Speech to Minter Ellison Rudd Watts

Thank you to Minter Ellison Rudd Watts for inviting me to speak to you today. As you know, tomorrow is my last day as Acting Director of the Government Communications Security Bureau, before I take on my new position as Solicitor General.

In my nearly 12 months as Acting Director I've had a rare and fascinating insight into the work of the Bureau, and the wider New Zealand Intelligence Community (NZIC). I have observed first-hand the interesting, and often challenging, work that is carried out in the interests of keeping New Zealand, its people, and its information secure. I have seen the commitment, passion and professionalism of the people within the NZIC and it has been a privilege to have been able to speak on their behalf – and, as I am doing today – share an insight into aspects of their work and its importance.

I have learned a lot.

I have learned things about myself, I have learned about leadership, and I have learned about things that are important to the security and economic prosperity our country.

Naturally, much that I have learned must stay in the classified domain.

However, when it comes to information assurance, cyber security – or “data security” if you like – there is much that I have learned that I can share with you.

I do so today in the hope that you will take some of this information back to your day jobs and use it to help ensure the protection of your own data and your clients’/customers’ data from increasingly pervasive (and sophisticated) cyber threats.

While historically there has been some focus on GCSB’s foreign intelligence work (and it should be no surprise that the country’s foreign intelligence agency gathers foreign intelligence!), the Bureau’s cyber security mission has typically received less focus.

This is changing – through our own efforts to engage more, and also in response to a growing awareness in New Zealand of the cyber threat.

We are increasingly working with significant New Zealand organisations, in both government and the private sectors, NGOs, and our national and international partners to help make New Zealand’s networks and information less vulnerable to cyber threat.

Our cyber work is delivered largely through our National Cyber Security Centre. While we work with others, like New Zealand Police and Connect Smart, to have a “no wrong door” approach to responding to cyber threats, the Bureau and NCSC’s particular focus is on the more advanced, sophisticated threats.

These are the type of threats that typically cannot be mitigated effectively using commercially available tools.

While technology tools play a vitally important role in helping to ensure network security, education and increasing awareness around cyber risk management is equally critical. At a time when threats are growing in both volume and sophistication, it is essential that systems and data are protected by a multi-layered approach; an approach that combines effective governance and risk management with user education, effective policy settings and appropriate layers of security technology.

Boards, executives and senior management already have a solid grasp of risk management.

The challenge is to ensure the same rigour and discipline that is already applied to financial, legal, human resource, and operational risk, is applied to technology risk.

Awareness and regular discussion at the executive and board tables, and more broadly across an organisation, are important first steps.

The fact that we are having this conversation today suggests we are over the first hurdle – knowing that cyber security is important and something we all need to have a better understanding of.

This is a step forward from even 12 to 18 months ago when the challenge for us was to get cyber on the corporate/governance risk agenda.

Today we are seeing increasing levels of information targeting boards, executives - even legal chambers - emphasising the importance of information security in governance risk frameworks.

That information is coming from a wide range of sources – whether it is through the work of professional organisations like the Institute of Directors and its education programmes and resources[1], and the Law Society who provided a very good overview of the cyber issue in “Law Talk”[2] late last year, from the Department of the Prime Minister and Cabinet’s National Cyber Policy Office[3], or from our own National Cyber Security Centre resources[4].

We are increasingly being asked for our input.

This is great - it is a reflection of the changing threat landscape, and of how organisations are recognising and responding to the threats.

Today I want to talk with you about:

• The extent of the cyber threat risk, including touching on how we at the GCSB are responding to it;
• The consequences of not addressing the risk effectively; and
• Suggestions around how you can reduce the cyber risk.

At the end there will be some time for discussion and questions.

Cyber threat

I am sure it will not surprise you that, when it comes to information security, geography is no barrier to cyber threats. The ubiquity of the internet means New Zealand’s relative geographic isolation is no protection from the threat.

