Speech: Cyber Security in a Covid-19 world

August 3, 2020

(Text of presentation by Andrew Hampton, Director General, Government Communications Security Bureau to NZ Institute of International Affairs, Victoria University, Wellington, 3 August, 2020)

 

Good evening and thank you for the opportunity to come along tonight.

This session was originally going to be in March and I was intending to talk then about the current cyber threat scape, in particular the process we go through to identify, and when it’s in New Zealand’s interest to do so, publicly attribute malicious cyber activity to particular actors. However Covid-19 intervened and the decision was made to postpone. It is therefore apt that the main focus of tonight’s session is cyber security in the Covid-19 world.

Special thanks to technology commentator Paul Brislen, who has come down from Auckland to help facilitate the second part of tonight's event where we aim to have a more interactive discussion about the challenges of operating securely in the Covid-19 environment.

I plan to talk for around 30 minutes covering off some of the key areas that we will then be able to dig into in more depth in the discussion session.

While the focus for this session is “Cyber security in the Covid–19 world”, I know the interests of NZIIA members extend beyond that perhaps narrow focus, so I plan to spend some of our time this evening talking more broadly about some other aspects of the Bureau’s work.

I will begin by talking about the role of the Bureau, our twin missions of intelligence and cyber security, the priorities we focus on, on behalf of the Government, and the special requirements on us as a public service, intelligence and security agency.

Recognising the international interest of the audience, I will touch on the Bureau’s role under the Telecommunications (Interception Capability Security) Act – TICSA and the work that we do to help ensure the security of New Zealand's telecommunications networks as well as our role in election security, given the General Election in September.

I will then move on to talk more specifically about cyber security, the nature of the threats we face globally and in New Zealand, and look at how Covid-19 has accelerated some existing information technology trends and impacted  on the cyber security landscape.

There has been a range of comment, internationally and here in New Zealand about who is behind the cyber threats we face, so I will spend some time talking about, what was going to be my original topic back in March, the attribution process and the thinking behind when the New Zealand Government “calls out” specific cyber threat actors.

I will finish by identifying what I see as some of the key implications for New Zealand and the actions we can take to help defend against some of the more advanced and persistent cyber threat actors in this new environment.  Then we can move into the discussion session facilitated by Paul.

 

What is the GCSB?

So, let’s start with what is the GCSB? What is our legislated role and how do we deliver on the priorities that the Government sets for us?

The GCSB is a ‘SIGINT’, or signals intelligence agency, meaning we specialise in intelligence derived from electronic communications. We also have a statutory, and increasingly important, role in cyber security and information assurance.  Our partner agency, the NZSIS, is a HUMINT agency, focused on human to human interactions but we work very closely together on common threats and in response to customer requirements.

Everything we do needs to be in accordance with the objectives of the Intelligence and Security Act 2017, or ISA for short, and in accordance with New Zealand’s human rights obligations. The purpose of the ISA is to “protect New Zealand as a free, open and democratic society.”

The ISA states the principal objectives of the GCSB, and the NZSIS, are to contribute to:

  • the protection of New Zealand’s national security; and
  • the international relations and well-being of New Zealand; and
  • the economic well-being of New Zealand.

We do this by:

  • Collecting, analysing and reporting on intelligence – primarily foreign intelligence – in accordance with government priorities in order to inform government decision-making; and
  • providing cyber security and information assurance services to protect the information and information systems of organisations of national significance, from both the public and private sector.

The ISA provides a strong authorising framework to ensure that our intelligence activities are not only legal, but also necessary and proportionate. The ISA also provides for other checks and balances that ensure our compliance with the law, including independent oversight.

A Public Service agency with a difference

GCSB is a public service agency, and just like every other agency we are accountable to the Government of New Zealand and required to act in the interests of New Zealand and New Zealanders. But we are an agency with a difference – we have intrusive powers and much of what we do needs to be done in secret. Our powers can only be employed with the right level of authorisation.

Any intelligence warrant for the purpose of collecting intelligence against a New Zealander needs to be issued by both our Minister and the Commissioner for Security Warrants, who needs to be a Judge, or a retired Judge of the High Court.

