Speech to the Technology and Privacy Forum

I am Una Jagose, the Acting Director of the Government Communications Security Bureau. I started in late February this year, coming from my role as Deputy Solicitor-General, Crown Legal Risk at the Crown Law Office. The acting role was extended and I’ll be in this role until the end of March 2016. 

I am excited about having the extended period in this role: the GCSB, and the New Zealand Intelligence Community, is a great place to be working. A lot has changed in the last few years and there is more change coming. The work we do is vitally important to New Zealand, and our people are fantastic. The year ahead holds a lot of promise.

Today I am going to talk a bit about cyber security, and in particular project CORTEX, a GCSB initiative to counter sophisticated cyber threats targeting New Zealand’s important information and information systems. But I also want to start with an overview of the functions of GCSB – what we do and what we don’t do. The reason for that is that over recent months there has been a bit of publicity about the GCSB and some activities that we may, or may not, have been involved in. I want to be sure to address some of those concerns and explain how we respond to them. So I’ll take a few opportunities to do some myth-busting about the Bureau along the way.

The day after I started in the Bureau a new wave of media attention started. You might remember there were quite a few stories that followed in the months from March this year alleging things about the Bureau’s work. It seems to me that the suggested motivation for these stories was to expose what the public needed to know about the Bureau’s work. The suggestion was that there was something untoward going on, and that the media coverage would reveal all.

Also in my second week, Parliament’s Intelligence Security Committee conducted a public examination of the Bureau and the NZSIS. You may recall I addressed questions there about whether the Bureau was conducting mass surveillance, whether I could assure the Committee the Bureau was not conducting surveillance on New Zealanders, and so on. 

Now, months later, we can look back at what’s been alleged. We have been told through the media that the Bureau may conduct surveillance in foreign countries, and may assist in counter-terrorism work. It should not come as a surprise to anyone that New Zealand’s foreign intelligence organisation … collects foreign intelligence; the statute that we operate under tells you as much.

To be clear, our three functions are:

  • Gathering and analysing foreign intelligence in accordance with the Government's requirements about the capabilities, intentions, and activities of foreign persons and foreign organisations;

  • Information assurance and defending and protecting critical information infrastructures (our cyber security role, which I am going to talk about a bit later); and

  • Assisting other agencies (Defence, Police and NZ Security Intelligence Service).

Just to be clear, we are prohibited by the GCSB Act from targeting New Zealanders’ private communications in our foreign intelligence functions.

Of course it’s not news to talk about the great work we do, the value we provide, or the extraordinary people we work with who do cool things in pursuing our statutory functions to deliver high quality cyber defence and foreign intelligence for the Government of the day. It seems to be forgotten that the GCSB is a government department, delivering on the Government’s priorities, and answerable to Ministers and subject to significantly more independent oversight than most agencies (appropriately so, as I will outline today).

There are legitimate questions to be asked about our intelligence activities, but there is also a real risk of doing real harm to New Zealand interests if the way those questions are attempted to be answered is by simply revealing details from stolen – and classified – documents, trying to interpret at times technical intelligence-speak from them, trying to draw threads about what is going on, and blithely publishing documents in full. Why? That approach will reveal to adversaries what our targets or capabilities are, or are not – and, accordingly, what our vulnerabilities are. So, you might say “why don’t you tell us everything then? Don’t wait for an exposé – you tell us.” 

Fair enough. We can be better at that. But there is a real tension here. We are not so naïve as to think that we can simply assert that we need to operate in secrecy and all will be well. The public want and expect transparency from Government and its agencies. Secrecy breeds distrust, allows corruption to flourish and is the antithesis of what we reasonably expect from modern, liberal and democratic governments committed to the rule of law. But, on the other hand, security, which may look like secrecy to some, is required for effective intelligence operations (whereby agencies around the world are tasked by their respective, democratically-elected governments with gaining insights that would not otherwise be available). 

If we allow our capabilities, areas of interest or targets to be known, we are vulnerable to those who do not have New Zealand’s best interests at heart - whether through foreign espionage, terrorism or activity to compromise critical information systems to steal data (e.g. intellectual property), or to control critical systems, or to obtain insights into the Government’s sovereign intentions, dialogue and policies. New Zealand has interests we want to protect and secrets others want to steal. And we want New Zealand to be able to flourish and prosper in this online world we live in. So complete openness (even with the best of intentions, telling New Zealanders what its covert intelligence agency is doing) is also openness to adversaries; that weakens, rather than strengthens, the system. 

So, what to do about that? And how do we ensure that the goals of security and rights of New Zealanders – including privacy - can be met? The tension has to be managed in a way that provides appropriate levels of security (and therefore protection of New Zealanders and our interests) and public assurance (of lawfulness, of understanding and adequate protection of rights to privacy, along with other rights). Taking privacy as an example, it is not a binary choice: either security or privacy – we want them both. The framework of controls and oversight provides the appropriate settings under which both of these objectives can be achieved, proportionate to the threat and the outcomes we are trying to achieve.

So I say a significant answer to these inherent tensions lies in the system itself. It lies in the legislative controls and external, independent oversight of the intelligence agencies. That oversight is crucial for assuring the New Zealand public that those agencies are properly delivering on all the relevant interests: security, privacy, lawful conduct, etc.

Can I come to the first popular myth about the Bureau? We do not simply randomly hoover up information and rummage through it, hoping to find something useful. This image of “mass surveillance” is one of the biggest myths about our work. The truth is quite the opposite: where our foreign intelligence work requires access to infrastructures that would otherwise be unlawful (as I’ve said, to gather and analyse intelligence (including from information infrastructures) in accordance with the Government's requirements about the capabilities, intentions, and activities of foreign persons and foreign organisations), it is conducted under Ministerial warrant or authorisation.

The Act sets out how the system works: the reason for the access or intercept must fit within the Government’s requirements, and be justified. The Minister responsible must receive an application that sets out the reasons why the particular access is sought, how the proposed outcome justifies the access or intercept, whether the outcome can be achieved another way. The Minister must be satisfied that there are controls put in place to make sure that the Bureau only does with the information that which is needed for its proper performance. Overall the process is about ensuring that the access sought is lawful, reasonable and proportionate.

These are high hurdles. In addition, the Minister of Foreign Affairs must be consulted before any authorisation is granted, and the Minister responsible may impose any conditions he thinks fit. The Commissioner of Security Warrants – a former Court of Appeal judge – must also agree if a New Zealander’s communications are to be targeted (New Zealanders’ personal communications are not to be targeted, but there are exceptions if a New Zealander is, in the words of the Act, “an agent of a foreign power or foreign organisation”). None of these steps is taken lightly and in my experience the applications are not “rubber stamped.”  My observation is that everyone involved takes very seriously the powers we exercise. The Director is also required to keep a Register of all such warrants and authorisations.

The controls do not stop there, of course, once we have the approval to undertake warranted work. Work conducted under those warrants and authorisations does not commence until an analyst has a customer requirement for intelligence. That requirement is linked into an internal plan (how will we service the customer request), which itself links to the Government’s foreign intelligence requirements. Before conducting work under an authorisation, analysts must enter all this data (what they are doing, for what purpose, under what plan and customer requirement, what foreign intelligence priority) into the database before they begin. 

All of these inputs into the system, all of the work done on the systems, are fully traceable and auditable.

As I have said, there is a prohibition on targeting the private communications of a New Zealander in our foreign intelligence work. Our website has our Nationality Policy on it (under “News”), which sets out how we ensure compliance with that prohibition. 

The Inspector-General of Security and Intelligence (IGIS) must have access to the Register I mentioned, and to all the supporting material, and work done under the warrants/accesses. She has a significant role, independent of the Bureau, to oversee the work done in the Bureau (and the NZSIS). All our work is available to her at any time and it must be fully auditable by her – she has direct access to the building, to the systems, and to us. The IGIS conducts audits, reviews and regular inquiries, and reports to Ministers and, as we have seen, to the public. Ministers can direct inquiries to her if they wish. Members of my staff can make complaints directly to her and have full protection from any employment consequences if they do so. She also can initiate inquiries herself or on complaint from the public. She has full inquiry powers to examine people under oath, to call for and see any relevant material – and associated crimes/penalties apply for failing to comply.

I should mention that, as a government department, the Privacy Commissioner, the Ombudsman and the Auditor-General also have oversight roles. And, finally, the Intelligence and Security Committee, a parliamentary committee, has an important role in holding the agencies to account for what they do.

So, that tension I mentioned: it is managed here, in this system of control and oversight. We cannot be entirely transparent to the public about what we do. But we must be – and we are - utterly open with the oversight bodies. Their reports on us are what should reassure the public that what goes on is lawful and done with New Zealand’s interests at heart. This oversight is very important and we welcome it. It is necessary to build a credible and resilient security and intelligence service for New Zealand. It is the platform for a strong public mandate that I intend to continue building in my time as Acting Director.

The lack of transparency to the public does not make us a closed shop, saying “don’t look here” and allowing us to make up our own rules, and report on our own compliance. The oversight is independent and very real. In the next few months the IGIS will be publishing her annual report of the 14/15 year and completing some inquiries into the Bureau’s work. So you will be able to see for yourselves independent oversight in action.

So, back to mass surveillance briefly. It’s a term that creates an image of random information collection, collection without purpose, collection without control. None of that is true. But, as I say, don’t take that from me; look to the system. There is no evidence of it (despite what you might hear or read in various commentary). The IGIS said, when asked in September last year, that in her work to date she had not seen any indiscriminate interception of New Zealanders’ data.  Think back to the process for warrants and authorisations I’ve outlined – the system simply does not allow for such wide-ranging, uncontrolled conduct.

In the time I have been at GCSB I have been impressed at the oversight and compliance built into the system. The most immediate oversight is the internal management oversight exercised day-to-day by the leadership team. There are built in checks and authorisations, and compliance training and exams, required before information can be accessed and, as mentioned, all accesses are fully auditable.

And I’ve been impressed with the people too. There is thorough vetting before people can work for or with us: aside from comprehensive psychological tests, people agree to reviews of their financial background, what they do in their spare time, personal relationships, online habits, any other habits … it is a very intrusive process. Our people have very high levels of integrity and loyalty. They share a real sense of the burden and the privilege of the material they work with, and the importance of what they do, day to day.

One final myth; we’re not listening in to your private communications! We’re not following your online searches or computer use. We take very seriously the intrusive powers we do have and have a strong system of compliance within the Bureau, and independent oversight of our activities outside of the Bureau. 

Another way to ensure the tension is managed is in the Bureau being more open about the things it can be open about. I accept that, in the past, the intelligence agencies have tended to keep everything secret, in order to maintain national security interests. After all, it was not until 1984 that the New Zealand Government expressly acknowledged the work of the GCSB – and our signals intelligence capability - as part of the Government’s network of agencies. And we’ve been slow, over the next 30 years, to reassure the public by telling you what we can tell, without compromising national security. We want to get better at that – because we can see the benefits in increasing the public understanding, and therefore the mandate, for what we do in protecting New Zealand and our interests. 

So, today, I want to speak in more detail than the Bureau has before about our cyber security role. Our cyber security functions are about protecting the security and integrity of certain New Zealand communications and communications systems.

The Bureau’s cyber security mission is to ensure the protection, security, and integrity of communications and information infrastructures of importance to the Government of New Zealand, and to do everything that is necessary or desirable to protect the security and integrity of those communications and information infrastructures, including identifying and responding to threats or potential threats to them.