On the internet you and your business are just another IP address, regardless of where you are physically located.

The rapid development and adoption of new technologies – e-commerce, cloud storage, mobile communications, byod [bring your own device] - create new opportunities for cyber criminals and others who seek unauthorised access to your information.

And the new threat vectors keep growing. More recently the “Internet of Things” (IoT) is being seen as another emerging information security risk.

The Internet of Things is, in part, about the increasing propensity for adding wireless connectivity to virtually any imaginable electronic device, from home security and ventilation systems, through to portable home appliances, and even refrigerators – imagine a fridge that takes a photo every time you open the door and is able to email you when you’re at the supermarket to tell you what you need – how helpful is that?! While it may (arguably) be useful technology, it is also another opportunity for hackers to unlock access to your home or business network.

The creation and exploitation of cyber threats is no longer the exclusive domain of well-resourced, highly technical criminals, or state supported actors. Today even people with relatively low levels of technical skill can purchase an exploit kit and start generating threats.

Cyber criminals now have their own black market, where new versions of threats are developed and sold – complete with their own support packages.

This has all contributed to exponential growth in threats over the past few years – and thus growth in risk to businesses, governments, and private individuals.

Information from major information security providers gives a small insight into the scale of the issue.

Symantec:

[global information security and systems provider - produces monthly and annual threat intelligence reports]

Symantec’s November 2015 update[5] says they detected 19.4 million new pieces of malware (cyber threats) in November.

For the whole of 2014 they detected more than 317 million new pieces of malware – almost one million new threats per day!

And they say those threats are increasing in sophistication – making them more difficult to detect and analyse.

This means they are likely to operate undetected for longer and potentially cause greater harm.

Mandiant – Trends 2015:

In its 2015 “M-Trends” report[6], Mandiant noted that the median number of days that a threat was present on a network before it was detected was 205!

This gives the adversary plenty of time to gain access and give themselves administrator privileges, conduct reconnaissance of the data in a network, package up what they want and send it to themselves, then disguise their tracks so it is difficult for the victim to identify what has been taken.

The longest presence they noted before detection was 2,982 days.

Mandiant reported that 69 percent of victims were notified of the threat by an external entity, rather than having it picked up by their own internal systems.

Australia:

Taking a more regional focus - research[7] released by the Australian Cyber Security Centre in December last year provides a useful picture of both the threat profile and cyber maturity of key Australian businesses and government organisations.

The study was able to be compared with an earlier (2013) study conducted by CERT Australia and provided a useful insight into how the Australian cyber security posture had improved.

It included responses from Government and business organisations and found that 50 percent of respondents had experienced at least one cyber incident in the past year.

The study noted that in 2014 CERT Australia responded to 11,073 incidents affecting businesses – this is up from 7,300 incidents in 2012[8].

The most common form of threat was ransom ware (72% of those who reported an incident), followed by malware (66%) and targeted malicious emails (59%).

Of concern – in a system where there is significant reliance on self-reporting[9] - 43 percent of respondents indicated that they did not report cyber incidents to anyone because they did not see any benefit from reporting.

New Zealand:

Here in New Zealand, the Institute of Director’s 2015 Director’s Sentiment Survey[10] included several questions that help indicate the cyber security posture/risk awareness of New Zealand boards.

The potential for business disruption through technology was ranked in the top 10 “single biggest risks to organisations” by five percent of respondents. This was the first time that risk had featured in the top 10.

The survey also found that just 27 percent of boards are regularly discussing cyber risk and are confident about their company’s ability to respond to a cyber incident or attack.

The Institute’s website provides some useful resources including a Cyber Risk Practice Guide[11].

At the Bureau we are seeing continued growth in reporting of significant cyber incidents, although the reporting pattern is changing as more organisations – both Government and NGO - become involved in cyber threat reporting, response and education.

The National Cyber Security Centre (NCSC) – recorded a total of 190 cyber security incidents for the 12 months to 30 June 2015.

