New Zealand’s Broadcasting,
Communications and Digital Media Minister Clare Curran has announced
a comprehensive refresh of the country’s approach to cyber security.
This is being done in view of the increasing number and sophistication
of cyber threats and the opportunities for criminals and other states to gain
advantage and cause harm in New Zealand. New Zealander’s widespread use of
connected devices and the security challenges of emerging technology are
intensifying the problems.
The National Cyber Security Centre estimates that advanced
cyber threats could potentially cause $640m harm annually to New Zealand’s
organisations of national significance.
The Ardern Coalition Government has specifically stated an aim
to close the digital divide by 2020 and it has committed to the objective of
ICT being the second largest contributor to GDP by 2025.
A modern,
responsive cyber security system would be essential for achieving
these objectives. “We must protect the information and network systems that are
vital to our economic growth, ensure the integrity and security of our
increasingly digitalised government services and make sure Kiwis can interact
online without suffering harm,” Minister Curran said.
Hence, the 2015
Cyber Security Strategy and Action Plan is going to be refreshed in close
collaboration with the private sector and citizens. The refresh will be led by
the National Cyber Policy Office (NCPO)
within the Department of Prime Minister and Cabinet (DPMC) and involve a wide
range of government agencies.
Progress on the 2015 Cyber
Security Strategy and Action Plan
The Department of the Prime Minister and Cabinet notes that
there has been good progress to improve New Zealand’s cyber security under the
Cyber Security Strategy and Action Plan approved by Cabinet in 2015.
This includes establishment of CERT NZ in April 2017, delivery of CORTEX
malware detection and disruption services, cyber security awareness campaigns,
the first Cyber Security Summit in May 2016, Protective Security Requirements
for government agencies, work to improve the cyber security of small
businesses, a focus on building a cyber security workforce, developing NZ
Police skills to respond to cybercrime and international engagement on cyber
security issues.
On the international front, there has been particularly
close trans-Tasman cyber cooperation, with areas highlighted annually in the
Prime Ministers’ Joint Statements. New Zealand has held two cyber dialogues
with China and one each with India and Singapore. There have also been useful
cyber security discussions with Israel, the Netherlands and Japan. Regional
cyber security is pursued through the ASEAN Regional Forum and the ASEAN
Defence Ministers Meeting (Plus).
Scope of the refresh
Partnerships
The refresh of the Cyber Security Strategy and Action Plan
will require collaboration across a number of Ministerial portfolios. Minister
Curran is proposing to work closely with all of the relevant Ministries to determine
the priorities and initiatives to be incorporated in a refreshed Cyber Security
Strategy and Action Plan.
A successful refresh will also involve hand-in-hand
partnership with the private sector and non-government organisations to seek
their views on “what more the government can do to improve New Zealand’s cyber
security”.
The Minister is also proposing a refresh of the Digital
Strategy to consider ways to promote a more joined-up approach to cyber
security by government agencies, in cooperation with the private sector and
non-government organisations.
The refresh provides an opportunity to look at the cyber
security roles of agencies. The Government will continue assessing whether it has
the optimal arrangements and resources for effectively addressing cyber
security efforts across government. The State Services Commission will be
closely involved if any machinery of government issues arise in this context.
Work is underway to improve the system-wide understanding
and mitigation of cyber security risks to government agencies.
The Minister also plans to explore innovative models to
achieve strong cyber security collaboration between the government and the
private sector and non-government organisations. A structured approach to
ensuring private sector engagement with the government’s work (and vice versa) through
models such as advisory boards or a cyber security council, might be one option.
Cybercrime
The refresh will assess whether NZ Police and other agencies
have sufficient resources and appropriately trained staff to protect New
Zealanders from online crimes and deal with the challenges of emerging
technologies. Since cybercrime is a transnational issue, the opportunity
provided by the refresh will also be used to explore whether NZ Police’s
existing international links are sufficient to deliver a comprehensive response
to cybercrime.
The current Action Plan proposed that New Zealand’s policy
and legislative framework should be tested to see whether it remains fit for
the purpose of dealing with cybercrime in the digital age. This action has yet
to be completed and it will remain part of the agenda.
Work is now underway – led by the National Cyber Policy
Office and Ministry of Justice – to outline what measures might be required to
bring New Zealand’s laws and investigative processes in line with the Council
of Europe Convention on Cybercrime (known as the Budapest Convention). The Cabinet
will consider whether New Zealand should formally express interest in accession
to the Convention, and the steps towards accession.
Cybersecurity industry, research and skills
In this area, the Minister plans to focus on expanding New
Zealand’s cyber security industry, investing in cyber security research and
development, and dealing with the shortage of skilled cyber security workers.
A strong domestic cyber security sector would lift the cyber
security of New Zealand’s businesses and enhance New Zealand’s reputation as a
stable, innovative and safe environment in which to invest, find business
partners, and do research and development.
According to the proposal, the refresh of the Cyber Security
Strategy and Action Plan should also advise on the role that government should
play in addressing the security challenges arising from the Internet of Things
and other emerging technologies such as Artificial Intelligence or Quantum
computing. should include an assessment of the extent to which such
technologies are empowering criminals and malicious actors.
The Refresh process
and governance
The NCPO will establish and chair a “Cyber Security Strategy
and Action Plan Refresh Working Group” (the Working Group) including
representatives from the following agencies amongst others: GCSB (Government Communications Security Bureau), CERT NZ, MFAT (Ministry of Foreign Affairs and
Trade), NZ Police, GCDO,
SSC and (State Services Commission).
This Working Group will engage with a broader range of other agencies.
The Working Group will work closely with government
agencies, the Chief Technology Officer, the Human Rights Commissioner, the
Privacy Commissioner, the Inspector-General of Intelligence and Security,
non-government organisations and the private sector. Engagement with the
private sector and other stakeholders can occur through the Connect Smart partnership – a
community of practice to drive improved cyber security in New Zealand – and
more widely as needed.
The NCPO will provide a report to the Minister of Broadcasting,
Communications and Digital Media with recommendations for a revised Cyber
Security Strategy and Action Plan at the beginning of July 2018.
Governance will be provided by a “Cyber Security Strategy
and Action Plan Refresh Governance Group” to ensure the refresh is conducted in
a robust and effective manner, provide executive oversight and accountability;
and advise on strategic direction. The Governance Group will include senior
representatives from DPMC (Department
of the Prime Minister and Cabinet), GCSB, MBIE
(Ministry of Business, Innovation and Employment), MFAT (Ministry of Foreign Affairs and
Trade), NZ Police, GCDO, SSC and other agencies as necessary.
The Minister will report back to the Cabinet External Relations
and Security Committee by 31 July 2018 with a revised Cyber Security Strategy
and Action Plan.
DPMC has released two documents relating to the refresh of New
Zealand’s Cyber Security Strategy and Action Plan. They can be accessed here.