be complex and often takes time to work through. New Zealand publicly attributes cyber incidents where it is in the national interest to do so.

In the last 18 months the GCSB, on behalf of the New Zealand Government, has joined with like-minded countries to publicly attribute four cyber campaigns. These cyber campaigns were designed to generate revenue, disrupt businesses, undermine democracy, or steal intellectual property.

The WANNACRY campaign was attributed to North Korea. This was a significant international ransomware campaign which exploited a known vulnerability for which patches had been released.

The NOTPETYA attack was attributed to Russian state actors. While NotPetya masqueraded as a criminal ransomware campaign, its real purpose was to damage and disrupt systems. Its primary targets were the Ukrainian financial, energy and government sectors; however, its indiscriminate design caused it to spread around the world, affecting these sectors world-wide.

A collection of other campaigns has been attributed to Russian Military Intelligence (GRU). The attributed activity included targeting overseas political institutions, business, media and sporting organisations.

The CLOUDHOPPER global campaign of cyber-enabled commercial intellectual property theft was attributed to the Chinese Ministry of State Security (MSS). This long-running campaign targeted the intellectual property and commercial data of a number of global managed service providers, some operating in New Zealand.

GCSB is aware of other countries which are involved in state-sponsored cyber-attacks. These four examples are the ones which have gone through New Zealand’s attribution process.

I am not able to provide more detail about state actors undertaking activity that the GCSB is concerned by. As I said earlier, given the sensitive nature of the work we do it often needs to be carried out in secret. This is why I’m careful about what we say in an unclassified environment – because when information is provided to the public, the information may also get to those who wish to do New Zealand harm.

Determining how much information is put into the public arena is a complex risk assessment which has to balance public interest and national security.

How business can improve its resilience to the growing cyber threat

One of the ways GCSB can help New Zealand organisations to be more resilient to these types of campaigns is by identifying where they can best focus their cyber security and resilience efforts.

In October last year our NCSC released the first Cyber Security Resilience report, benchmarking the cyber security resilience of New Zealand’s nationally significant organisations.

We sat down with the IT managers of 250 organisations, and asked them 50 questions about their cyber security set up, plans, oversight and funding.

The report summarises the survey data collated and identifies that, despite increased investment in cyber security in the past 12 months, organisations feel their security practices are not keeping pace with the rate of digital transformation.

We identified four areas of good practice where organisations should focus their efforts for the greatest effect: governance, investment, readiness and supply chain.

Governance – this is the oversight of cyber security at a board or executive level. Executives and boards play a critical role in driving cyber security as a priority within the organisation and ensuring the security approach aligns with business strategy.

They are ultimately responsible for any outcomes of an incident, including the potential impact on stakeholder and customer confidence.

We found that in some NZ organisations, there is a lack of effective cyber security governance.

Only 19 percent of organisations surveyed have a dedicated Chief Information Security Officer (CISO) and 39 percent of organisations do not provide cyber security reporting to senior management or only do so on an ad hoc basis.

We suggest the following steps to help increase maturity in this area:

  • Identify the person, or people, who are accountable for cyber security in your organisation;
  • Ensure your organisation’s leadership receives regular reporting on security issues from your IT team or service provider, and
  • Make cyber security reporting easier to consume. For example, report cyber security ‘near misses’ in the same way as you might report Health and Safety issues.

Investment is necessary for any organisation to make improvements in their cyber security.

Not all investment returns the same value. We found that while spending has increased, investment could be more targeted. Our survey showed that despite 73 percent of organisations increasing spending on cyber security in the past year, this has not translated into an increased level of confidence in their cyber security resilience.

Only 33 percent of organisations had fully identified their critical information assets and 52 percent of organisations reported they had insufficient numbers of skilled staff to satisfy their perceived security requirements.

We suggest organisations could take the following steps to increase their investment maturity:

  • Identify the information assets that are most critical to your business and assess the risks posed to these assets;
  • Seek agreement at a governance level on the organisation’s risk appetite;
  • Balance strategic, longer term investments in the development of assets and staff over “one off” costs for vulnerability assessment snapshots; and
  • Create a separate budget line to effectively manage and track IT security spending.

Readiness refers to preparing the organisation to detect, respond, and recover from a cyber security incident.

Readiness for an incident enables an organisation to reduce the overall cyber security risk through prompt and effective recovery. The ability to detect an intrusion and to respond promptly is the difference between a minor and a major compromise.

Our survey demonstrates that NZ organisations could improve their readiness.

It showed organisations have low levels of confidence in their ability to detect an intrusion. Only 38 percent reported having full time IT security staff, and only 63 percent have an incident response plan.

Organisations can increase their cyber security readiness by:

  • Acquiring the tools or services that enable detection of incidents; and
  • Preparing a cyber security incident response plan and testing it on a regular basis.

Supply Chain refers to maintaining oversight and awareness of the cyber security risks in an organisation’s supply chain.

Outsourcing can be an effective way to overcome challenges of IT investment.

However, this does not transfer the risk. Organisations must be aware of the strength of each link in their IT or security supply chain. Organisations must also ensure third party providers are delivering the business requirements for security.

We found that the supply chain risk is becoming more and more apparent in New Zealand.

Seventy-two percent of organisations use some type of managed service provider, but only 64 percent of them considered IT security as part of the vendor contracting process.

In order to improve supply chain security organisations should:

  • Include cyber security as a consideration when assessing new vendors. Include regular security reporting as part of the contract and, where possible, build specific security clauses into Service Level Agreements; and
  • Ensure you have the right to audit your vendor’s performance periodically to validate that the agreed level of security is being provided.

I have copies of our cyber security resilience assessment here with me, and it is available on the GCSB and NCSC web sites if you would like to understand our findings and recommendations in more detail.

Questions all business leaders should be asking

I will finish by providing some questions you should be asking your executive team and your information security staff to help ensure the cyber security resilience of your organisations.

Things you should be discussing with your teams include:

  • Information assets: What are our most important information assets? How are we protecting these assets? Are we managing the risk to an acceptable level in accordance with our business objectives and do we have a security framework in place?
  • Impact: What would be the impact of a cyber-attack? What are the cyber security risks to the organisation? What is the potential cost of a cyber-attack and the damage to our brand?
  • Vulnerabilities: What vulnerabilities exist in our systems? Do we have inventories of all of our IT systems? Are we following best-practice advice and do we conduct regular audits and security risk assessments?
  • Response: What is our communication strategy for dealing with a cyber incident? What are our disclosure requirements for cyber incidents and what is our incident response plan?

Closing

I have covered a fair amount of ground and appreciate that there is a lot to take in. Thank you for your time and attention today.

I am happy to take a few questions.