We deliver these functions by taking a multi layered approach that includes:

  • providing high grade cryptologic services to protect critical data of national importance;

  • conducting technical inspections and accrediting networks processing critical data of national importance;

  • providing well-researched information assurance guidelines following international standards and best practice;

  • working across government, with the Government Chief Information Office, to develop and promote compliance with information security standards;

  • developing and publishing information security standards (required for government organisations but widely adopted as best practice across the private sector) and part of the Government Protective Security Requirements;

  • promoting the move to a mature security culture through outreach and engagement;

  • maintaining relationships with key public and private organisations of significance to the security and economic wellbeing of New Zealand. This includes the Security Information Exchange Groups that we facilitate and the CORTEX programme, which I will share some insights into shortly;

  • providing a point of national contact and coordination for reporting and sharing information on cyber threats and, in the case of some nationally significant information systems, supporting response to those threats;

  • coordinating cyber security and incident response services to deal with threats to national critical infrastructure;

  • providing a range of direct cyber threat detection and reporting services – targeting the most advanced and persistent threats -  through our “CORTEX” capabilities; and

  • working closely with the National Cyber Policy Office – a part of DPMC – to provide input into New Zealand’s strategic response to the broad range of cyber threats.

We also have a regulatory role under Part III of the Telecommunications (Interception Capability & Security) (TICSA) Act – in respect of the security provisions.

As you can see, much of our focus is on technology and on addressing threats that only organisations with our special technical (cryptologic) skills can do.

At this point it might seem reasonable to question the extent and nature of the threat we are working to protect our important information and systems from.

In broad terms, threat stems from the rapidly changing nature of the internet, which was not designed with security in mind. The more we are connected to and holding data on internet facing systems, the greater our vulnerability to attack. The scale and pace of growth is almost unimaginable, and means vulnerabilities are constantly being introduced, protected against, and reintroduced and rediscovered, and so on it goes. Connectivity to the internet is everywhere: crossing national and international boundaries and time zones, and allowing previously disparate groups to connect.

A couple of years ago there were as many internet connected devices in the world as there were people. Current growth trends point to there being three times as many internet devices as there are people in the world by 2017. Nearly 2 billion people use the internet as preferred means of communication. It’s a scale that offers massive opportunities, both for those who have good intentions, and those who do not.

On the not-so-good side, the trend is moving from just simply stealing data to manipulating or destroying it. For example, the much publicised Sony hack. And more recently the United States Office of Personnel Management (OPM) security clearance computer system database of personal information relating to military and intelligence officials was inhabited by hackers. Millions of US government workers’ private details were taken. And the hack was not discovered for more than a year, giving the adversary ample time to steal as much information as it wanted.

In the New Zealand context:

  • In the 12 months to 31 December 2014 there were 147 incidents recorded by the National Cyber Security Centre.

  • In the first six months of 2015 we have already recorded 132 incidents and expect that by the end of 2015 this figure will be in excess of 200.

  • Of the incidents recorded so far in 2015, 79 were reported by government agencies and 33 by private sector organisations. 

  • A further 20 incidents were reported to us by our cyber security partners where the nature of the organisation was not identified.

  • These incidents range in seriousness from the targeting of small businesses with “ransom ware” and attempts to obtain credit card information through to serious and persistent attempts to compromise the information systems of significant New Zealand organisations.

  • Roughly 0.5 % of the data analysed through GCSB’s recently developed (CORTEX) capabilities has a signature (fingerprint) associated with some form of cyber threat.

  • Each month GCSB and our international cyber security partners identify around 900 new signatures. Where possible this information is used to help identify the source of the threat and to assist others to avoid the threat – although attribution (who is doing this) can be a very complex matter to determine, and our focus is on defending our systems.

Some of these threats come from well resourced, foreign threat actors. While at times they are directly targeting significant New Zealand organisations, we are also seeing them use (and attempt to use) New Zealand based systems as a “jumping off point” to host malware which is used to target overseas networks. 