Of the 190 recorded incidents, 114 were identified as targeting government systems, 56 targeting private sector, and a further 20 where the sector targeted was not identified in the reporting.

While the total number of incidents is slightly lower than for the 12 month period to December 2013 (219 incidents), this was likely due to changes to recording and reporting practices[12], rather than a reduction in incidents.

In fact, I believe the reverse to be true and that serious incidents are continuing to increase.

In the latter part of 2015 the NCSC incident response team was recording an average of one serious incident a day.

We believe the reporting approach followed by victims of cyber incidents has also changed. Reduced reporting of spam, scam and website defacement incidents is likely to be a result of these type of incidents now being reported to other organisations like Netsafe instead of the NCSC.

The incidents we are seeing, and recording, range in seriousness from the targeting of small businesses with “ransom ware” and attempts to obtain credit card information through to serious and persistent attempts to compromise the information systems of significant New Zealand organisations.

Some of these threats come from well resourced, foreign threat actors.

While at times they are directly targeting significant New Zealand organisations, we are also seeing them use (and attempt to use) New Zealand-based systems as a “jumping off point” to host malware that is used to target overseas networks.

Part of our response to the more sophisticated and advanced types of these threats is the CORTEX project – which I will talk more about later.

What is being targeted?

Because of the relatively small size of our data sets and requirement to maintain confidentiality, the NCSC does not currently report on threats by industry sector.

It is possible to get some relevant insight into the range of sectors being targeted by looking at overseas reporting.

Australian reporting indicates threats target sectors such as[13]

• Energy: 29%
• Banking finance: 20%
• Communications: 12%

The Mandiant (M-Trends 2015) report[14] – which draws information from Mandiant’s global monitoring, indicates business and professional services organisations - very well represented in this audience – were the targets in 17 percent of their reported incidents, followed by retail (14%) and financial services (10%).

In terms of data being targeted, cyber criminals and those behind cyber espionage are going for pretty much anything that can either advantage them or that they can on sell for a profit.

Banking, credit card and other financial transition credentials are very marketable commodities on the black market- the value of credit card details can be between US$30 and US$45 for a single card where full user information is captured[15].

So too are system user credentials, which can then be used to gain access to systems and enable further data extraction or manipulation, and identity information, which can be used to create false personas for fraudulent activity.

Information targeted for more espionage related purposes includes business information - valuable intellectual property, business plans, pricing and acquisition strategies, and government information in all its various forms.

What is the most common form of threats?

Threats – particularly the kinds of advanced malware (or cyber intrusions) that our organisation is most interested in - come in all shapes and sizes.

In the past 12 months the most common threat noted in New Zealand by the NCSC is “spear-phishing”.

Email, often carefully engineered to reflect a particular interest of the receiver, that contains a threat, or a hyperlink to a threat, and which when opened enables the adversary to access the user’s device or network.

This type of threat makes up around 30 percent of the threats reported to or detected by the NCSC.

Spear-phishing is followed by network intrusion (21%) and botnets (9.5%), then “drive by downloads” and denial of service attacks (both on 5.8%)[16].

The thing about some of these threats, particularly spear-phishing and drive by downloads, is that the delivery mechanism is often so cleverly socially engineered that even someone who is relatively cyber aware can unwittingly provide the vector for the threat to be introduced to your network.

Serious threat actors research their targets through company website, social media profiles (including LinkedIn), and business media to develop credible email messages that lead victims to click on attachments or visit sites containing hidden threats.

Education combined with effective systems and technology controls are the keys to reducing the threat risk.

It is not just about you.

Organisations need to be aware that the threat is not just to them or necessarily directly targeted.

You could be targeted via a third party relationship or provide a vector for targeting others.

Your whole supply chain needs to be secure and subject to the same risk management approach.

