On Wednesday night TVNZ7 ran a live debate on privacy and security issues on the internet. It covered a lot of ground and if you’re interested in the whole debate watch the clip here.
I was in the audience and got to ask the panel a question about NZ’s cyber security – threats such as computer viruses, worms, Trojans and malware (malicious software). Unfortunately there wasn’t much time for discussion, but it’s already generating some debate within the internet community and no doubt the public sector.
Globally, many governments take active cyber-defence roles through CERTs (Computer Emergency Response Teams), but New Zealand remains one of the few countries that lacks a national CERT.
This was the gist of my question:
Thinking about if where and how the government intervenes on the internet, education and awareness and parents taking responsibility for what their children do is important. But where the government could and should intervene is around cyber attacks to the internet and to our data systems.
Recently the Australian Government established a Computer Emergency Response Team (CERT).
Should we be considering a similar response here around protecting us, having a civil defence system online and if so should it be funded through the private sector or the public sector?
A couple of days ago I lodged a series of questions on this issue to John Key as SIS Minister. Have heard they’ve been redirected to Communications Minister Steven Joyce who says it’s his responsibility! Await the responses with interest.
I think we need to discuss whether the government should have an over-arching vision in place for beefing up NZ’s cyber-security. At the moment it does seem to be piecemeal.
If you’re interested:
A bit of background
An emergency response team is needed not so much for the doomsday scenario but as a day-to-day point of contact for internet security threats for NZ businesses and consumers. If we proceed with establishing a Response Teamthe process must be open and transparent with support from across the industry and consumers.
A Response Team needs to be trusted and have the support of the community it protects.
In the same way there are easy points of access to report faults in essential services like water, electricity and the roading network, a CERT would provide an easy point of contact and help New Zealanders be more prepared for cyber-attacks. It would have both a proactive and reactive role. It’s kind of like the job of Civil Defence towards natural disasters, Civil Defence can’t prevent disasters from occurring, just like a CERT can’t always prevent global cyber-attacks, but a NZ CERT would help Kiwis to be more aware and prepared online and get through a cyber-emergency if it occurred.
Here’s the questions I’ve lodged with the PM (re-directed to Steven Joyce):
- In light of the recent initiative by the Australian Government that established a Computer Emergency Response Team – CERT Australia, does the Minister have any plans to establish a New Zealand CERT, if not, why not?
- If the establishment of a NZ CERT is envisaged, does the Minister have a preference for a (partly or wholly) privately contracted model or an entirely state-operated CERT? What reasons can the Minister give for his preference?
- If a New Zealand based Computer Emergency Response Team (CERT) is being established, how would the government’s tender process be conducted, if any?
- If a New Zealand based Computer Emergency Response Team (CERT) is being established, can the Minister guarantee that any tender process will be conducted in a transparent and fair manner?
- Is the Minister aware of any proposals to create a New Zealand based Computer Emergency Response Team (CERT) that have been received by his department in the last 12 months?
I think bio-analogues apply… and in the end, the best defence against disease is bio-diversity. The reason computer viruses spread like they do is that everyone uses the same operating system.
Or to put it another way, stop using windows and start using linux.
There are other single-points of failure of course… and a single point of failure is basically a monoculture of one… and monocultures are inherently risky and unstable. The long-term goal should not be (I don’t think) to get all paranoid and pour a gazillion dollars into (secretive and unaccountable) top-down-control… which a) probably won’t be that effective and b) will probably wind up being worse than the original problem.
In the meantime though, we have single points of failure. Go talk to the Estonians and find out what they did.
And don’t stress out too much. If the danger was as great as those that would profit from it claim it to be, it’d already be happening.
I read a story recently (in the Listener I think) that stated over the last few year cybercrime/interference has been increasing exponentially… Definitely something to be worried about…
Cyber defence – surely we have a very poor continuous service from the ISPs now. Why invest effort in something that has a minor effect compared to the outages, slowdowns, and over loaded local proxy servers
We already have CCIP – http://www.ccip.govt.nz/ . Not a CERT but seems to me it is already, to quote you Clare:
“… a day-to-day point of contact for internet security threats for NZ businesses and consumers”
The issue with computer security is that all current operating systems are a monoculture. Windows, OS X and Linux are essentially limited by design to allow viruses to run just as other programs will run.