Part of our response to the more sophisticated and advanced types of these threats is the CORTEX project I mentioned. It was announced publicly last year. If you look at beehive.govt.nz you can find the Cabinet papers that authorised it. 

CORTEX only has one purpose: to counter cyber threats to organisations of national significance. Those organisations are chosen because of their significance to New Zealand (because they are information assets of national interest) – both public and private sector – through criteria determined by Government, independently of the Bureau. 

Included are government departments, key economic generators, niche exporters, research institutions and operators of critical national infrastructure.

We do not talk about which organisations are receiving CORTEX protection – that is because doing so may disclose where New Zealand’s most valuable information is held and allow a more focused attention from cyber-attacks.

Through CORTEX the Bureau has and is developing capabilities to protect selected organisations. Through these technical capabilities, advanced malware is able to be both detected and disrupted. 

There is a double gate to CORTEX capabilities being provided to organisations: first, the capability must be authorised by the Minister, and the Commissioner of Security Warrants, under the GCSB Act – the same process I mentioned earlier. But, also, the organisation obtaining the capability must consent to receiving it – and agree to a number of conditions (for example, each recipient must conduct the highest level of basic cyber-hygiene, advise those who interact with their computer systems (staff, customers) that their communications may be accessed for cyber security purposes and, for the reason above, maintain confidentiality about the services it is receiving).

So, what does CORTEX deliver? 

We provide a number of different layers of protection. The system offers:

  • an ability to detect threats to networks, and to tell protected organisations about those threats so that they can respond to them;

  • targeted advice from our experts about the prevention and mitigation of advanced and other cyber threats (we share what we learn from specific instances with a wider pool);

  • an ability to identify vulnerabilities in computer systems and networks that advanced threats might exploit; and

  • an ability to actively blocking advanced malware directly.

As we know, many organisations already employ technical means to block malicious internet traffic that would otherwise flow through to their customers. CORTEX is not about replicating those existing capabilities but is focused on countering foreign-sourced malware that is particularly advanced in terms of technical sophistication and/or persistence. This type of malware is not adequately mitigated by commercially available tools. 

So, how does CORTEX work?

Usually it involves a layered set of technical capabilities– layering provides better coverage and is more likely to detect sophisticated malware that might be able to avoid detection at some levels. 

Organisations may receive just one or several layers of capability.

At the heart of the capabilities is the detection of advanced malware.  Detection occurs through automated means in the main– i.e. machines looking for indicators of malicious activity using information about previous successful or attempted cyber-attacks.

In some cases the capabilities also involve ‘active defence’. This involves putting in place systems that can identify and disrupt sophisticated cyber threats in near real-time. These systems are given ’fingerprints’ – patterns of data that identify particular, known threats – for them to use to distinguish between benign and malicious internet traffic. When malicious internet traffic is identified by a finger print, the system prevents it from reaching its destination.

In some cases (so far our experience tells us that is less than 0.005% of the total data analysed), a human analyst would need to review the data where the machine analysis throws up malicious cyber activity but is unable to resolve it – perhaps because it’s a new form of attack.

We conducted a privacy impact assessment on the CORTEX project. We did not restrict ourselves to those principles that apply to us (s 57 Privacy Act exempts us from many of the information privacy principles (IPPs)) but, following the Privacy Commissioner’s Office advice on best practice, we considered all of the 12 principles. While some of those IPPs are not apt to the work under CORTEX, the extraordinary controls on storage, use and retention of data, along with the independent oversight of our work, are the keys to dealing with any privacy implications. 

And – just as in our foreign intelligence work - technology assists in ensuring independent oversight of the CORTEX capabilities for compliance with the law, with the specific terms of the authorisation, and to reassure you that the capabilities are being use for their authorised purpose and nothing else. The system itself provides strong and comprehensive oversight of the use of CORTEX data. The data is categorised according to how it should be handled, and the rules about what can (or cannot) be done with it. 