This is an area of particular importance to those of you in the professional services sectors. Your organisation’s systems are potentially points of accumulation of high value information from multiple organisations to which you are providing services. While your clients may have invested in significant information assurance protections, both technical and procedural, their relationship with your organisation could be the weak link. The potential liabilities – both financial and reputational – are significant.

Cost and consequence

There is a lot of commentary here and internationally about the cost of cybercrime.

The variability in the numbers just reinforces the limitations of our knowledge on the extent and impact – particularly given most reporting, here and overseas, is voluntary.

A September 2015 Grant Thornton International Business Report[17] stated that cyber attacks are estimated to have cost Asia Pacific businesses $81 billion in the past 12 months, while firms in the EU ($62 billion) and North America ($61 billion) are also counting the significant cost of attacks.

A survey by Hewlett Packard and the Ponemon Institute quantified the annual cost of cybercrime across a benchmark sample of organisations in seven countries. It found that the average cost per victim organisation was $7.7 million[18].

2014’s major cyber attack on Sony Corporation – and the subsequent release of a broad range of business documents - has been reported as potentially costing the corporation between US$70m to US$100m.

While there has been a lot written about direct cost, organisations also need to consider the impact cyber attacks can have on a business’s value and on an organisation’s ability to attract investment.

While various international reports suggest the impact on share value may be relatively short lived - the share price of major US organisations Ebay, AOL, and Target dropped by between 5.7 and 25.5 percent within a month of significant attacks being disclosed – the consequences can be long term.

These figures do not necessarily take account of loss of corporate reputation, loss of customers, sales or potential investors.

Increasingly an organisation’s cyber resilience or preparedness is a factor being taken into account by investors.

The response to the cyber threat

Taking into account all of the above, I am sure that if cyber security was not already firmly on your (business) agenda, it will be now.

The key question is “what can we do about it?”

And, perhaps before that, “what is the Government doing about?”

The response, to both, is “quite a lot”.

In December last year Minister for Communications Amy Adams launched New Zealand’s Cyber Security Strategy[19] (2015).

The Strategy provides a single framework for government-led action to address cyber security, in partnership with the private sector. It will help guide a coordinated, multi-agency response.

The National Cyber Policy Office in the Department of the Prime Minister and Cabinet will work with a range of partners to implement the Strategy. This includes hosting a national Cyber Security Summit to provide an opportunity to reinforce the partnership approach. The summit is being organised through Connect Smart[20], broadening the range of opportunities for the private sector to partner with Government to help improve our national cyber security posture.

The Strategy includes an action plan that is intended to be a “living document”, reviewed and updated annually.

The Strategy includes a National Plan to Address Cybercrime[21], recognising the growing impact of cybercrime and the need for a joined-up government approach.

Most of the initiatives will be carried out within existing departmental baselines, though a proposal to establish a Computer Emergency Response Team (CERT) will be considered in the Budget 2016 process.

Establishing a national CERT is a key feature of the strategy.

A CERT is a service organisation responsible for receiving, reviewing, and providing advice on computer security incident reports and activity.

CERTs typically provide:

• incident triage and reporting
• analysis of threats
• information and advice
• an international point of contact and collaboration.

A New Zealand CERT would have close relationships with a range of government agencies including Police, the New Zealand Security Intelligence Service (NZSIS), Department of Internal Affairs (DIA) and the GCSB, and with the private sector.

The GCSB is closely involved with the CERT project and, while it is too early to determine how the establishment of a CERT will impact on GCSB’s range of customer relationships, the implementation of a CERT will not impact on the CORTEX initiative and the Bureau’s CORTEX relationships.

The Bureau/NCSC

The CORTEX initiative is just one aspect of the GCSB’s broad information assurance role.

Delivered largely through the work of the our Information Assurance and Cyber Security Directorate (IACD) (this includes the National Cyber Security Centre), we work through a range of approaches from outreach and engagement, including educating boards and executives on cyber threat and risk management, through to provision of services and systems that assist organisations to detect and disrupt threats.

