A cybersecurity shake-up, revealed in an open letter by an angry security industry insider, is being considered by Cabinet, Government Communications Security Bureau (GCSB) Minister Andrew Little has confirmed to the Herald.
His plan to move Cert NZ (the Computer Emergency Response Team) under the GCSB’s National Cyber Security Centre (NCSC) has not been previously publicly confirmed.
“The current system is fragmented, creating a ‘merry-go-round experience for business victims’ of cybercrime,” Little said.
He wanted “a single front door for cyber security reporting, triage and response”, as recommended by a 2021 cybersecurity advisory committee, whose members included Z Energy chief digital officer Mandy Simpson, Kiwibank tech boss Hamish Rumbold and then-Consumer NZ CEO Jon Duffy.
Cert NZ was created in 2016 under Sir John Key’s National-led Government to act as a “triage unit”, issuing public alerts about cybersecurity threats and directing individuals and small businesses who had suffered a cyber attack toward the right help.
It is still run by founding director Rob Pope, the ex-cop best known to most Kiwis for his role as the detective inspector who led the investigation into the murders of Ben Smart and Olivia Hope.
A Cert NZ spokesman said the agency today has 35 staff. Questions were referred to Little’s office.
In an open letter posted to LinkedIn, cybersecurity advisor and former Cert NZ board member Kendra Ross said: “While the objective of strengthening New Zealand’s cybersecurity capabilities is commendable, we believe that this decision, combined with the lack of broad consultation and the rushed implementation, poses significant risks and could have far-reaching negative consequences.
“Placing an outward-facing non-intelligence organisation under the umbrella of an intelligence agency could create conflicts of interest and compromise the independence and transparency necessary for effective cybersecurity operations.”
Ross told the Herald she learned about the merger plan through industry contacts early last week. She informed members of a “closed security group” with which she was affiliated.
Members of the group took concerns to the National Cyber Policy Office, which reports to Communications Minister Ginny Andersen. The members were given until Friday to give feedback, and told not to discuss the plan publicly.
Ross said she resigned from the group so she could speak out. She told the Herald she had co-founded two cybersecurity forums representing some 1600 security professionals between them.
She criticised the “apparent rush to implement this decision without a clearly defined government strategy for the cybersecurity sector”.
In her open letter, she criticised the Government for a lack of consultation on such a “substantial reorganisation”, in the context of what she saw as a half-decade of cybersecurity directionlessness.
“Five years without a government strategy in such a critical area is worrisome,” she said.
The lack of consultation could build resistance, and mean key trends in a fast-moving threat landscape were missed.
“Cert NZ does an excellent job, but since it was established in 2016, the cybersecurity threats New Zealand faces have become more sophisticated and costly to protect against and remediate,” Little told the Herald last night.
“Much of the NCSC’s work is public-facing, and is delivered to customers across the public and private sector in the same manner as Cert NZ’s.
“However, the NCSC’s responsibilities for supporting the cybersecurity resilience of New Zealand’s nationally significant organisations and responding to national level harm means they have access to cyber threat information which is only accessible to intelligence agencies, such as intelligence about the advanced state-based threats which are increasingly a concern for nationally significant organisations.”
Bringing the two agencies together would improve coordination and help to boost low reporting of cybersecurity incidents.
Ross countered that Cert NZ being under the GCSB’s NCSC unit would make embarrassed victims even more reluctant to admit their systems had been breached by hackers, or that they had fallen for a scam.
The Herald understands a key catalyst for the formation of the cybersecurity advisory committee, whose recommendations led to the plan to move Cert NZ under the GCSB, was an unco-ordinated response to the DDoS (distributed denial of service) attack on the NZX in 2020, which took the exchange offline for days.
Little ordered the GCSB’s NCSC to help the exchange, the Herald understands - a move the minister apparently thought should not have been necessary given the simple, brute force nature of a DDoS attack, where a swarm of bots try to access a site, effectively crowding out regular users.
A 2021 Financial Markets Authority report on the incident was sharply critical.
The Cyber Security Advisory Committee (CSAC) was formed in December 2021.
“Over the following year the CSAC surveyed and consulted with businesses and organisations and found the current system is fragmented, created a ‘merry-go-round experience for business victims’, and did not present a safe experience for Māori especially when information sharing goes unchecked. The CSAC found there is a significant gap between the current state and a high-performance future state for cyber security prevention and defence,” Little said.
“The CSAC recommended the creation of a single front door for cybersecurity reporting, triage and response, and that it should be placed under NCSC, in part because the NCSC has empowering legislation that creates detailed obligations on it and protections for the public, whereas Cert NZ does not.”
A Five Eyes craze
Little’s proposed restructure follows moves by the other Five Eyes countries to bring their Cert equivalents under security agency control.
“This unified model is increasingly the international standard and would also help government to better understand the overall cyber threat landscape and use this information to provide guidance to New Zealanders.”
Ross said anecdotal feedback from staff in those countries (the US, the UK, Canada and Australia) was that the measure hadn’t worked and should be unwound.
Little maintained there had been consultation.
“Since CSAC made its recommendations there has been further consultation to seek input from organisations who represent other voices from the information security sector and everyday New Zealanders,” he said.
Asked if all Cert NZ jobs would be safe under the NCSC plan, a member of Little’s staff said the plan was still being finalised. “But this is not a cost-cutting exercise.”
CSAC members
The 2021/2022 Cyber Security Advisory Committee was chaired by Mike “Mod” O’Donnell, the one-time Trade Me chief operating officer who now sits on multiple boards, including NZTE and RNZ. Its members included:
Sheridan Broadbent, Kordia chairwoman
Vanessa Clark, research developer in Māori engagement at the University of Waikato
Jon Duffy, Consumer NZ CEO
Steve Honiss, director of Cyber Strategy and Risk at ZX Security
Victoria MacLennan, co-chair of NZRise (now head of IT Professionals NZ)
Hamish Rumbold, chief digital and technology officer at Kiwibank
Mandy Simpson, chief digital officer at Z Energy
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is technology editor and a senior business writer.