Lisa Fong's speech at the NZITF 2023 Conference

  • Posted December 18, 2023

Lisa Fong, Deputy Director-General GCSB and head of the NCSC, recently spoke at the New Zealand Internet Task Force 2023 Conference, where she discussed the past year and shared some insights into the future of the NCSC.

Read Lisa’s full speech below.

Kia ora koutou katoa, ko Lisa Fong ahau.

2023 was a particularly big year for us. In July, the New Zealand Government decided to create a lead operational cyber security agency and integrate CERT NZ with the National Cyber Security Centre.

However, the CERT NZ transfer wasn’t the only big thing that happened in 2023, so I do want to firstly focus on some of the other highlights.

At the beginning of November, we released our annual Cyber Threat Report, which provides our view on the domestic and international cyber threat landscape.

For the first time, we linked more domestic incidents to financially motivated criminal actors than we did to state-sponsored actors.

This is concerning because it’s a clear sign that the growing availability of effective malicious cyber tools, compromised credentials, and vulnerabilities in public-facing infrastructure has made it easier for these cyber actors to work at scale, and with the sophistication required to cause national-level harm.

We chose to take a more technical focus in our report this year, which we hope has increased its usefulness. It has been great to read the thoughtful commentary online from some of you. This suggests our report has been good food for thought.

We won some awesome awards.

While we were pleased and surprised to be joint winners of the Public Service Commission’s Service Excellence Award, along with the 28th Māori Battalion unclaimed medals initiative, we were left literally ‘speechless’ when we then won the overall Prime Minister’s Award.

It was a huge honour to be recognised alongside other amazing pieces of work across government. To be honest, we didn’t think we stood a chance, and we were just looking forward to a nice dinner.

While it was an award for us and our industry partners, I’d also highlight that this award symbolises that government clearly understands the real-world impact that good cyber security can have for New Zealanders. It was recognition for the entire community.

We released the NCSC Cyber Security Framework.

In our changing threat scape, we recognise the need to always improve how we are communicating sound cyber security practice. So, this year we also released our own Cyber Security Framework after getting feedback from experts across the country.

The framework sets out how we think about, talk about, and organise cyber security efforts. Its five functions represent the breadth of work needed to secure an organisation.

The main point of difference between our framework and the NIST one is that we have chosen to place greater emphasis on security governance and culture by separating it from the Identify function. I like to think that NIST were inspired by us in the development of their NIST 2.0 framework.

You’ll also see we have published investment guidance for both executive and technical readers, in keeping with our efforts to improve the utility of our work.

And finally, my staff got access to Microsoft Teams!

While this might sound insignificant to many of you, this is a huge win for us as it better enables us to collaborate and engage with the people we serve.

We now have people working outside of the secure facilities on a regular basis and we are able to offer more flexible and fit-for-purpose working.

Our work needs to have rapid, reliable, real-world impact – having access to collaboration and communications tools like Teams, and working where customers work, is critical to our mission.

Then, of course, one of the biggest developments this year has been the Cabinet decision to integrate CERT NZ with NCSC to create NZ’s lead operational cyber security agency.

The New Zealand stock exchange DDoS attacks and the Waikato DHB ransomware incident illustrated to New Zealanders and decision-makers the real-world impacts that cyber security events can have. 

Ministers also established an independent industry advisory board that reported directly to them – called the Cyber Security Advisory Committee (CSAC). CSAC reported back to the Government, following interactions with a broad range of interest groups. One of the recommendations from CSAC was the establishment of a ‘single front door’, hosted by the NCSC, to triage cyber incidents and dispatch victims to the relevant service provider.

The Department of Prime Minister and Cabinet then performed policy analysis and some further focussed consultation, including with the NZITF, to help inform the Government’s decision. The feedback from the engagements highlighted a few key themes:

  • Groups saw the benefits of creating a single lead operational government cyber security agency, including having a better overall picture of the impacts of cyber harm to New Zealand, and better clarity for victims of cyber incidents about where to go for help and advice.
  • However, some were concerned about reduced engagement and information sharing, given the intelligence functions also hosted by the GCSB.

So, with these inputs in mind, Cabinet made a decision in July 2023 to integrate CERT NZ with the NCSC to create a lead operational cyber security agency for New Zealand.

This creates a similar cyber security agency structure to those operated by Australia, the UK and Canada – single agencies with a wide span of responsibilities and customers.

Up until 31 August, the NCSC focused on organisations of national significance and national-level harm. With the CERT NZ transfer we are now also responsible for cyber incidents and advice for everyday New Zealanders, and small-to-medium-sized businesses. This represents consolidation of scope and mandate, rather than expansion. There are areas which the consolidation will offer benefits over time:

Having a single operational agency will:

  • improve clarity about where victims of malicious cyber activity can go to get help – recognising, however, that there still remains a wider system of commercial and public sector service providers who victims must still navigate,
  • it will get the data that will also help government better understand the overall cyber threat landscape and use this information to provide guidance to New Zealanders, and
  • finally, it will help New Zealanders at an individual, business and government level to protect their data and systems by creating a single source of cyber security advice from government.

The decision and transfer happened quickly, but the reality is the entire process is going to take time, and there are many aspects that require further planning.

But I can give you a sense of what today looks like.

CERT NZ formally transferred to NCSC on 31 August. 

I use the word transfer deliberately - the focus has been to transfer CERT NZ staff employment to GCSB, transfer accountabilities to GCSB, and to transfer appropriations.

We’ve worked really hard to minimise disruption - both for our staff and for our customers.

Access cards still work, the power has stayed on, and people are being paid.

People are the centre of any successful change. Our CERT NZ staff bring different skills and valuable engagement approaches to the cyber security ecosystem. We are keen to hold on to our people so we can foster that expertise and ethos.

