Speech: Refresh puts spotlight on cyber security
It is my pleasure to be here at the Wellington launch of Auckland University’s Cyber Security Foundry, following the establishment of the Foundry in Auckland last November.
Thank you to the Director of the Cyber Security Foundry, Associate Professor Giovanni Russell.
The Cyber Security Foundry is an excellent initiative – designed to bring a multi-disciplinary approach to cyber security training and research, and support collaboration between academia, industry and government.
So I am pleased to look around the room and recognise representatives from a number of education institutions, a range of cyber security practitioners from the private sector, and a number of government officials involved in cyber security policy and operational responses.
This is multi-disciplinary collaboration in practice.
Auckland University’s approach to the Foundry shows it understands the complexity of the cyber security challenge we face.
The Foundry’s staff includes academic staff from a variety of disciplines.
There are computer scientists but there are also representatives from a much broader range of disciplines: mathematics, cryptography, law, economics, psychology and behavioural analysis, software engineering and electrical engineering.
I hope this multi-disciplinary approach to cyber security research and training will also be reflected in increased collaboration between New Zealand’s tertiary education institutions.
New Zealand education institutions must work together to help grow the necessary people resources and expertise required to effectively deal with the cyber security threats we face.
Research by the Greater Wellington Regional Council, released in September 2016, revealed there had been little growth in tertiary student enrolment in the technology sector over the previous 5 years.
In fact in 2014, only 2% of students in the technology sector were enrolled in cyber science – and 50% of those students were international students.
I hope the Cyber Security Foundry will attract students and researchers, as well as promoting diversity within the cyber security research and training sector.
Globally, for example, only 11% of cyber security workers are women. So late last year, I was pleased to see GCSB award scholarships worth $10,000 to four female students to enable them to further their studies in science, technology, engineering or maths (STEM) subjects at Victoria, Otago, Canterbury and Auckland universities. This is a useful initiative.
I would also like to emphasise the scope for international collaboration on cyber security research. The Prime Minister highlighted this in her joint statement with Australian Prime Minister Malcolm Turnbull in early March.
Australia-New Zealand research collaboration will focus on “post quantum cyber security” and “artificial intelligence for improved cyber security”. It will include joint research projects, and provide for PhD and researcher exchanges.
The establishment of the Cyber Security Foundry reflects the priority that New Zealand now places on addressing cyber security threats.
As we emphasise the value of technological innovation for the success of New Zealand’s economy and community benefit, it is vital that we also focus on cyber security.
Just as the Foundry is taking a multi-disciplinary approach to cyber security research, so too, must organisations and businesses take a multi-disciplinary approach to their own cyber defences.
If we focus on cyber security through a narrow technical lens, then we will remain exposed to risk.
This also applies to the role of the government in addressing the cyber security of the nation.
We are dealing with a range of threats from states, organised criminal groups, terrorists and, most recently, vigilante hackers.
There are also a range of cyber threats - disruptive malware, denial of services, theft of data etc.
And there are a range of victims - government agencies, the corporate sector, small businesses and individuals.
This means that we require multiple actions, involving a range of government agencies in partnership with the private sector, to drive improved cyber security in New Zealand.
Cyber security intersects with the portfolios of a number of Ministers: national security and intelligence, responsibility for the intelligence agencies, defence, police, foreign affairs, justice, trade and economic development, and government digital services.
Yesterday, CERT NZ – a key part of the government’s cyber security architecture - celebrated its first anniversary.
CERT NZ is New Zealand’s Computer Emergency Response Team and works to help all New Zealanders and businesses understand cyber security threats and stay resilient.
In its first year of operation, CERT NZ received almost 2,000 incident reports that were either handled by the CERT NZ team, or by key referral partners such as the NZ Police and NetSafe.
Those reports mean that CERT NZ is collating a more informed profile of New Zealand’s cyber threat landscape.
Based on this information, and inputs from the international CERT community, CERT NZ provides trusted and authoritative information and advice about the cyber threats experienced in the New Zealand environment.
In the first year of operation, CERT NZ issued over 30 advisories about threats that could affect New Zealanders and their businesses.
CERT NZ’s latest Quarterly Report, released in March, shows that increasingly sophisticated phishing and credential harvesting were the most common types of reported incident in 2017.
The attackers often use social engineering techniques to trick people into giving up their information, their credentials and their money.
As a result, New Zealanders who reported to CERT NZ lost over $5.3 million from cyber incidents in 2017. This includes nearly $265,000 from cryptocurrency scams.
We think the total loss to New Zealand, including through unreported cybercrime, is much large than this figure.
The National Cyber Security Centre (within the GCSB), which focuses on countering sophisticated cyber threats and protecting New Zealand’s networks of national importance, recorded 396 incidents over the 2016-17 year, providing hands-on intensive incident response on 31 occasions.
Cyber threats are growing in number - and increasingly sophisticated. Widespread use of connected devices has intensified the problem. We are grappling with the security challenges of the Internet of Things and other emerging technologies.
We are preparing for the introduction of 5G technology, which promises faster broadband speeds for mobile devices and will enable a vast number of Internet of Things devices. But here, too, we must also consider the security and resilience implications
In short, digital technology has provided new avenues for criminal and hostile actors to gain advantage and cause harm.
Last year, we witnessed the disruptions from Wannacry and NotPetya ransomware incidents. Globally we are seeing organised cybercrime and disruptive intrusions on a massive scale.
For the government’s part, I see cyber security as a critical element of our effort to build a connected digital nation.
That is why I’m announcing today a refresh of New Zealand’s current Cyber Security Strategy and Action plan which is now three years old.
The government’s work on cyber security will complement our focus on digital rights, digital inclusion, digital innovation and digital government services.
I want to test whether the government has the right resources and the right arrangements to address the increasing cyber threats facing New Zealand.
And I am very keen to work hand-in-hand with the private sector and non-government organisations on cyber security.
That includes researchers in our universities looking at solutions to cybersecurity problems. I welcome your views as to what more the government can do to improve New Zealand’s cyber security.
There will be a variety of ways that the private sector and civil society can feed into the refresh of the Cyber Security Strategy – including through workshops in Auckland, Wellington and Christchurch.
New Zealand’s approach to cyber security should be as joined up as possible. As part of the review, I want to explore new ways to expand and maintain our engagement with the private sector and civil society on cyber security.
There are a number of areas that might be covered by the refresh. For example
• testing whether our institutional arrangements are optimal;
• thinking about more structured engagement with the private sector;
• considering what more needs to be done to address cybercrime;
• expanding our international efforts and looking at deterrence mechanisms;
• focusing on the scope to build New Zealand’s cyber security industry and research capability, and to grow a skilled cyber security workforce; and
• ensuring that we approach new technologies with security in mind.
I want to emphasise the opportunities.
We need to grow a vibrant cyber security research and development sector in order to deliver protection for the broader economy, and to contribute to New Zealand’s economic growth.
I look forward to further opportunities to engage with New Zealand’s cyber security community as we work together to ensure that this country truly benefits from the advantages of digital innovation.
Thank you and congratulations to Auckland University and the Cyber Security Foundry.