The IACD does more than just cyber security in the generally accepted sense of the term.

Some of the things you might not know about include:

We provide high grade cryptologic services to protect critical data of national importance.

We conduct technical inspections and accredit networks processing data of national importance. (If it is a New Zealand government network or system – including those that fly, float, or are fixed to the ground – then someone from the NCSC team has had to look at it and certified that it meets the required level of system security and protection).

We provide information assurance and security guidelines via the government Protective Security Requirements[22] and the New Zealand Information Security Manual[23] and we work across government with Government Chief Information Officer (GCIO) to develop and promote compliance with those standards.

Our outreach and engagement team works closely with customers across the public and private sectors, helping convert our advice and inputs into actions to make networks more resilient.

We also provide a point of national contact and coordination for reporting and sharing information on cyber threats and, in the case of some nationally significant information systems, supporting response to those threats.

We have a multi-disciplined technical team who focus on in-house development and support of our capabilities.

They do detection and analysis of malware. They turn that analysis into classified and unclassified product that can be passed on to partners and customers to help mitigate identified compromises.

The analysts are supported by the outreach and engagement team, working with customers across government and the private sector. They focus on building and maintaining relationships with nationally significant organisations, passing on actionable threat information and supporting Security Information Exchanges (SIE), where organisations with common threat parameters work together to mitigate known or emerging security issues.

Where possible we work with security vendors to pass on threat information that can then be incorporated into more widely available commercial products.

Typically our Security Operations Centre will detect known computer network exploitation actors attacking a New Zealand entity. The team will assess the threat and analyse the malware.

We will provide advice to the entity, with specific technical details to locate infected machines and detect further compromise.

If the victim organisation is unable to respond to these threats themselves the NCSC has an Incident Response team who can go out and assist. There is a clear process of warrants and authorisations to enable us to provide this support.

Examples of the threats identified through our cyber security capabilities include:

• The targeting of officials from a key government agency through email and web site exploits to get personal information and potentially compromise the agency’s network. This attack was detected and mitigated before important information could be lost/compromised.
• The use of a malware package, most likely purchased online, to target six significant New Zealand organisations. The threat was detected and mitigated through systems and support provided via our CORTEX capabilities.
• Identifying and tracing the source of a new cyber attack method from a known major foreign threat source. The attack targeted several CORTEX customers. The “fingerprints” of this new threat were able to be passed on to our international partners, helping to reduce global vulnerability to this particular attack.
• Detecting large-scale targeting of a nationally significant organisation as part of a global campaign by known foreign threat source. The NCSC was able to work closely with the New Zealand organisation to contain the threat.

CORTEX

The CORTEX initiative is a key part of our response to these more advanced types of threats.

CORETX[24][25] is an umbrella term for a mixture of passive and active detection and discovery, analysis and blocking tools, fuelled by a variety of inputs (signatures), including from classified sources.

The existence of the CORTEX initiative was disclosed by Government in September 2014.

CORTEX has only has one purpose: to counter cyber threats to organisations of national significance.

It is not about replicating existing information assurance capabilities. It is focused on countering foreign-sourced malware that is particularly advanced in terms of technical sophistication and/or persistence.

CORTEX customers include government departments, key economic generators, niche exporters, research institutions and operators of critical national infrastructure.

There is a double gate authorising mechanism to CORTEX capabilities being provided to organisations:

• First, the organisation obtaining the capability must consent to receiving it – and agree to a number of conditions; and
• Second, the capability must be authorised by the Minister and the Commissioner of Security Warrants under the GCSB Act.

These conditions include that the protected systems maintain basic, effective security controls.

Operators of systems protected by CORTEX capabilities are required to advise those who interact with their computer systems (staff, customers) that their communications may be accessed for cyber security purposes, and they must maintain confidentiality about the services they are receiving.