In a break from our standard operating procedure, and in keeping with our approach to welcoming our colleagues in, CERT staff were not required to be cleared to join our organisation. Some of you who know what it’s like to work in the GCSB will understand the complexities involved with onboarding staff with varying clearance arrangements - especially considering the GCSB corporate tools are protected by thousands of impenetrable acronyms.

So, if you haven’t noticed a difference in existing service delivery, that’s great. That’s been our goal.

Transfer represents the beginning – we have the hard work of integration to now step through. Bringing our staff to the same sites, working on the same tools and bringing parallel functions closer together is ahead of us.

In the meantime, we are enjoying finding small and meaningful ways to collaborate more closely. You’ll notice our joint engagement during Cyber Smart Week, including the release of the annual threat report. It was satisfying to use the week for the entire spectrum of cyber security, from helping New Zealanders ‘own your online’ all the way through to reporting the technical details and mitigations for the most significant incidents reported across the country.

We have achieved our first milestones around transfer and commencing integration planning. While that is complex and challenging, it reflects just a small part of the work needed to create the new agency.

We know there will be a range of views about the integration, and also different levels of interest – we’re not the first or last integration in the cyber security industry.

What we have in common is our passion for the cyber security of our nation. The amount of commentary about this decision reflects the importance we all place on having an effective, well-integrated cyber security system. We have heard:

  • The interest in practitioner consultation.
  • The concern about loss of public engagement and reporting by integrating with an organisation with intelligence functions.
  • We’ve heard how important it is to maintain the things that CERT NZ do well.

We recognise the drivers for these comments. It may offer reassurance that these areas were identified in the policy analysis leading up to the Ministers’ decision and have carried through as important considerations in our programme management.

We are taking the time to get this right. This isn’t about taking CERT NZ and making them more like NCSC. But equally, this isn’t about walking away from what makes the NCSC unique. This is about figuring out how we make the most of our strengths to better respond to rapidly changing cyber security challenges.

How can we truly make the most out of the combined expertise we have in public engagement, our role in public-sector leadership, our technical knowledge and capabilities, and all the crucial relationships we have domestically and internationally?

These considerations are central to how we are thinking about developing our new agency strategy.

Prior to the Government’s integration announcement, we were already in the final year of delivery of the NCSC’s strategy to June 2024, while CERT NZ’s was designed to run until 2025.

The reshaping of our mandate and creation of the lead operational cyber security agency for all New Zealand means we need to look at our strategy beyond 2024 quite differently.

A new strategy has a lot of work to do. It needs to:

  • Look to the future, giving New Zealanders a sense of how as an agency we want to improve cyber security as part of a wider system of support. It also needs to describe what functions the agency performs now we’ve integrated with CERT NZ.
  • It needs to set us up for future planning. It needs to set the foundations for the integration and future work programmes. It needs to speak to our workforce and our stakeholders and to guide our effort and investment.
  • We know how we develop our strategy also needs to look different. We want to reflect stakeholder feedback about accessibility and proactive engagement from the outset.

Let me share our creative process to date.

As our just-released Cyber Threat Report shows, we are navigating a complex world.

The geopolitical environment is changing, and we know that cyber security trends develop alongside geopolitical changes. There are conflicts literally happening right now, and we know our area of the world is becoming more geopolitically contested.

Threat actors are changing too: we see heightened determination from cyber-criminal actors attempting to extort payment from organisations that are increasingly aware of – and resilient to – extortion and manipulation tactics. Meanwhile, state actors are adopting new techniques and technologies, challenging orthodox detection methods.

To add to the complexity, the types of technologies being used by organisations are changing. With the rapid arrival of emerging technologies like generative artificial intelligence (AI), organisations seeking to benefit from these advancements must be prepared to govern their use, and control for privacy and security risks associated with their adoption.

People are also conducting more and more of their life online. Every aspect of life from society to the economy, to government services is becoming more and more digitised. But unfortunately, there remains a low awareness about the types of risk this can create for individuals, and behavioural research suggests a low uptake in best practice security.

And in this complexity, cyber security matters more than ever.

As the Government’s operational cyber-security leader, we need to identify:

  • Our role in the system of government agencies.
  • Individual organisational responsibilities.
  • How to influence digital supply chain security, regional security and international standards and norms.

We know New Zealanders and New Zealand organisations want to be secure, and for that to be easier than it is now.

As an agency, we think we can assist by:

  • Being an authoritative source of neutral, trusted, practical advice.
  • Sharing our unique knowledge about ‘what’s happening’ in the operating environment and improving understanding of ‘what good practice looks like’ in response.
  • Using our expertise to provide support and leadership in complex technological and policy areas.
  • Engaging our network of partnerships, domestically and internationally, to improve New Zealanders’ security.
  • Working to mitigate the most serious threats to New Zealand.
  • Being more proactive to provide information at the right time, in the right format, and relevant to the right audience.

We think we are on the right track, strategy-wise, but we know delivery won’t happen overnight.

I think of the CERT NZ integration with the NCSC as much like a major, highly anticipated software update. Like every update, we expect this could break some things, so we know we have to put in extra effort to get it right.

We are bringing together many existing strengths. What we have now is the opportunity to figure out how, by working together, we have even greater impact.

It has been a sprint to the start line, but this is a marathon. We get the chance to actually figure out how we make the most of our combined authority, scale, and expertise.

This means that what has worked in the past may no longer serve us well for the future.

One of our key principles right now is that we want to move New Zealand towards a place where good cyber security happens everywhere, all the time, by everyone.

Cyber security isn’t a problem that government can fix alone.

It requires everyone to play their part. We are too small a country to try and approach this by ourselves.