New Zealand announces comprehensive refresh of cybersecurity approach
New Zealand’s Broadcasting, Communications and Digital Media Minister Clare Curran has announced a comprehensive refresh of the country’s approach to cyber security.
This is being done in view of the increasing number and sophistication of cyber threats and the opportunities for criminals and other states to gain advantage and cause harm in New Zealand. New Zealander’s widespread use of connected devices and the security challenges of emerging technology are intensifying the problems.
The National Cyber Security Centre estimates that advanced cyber threats could potentially cause $640m harm annually to New Zealand’s organisations of national significance.
The Ardern Coalition Government has specifically stated an aim to close the digital divide by 2020 and it has committed to the objective of ICT being the second largest contributor to GDP by 2025.
A modern, responsive cyber security system would be essential for achieving these objectives. “We must protect the information and network systems that are vital to our economic growth, ensure the integrity and security of our increasingly digitalised government services and make sure Kiwis can interact online without suffering harm,” Minister Curran said.
Hence, the 2015 Cyber Security Strategy and Action Plan is going to be refreshed in close collaboration with the private sector and citizens. The refresh will be led by the National Cyber Policy Office (NCPO) within the Department of Prime Minister and Cabinet (DPMC) and involve a wide range of government agencies.
Progress on the 2015 Cyber Security Strategy and Action Plan
The Department of the Prime Minister and Cabinet notes that there has been good progress to improve New Zealand’s cyber security under the Cyber Security Strategy and Action Plan approved by Cabinet in 2015.
This includes establishment of CERT NZ in April 2017, delivery of CORTEX malware detection and disruption services, cyber security awareness campaigns, the first Cyber Security Summit in May 2016, Protective Security Requirements for government agencies, work to improve the cyber security of small businesses, a focus on building a cyber security workforce, developing NZ Police skills to respond to cybercrime and international engagement on cyber security issues.
On the international front, there has been particularly close trans-Tasman cyber cooperation, with areas highlighted annually in the Prime Ministers’ Joint Statements. New Zealand has held two cyber dialogues with China and one each with India and Singapore. There have also been useful cyber security discussions with Israel, the Netherlands and Japan. Regional cyber security is pursued through the ASEAN Regional Forum and the ASEAN Defence Ministers Meeting (Plus).
Scope of the refresh
The refresh of the Cyber Security Strategy and Action Plan will require collaboration across a number of Ministerial portfolios. Minister Curran is proposing to work closely with all of the relevant Ministries to determine the priorities and initiatives to be incorporated in a refreshed Cyber Security Strategy and Action Plan.
A successful refresh will also involve hand-in-hand partnership with the private sector and non-government organisations to seek their views on “what more the government can do to improve New Zealand’s cyber security”.
The Minister is also proposing a refresh of the Digital Strategy to consider ways to promote a more joined-up approach to cyber security by government agencies, in cooperation with the private sector and non-government organisations.
The refresh provides an opportunity to look at the cyber security roles of agencies. The Government will continue assessing whether it has the optimal arrangements and resources for effectively addressing cyber security efforts across government. The State Services Commission will be closely involved if any machinery of government issues arise in this context.
Work is underway to improve the system-wide understanding and mitigation of cyber security risks to government agencies.
The Minister also plans to explore innovative models to achieve strong cyber security collaboration between the government and the private sector and non-government organisations. A structured approach to ensuring private sector engagement with the government’s work (and vice versa) through models such as advisory boards or a cyber security council, might be one option.
The refresh will assess whether NZ Police and other agencies have sufficient resources and appropriately trained staff to protect New Zealanders from online crimes and deal with the challenges of emerging technologies. Since cybercrime is a transnational issue, the opportunity provided by the refresh will also be used to explore whether NZ Police’s existing international links are sufficient to deliver a comprehensive response to cybercrime.
The current Action Plan proposed that New Zealand’s policy and legislative framework should be tested to see whether it remains fit for the purpose of dealing with cybercrime in the digital age. This action has yet to be completed and it will remain part of the agenda.
Work is now underway - led by the National Cyber Policy Office and Ministry of Justice - to outline what measures might be required to bring New Zealand’s laws and investigative processes in line with the Council of Europe Convention on Cybercrime (known as the Budapest Convention). The Cabinet will consider whether New Zealand should formally express interest in accession to the Convention, and the steps towards accession.
Cybersecurity industry, research and skills
In this area, the Minister plans to focus on expanding New Zealand’s cyber security industry, investing in cyber security research and development, and dealing with the shortage of skilled cyber security workers.
A strong domestic cyber security sector would lift the cyber security of New Zealand’s businesses and enhance New Zealand’s reputation as a stable, innovative and safe environment in which to invest, find business partners, and do research and development.
According to the proposal, the refresh of the Cyber Security Strategy and Action Plan should also advise on the role that government should play in addressing the security challenges arising from the Internet of Things and other emerging technologies such as Artificial Intelligence or Quantum computing. should include an assessment of the extent to which such technologies are empowering criminals and malicious actors.
The Refresh process and governance
The NCPO will establish and chair a “Cyber Security Strategy and Action Plan Refresh Working Group” (the Working Group) including representatives from the following agencies amongst others: GCSB (Government Communications Security Bureau), CERT NZ, MFAT (Ministry of Foreign Affairs and Trade), NZ Police, GCDO, SSC and (State Services Commission). This Working Group will engage with a broader range of other agencies.
The Working Group will work closely with government agencies, the Chief Technology Officer, the Human Rights Commissioner, the Privacy Commissioner, the Inspector-General of Intelligence and Security, non-government organisations and the private sector. Engagement with the private sector and other stakeholders can occur through the Connect Smart partnership – a community of practice to drive improved cyber security in New Zealand – and more widely as needed.
The NCPO will provide a report to the Minister of Broadcasting, Communications and Digital Media with recommendations for a revised Cyber Security Strategy and Action Plan at the beginning of July 2018.
Governance will be provided by a “Cyber Security Strategy and Action Plan Refresh Governance Group” to ensure the refresh is conducted in a robust and effective manner, provide executive oversight and accountability; and advise on strategic direction. The Governance Group will include senior representatives from DPMC (Department of the Prime Minister and Cabinet), GCSB, MBIE (Ministry of Business, Innovation and Employment), MFAT (Ministry of Foreign Affairs and Trade), NZ Police, GCDO, SSC and other agencies as necessary.
The Minister will report back to the Cabinet External Relations and Security Committee by 31 July 2018 with a revised Cyber Security Strategy and Action Plan.
DPMC has released two documents relating to the refresh of New Zealand’s Cyber Security Strategy and Action Plan. They can be accessed here.