Independent oversight is provided by the Inspector General of Intelligence and Security who has strong investigative powers and can access all of our files and records. The intelligence and security agencies also report to Parliament’s Intelligence and Security Committee. This is done at both an unclassified and classified level to give the Committee greater oversight. Internally we promote a culture of strong legal compliance and we have strong systems to ensure we are meeting our compliance obligations.

For public service agencies in general, public trust and confidence is important – for us it is essential.  One way we build public trust and confidence is by being as open as we can about the nature of the threats New Zealand faces, our role in responding to those threats, and how we are held accountable to the people of New Zealand.

Our intelligence lines of effort

While the main focus of this evening’s session is our cyber security function let me talk briefly about our intelligence mission. There are some limits on what I can say about this work, although there are some enduring areas of intelligence focus for us.  These are in line with the Government’s National Intelligence and Security Priorities (or NSIPS) which are now made public (on the DPMC website).

Peace, stability and security in the Pacific

Our geographic location, and the special relationships we have with our Pacific neighbours means part of our role is to pay particular attention to our region, both to help inform government decision making, and to help identify and respond to emerging risk. In 2018 the Inspector General produced a comprehensive public report on our activities in this area. 

Geostrategic competition

As this audience will be well aware, the world is currently experiencing an unprecedented level of geostrategic competition and some of that is playing out in our region. New Zealand therefore needs to be well informed about the interests, intentions and capabilities of foreign actors, and intelligence has an important role to play in this. New Zealand works in cooperation with like-minded partners to uphold the international norms that we rely on.  Again, intelligence makes a contribution here as well.

Support to Military operations

We play a role in supporting New Zealand Defence Force operations, including protecting personnel in their deployments around the world. This area has recently received scrutiny in the Government inquiry into Operation Burnham and the accompanying Inspector General of Intelligence and Security (IGIS) inquiry.

Transnational Crime

Through our signals intelligence capabilities we support New Zealand agencies to better target transnational crime networks with the aim of disrupting their efforts ‘upstream’ - before their activities can impact on New Zealand.  This is an important and growing line of effort for us.

Counter Terrorism

The NZSIS and the New Zealand Police are the lead agencies for domestic counter-terrorism. The role of the GCSB is to provide support to these agencies in their work. This support is primarily through our technical capabilities, and our access to foreign intelligence. 

We absolutely support the Royal Commission of Inquiry into the horrific Christchurch mosque attacks. It is vital that we know if there is anything that could have been done to prevent the attacks, and identify any lessons to be learned for the future, including whether the Bureau should have a greater role in domestic security matters. 

Our main counter terrorism contribution however, is externally focussed.  Here we use our unique capabilities to contribute to global efforts to defeat violent extremism in its various forms.

Covid-19

And then there has been the impact of Covid-19.  Covid-19 has resulted in increased demand, including from new customers, for pandemic related foreign intelligence.  Rather than resulting in a whole new line of intelligence effort, Covid-19 has brought a new lens to our existing priorities.

GCSB’s approach to intelligence gathering

We collect intelligence by electronic means, which includes the ability under the Intelligence and Security Act to intercept communications and to seize electronic information.

We do this through a range of capabilities, including interception of high frequency radio (Tangimoana) and satellite communications (Waihopai) and we have legal authorisation to access information infrastructures.

The 2015 Cullen Reddy review of NZ intelligence agencies made the point that modern communications mean it is often not possible to identify and copy a specific communication of interest in isolation.

We often need to collect a larger set of communications – they describe it as the “haystack” in which our analysts then find the “needle”. Even then, the extra information we draw together to form the haystack is a tiny proportion of the abundance of communications zooming around every day.  

We also share intelligence with our Five Eyes partners.  New Zealand derives significant net benefit from the relationship in terms of access to intelligence and technical capabilities that we would never be able to obtain working alone.  However, any intelligence sharing GCSB does with foreign partners needs to be in accordance with New Zealand law and human rights obligations.  Importantly, GCSB cannot ask partners to do anything that we can’t legally do ourselves. 

As has now been well established, we do not undertake “mass surveillance”.

What is key is that we have robust policies and processes in place to manage and discard all the irrelevant information that makes up the “haystack”, retaining only that information – or the “needle” – that is relevant to the intelligence we produce.

Support for Elections

Let’s now move to a couple of topical matters.  The first is election security.  A recent report from CSE, the GCSB’s Canadian equivalent, found that at least half of the democracies who had elections between 2015 and 2018 were subject to some form of malicious cyber interference by foreign actors.

