New cyber-defence system for NZ
Spy boss Ian Fletcher has both hands tied behind his back justifying cyber-security defence system Project Cortex
The director of the Government Communications Security Bureau says he can't say how Cortex will work or exactly which organisations will come under its protection. To do so would risk exposing vulnerabilities, he says. Nor will he say how much Cortex is costing.
Nevertheless, he wants to talk about why the GCSB is making the investment in the system, the existence of which was brought to light by Prime Minister John Key in the lead-up to Kim Dotcom's "moment of truth" event in September.
The Government is due to review the country's spy agencies and their legislative underpinning next year. Fletcher says the GCSB's biggest challenge is recruiting the right people in a tight labour market.
The internet has made it easier for "both good things and bad things to happen", he says.
"For people who want to steal and break things, it takes a great deal of the risk out of it. The 'barriers to entry' to serious malware are lowering.
"Stuff that was hard to get, expensive or sophisticated five or 10 years ago is increasingly available commercially on the black market. What was previously the preserve of states is starting to bleed onto the private market."
At the same time, with phone, power and banking networks increasingly controlled by internet protocol (IP) devices, there is more critical infrastructure exposed to attack.
"IP-based systems have become genuinely ubiquitous over the last decade," Fletcher says. "Our challenge has been to think about how we provide the public good of 'defence' over privately-implemented networks.
"What we have done is to start thinking through the systems we should be concerned about and that are essential if we are going to be able to provide the Government and the wider New Zealand public some level of assurance."
Fletcher says Cortex is a set of tools, rather than a single product, designed to protect key organisations in the public and private sector from cyber-attacks launched from overseas.
"I'd get into trouble if I said exactly what it does, but it is more than one idea and more than one service. That menu is adjusted to reflect the circumstances of the organisation we are dealing with."
The criteria organisations need to meet to qualify for Cortex's protection are also secret, but it appears significant economic targets as well as vital network utilities may come under its umbrella. "We have looked very broadly," is all Fletcher will say.
Although Key has likened Cortex to "Norton AntiVirus" in an effort to distinguish it from a tool of mass surveillance, Fletcher clarifies the GCSB is not attempting to be another cyber-security company, providing tools that organisations could and should buy commercially.
"It has many analogous qualities, but our objective is to try to deal with threats of the level of sophistication that a well-managed commercial organisation would not be able to deal with.
"We can draw on insights that come from sources and methods that we very much hope aren't in the public domain," he adds.
Fletcher says figures from the National Cyber Security Centre show a "consistent rise in the number of reported serious incidents each year", which he says may reflect both a rising number of attacks and a growing willingness by organisations to report them.
"When you look at the numbers, versus other developed economies, what emerges is that we are completely normal. We are not being picked on particularly, but the challenges we face are proportional to our size and clearly the conclusion we have come to is we need to plan accordingly."
Surprisingly perhaps, Fletcher says he isn't aware of our allies having similar projects in train.
"The approach we have taken has been a New Zealand-specific one," he says. "New Zealand does not have a big indigenous defence supply chain so we have been in a position where we have been able to think broadly from the outset.
"But everyone I talk to, both our close partners and others, are really focused on answering the question of how governments provide the 'public good' that is called 'defence' over what are broadly privatised networks and global flows of data. That remains the central question."
Institute of Information Technology Professionals chief executive Paul Matthews isn't particularly surprised Cortex might be cutting new ground.
"You would expect if it was effective, other people would be doing it, but I'm not surprised New Zealand would be innovating in this space," he says. "We have got some pretty smart thinking and companies that are doing some amazing things."
Slides leaked by National Security Agency whistleblower Edward Snowden in September suggested that Project Speargun, which the GCSB said was a precursor to Cortex, involved tapping into the Southern Cross cable network, which carries almost all internet traffic to and from New Zealand.
But the cable network's boss, Anthony Briscoe, is adamant that hasn't happened. He suggested that from a practical point of view, it would make more sense for any probe to sit just beyond its landing stations. The level of data compression used to cram traffic through the six pairs of subsea optical fibres that run into Auckland from east and west is so advanced as to be akin to an extreme level of encryption, he points out.
One of the techniques used by Cortex may be "deep packet inspection", which involves "sniffing" each packet of IP data as it passes through a network to detect where it is going and the instructions or data it contains.
But its focus on threats coming in from overseas suggests Cortex might not protect against the world's most famous cyber attack: the Stuxnet virus that infected a Siemens industrial control system and was used to cripple centrifuges at Iran's Bushehr nuclear plant in 2010, as that virus appears to have been uploaded directly at the facility from a USB stick smuggled into Iran. Though Fletcher says it wasn't a direct response to Stuxnet, the GCSB helped produce a set of security guidelines last year aimed at organisations, such as power companies, that rely on industrial control systems.
He says he "genuinely doesn't know" whether Cortex would protect organisations from the destructive malware allegedly produced by North Korea that has ravaged Sony Pictures, and which is now gaining almost as much notoriety as Stuxnet. But he says it is a valid question.
"It is too soon to tell. Clearly, there is a serious response and investigation process under way and we must all, I suspect, wait for that to work its way through."
Nor is Fletcher making any promises about how effective Cortex will be at all.
Although implementation has begun, "you'll have to come back in a year or two and ask again," he says. "Like any piece of technology it always has an iterative quality to it. That process of continually making it better will be a central task."
And if the GCSB didn't bother? "It would significantly reduce our ability to provide a level of assurance to the Government and the community more widely that we were aware of some of the more advanced and damaging threats and had an ability to begin to respond to them," Fletcher says.
"It is likely that over time, information, data and systems in New Zealand would be more vulnerable to intrusion and that would be a social and economic risk that is probably avoidable."
THE DOTCOM SAGA
If there is a cloud hanging over public trust in the GCSB it may be its involvement in the Dotcom saga.
The assistance the spy agency provided Police in the run-up to Dotcom's 2012 arrest on copyright-related charges was illegal at the time because Dotcom was a permanent resident of New Zealand.
But it also meant the GCSB's snooping powers were used to further a United States prosecution that many legal experts characterise as a "test case", sitting near the boundary of civil and criminal law.
Under a 2013 law change, the GCSB can currently only provide assistance to the Police, the Security Intelligence Service and the Defence Force.
But given Police have agreements to assist their overseas counterparts, doesn't that still mean the GCSB could on occasion find itself asked to serve some controversial foreign agendas?
Director Ian Fletcher responds that in a country the size of New Zealand it would be difficult to replicate the technical capabilities of the GCSB within each agency, which is the rationale for its role in providing assistance to Police.
But he says the beefing-up of the resources of the Inspector-General of Security and Intelligence means the GCSB is now subject to "much more detailed oversight than was possible previously".
"I think we have learned a lot," he says. "We are now an organisation that approaches these matters very carefully indeed with exactly [these] kinds of questions in mind."
Is that a tacit recognition that the GCSB would have handled the Dotcom situation differently under the current regime? Fletcher says he can't speak to that, as the matter is before the courts.
- The Press