The most secure available OS is openbsd, but most people don’t like the hassle of configuring it.
Secondly, I thought CCIP at the GCSB handle computer security issues for critical infrastructure. Even so, I have no confidence that they have anyone capable of creating a secure OS environment for ordinary users, as like other government departments, they think computer science is best learnt at uni.
Which brings me to my last point, NZ will only have a short period where there is a need for a CERT because you already have some adults who gained computer literacy at the same time as basic literacy and numeracy.
The real issue is making sure that people don’t use the same password for every website, especially for banking sites and email. If you can remember several phone numbers, you can remember several passwords.
Do we currently have much of an ability to detect network intrusions from offshore?
I didn’t get a chance to answer the question during the debate. So for the record – NetSafe supports the call to develop proper CERT capability for NZ.
I’ve covered it in a bit more detail in the NetSafe Blog (http://blog.netsafe.org.nz).
Clare – I’m genuinely surprised that they got redirected (although I guess I shouldn’t be – it’s the cynical approach afterall). From memory it’s GCSB and DPMC that were the agencies typically providing advice to government on cyber-security in the past.
Good work Clare!
Section 7(c) of the Government Communications Security Bureau Act: “The objective of the Bureau is to contribute to the national security of New Zealand by providing…advice, assistance, and protection to departments of State and other instruments of the Executive Government of New Zealand in order to—
(i) protect and enhance the security of their communications, information systems, and computer systems; or
(ii) protect their environments from electronic or other forms of technical surveillance by foreign organisations or foreign persons.”
Just be careful with tinkering with the Internet, though. I wouldn’t like to see NZ erect a national firewall like Australia or China which could be used to block something like Wikileaks.
FFS Clare – are you aware of CCIP?http://ccip.govt.nz/index.html
To help you out:
Mission:
The Centre for Critical Infrastructure Protection (CCIP) is dedicated to improving the protection and computer security of New Zealand’s Critical National Infrastructure (CNI) from cyber based threats.
Using military analogies on the net is probably not going to help. You have to keep it in context; any militant force wanting to actually conduct war might initially use the net to disrupt the enemy, but ultimately will be using real bullets.
Obviously we should be promoting responsible computing, ensuring that we have security that is not easily compromised. But there is an inherent risk in the net, in the same way that giving people human rights can interfere with Police collecting evidence. There are risks, but the benefits outweigh those risks.
Remember that security is context sensitive. The level of security that is appropriate for my one man web site is far less than that required for critical infrastructure control, such as power stations, telecommunication systems and trading systems. Having some generic group protect “The Internet” is not what is needed. We need to ensure that proper security is implemented in critical infrastructure.
Central Government in this case has a role as an enabler – ensuring there is support and education available to organisations with these risks, but not as some kind of big brother imposing filtering and restrictions for “our own protection”.
@ everyone Just to be clear and sorry I wan’t in the post. I put the questions to the Prime Minister in his capacity as both Minister in charge of the NZ Security Intelligence Service and Minister Responsible for the Government Communications Security Bureau (GCSB). I am surprised and dismayed by the flicking off of the questions to Steven Joyce. Watch this space.
What do you all think?
Oh and yes I do know about CCIP. But the issue is about whether NZ needs a CERT. Does it?
In my opinion the functionality you seem to want from a CERT that isn’t already provided by CCIP falls into the realm of private sector providers.
BTW, why do we need our own CERT? The internet connects us to the world, couldn’t we just piggy back of Australia?
What value could a NZ CERT add compared to receiving threat alerts from a McAfee or Trend Micro based in the US? Threats that reach NZ have usually already been detected overseas and alerts issued.
http://us.trendmicro.com/us/trendwatch/?cm_re=Threatbox-_-CorpMkt-_-TrendWatch