The integrity of New Zealand’s electoral process is at the heart of our democratic society and elections must be free and fair.  The intelligence agencies have an important role to play in protecting our electoral process from foreign interference and malicious cyber activity, but it is an area where we must tread very carefully.  The role of the agencies in responding to such threats to the general election is set out in a protocol recently published on the New Zealand Intelligence Community website.

Currently we are very focussed on providing support to the Electoral Commission, including standing up a dedicated team to manage surge work. This support includes working directly with the Electoral Commission to help them protect their systems.

With the NZSIS we are also providing advice and assistance to MPs, political parties and candidates on how to protect themselves from foreign interference and from cyber threats.  This includes some recent public guidance, available on the NZSIS Protective Security Requirements website.

GCSB’s role with regard to disinformation on social media is a limited and conservative one.  During the election period we will be responsive to reporting from our security partners, political parties or the public regarding suggestions of state sponsored disinformation campaigns. However, the Bureau has no role in monitoring political discussion in New Zealand.  Robust political debate and freedom of expression are fundamental to our democratic process.  Our role is limited to supporting efforts which ensure that there is no attempt to covertly influence the election by a state actor.

With regard to electronic voting, I am on the record as expressing a view that there is much work to be done, in terms of IT maturity and security, before we can consider electronic voting.  This is at both the national and local government level.

Covid-19 Essential Services

The Bureau including our National Cyber Security Centre (NCSC) and the NZSIS were, along with many other organisations and services, deemed essential to New Zealand’s Covid-19 response.

We scaled back our services at Level 4 lock down to focus on only essential activity.   This included priority national security services such as: 

  • domestic and international threat assessments, with a particular priority towards NZ citizens and posts;
  • critical intelligence collection, analysis and dissemination;
  • a 24/7 national security Watch and Warn function through the NZ Security Operations Centre;
  • high grade encryption and cryptographic services;
  • maintaining CORTEX systems providing high grade cyber security detection and disruption to organisations of national significance; 
  • guidance to support government in maintaining safe and resilient ICT services; and
  • support to essential ICT networks within the national security sector.

What Covid-19 means for how we work?

Like all other organisations during lockdown, we had to very rapidly change the way we operated to minimise risk to our staff and maintain continuity of essential services. We reduced staffing levels and limited staff numbers around our facilities by moving to shift working, with weekly rotations.

For many staff the restrictions of lock down meant a shift in focus for their work; their emphasis moved from primarily working on highly classified information and systems to undertaking what work they could do in the unclassified domain.  This “low-side” working as we call it often included professional development and research, but it was also essential for staying connected with our cyber security customers who were also working remotely.

I have already mentioned that Covid-19 led to an increased demand for our foreign intelligence products, including from new customers.  We also saw increased demands for our cyber security expertise and advice as organisations in both the public and private sector looked to rapidly, and securely, move to new platforms and systems to enable remote working under lock down conditions.  In addition, we provided cyber security advice on tracking and tracing technologies being commissioned by Government.

Also like other organisations, now we are out of lockdown we have a lessons learned process underway to identify and embed those new ways of working that we wish to keep.

New Zealand’s response to Covid-19 also saw us in a unique position amongst our international intelligence partners.  While we experienced some disruption during the Level 3 and Level 4 lockdown we have now largely returned to a normal operating model.  As I engage with my senior leadership colleagues in partner agencies around the world it is clear they are having to operate under significant constraint, based on the Covid-19 situation in their own countries, and that this situation may continue for some time to come.

International Covid-19 cyber threat scape

Now let’s turn to the international Covid-19 cyber threat scape.  We have a lot of classified reporting on this which I am unable to share.  However, I can highlight some of the themes from open source reporting which broadly align with the more sensitive reporting.

Cyber criminals adapted their techniques and tactics to match the themes of global emergency.  They opportunistically exploit the public’s desire for information and news about Covid-19 and use it as a lure for the malicious activity. Examples of this sort of activity include:

  • use of fake Covid-19 contact-tracing apps to infect people’s devices, and compromise of their phones;
  • phishing enabled fraud involving financial relief packages and payments; and,
  • use of CV attachments to install credential-stealers and other malicious files on victim computers.

