Cyber-attack targets on govt officials, telco company revealed by GCSB

A powerful cyber-attack has targeted certain officials in a government department in a possible effort to access sensitive information.

Another major IT firm received help from the Government Communications Security Communications Bureau (GCSB) after it was discovered their computer network had been compromised for some time.

The incidents have all occurred this year, and were revealed today in a rare public speech by GCSB acting director Una Jagose, who moved to reassure the public that data used in cyber security programmes was properly handled.

"Several officials in a key government agency have been directly targeted through email and website exploits in order, we think, to gain access to personal information and maybe compromise that department's network," Ms Jagose said.

"We were able to assist that department in detecting the attack, and mitigating against it before important information could be taken out of the network and lost or compromised.

"We have identified and resolved a long term compromise of a major IT firm. We have helped a telecommunications provider respond...after identifying suspicious overseas activity on their network."

A willingness to share such information - albeit without going into further detail - reflects increased public relations efforts by the GCSB.

Both the domestic intelligence agency the SIS and GCSB, with its foreign intelligence mandate, have come under intense scrutiny after a series of revelations and allegations.
Ms Jagose provided new details about how the GCSB's cyber security programme, called Cortex, works.

Cortex's existence was first revealed by Prime Minister John Key before last year's election, ahead of Kim Dotcom's "moment of truth" event in Auckland and in response to claims New Zealand had tapped the Southern Cross cable network.

What organisations are protected by Cortex is secret, but significant economic targets and vital network utilities are likely to be included.

Cortex is mostly automated, with machines using information and patterns gleaned from previous attacks to scan data and systems for points of weakness and possible intrusions.

Of all data analysed, less than 0.005 per cent has to be reviewed by GCSB staff, Ms Jagose said, and there were "extraordinary" controls about how it was handled.

"Rules limit the number of people who can access it - all of them who can are computer defense specialists - who must indicate and show they have a clear understanding of the rules.

"And the Inspector General [of Intelligence and Security, Cheryl Gwyn] can view all of it. She can see a complete log of what has happened, and recorded reasons why any of that activity has been taken in relation to that data, or why an analyst is viewing that data.

"We cannot and don't use it for any other purpose. That intelligence - sorry, that information gathered - is used for defending out networks. It is all about cyber security."
Asked if customers of a company that is protected by Cortex were likely to understand that data may be reviewed by GCSB staff, Ms Jagose said organisations had to advise those who interact with their security systems that communications may be accessed for security purposes.

Cortex was not designed to duplicate commercial cyber security programmes and software, and protected against sophisticated foreign attacks that "tend to be too powerful for commercially-available tools".

Cyber-attacks are increasing. Last year the National Cyber Security Centre, a division of GCSB, recorded 147 incidents. In this year's first six months alone 132 were recorded.
Ms Jagose had been due to give her talk earlier this month, but when protesters unfurled a banner labelling it a propaganda exercise, it was called off.

She said there was a natural tension between the agency's desire to reassure the public that its activities were proper and proportionate, and its natural need for secrecy.

She told the audience the GCSB did not carry out mass surveillance, and was critical of recent media reporting on documents released by former NSA contractor Edward Snowden.

NSA and GCSB are sister organisations in the Five Eyes intelligence alliance of US, Britain, Canada, Australia and New Zealand.

Ms Jagose began her relieving role in March, the same week that documents taken from Snowden relating to New Zealand were published by the Herald.

The revelations included that there was a "full-take collection" of information from New Zealand's Pacific neighbours, sweeping up information from the region and passing it on to the NSA.

Ms Gwyn, in her watchdog role as the Inspector-General of Intelligence and Security, subsequently launched an investigation into complaints that such activity would include the communications of Kiwis working or travelling in the South Pacific.

It is illegal for the GCSB to collect the communications of New Zealanders.

Asked after today's speech if she could explain what "full-take" involved, Ms Jagose said it would not be appropriate given Ms Gwyn's announcement.

She expressed frustration with "misinformation", and said some media reporting had exposed some of New Zealand's vulnerabilities.

"I think it is an issue that I would quite like to talk more with media outlets about - at what point does New Zealand's interests become compromised, and how can we get over that.

"So if a media response is to say - with a document that has been stolen and is still classified - 'hey, look at this', and print it, that risks exposing us to vulnerabilities, and does risk New Zealand's interests."

Full speech below: