Australia is significantly ramping up its cyber defences.
Overnight, Prime Minister Scott Morrison announced a A$1.35 billion ($1.4b) boost for efforts to defend the country's public and private networks against hackers - such as the unnamed "sophisticated state actor" that launched a massive attack on government agencies and private businesses last month.
The 10-year funding plan includes A$470m that will be used to create more than 500 new jobs within the Australian Signals Directorate, the agency responsible for repelling cyber attacks. That will take the agency's total staff to around 2500.
A number of commentators have blamed China for the recent, orchestrated attacks, but there have also been a number of high-profile attacks on Australian targets by independent, criminal ransomware gangs, who often operate out of Eastern Europe. Companies hit have included BlueScope Steel and Toll Group.
GCSB Minister Andrew Little said malicious cyber activity was not beyond usual levels during the June 19 co-ordinated attack on Australia.
But NTT cyber security head Matthew Lord told the Herald: "The problem will be NZ organisations operating in both countries. Those organisations should prepare as the attackers could compromise a New Zealand organisation thinking it's an Australian business."
This year we've seen Toll's NZ operation hit twice as collateral damage in ransomware attacks on its Australian parent, as was Lion.
And some NZ-headquartered companies appear on hackers' radars anyway, such as the Auckland-based Fisher & Paykel Appliances, which was targeted in a ransomware attack last month. Like Lion, it says its systems are now restored, but there was a fortnight of manufacturing and supply chain chaos for both.
And despite Little's reticence to comment on what "state actor" could be behind last month's attack on Australia, in 2018, the GCSB said the Chinese government has ties to a group called APT 10 that was at the time carrying out commercial espionage in multiple countries, including New Zealand.
NZ: Modest cyber security budget increases
So what is being done on this side of the Tasman? Little's office forwarded questions to Communications Minister Kris Faafoi, who said the Government provides a range of cyber security support to individuals and organisations in New Zealand.
Faafoi's bottom line was that security agencies are expanding their efforts and will use their security tools to defend a broader range of New Zealand organisations.
But the various cyber security budget increases he detailed were in the single-digit millions - an order of magnitude behind Australia's.
Businesses and individuals can access advice and information through CERT (the Computer Emergency Response Team), and the Government works closely with our international counterparts to prevent and respond to cyber security incidents and address cyber crime, Faafoi said.
Cert was created in 2016 with a $22.2m budget. Faafoi points out the agency's budget was increased by $9.3m over four years (that is, by $2.3m per year) in Budget 2019.
"Also in Budget 2019, the Government allocated $8m over the next four years to help implement Cyber Security Strategy."
"Initiatives making use of these funds will be announced as they are being implemented," Faafoi says.
Cert, headed by director Rob Pope, is a public-facing agency.
The National Cyber Security Centre (NCSC), part of the GCSB, provides advanced cyber defence capabilities to a cross-section of New Zealand's organisations of national significance to protect their information systems from high impact and advanced cyber-borne threats, Faafoi says.
"The NCSC is in the process of scaling up the availability of one of those defence capabilities, Malware Free Networks, to a much broader range of organisations," Faafoi says.
The NCSC's staff are all within the GCSB's total headcount of around 500. The director-general of the GCSB, Andrew Hampton, doubles as the Government's chief information security officer (GCISO), putting him in broad charge of every Crown agency's cyber security, from MPI to your local council. The NCSC's director is Lisa Fong, recently profiled by the Herald as an emerging tech leader.
Budget 2020 included $146m over four years for the intelligence agencies - that is, the domestic-focussed NZSIS and the GCSB. That works out to $36.5m per year.
An NZ intelligence community spokesman would not say how much of that annual budget is devoted to cyber security.
"To give specific amounts allocated to particular functions as that may give adversaries an indication of our capability in any one area," he said.
Last year, the agency advised around 800 "customers" beyond Government agencies, including "key economic generators and niche exporters" on how to counter cyber threats.
The NCSC is best known for its Cortex - a suite of cyber defence systems to detect and disrupt attacks on "organisations of national significance" that may or may not include some of our largest export earners and holders of intellectual property, such as Fonterra (the agency won't confirm or deny exactly whom it protects).
Last week's cyber attacks on Australia did not succeed in disabling any infrastructure or stealing any data, according to initial reports.
And, as noted, the GCSB did not detect any threats out of the normal here.
But cyber attacks are costing our economy, as we've seen from the disruption caused by the Toll, Lion and F&P Appliances incidents. A report by security company Emsisoft estimates ransomware attacks have cost NZ at least $37.5m this year, while a recent NortonLifeLock survey found NZ losses to cyber crime of $108m in 2019.
GCSB says it has prevented $100m in harm
In a report delivered in February, the GCSB said: "We have continued to improve and advance our Cortex cyber-defence capabilities, which we calculate have prevented almost $100m of harm to nationally significant organisations since June 2016."
It said $27.7m in harm was prevented by Cortex last year.
The GCSB reported there were 339 cyber attacks on NZ "organisations of national significance" in 2019. Of those, 131 had "links to state-sponsored actors - the same proportion as the previous year," when there were 347 attacks.
Minimum cyber-security standards for private companies
It's clear, however, that more help is needed. Toll Group got hit in January, tightened its defences, then got hit again in May. Lion's systems were compromised despite a big-money move to SAP's Hana platform.
In Australia, Morrison has floated the idea that private firms will have to meet minimum cyber-security standards - and chip in for the cost of a regulator who would ensure compliance.
Here, GCSB Minister Little said the NCSC would continue work for free for qualifying organisations, to advise them on their own security and bring them under the umbrella of systems like Cortex.
Minimum standards, and enforcing them, don't seem to be on the table.
"During the development of the Cyber Security Strategy in 2018, consultation with the community and industry did not identify a case for regulatory measures to set cyber-security standards in the private sector," Faafoi said.
"Officials continue to monitor the cyber-security policies of other nations including Australia."
Meanwhile, within government, Faafoi points out that the New Zealand Information Security Manual (NZISM) sets out required information security standards, policy and guidance.
The NZISM was recently updated to tighten up protocols over when the popular but relatively low-security video chat service Zoom can and can't be used, for example.