According to Microsoft reporting, by the end of March 2020 nearly every country in the world had at least one Covid-19 themed attempt to exploit computer users’ desire for Covid-19 related information.

At the more significant end of the scale, there are multiple overseas reports of sophisticated actors targeting government organisations, and research institutions to steal information on responses to Covid-19 and Covid-19 related research.  There have also been reports of health and pharmaceutical sectors being targeted and of state-actors using malicious cyber activity to promote narratives about the origins of the virus and their own, and other countries’ response to it.

In May, I added New Zealand’s voice to international condemnation of this sort of activity.  The targeting of such systems in any country, at any time is unacceptable, and is particularly deplorable in the midst of the current global health crisis.  I called on all cyber actors to refrain from activity that may jeopardise national or international responses to the Covid-19 pandemic.

Since then I have made several other statements on behalf of the Government, in support of international “calling out” of specific Covid-19 malicious activity.

Covid-19 accelerating threat Cyber Trends

Many of the cyber security risks and challenges posed by Covid-19 and the global response to it are not new. What Covid-19 has done is accelerate the pace of change and adoption of technologies, which in turn has increased risks and created more opportunities for malicious actors.

Organisations were already adopting new technologies like moving portions of their IT infrastructure to cloud based platforms and outsourcing aspects of their technology systems and services to third party suppliers. However, as they grapple with the challenges of operating in locked down, or constrained environments they are looking for solutions that increase their flexibility and their ability to pivot quickly, to change and to take advantage of new opportunities. Whether that is using Internet of Things (IoT) based technology to speed up or automate processes, or using remote working tools and platforms to give greater workforce flexibility.

While this type of change has been underway, or on the horizon for organisations for some time, cyber security practice and awareness has not always been at the forefront of their conversations or consideration as they quickly evolve their operating models and supporting systems in response to the pandemic.

Unfortunately much of the risk and the technical vulnerability that enables malicious actors to access and impact on systems stems from known issues.

We continue to see incidents where malicious cyber actors have exploited known, unpatched vulnerabilities to gain access to systems.  Many of these incidents can be defended against by following basic cyber security steps like security patching, regular security testing, and taking additional steps to secure critical data. 

Our NCSC engagement teams are constantly reinforcing this message in their engagements and reporting to customers.

Who are the malicious cyber actors?

Our NCSC publishes an annual cyber threat summary highlighting key trends in malicious activity impacting New Zealand organisations. In 2018-2019 the NCSC recorded 339 incidents with 38 percent of those being able to be linked to state-sponsored actors.

As part of New Zealand’s commitment to upholding the rules-based international order we will, from time to time, publicly call out actors responsible for particular events where it is seen as in New Zealand’s interest to do so. The decision to publicly attribute malicious cyber activity is made by the New Zealand Government, based on its own independent assessment and independent of New Zealand’s international partners.

Organisations involved in advising Government on attributing malicious cyber activity include the GCSB, the Ministry of Foreign Affairs and Trade, and the Department of Prime Minister and Cabinet’s National Cyber Policy Office.

The GCSB’s primary role in this process is conducting a technical attribution of the malicious cyber activity to ensure an independent, sovereign technical assessment is made.  This technical assessment feeds into the consideration of a range of factors by the New Zealand Government, including the scale of the activity and the activity’s impact on New Zealand.

In the past few years the GCSB, on behalf of the New Zealand Government, has publicly attributed five cyber campaigns which were designed to generate revenue, disrupt businesses, undermine democracy, or for the theft of intellectual property.

The WANNACRY campaign was attributed to North Korea. This was a significant international ransomware campaign which exploited a known vulnerability for which patches had been released.

The NOTPETYA attack was attributed to Russian state actors. While NotPetya masqueraded as a criminal ransomware campaign, its real purpose was to damage and disrupt systems. Its primary targets were Ukrainian financial, energy and government sectors; however, its indiscriminate design caused it to spread around the world, affecting these sectors world-wide.

A collection of other campaigns have been attributed to Russian Military Intelligence (GRU). The attributed activity included targeting overseas political institutions, business, media and sporting organisations.

The CLOUDHOPPER global campaign of cyber-enabled commercial intellectual property theft was attributed to the Chinese Ministry of State Security (MSS). This long-running campaign targeted the intellectual property and commercial data of a number of global managed service providers, some operating in New Zealand.

