Face of the day

Ian Fletcher -Faifax NZ

Ian Fletcher
-Faifax NZ

While in general our MSM seem determined to only focus on the negative possibilities of our Government having these kind of capabilities I for one am glad that they are trying to protect us as the threat is very real. Given the fact that the Labour Party could not even make their website secure from the average Joe on the web clicking on the links they provided aren’t you glad they are not currently in power? They called looking at all the private data and credit card details that they left totally unsecured and in public view on their website ‘hacking’ for goodness sake. Fit to run this country? I don’t think so. What they did was no different to someone not putting privacy settings on their facebook page and then being all outraged when everyone was able to look at their photos and download them.

Spy boss Ian Fletcher has both hands tied behind his back justifying cyber-security defence system Project Cortex

The director of the Government Communications Security Bureau says he can’t say how Cortex will work or exactly which organisations will come under its protection. To do so would risk exposing vulnerabilities, he says. Nor will he say how much Cortex is costing.

Nevertheless, he wants to talk about why the GCSB is making the investment in the system, the existence of which was brought to light by Prime Minister John Key in the lead up to Kim Dotcom’s “moment of truth” event in September.

The Government is due to review the country’s spy agencies and their legislative underpinning next year. Fletcher says the GCSB’s biggest challenge is recruiting the right people in a tight labour market.

The internet has made it easier for “both good things and bad things to happen”, he says.

“For people who want to steal and break things, it takes a great deal of the risk out of it. The ‘barriers to entry’ to serious malware are lowering.
“Stuff that was hard to get, expensive or sophisticated five or 10 years ago is increasingly available commercially on the black market. What was previously the preserve of states is starting to bleed onto the private market.”

At the same time, with phone, power and banking networks increasingly controlled by internet protocol (IP) devices, there is more critical infrastructure exposed to attack.

“IP-based systems have become genuinely ubiquitous over the last decade,” Fletcher says. “Our challenge has been to think about how we provide the public good of ‘defence’ over privately-implemented networks.

“What we have done is to start thinking through the systems we should be concerned about and that are essential if we are going to be able to provide the Government and the wider New Zealand public some level of assurance.”

Fletcher says Cortex is a set of tools, rather than a single product, designed to protect key organisations in the public and private sector from cyber-attacks launched from overseas.

“I’d get into trouble if I said exactly what it does, but it is more than one idea and more than one service. That menu is adjusted to reflect the circumstances of the organisation we are dealing with.”

The criteria organisations need to meet to qualify for Cortex’ protection are also secret, but it appears significant economic targets as well as vital network utilities may come under its umbrella. “We have looked very broadly,” is all Fletcher will say.

Although Key has likened Cortex to “Norton AntiVirus” in an effort to distinguish it from a tool of mass surveillance, Fletcher clarifies the GCSB is not attempting to be another cyber-security company, providing tools that organisations could and should buy commercially.

“It has many analogous qualities, but our objective is to try to deal with threats of the level of sophistication that a well-managed commercial organisation would not be able to deal with.

“We can draw on insights that come from sources and methods that we very much hope aren’t in the public domain,” he adds.

Fletcher says figures from the National Cyber Security Centre show a “consistent rise in the number of reported serious incidents each year“, which he says may reflect both a rising number of attacks and a growing willingness by organisations to report them.

“When you look at the numbers, versus other developed economies, what emerges is that we are completely normal. We are not being picked-on particularly, but the challenges we face are proportional to our size and clearly the conclusion we have come to is we need to plan accordingly.”

Surprisingly perhaps, Fletcher says he isn’t aware of our allies having similar projects in train.

“The approach we have taken has been a New Zealand specific-one,” he says. “New Zealand does not have a big indigenous defence supply chain so we have been in a position where we have been able to think broadly from the outset.

“But everyone I talk to, both our close partners and others, are really focused on answering the question of how governments provide the ‘public good’ that is called ‘defence’ over what are broadly privatised networks and global flows of data. That remains the central question.”

Institute of Information Technology Professionals chief executive Paul Matthews isn’t particularly surprised Cortex might be cutting new ground.

“You would expect if it was effective, other people would be doing it, but I’m not surprised New Zealand would be innovating in this space,” he says. “We have got some pretty smart thinking and companies that are doing some amazing things.”