The threat to cyber security in New Zealand is real; it’s large, growing and it affects local government. That was the message delivered to the 2017 ALGIM Annual Conference by Paul Ash, director of the National Cyber Policy Office in the Department of the Prime Minister and Cabinet.
The good news, Paul Ash told delegates, is that “central government, and a number of other organisations, have your back and the range of resources on which to draw is wide”.
One of the big problems with cyber security is the paucity of good information about the extent of the problem. “What we do know, from some of the work that’s been done in the past year or so, is that one in five of New Zealand’s small and medium businesses were hit by a cyber attack in the preceding year and that happens year after year.
“Of those, about 70 percent are through an email or phishing scam which is one of the most common ways of getting into systems these days. Some 47 percent were targeted by a hacking attempt; the average financial loss for those smaller businesses was about $19,000 per annum.”
This, he explains, directly impacts on the work of local government because of the sector’s multiple connections to many of those businesses. “Many of them are providing services to local government. There can also be peripheral or incidental impacts because of the kick-back effects for businesses that make up part of a council’s rating base or part of their constituency.”
Paul says it is hard to gain a clear picture of the threats to local government. “I’ve spent quite some time talking to my colleagues across the National Cyber Security Centre, Cert NZ and a few private sector folk and their answer was ‘we know very, very little about the state of cyber security in local government’.”
SOURCES OF RISK FOR LOCAL GOVERNMENT
While there are multiple sources of risk, perhaps the most easily overlooked group is insiders.
“People inside your organisation – who because of what we call the ‘thick-thumb’ problem – get stuff wrong which causes a risk. Or they have malicious intent. They’re either disgruntled or looking for financial reward.”
Paul notes that many major reports indicate 15 to 20 percent of all cyber incidents come from insiders. “So it’s a category worth thinking about.”
Then there are the cyber criminals: “Organised criminals attempting to monetise their activity and seeking monetary benefit.” These are not just kids in hoodies, says Paul, but well-organised groups, some the size of councils themselves, employing 2000 to 3000 staff with reconnaissance teams, monetisation teams and exploration teams, looking to try and profit. “You’re up against some quite significant adversaries there.”
And the list goes on. “Councils have probably seen a bit of hacktivism. Depending on the kind of by-laws or regulations being implemented there may well be people who are unhappy with the council and look to take that out through website defacement or other efforts.”
These are all physical events that can cause problems with IT systems and councils will be aware of that in their business continuity planning work, says Paul.
“Increasingly, we’re starting to think about the challenge of terrorist groups getting hold of sophisticated tools. We’ve seen some minor incidents of that in New Zealand.”
He cites an instance a year or two back “when a bunch of medical practices in Southland had their website turned into Jihadist advertisements. You ring your doctor and can’t get through because their systems are down so you look on the internet and you’ve got an ISIS flag looking back at you.”
That is where terrorist work is at the moment, he says, but there are concerns that, over time, essential services provided by councils could be the target of physical attacks.
The last threat Paul highlights is espionage and while, by and large, this is directed at the commercial sector or central government, there may have been instances where local government platforms worldwide have been used for espionage efforts.
Ransomware & DDoS
Paul says ransomware is by far the most common issue that his office is seeing at the moment. “Distributed denial of service (DDoS) attacks that take down the website are often used as a form of ransomware. These are sometimes used by hacktivists as well.”
Website defacement & APT
Website defacement is another issue local bodies need to be aware of, although Paul points out they don’t see so much of the advanced persistent threat (APT) profile – where a network is broken into with the purpose of harvesting information – in local government.
Conversely, he says his office sees “a lot of garden variety fraud”, or attempts at fraud, in local government.
He cites credential misuse as another challenging issue both within and outside the local government sector, “particularly where systems are being run inhouse or there are stand-alone systems”.
An example is the well-documented 2012 LinkedIn hack which initially involved the theft of 6.5 million passwords; four years later the number had grown to 117 million.
“We know from that hack that out in the dark net there are a large number of local government addresses from New Zealand. So if you have concerns, hop on haveibeenpwned.com to see if your details are there.”
WHAT DOES RISK LOOK LIKE?
Cyber security insurers have done a great job quantifying and breaking down the risks and how they materialise, says Paul, and wind turbine technology company American Superconductor is a great case study around intellectual property theft.
A graph shows how its stock price flatlined after its IP was stolen. “They were basically taken out of business by sophisticated hacking and insider effort.”
Reputations are also at stake. “Public trust in government IT in Australia was undermined when a couple of small DDoS attacks and configuration issues took the census down.”
The unpleasant effects of hacking were also demonstrated by the 2016 hack of the Ashley Madison extra-marital affairs website, which Paul says had many people thinking about their business model.
Such hacking events can create third-party risk. In one US case, both the CIO and CE lost their jobs when some 70 million credit card credentials were leaked. “Funnily enough,” says Paul, back in New Zealand, this caused some “real problems for credit card issuers that weren’t as well plugged into what was happening as the Americans might have been”.
That’s just one example, he says. “We saw the TAB taken out by DDoS attacks on Boxing Day 2014 – the most significant day of their year when revenue is at its highest and they weren’t able to service their customers.”
