Deloitte cyber and privacy lead Anu Nayar. Photo / Supplied
Deloitte cyber and privacy lead Anu Nayar. Photo / Supplied
Meagre cyber-security spending will undermine the Government's goals in key areas like mental health and child poverty, Deloitte partner Anu Nayar says.
Budget 2019 saw the Government earmark $2 million a year to support the rollout of a cyber security strategy
No details of the strategy were announced today butCommunications Minister Kris Faafoi said it would be one that "supports New Zealand's response to the growing scope, scale and sophistication of cyber threats" and will be "done through providing funding to support activities that address cyber security threats and improve cyber security resilience".
The funding is coming from Vote Prime Minister and Cabinet, starting from the 2020 financial year.
Separately, in a move that will draw wry smiles after the Treasury's website contretemps earlier this week, the Parliamentary Service will get an extra $250,000 a year from 2020 to "enable a lift in cyber security capability to meet the expectations of customers and to protect systems from external threats".
The two-year-old Computer Emergency Response Team (CERT) New Zealand is also getting a funding boost of $2.2 million a year, plus a $560,000 capital allocation to meet its mandate. That comes on top of the $3.9m CERT was allocated in 2018 to cover four years of operations.
The appropriations left Nayar unimpressed.
"From all the work I've done across government, corporate and critical infrastructure, that level of funding for cyber-security is actually extremely low," he told the Herald.
Certainly, it pales next to the Australaian Government's Budget 2019, which saw the creation of "cyber sprint teams" under the Australian Cyber Security Centre (ACSC), as well as a Cyber Security Response Fund as part of a $855m cyber-security push.
Deloitte cyber and privacy lead Anu Nayar says good digital systems have to underpin new systems in areas like mental health and child wellbeing as big data and analytics are increasingly used to drive policy.
"We're increasingly reliant on data to provide these services we need to provide but, as Kiwis, we also feel very strongly about our personal information being secure. It's integral to our culture."
The Government needs to honour this "social licence" by building resilient cyber-systems that the public can have confidence in in an age of constant news about information being stolen by hackers and social networks being careless with privacy, Nayar says.
The Deloitte partner acknowledged various departments spend money on cybersecurity, but he says that's inefficient. A centralised strategy is better, but $2m to fund it is a drop in the ocean. Nayar won't say the dollar figure for that he thinks funding should be. He says cyber spending should be a set amount - possibly around 10 per cent - of total spending.
'Woefully inadequate after Treasury hack'
"While it is always good to see new funding for cyber security, it is difficult to see how $2m per annum is going to have a significant impact," security consultant Daniel Ayers said.
"There is a great deal to be done in that area, as demonstrated by the woefully inadequate IT security at Treasury and the apparent lack of any functional data leak prevention solution which many corporates would consider to be an essential protective measure."
The country's security and intelligence units got extra money to bolster national security in the wake of the Christchurch terror attack, with the GCSB getting an extra $39m, front-loaded over the next two years.
The outward-facing intelligence unit has a budget of $180m in the year just ending and $173.8m for next year, before it drops to $144.6m.
GCSB/SIS boost
Meanwhile, the Security Intelligence Service gets an extra $11m over the forecast period, taking this year's budget of $83.6m to $106.1m in 2020. The SIS budget will fall back to around $85m in the out-years.
"The cyber-security initiative is worth the increased spending, and that will be useful for playing cyber-defence - and perhaps a little cyber-offence -against foreign and domestic intruders across a variety of digital platforms," security expert Paul Buchanan told the Herald.
Security expert Dr Paul Buchanan. Photo / Michael Craig.
"But Christchurch is being used more as a cloak for the increases to the SIS and GCSB budgets, very little of which will be specifically dedicated to the detection and prevention of lone wolf/small cell terrorist attacks committed by white supremacist extremists - which is the specific threat that exposed New Zealand vulnerabilities.
The exception could be in the SIS, where increased resources will likely be made available so as to better detect and monitor a variety of internal threats via human intelligence gathering that includes recruitment of new officers and repurposing of more experienced ones, Buchanan said.
"They also will be directed to the counterespionage role that the SIS performs. The increase then drop in GCSB funding undoubtably has connection to reinforcing cyber-security but is not reducible to it.
"The GCSB has fish to fry that are not part of the cyber-security initiative/strategy, so the funding boosts respond to those demands as well as cyber-security."
In the former Pentagon adviser's view, "The structuring of the allocations reflects the political cycle: more now and next year in order to produce tangible short-term results, then reduced levels in a context of electoral uncertainty that can be increased at a later date."