These rules specifically limit the number of our people who can access the data, all of them computer defence specialists, with a clear understanding of the rules. And the IGIS is able to view it all – a complete log of what occurred, and the recorded reasons for any activity taken, for any analyst’s viewing of CORTEX data, and what they did with it. 

As I’ve said, CORTEX is designed and used for a specific purpose. We cannot, and do not, use that capability for any other purpose. It’s all about cyber security. 

And it’s going really well. 

In the first 10 weeks of 2015, we resolved more cyber security incidents than we did in all of 2014. We think it’s more likely that’s not because of an increase in the volume of incidents so much as our improved capacity to identify and resolve incidents promptly – thus minimising the harm to important New Zealand organisations.

I’ve talked to some private sector organisations about CORTEX lately. Both some receiving the capabilities and some who are not receiving them. They tell me that industry is highly supportive of the Government’s investment in defences against the more advanced, sophisticated cyber borne threats and providing them to help reduce the vulnerability of our nationally important systems to attack.

Some recent (since March this year) examples of what we have seen or been involved in responding to recently, include:

  • The targeting of several officials from a key government agency through email and web site exploits in an effort to gain access to personal information and potentially compromise the agency’s network. This attack was detected and mitigated before important information could be lost or compromised

  • The use of a malware package – most likely sourced from the “dark web” – to target six significant New Zealand organisations. The threat was detected and mitigated through systems and support provided via our CORTEX capabilities.

  • These capabilities also helped us identify and trace the source of a new cyber- attack method from a known major foreign threat source. The attack targeted several CORTEX customers. The “fingerprints” of this new cyber-attack were able to be passed on to our international partners, helping to reduce global vulnerability to this particular attack.

  • CORTEX also enabled us to detect the large-scale targeting of a nationally significant organisation as part of a global campaign by a known foreign threat source. We were able to work closely with the New Zealand organisation to contain the threat.

We have also helped:

  • an Auckland firm’s computer network attacked by an overseas-based criminal group

  • resolve a long-term compromise of a major IT firm

  • a telecommunications provider to respond and strengthen their systems after seeing suspicious, overseas-sourced activity on their network

  • private sector organisations suffering ransom-ware and denial of service attacks.

Some incidents require our assistance, others can be resolved with some advice, and others again are managed by the entities themselves when they are aware of what’s going on in their systems.

New Zealand government and private sector entities are targets and victims of malicious actors. We cannot be complacent about it. But plenty is being done, with government, industry, academia and NGOs working together to understand better the threatscape and how to build our resilience to it. By working together to counter these threats, we are protecting New Zealand’s economy and security.

We typically do not currently provide direct assistance to smaller businesses or to individuals, however we may assist with evaluation of cyber incidents if they fit within our authorisation criteria.

As I’ve said, our focus is on organisations of national significance.  But we do make sure that we work closely with other organisations on the cyber threat. We’re well connected with:

  • Police – National Cybercrime Unit

  • DIA on privacy and information assurance

  • Connect Smart (NCPO) – an initiative to increase awareness and improve cyber security. The National Cyber Policy Office in DPMC (NCPO) is developing useful partnerships and increasing the range of organisations we are able to benefit through cyber security insights.

  • Netsafe

  • NZ Internet Taskforce (largely volunteers in the commercial sector).

We provide the information we learn – at appropriate levels of generality and declassified – in advisories and other information sharing forums such as the Security Information Exchanges (SIEs) that we facilitate. SIEs are where sectors or industries meet as a group and discuss relevant cyber threats and mitigations, and all benefit from sharing information.

While our work has a clear technical focus, and is primarily directed at addressing the more serious end of the threat spectrum, cyber security is something we all have to be aware of. It is not just a technical issue, or one which only technicians need to concern themselves with. Cyber security should be approached as an enterprise wide issue. Information in organisations is under threat from a number of overlapping areas.

We encourage organisations to see information security through a lens of people, places and systems:

  • The people risk – an insider threat can be as damaging as a cyber attack. And your people can also be the cause vulnerability – whether deliberately or by failing to follow security protocols.

