11 February 2001

Government Addressing Cyber-Crime And IT-Based Threats

State Services Minister Trevor Mallard has ordered a programme of work to improve protection for New Zealand’s critical infrastructure from cyber-crime and other IT-based threats such as computer “hacking” and viruses.

Trevor Mallard said the programme was aimed at anticipating risk, improving protection, and guarding against IT-based risks that could have an impact on New Zealand’s national welfare or New Zealand’s international standing.

Trevor Mallard said the programme included:

* Determining whether New Zealand should have its own unit to monitor IT security and risks on a day to day basis, and to provide advice and training on securing infrastructure from cyber-attacks.

* Advice to the Government on potential improvements to New Zealand law, and New Zealand’s role in international treaties, particularly to outlaw ‘denial of service’ attacks over the Internet. The Ministry of Justice is already considering legislation on this matter.

The Minister said he had received a report – prepared by the State Services Commission’s E-government Unit – that assessed the main cyber-risks to New Zealand’s critical infrastructure.

The report assesses levels of risk due to IT-based threats in finance and banking; transport; electric power; telecommunications and the Internet; oil and gas; water; and critical State services that support national safety, security, and income.

Trevor Mallard said the overall picture painted by the report was encouraging.

"Nonetheless, I have drawn the report to the attention of Ministers responsible for agencies or departments discussed in the report, so that they can seek reassurance as to levels of risk and measures to address that risk, where they see it necessary.

"I anticipate that some Ministers will seek reassurance from agencies for which they are responsible that they are prudently managing these risks.

"The most important thing is that New Zealand takes steps to anticipate risks in this area, and joins the international community in cooperative efforts that will enhance protection of infrastructure and make enforcement easier wherever cyber-crimes are committed."

The Minister said the work that he had already agreed to was part of existing departmental outputs. No extra funding was required.

Trevor Mallard said the report was being made public because the Government believed that citizens should have the maximum amount of information about the management of risks to New Zealand’s critical infrastructure.

The report looked at information-based threats to national welfare.

"The immediate role for the Government is to manage the main national risks, to New Zealand and New Zealanders, that come from cyber-crime or IT-based crime," he said.

Attached: Recommended strategy which the Minister has agreed to.

The report is available on the State Services Commission website: www.ssc.govt.nz

Recommended Strategy
The protection of critical national infrastructure from information related threats is an issue which merits taking notice, and is being taken seriously by other western nations. While owners of critical infrastructure in New Zealand are conscious of the need to protect it, this report has raised some concerns over specific issues. The recommendations below are aimed at providing infrastructure owners with the tools and information they need to protect against information related threats, and to promote cooperation toward a common view of infrastructure protection.

Recommendations
a The E-government Unit should investigate the establishment of a New Zealand-based security monitoring and incident handling organization with the following functions:
* provide timely information to critical infrastructure owners and government departments about threats, actual attacks and recovery techniques
* build local capability in incident handling and security research
* monitor global security issues and gather IT security intelligence
* build relationships with similar organisations, e.g. CERT.
* promote cooperation among clients in respect of IT security
* maintain statistics and incident databases
* promote standards and tools for IT security and risk management
* communicate to raise provider and public awareness of computer security issues
* maintain a model security service level agreement for use in outsourcing arrangements
* encourage production and adoption of relevant standards
* facilitate independent security/protection audit capability,

Rationale: By providing a New Zealand based centre of expertise the IT security skills and awareness of infrastructure providers and government departments can be bolstered.

b Government should consider harmonising computer crime legislation with that of other Western nations and participating in international cybercrime treaties. Furthermore, the Bill on this matter currently before the House should be extended to address denial of service attacks.

Rationale: There is currently little deterrent against casual attack on infrastructure. Improving our computer law will help. Furthermore, other jurisdictions are more likely to help with trans-border crime if New Zealand’s legislation parallels their own.

c The New Zealand Police should consider what is necessary to investigate computer break-ins and related attacks and prosecute perpetrators. This would involve:

* building investigative capability, while maintaining respect for privacy of Internet users; and
* building relationships with law enforcement authorities responsible for pursuing malefactors across national borders and co-operating with other countries who wish to pursue here.

Rationale: There is currently little deterrent against casual attack on infrastructure. Improving our computer law will help. Furthermore, other jurisdictions are more likely to help with trans-border crime if New Zealand’s legislation parallels their own.

d Establish an ongoing cooperation programme between owners of critical infrastructure and Government.

* Invite Responsible Ministers to write to critical infrastructure owners asking them to declare their support or otherwise of relevant security standards.
* Engage critical infrastructure providers at a senior level on the subject of IT threats to ensure that all infrastructure owners undertake and maintain formal risk analysis and management of information-related and physical threats.
* Direct the State Services Commission to review the state of critical infrastructure protection after 12 months.
Rationale: This will seek and maintain the commitment of infrastructure-owning organizations to an adequate level of protection, and will show the government’s commitment, on behalf of New Zealanders to the issue.

e Invite Transpower to lead a power industry infrastructure protection group, possibly as part of the group in recommendation d, to provide knowledge and cooperation in respect of infrastructure protection among power industry players, particularly lines companies.

Rationale: This is a highly competitive and technically complex industry with many players, some of whom have effective monopolies over power distribution in large areas. There is little or no evidence of cooperation in security or infrastructure protection matters. Transpower is uniquely positioned to assist the industry.

f Through the State Services Commission, direct government agencies to adopt specified appropriate IT security standards.

Rationale: As part of the movement toward e-government, the Government needs assurance that its own agencies are taking prudent steps to manage their own IT security. Though many of the large and critical agencies have already adopted relevant IT security standards, there are others who may lack understanding of the issues or technology.

© Scoop Media