Earlier this year, New Zealand added its voice to international condemnation of a series of malicious cyber-attacks against Georgia. These attacks by Russian state actors impacted over 2000 Georgian websites and the Georgian national television station.

And, as already mentioned, we have also added our voice, several times in the past few months, to international condemnation of malicious cyber activity targeting Covid-19 research and various nation states’ response to the Covid-19 pandemic. Most recently, just last month I spoke out – on behalf of the NZ government – in response to a cyber-security advisory issued by the United Kingdom, United States and Canada regarding state sponsored malicious cyber activity targeting organisations involved in Covid-19 vaccine development.

We are aware of other countries which are involved in state-sponsored cyber-attacks both internationally and on New Zealand networks. These examples I have referenced are the ones which have gone through New Zealand’s public attribution process.

Attributing malicious cyber activity helps send a strong signal to the actors and states responsible for the activity that their conduct is unacceptable within the rules-based international order.

Calling out this activity also reduces the efficacy of malicious cyber actors. By revealing the actor’s methods of compromise and increasing the reputational costs of conducting malicious cyber activity, the actors’ ability to operate in cyberspace is decreased. By outing these methods, organisations can more readily detect, and respond to these threats, forcing the actors to change their behaviour and making it harder for the actors to successfully conduct malicious cyber activity.

The New Zealand Government also expects that calling out this malicious cyber activity will raise public awareness of the risks posed by malicious cyber activity. By educating the public about these potential threats, the GCSB and the New Zealand Government hope to improve cyber defensive measures and raise awareness of malicious cyber activity which may adversely impact New Zealanders.

Public attribution can be accompanied by private diplomatic engagement, and in some instances, the laying of criminal charges against the threat actors identified as being responsible.

So what does this mean for the future?

While there has been a lot of international commentary about the potential impact and exploitation of Covid-19, we did not see any significant increases in malicious cyber activity targeting New Zealand organisations of national significance during the lock down period. There was, however, a continuation of ongoing threats posed by both criminal and state-sponsored actors. Ransomware campaigns in particular targeting corporate networks in the healthcare, transport, and technology sectors are a continuing threat.

For all that New Zealand has gone through the initial lock down and response to Covid-19, and we are settling back into a new (relatively normal) normal – the risk from advanced threat actors looking to exploit Covid-19 themes or seeking information about our Covid-19 response will endure for the foreseeable future. 

Some of the risks we foresee include:

It is almost certain New Zealand organisations and individuals will continue to be affected by malicious cyber activity that employs Covid-19 themes to entice and manipulate victims.

Advanced persistent threat (APT) groups (both state-sponsored and criminal) are capitalising on the Covid-19 pandemic by exploiting public fear, interest and the desire for information. Examples include phishing campaigns with Covid-19-themed lures, and websites masquerading as trusted organisations. The activity matches normal patterns of behaviour; actors commonly modify social-engineering tactics to exploit current events.

State-sponsored groups almost certainly have the capability and intent to target organisations for the purpose of gathering information about their response to Covid-19.

A number of our international partners have issued joint advisories warning that APTs are targeting national and international bodies involved in Covid-19 responses. Targets include pharmaceutical companies, academia, medical research organisations and local government. Our international partners, various industry professionals and security researchers have also publicly attributed Covid-19 related campaigns to state sponsored APT groups.

The tactics, techniques and procedures (TTPs) of state-sponsored actors remain consistent, and will possibly have an increased impact on New Zealand organisations in coming months.

Common tactics for state-sponsored actors have recently included broad-scale scanning for recently disclosed vulnerabilities across a wide range of domains that are of potential interest. Once an automated exploit proves successful, actors may return to explore their access and determine if the target may have ongoing value.

New Zealand domains and organisations could possibly be added to the net of potential targets owing to increased global media reporting on, and interest in, New Zealand’s response to Covid-19.

Changes to the technology environments as part of the urgent response to enable remote working ahead of and during Covid-19 lockdown, coupled with increased public awareness and scrutiny of how organisations are managing the Covid-19 response, potentially increase the likelihood and impact of a security breach.

For example, rapid deployment of tools to support staff in remote working, including Zoom, Microsoft Teams, or unmanaged corporate devices such as laptops, tablets, and mobile phones, is likely to have altered the exposure and attack surface of organisations. As we move back into a more normal operating tempo organisations will now need to review the deployment and ongoing management of these tools to evaluate and manage the new risks.

If hygiene measures such as regular patch cycles, user account audits, security configurations and device hardening have not been effectively implemented, organisations will be more susceptible to activity by malicious cyber actors.

I hope that gives you a good overview of the cyber threat environment, how it has changed in the Covid-19 world, and who is behind some of the malicious activity we are concerned about and what this could all mean for New Zealand.

I will finish by providing some, hopefully reassuring, comment about what we at the GCSB are doing to address it. 

I will spend the next few minutes setting out our role in New Zealand’s cyber defence - our defensive capabilities, the advice and support we provide to customers, and the wider role that I have as Government Chief Information Security Officer (GCISO) to provide information security leadership across the Government system.

Valued cyber defence

Our CORTEX cyber defence capabilities enable us to provide advanced protection against cyber threats to a number of nationally significant organisations.  These capabilities provide defence against cyber threats that are typically beyond the scope of commercially available tools. We, in turn use the threat intelligence gained from the operation of those capabilities, and information from other sources to inform the advice we provide to a broader set of customers to help inform their cyber defence activity.

We have been able to value some of the impact our cyber defence capabilities are having. Using an independently validated model the NCSC calculates the value of harm directly prevented through the operation of our CORTEX cyber defence capabilities in the 2018-19 year was in excess of $NZ 27.7 million. This means the operation of those advanced cyber defence capabilities has contributed to reducing cyber harm to New Zealand’s nationally significant organisations by more than $NZ 100 million since June 2016.

Malware Free Networks (MFN)

One of the keys to expanding the reach of our cyber defence capacity is through the delivery of our Malware Free Networks (or MFN) capability which will begin to be rolled out later this year.  It involves NCSC generating and sharing threat intelligence with organisations in order to detect and disrupt malicious activity. The MFN threat intelligence feed contains indicators of malicious activity generated from a range of sources including specialist information the NCSC has access to through domestic and international partnerships.  We anticipate organisations will use the feed for detection and disruption purposes and that they will provide telemetry back to the NCSC.  This will help NCSC analysts better understand the nature of threats targeting New Zealand organisations, and to inform our wider cyber defensive efforts. 

Advice and support

The NCSC’s Cyber Resilience Unit has hundreds of engagements with customers (private and public sector) from around the country every year. A significant part of their work is to provide information and advice to help organisations defend their network from malicious cyber activity and to be better prepared to respond when incidents occur. The NCSC website has a lot of useful information and guidance designed to assist with this, including material drawn from a study of more than 250 New Zealand organisations of national significance to assess their cyber resilience. This study highlighted four key areas organisations should invest in to help increase their security posture. These areas – governance, incident response, supply chain and investment – are the subject of information campaigns being progressively rolled out by the NCSC’s Cyber Resilience Unit.

GCISO

In 2018 I was appointed by the State Services Commissioner as the public service’s functional lead for information security. This included getting the title Government Chief Information Security Officer or GCISO. While risk management and decision making responsibility remain with individual agencies’ Chief Executives, the GCISO provides system level policy and strategic advice and support. I am supported in this work by an information security policy team based in the NCSC. We work closely with others in Government – particularly the Department of Internal Affairs (and Government Chief Digital Officer) – to take a more strategic approach to identifying systemic risk and developing policy advice and processes to help mitigate it. Recent practical manifestations of this have been the advice we provided around mitigation of security risk involved in use of the meeting platform, Zoom, for discussing Government business up to RESTRICTED level, and advice provided around increasing the resilience of systems being used for remote working as part of the Covid-19 response. We are also closely involved with work underway across government to support migration to cloud services in a more coordinated way, with security considerations being a central component of this transition.

Conclusion

As Government and private sector organisations adapt to the changing environment, the impact of Covid-19, and the need to deliver the best value for customers and stakeholders alike, the use of digital tools and platforms will be one of the keys to how service delivery is enhanced and transformed. Right across the work of the Bureau our focus is very much on enabling this “digital transformation” but in a way that ensures the risks I have been talking about today are effectively mitigated.