  • The places risk – premises need to be secure to prevent physical access. What are your boundaries – in cyber terms obviously you have to think of them as more than the physical reaches of your organisation. What is the reach of your information and data sets? That’s the boundary. Now think again – are you sure your boundary is secure?

  • Following that, the systems risk is probably obvious, and doubtless your IT teams assure you of security of those systems. But have you considered outsourced IT service providers:

    • What are their security arrangements?

    • Is their resilience regularly tested?

Contracting out won’t prevent cyber attacks on your business.

Think of your information as a supply chain – from start to finish – it’s only as secure as the weakest link in that chain.

A recent Vodafone report tells us: 56% of NZ businesses reported a cyber-attack in past year, 45% of them self-report that they have inadequate tools and policies to face cyber threats.

If any element of your connectivity is insecure, you are vulnerable. And, are you creating vulnerabilities for others?

There are three common positions on cyber security that influence how an organisation prepares for and responds to cyber threats. Each position is wrong, in my view, and risks a cyber-stance that exposes, rather than reduces, the agency to vulnerabilities.

Organisations don’t believe they have anything of value or underestimate what information is of value. That position leads them to think they are not at threat. But your data is valuable. Your customers certainly think so. We live in a data economy and are not only seeing data being stolen, but combined with other data sets to create commoditised information with commercial value or changed along the way.

NZs geographical isolation traditionally has meant we are safer from some of the risks we see overseas – but of course connectivity to the internet knows no geographic boundaries, and, accordingly, there is vulnerability.

Taking a risk avoidance position: this is only successful if you can be sure to have better defence than every potential attack. That’s not likely, I’m sorry to say. It is better to have a risk acceptance strategy: mitigate the risks and prepare your resilience to those risks being realised at some point. Traditional approach has been to build bigger walls – firewalls, anti-virus software, and perimeter security devices. All necessary still but no longer enough. A holistic approach is required to cyber risk management: across the organisations/networks/supply chains and larger ecosystem, to the boundary.

Recent events tell us that private information – held in datasets that are connected to the internet – is at risk from being improperly used if cyber attacks work. 

The secret of cyber security is that the basics matter – but they are not as commonly implemented as you would think.  Most cyber-attacks succeed because basics aren’t followed. Even though there are some adversaries who have access to the most sophisticated cyber-attack capabilities, they will always try the obvious first. After all, what burglar doesn’t try for an unlocked window first, even if she can hack through your household security system? So too, an adversary will not risk deploying their expensive, covert and hard won cyber-attack capabilities if they can slip in the ‘open window’ in your system.

So what are the basics? Our Australian counterpart ASD has some good mitigation strategies on its website – four recommended in particular are patching systems and applications as patches become available, ensuring that people don’t bring their own software to work (white-listing – only allowing approved software to run), limiting administrator privileges, and strong control of passwords. See more on our website: ncsc.govt.nz (or gcsb.govt.nz can take you there) or google “catch, patch, match” for ASD’s site.

These basic policies provide a very solid basis for building and maintaining more cyber secure systems and networks. The basics of an effective cyber security system can be built on some relatively simple concepts, as I’ve outlined. But the serious, high end sophisticated threats to significant New Zealand entities and infrastructures needs a more complex response, and CORTEX is an important part of that.

I hope my presentation today has helped inform your own understanding of the role and functions of the Bureau, along with the important security challenge we all face. If you look at our website you will see, along with handy tips for thinking about cyber security, some internal policies that we work to in various areas. They’ve been declassified, of course, for public consumption. More material is to come as we progress our commitment to greater transparency. We are also working on some very detailed information on CORTEX for the website. I’m determined that the Bureau keeps talking publicly and providing the public with more information about the work we do, because, as I’ve said, we understand that this is an important part of the controls and transparency to our work. 

Thank you very much for your time. I am happy to take a few questions.