Information that we obtain can only be used for information assurance and cyber security purposes. And the information can only be shared with the consent of the affected organisation.

CORTEX gives us an ability to detect threats to networks, and to tell protected organisations about those threats so that they can respond to them.

It enables us to provide targeted advice from our experts about the prevention and mitigation of cyber threats.

As part of CORTEX we are in the process of engaging with ISPs around an initiative we are calling Malware Free Networks.

We intend to pilot an arrangement whereby we share cyber threat information with an ISP so that the ISP can actively mitigate advanced malware that is targeting a small subset of its customers.

Under this pilot arrangement the benefiting ISP’s customers must consent to receiving the protections and the customers must be aware of GCSB’s support to the ISP.

GCSB will not receive internet traffic of the ISP or any of its customers. We will provide information on cyber threats that the ISP can then use to help protect the information of its customers.

CORTEX usually involves deployment of a layered set of technical capabilities.

Initial detection occurs through automated means in the main– i.e. machines looking for indicators of malicious activity using information about previous successful of attempted cyber attacks.

Rules limit the number of our people who can access the data, all of them computer network defence analysts with a clear understanding of the rules.

The Inspector-General of Intelligence and Security is able to view a log of what occurred, and the recorded reasons for any activity taken, for any analyst’s viewing of CORTEX data, and what they did with it.

Capacity constraints mean the CORTEX capabilities are only available to a limited range of organisations. However, the benefits (threat information) are applied more widely through a range of approaches like direct interaction with customers, SIEs, and publication of advisories.

Our engagement team is working hard to build relationships with a wide range of New Zealand organisations, and to develop new means of sharing understanding of threats and responses to them.

This includes increasing face to face interactions directly with key organisations and through sector information forums.

We are also planning to increase use of our own website, and secure online portals, to increase the availability of threat information and provide a place where incidents and responses to them can be discussed in a “safe” forum, without the risk to reputation and share price that may go with more public discussion.

The NCSC works the Department of Internal Affairs and the Chief Government Information Officer to support the development of a list of information security service providers through the Government Security and Related Services Panel[26].

There is more information on managing security risks, including advice for executives, available in the Government Protective Security Manual[27].

This work covers physical and personal security, as well as information assurance. While it has been developed to provide guidance and a risk framework for government organisations, it is increasingly being used by the private sector as a basis for their own security standards and frameworks.

I have mentioned that part of our response is to help educate boards, executives and other around effective responses to cyber risk. I will not go into those responses in detail here – much of the advice around information is available on the NCSC website[28].

However, I will finish with a few key points from our guidance to executives.

For the more technically minded amongst you, there are four actions – system and policy setting – that significantly reduce your organisation’s vulnerability to cyber threat.

The “top four[29] key mitigations” are:

1. The use of application white listing: having a defined list of applications that are the only ones allowed to run on a network. This helps prevent malicious software and unapproved programmes from running.
2. Patching operating system vulnerabilities: as new vulnerabilities are discovered in operating systems, vendors release patches (system updates) to address them (think of those iOS upgrades many of you will have been notified of recently).
3. Similarly, patching applications: things like Java, PDF viewers, Flash, web browsers and Microsoft Office.
4. And, finally, restricting administrative privileges to operating systems based on the user’s duties.

The application of these top four mitigations can reduce vulnerability by up to 80 percent.

In closing, I hope I am leaving you with a better understanding of the risks posed by cyber threats and the threat actors who are targeting our systems.

In terms of response, it is clear that making our networks more resilient (and our information safer) requires a joined up approach.

This means government and the private sector working more closely, and better sharing of threat information and of the strategies and tools to respond to threats.

It also means organisations need to be better joined up in their own response – from board awareness and risk management, to executive engagement and regular reporting on cyber threat, through to user education and technical system management.

Everyone has a role to play.

Thank you for your time and attention today. Thanks again to Minter Ellison Rudd Watts for this opportunity. I am happy to take questions.

References: