Griffin on Tech: Our approach to state-sponsored cybercrime is evolving
Griffin on Tech: A more mature approach to state-sponsored cybercrime is needed
Our security agencies appear to be waking up to the fact that cyber threats from foreign states are a real and present danger to democracy and require more proactive measures to combat.
First we had that hastily called press conference in Wellington in March, during which the Government Communications Security Bureau revealed details of a cyber breach of the Parliamentary Counsel Office and the Parliamentary Service in 2021, which was attributed to APT40, a People’s Republic of China state-sponsored hacking group.
It had the feel of a highly staged event, designed to back up Five Eyes partners who have become more vocal about China’s hacking efforts aimed at other governments.
Now we have a report released this week from the GCSB outlining its approach to more malicious cyber activity relating to China and signalling change in how the security agency plans to deal with such attacks moving forward.
The latest incident detailed relates to the Inter-Parliamentary Alliance on China (IPAC), a global body that includes New Zealand members of parliament and which has the aim of “promoting democracy and addressing threats to the rules-based and human rights systems posed by the rise of China”.
A member of Parliament complained to the GCSB that they had been the subject of malicious cyber activity and the GCSB raised a ticket, investigating and concluding that no further action was necessary. But following some alerts from international partner agencies, GCSB looked again at the case and found parliamentary systems hadn’t in fact blocked phishing emails aimed at members of Parliament.
It led to some self-reflection in the agency about how well set up its processes are to deal with these sorts of state-sponsored attacks. The report released this week suggested three improvements be made:
The NCSC’s response to incidents needs to ensure due consideration is given to wider implications of cyber security incidents, and not focus solely on the technical response to such incidents;
Where appropriate, the NCSC should consider some form of engagement with individuals in response to cyber targeting by foreign state-sponsored actors;
Identifying incidents that may be appropriate to brief to the Minister Responsible for the GCSB.
The report also noted that while GCSB liaises with other government agencies, it has no formal procedures for collaborating in identifying and responding to such attacks.
It all suggests that GCSB is going to take a more proactive approach to combat China’s hacking activity, including actually talking to the targets of the attacks, who may also face intimidation or physical threats requiring responses from other parts of the government.
“It’s a definite change in tone, I think, from the top,” Dan Richardson, CyberCX executive director for strategy and risk and a former GCSB employee, told BusinessDesk this week.
“And obviously, as we work through the New Zealand cybersecurity strategy, there’s going to have to be some real thought given to, not just aligning with our friends and partners, but also: what other bits of technical and non-technical capability do we need as a country to protect ourselves and our citizens?” he added.
Christopher Luxon told the Financial Times this week that he plans to name and shame China for its malicious cyber activity, so the GCSB report, as Richardson suggests, seems to indicate a directive to get on the front foot. That’s a good thing, a sign that the threats posed by state-sponsored cyber attacks are being taken more seriously and warrant a more joined-up approach.
InternetNZ revamp needed
InternetNZ, the key New Zealand advocacy body on internet-related issues, and the group responsible for the .nz domain, is in the process of electing a new president and council.
What happened to InternetNZ? It used to be an influential voice in all things digital, but seems to have lost its way in recent years and has also been hit with fiscal challenges (InternetNZ’s last published financial accounts showed a parent company loss of $830,000).
We need an internet body advocating strongly on behalf of consumers in areas like digital equity, net neutrality, and preserving the integrity of the internet.
I get the sense that this election will satisfy some pent-up demand for change. Nominations for the InternetNZ Council (InternetNZ members can make nominations) are open until 1 July, 2024. There are three vacancies to fill this year, with the terms of President Joy Liddicoat, Vice President Brenda Wallace, and Richard Hulse coming to an end.
Wallace and Hulse have been nominated again and there are some familiar names among the other nominees InternetNZ has posted so far. If you are an InternetNZ member, here is your opportunity to take an interest in where the group is going.
Wellington IT industry veteran Daniel Spector has been nominated as a council member and made his pitch for election via a LinkedIn post.
“InternetNZ could benefit from more aggressive efforts at external engagement, more opportunities for public comment, and a renewed approach to active policy and community funding. These would support InternetNZ’s charter and the interests of NZ’s internet users,” he wrote.
“With InternetNZ, I’d love to support the possibility of an open-and-uncapturable internet full of fun and human connection again – not one that is primarily for harvesting data, selling fast plastic fashions from overseas, enriching a few billionaires, and harming our democracies,” he added, clearly on a roll.
Bravo to that!