The project, called the National Cyber Crime Plan, which forms part of the Government’s refreshed Cyber Security Strategy, was announced – via at least four press releases – by Communications Minister Amy Adams back in December.
“Cyber-attacks can and do damage our economy,” said Adams at the launch. “One attack could wipe hundreds of millions from the NZX in a single action or steal commercially-sensitive IP directly from a laptop.”
“As a Government, growing the New Zealand economy is our number one priority.”
That partnership proposed will see the introduction of a national computer emergency response team (CERT) tasked with “providing information” to businesses, government and individuals.
“The Government and private sector need to work together on cyber security,” said Adams. “The private and public sectors must find ways to share information and expertise to address cyber security risks and this strategy relies on a close and active public-private partnership to ensure New Zealanders remain safe online.”
“New Zealand’s key international partners each have a national CERT of some form, and creation of our national CERT brings us into alignment”.
Image: Communications Minister Amy Adams
The strategy feeds into the New Zealand Police’s latest cybercrime plan, Prevention First: National Cybercrime Operating Strategy, and signals the expansion of the national Cybercrime Unit and the development of the High Tech Crime Group, which promises increased linkages to the Singapore-based Interpol Complex for Global Innovation.
“We have already got strong connections between agencies,” says Adams, “but this national shared plan truly creates an interagency and cross-sectoral landscape to improve security and respond to cybercrime”.
Craig Richardson, CEO of cyber-crime software producer Wynyard Group (which recently inked a $27m deal with a yet-to-be-named national security agency), isn’t convinced.
He says that while the government should be applauded for developing some sort of national cyber security strategy, the current proposals fall well-short of international standards.
“At the moment [the strategy] is a loose collection of ideas and initiatives without a clearly articulated, prioritised, sequenced and resourced plan to build and maintain New Zealand's ‘defender’s advantage’,” says Richardson.
This puts New Zealand years behind our international partners and makes New Zealanders target practice for cyber criminals without any clear time frames when the turkey shoot might be over – Wynyard Group CEO, Craig Richardson
“In simple terms, a defender has only one advantage over a sophisticated and persistent cyber threat adversary and that is a better knowledge of their digital assets, networks, critical infrastructure, operations and how they are being protected.”
“As a small nation with only a few network gateways into and out of the country, we have an opportunity to build a ‘defender’s advantage’ and establish a world-leading local capability that could be the envy of other countries. But, this plan doesn’t articulate that objective or the steps that will be taken to get there.”
Richardson says that the action plan has no single point of accountability for delivering outcomes, and from the details released to date, it’s not clear what even constitutes a successful outcome for the programme, making it impossible to measure the programme’s efficacy.
“In addition, my concern is the action plan appears to show that outcomes will rely on the goodwill of many government agencies and their willingness to work together on this initiative. I don’t believe many of those agencies yet understand, or will agree, on the size, scale, complexity and operational priority of the problem. It appears they don’t have the resources, operational budgets or skills to deliver on many of these initiatives.”
Richardson takes particular issue with the government’s proposed national CERT.
“This action has been assigned to five government agencies, two NGOs and an as yet unnamed group of private sector parties.”
“A national CERT was first mooted in 2008 and on the surface it appears we have only got as far as agreeing it’s a good idea. The UK launched a CERT nearly two years ago and Australia, which launched its CERT in 2009, opened the Australian Cyber Security Centre in 2014 bringing together the cyber security capabilities across Defence, the Attorney-General’s Department, Australian Security Intelligence Organisation, Australian Federal Police and Australian Crime Commission in a single location.”
“This puts New Zealand years behind our international partners and makes New Zealanders target practice for cyber criminals without any clear time frames when the turkey shoot might be over.”
At a glance
- The GCSB recently revealed that there were 190 significant incidents the 12 months to June 2015. Of these, 114 targeted government networks and systems and 56 targeted the private sector.
- A recent Norton report noted that in this country almost NZ$257 million was lost to cybercrime in the past year, affecting around 856,000 New Zealanders. Further research by PwC revealed that 56% of New Zealand businesses experience an IT security attack at least once a year.
- According to accounting firm Grant Thornton, only 50% of New Zealand businesses have a person specifically tasked with cyber security and 62% of businesses did not have an IT privacy and security strategy in place.
- A copy of the National Plan to Address Cybercrime can be found here.