GCSB's 'Cortex' sought tie-up with ISP
By Paul McBeth
Sept. 17 (BusinessDesk) - The Government Communications Security Bureau may expand its 'Project Cortex' to sharing malware-disrupting technology with local internet service providers, according to Cabinet papers declassified by Prime Minister John Key.
The project is described as countering advanced cyber threats and would see the communications-focused spy agency deliver advanced malware detection services to an undisclosed number of entities including government agencies and "organisations of high economic and/or operating critical national infrastructure", including niche exporters and research institutions. Those services would involve "active disruption" of foreign-sourced advanced malicious software, known as malware, reducing vulnerability to attack and mitigating harm through technical countermeasures that act before the fact by blocking the ability of malware to target organisations.
The GCSB recommended the extension of the 'active' programme to an internet service provider under pilot conditions, to see how it would work in a commercial context.
"If the pilot is successful, a proposal will be prepared for Ministerial consideration outlining the costs and benefits of wider deployment," according to an undated document entitled 'Project Cortex Business Case' that appears to have been written in late June or early July, based on dates on other documents. "This wider deployment would be led by industry, on a cost-recovery/profit basis, not by GCSB."
Spark New Zealand, the country's biggest ISP with about 49 percent of the market, hasn't had formal discussions with the GCSB about the project, according to a spokesman, while Vodafone New Zealand, which has about 32 percent of the market, declined to comment.
The GCSB met with an undisclosed number of major private sector firms deemed to be of national importance, all of which "confirmed interest in engaging further on the proposals in the event that funding is secured." It considered charging users, but rejected that in the short term as it would need an amendment to legislation.
The spy agency's business case focuses on "cyber-borne threats that are foreign-sourced and particularly advanced in terms of technical sophistication and/or persistence," said the document.
The threats, which can't be countered by commercially available tools, put intellectual property at risk and can damage IT systems. Malware had already targeted "key economic generators", including a large New Zealand firm, niche exporters in knowledge-intensive industries, major IT service providers and government agencies, the documents say.
"The economic harm caused by advanced malware is significant, although hard to quantify at the macroeconomic level or even for individual organisations. It is hard to quantify because, for example, in the case of loss of intellectual property (IP) - often the most immediate target of a successful malware attack - there is no widely accepted means of valuing IP prospectively."
A key plank of last year's legislative amendment governing the GCSB was splitting its information assurance activities from its cyber-security and cooperation functions to let the agency play a major role in the wider cyber-security domain, as host of the National Cyber Security Centre and sharing its capabilities and expertise with other agencies.
The GCSB won't procure or develop bespoke systems, instead integrating components already available and tested over several years, including widely available commercial off-the-shelf systems, single source systems, and some available only through government-to-government agreement.
Key released the declassified papers yesterday in response to claims by Intercept journalist Glenn Greenwald and former US National Security Agency contractor-turned-whistleblower fugitive Edward Snowden that New Zealand's GCSB embarked on plans to implement mass metadata surveillance, including the tapping of the Southern Cross Cable, in 2012 and 2013, in an initiative called 'Speargun'.
Key has insisted that the GCSB hasn't undertaken mass surveillance of New Zealanders or collected their metadata, and said the highest form of protection considered by the agency was never completed nor put to Cabinet.
Project Cortex wasn't seen as causing material privacy issues, with controls including how data is accessed, stored, shared and disposed of. The business plan said there will be no mass surveillance, and that data will be accessed by GCSB only with the consent of owners of relevant networks or systems.
According to a minute of a July 28, 2014 meeting, Cabinet decided against pursuing the GCSB's recommended option, which included the pilot ISP sharing programme. Instead, it directed the spy agency to consult with the Minister for Communications and Information Technology, currently Amy Adams, on plans to involve an ISP, and to report to Key, the Minister responsible for the GCSB, and the IT minister on the implications of including an ISP in the project.
The 'active' option backed by Cabinet would be 10 percent cheaper than the 'proactive' option preferred by GCSB, and would forgo a third of the benefits with "far fewer" organisations receiving the malware disruption service. That in turn would reduce security risk as GCSB technology wouldn't be shared with an ISP.
The GCSB is to report back to ministers with an option to embark on the pilot by September 2015, and a funding contingency was extended to Jan. 31, 2016.
The business case was reviewed in May and June of this year by Key as GCSB minister, Adams as IT minister, Finance Minister Bill English, Economic Development Minister Steven Joyce, Foreign Affairs Minister Murray McCully, Defence Minister Jonathan Coleman and Attorney-General Chris Finlayson.