And, he says, IT specialists will be interested in the Operation Cloud Hopper report documenting a joint effort between PWC UK and BAE Systems, which revealed both sophisticated and simple malware targeting service providers worldwide. The scammers established what looked like genuine credentials and affected a range of sectors including government and finance, mining, logistics and retail.
“It was a pretty indiscriminate combing for information that required a combined international effort to push them off those systems and indicates just how scaled some of the stuff is becoming these days.”
With risk comes opportunity, says Paul. “The opportunities that really smart IT can bring to local government will transform the way councils work.” He says the productivity impact of businesses making better use of the internet has been estimated at around $34 billion a year and, within government, the estimated gains for better use of data by businesses and government, around $4.5 billion.
But we’re yet to really push the bounds and explore what that looks like in government, he says. “Local government is a place where a lot of the innovation is happening because there’s more freedom. In effect we can’t talk about cyber security risk without talking about opportunity.” There’s been a big shift in the way people think about this, he says. “Three to five years ago our office found it difficult to have conversations about cyber security because people thought we were coming to stop them doing innovative stuff.”
That’s shifted, he says, to the point where good cyber security management is seen as necessary but perhaps not presenting sufficient conditions for innovation. “We don’t want to lose sight of that opportunity picture. That’s why we want to manage cyber security risks – so we can maintain customer confidence; so we can innovate; so we can do those things in a way that maintains trust in the systems we use as we move forward.”
So what’s the thinking on managing cyber security? One of the great challenges for organisations, says Paul, has been that it’s often thought of as a pure technology play.
“People thought that managing cyber security risk was about managing business risk. You have to assess it, understand the system well, then treat it or minimise it as you would any sort of risk – through managed security services, inhouse capability or through education.”
Given the scale of many New Zealand organisations, he suggests thinking about common capabilities is a much smarter way to go “either by getting IT provided through the cloud or by banding together with others to work on things like shared security operation centres. In a sense that’s going to be New Zealand’s strength over time. We’re small enough to collaborate in that way and be able to build some critical mass.”
Then there’s the option to transfer the risk through cyber security insurance. “In New Zealand we’re making pretty good progress on this. It’s a relatively new product and the pricing is still pretty wobbly because the actuarial base under it is not as good as it could be. But we’re seeing New Zealand companies making some quite significant strides in this area.”
No system is completely secure, says Paul. It’s about accepting the risk. “If you’ve got an IT system – a smart phone in your pocket – you’re accepting risk. The question is, do you understand that no system is completely secure?
“Assume you will have an issue, understand what you’re accepting and document the level of risk. Local authorities should be making sure they have business continuity plans in place for when that risk materialises.”
Improving cyber security isn’t just a defensive tool, says Paul. “We’re not sitting here taking it from hackers. It’s about making sure we have the right sorts of systems that build trust and confidence in online activity.” That has really big spin-off effects for their collective work, he says.
“Local government information managers play an absolutely critical role in making the most of that digital opportunity. With local bodies exactly where growing numbers of citizens connect with government, knowing there are good security practices in place builds confidence in doing that.”
Where to go for help
Local authorities can get help from a number of sources, says Paul Ash, director of the National Cyber Policy Office in the Department of the Prime Minister and Cabinet.
Cert New Zealand was established in April 2017 and, says Paul, is the place to get triaged following an incident. “They operate as a trusted clearing house; share information with them and it’s not going anywhere unless you’re comfortable with that happening.”
The group helps build a heat map of what’s happening in New Zealand, he says, and collaborates with the Network of International Nation Certs. “Cert is looking for partners like local bodies to help spread sensible cyber security messages.”
The National Cyber Security Centre, which sits within the Government Communications Security Bureau (GCSB), deals with the most sophisticated of the threats referred to above: advanced persistent threats which are beyond the point where they can be dealt with by most commercially available products.
“In short, they deal with the stuff that needs an intelligence lens to provide security. They’re able to work with any organisation, public or private, and have a team that’s top-notch at working with organisations needing support.”
Paul also recommends having a look at the New Zealand Internet Task Force – a trusted community of security experts. This is a non-governmental organisation that brings together people in the security and information sectors to share information.
Risks are just one of the challenges for those in the cyber security sector. Finding staff with security capabilities is a growing problem. “Globally there will be somewhere between 1.5 and 1.8 million cyber security vacancies by 2022. We have a small share of that – probably somewhere between 2000 to 4000 vacancies. The collaborative Connect Smart community practice not only promotes ways for organisations to protect themselves online but is also tackling workforce development. Government doesn’t have all the answers; the private sector doesn’t have all the answers but together there’s a better chance of delivering a secure, resilient and prosperous New Zealand.”
FUD – fear, uncertainty and doubt – may convince oversight groups to buy products, but Paul believes there’s a real issue around the translation between governance language and the technical language organisations use to describe cyber security.
He recommends the Institute of Directors’ Cyber Risk Practice Guide as one of the most useful tools he has seen.
This drew on work by the National Association of Corporate Directors in the US and the Global National Directors Institute which was a reaction to a significant hacking event for Sony Pictures around the movie The Interview.
The guide takes a principle-based approach that helps put security practitioners in the core of discussions using governance language. “It’s well worth a read.”
This article was first published in the February 2017 issue of NZ Local Government Magazine.