Ministerial Address to 2016 Cyber Security Summit
Good morning and thank you for being here at New Zealand’s first Cyber Security Summit.
We’ve come together to address a significant challenge facing New Zealand’s $231 billion economy.
I invited you as Chief Executives, Board Chairs and business leaders from across the public and private sector because you play an essential role in driving New Zealand’s economy.
You don’t need me to tell you the significant opportunities the Digital Economy offers. The innovative and widespread uptake of information communication technology has transformed New Zealand.
It has added hundreds of millions to our economy, created new and exciting jobs we never thought possible, and has the potential to add $34 billion more.
Businesses up and down the country, big and small, play a critical part in ensuring New Zealand realises the benefits of connectivity. But, in the same way, you also play an essential role in managing the risks arising from malicious activities and crime conducted across the Internet.
Cost of cybercrime to our economy
Malicious cyber intrusions can eat away at these hard-earned advances.
Cyber-attacks have the very real ability to damage our economy.
These attacks cripple businesses and bring them to a standstill. They target the pockets of hard-working New Zealanders and take private information. They aim to steal highly-valuable research and intellectual property and cause havoc with our critical infrastructure and telecommunications networks in an attempt to disrupt or weaken our economy.
These attacks can be motivated by financial gain, political activism or simply because they can. What’s more, these incursions come from anywhere and at any time.
We must address this risk head-on and at every level.
One report has put the cost to New Zealand at $257 million last year alone – though I suspect the real cost may be higher still.
In 2015, Netsafe reported an average of 25 attacks per day and reported $13 million in damage – an increase of 68 per cent on the year before.
On average, 51 Distributed denial-of-service (or DDoS) attacks are investigated per day by one of New Zealand’s largest telecommunication companies. And these aren’t always small incidences – just one of these DDoS attacks represented almost 20 per cent of their total network capacity.
In the year to April 2016, the Government’s National Cyber Security Centre logged 316 incidents – up from 190 in the 12 months to June 2015.
In a typical month, the GCSB through Project CORTEX detects seven potentially significant cyber intrusions affecting one or more substantial NZ organisations.
On one email platform alone, nearly 70 per cent of all email was identified as spam, phishing attacks or containing viruses.
And these statistics are just the tip of the iceberg.
It’s essential that we protect our $231 billion GDP against this constant barrage of attacks.
How we are responding
I invited you here today because the business community needs to own and manage this risk.
Improving New Zealand’s cyber security is not simply about employing the right technical tools. If you think cyber security is an issue that sits in the IT department, you’ve missed the critical part of this.
The conversation needs to shift to the boardroom and to the CEO’s office. Cyber security represents one of the most serious risks to any major business and therefore must be an executive-level responsibility, informed by the very best internationally-sourced information. That’s why we’re all here.
For our part, the Government is taking this issue extremely seriously.
We have strengthened the Police Cybercrime Unit and are bolstering the High Tech Crime Group to improve our ability to investigate cybercrime.
We launched the launch the Connect Smart partnership to work together on building New Zealander’s ability to protect themselves online.
We vested functional leadership of public sector ICT through the Government Chief Information Officer, including ensuring government manages citizen and other data securely.
We have invested in initiatives to combat online harassment and bullying, including passing the Harmful Digital Communications Act.
We have built teams working on countering harmful spam and protecting children from online sexual exploitation in the Department of Internal Affairs.
We have established the National Cyber Security Centre in the Government Communications Security Bureau, and invested in Project CORTEX to help protect our most significant infrastructure against advanced threats.
That’s a large number of moving parts. To bring that all together coherently, we established the National Cyber Policy Office in the Department of the Prime Minister and Cabinet, with a mandate to improve coordination of cyber security policy and reach out in partnership to work with the private sector.
NCPO reports to me and has been responsible for developing our national Cyber Security Strategy and is charged with overseeing its implementation.
So Government is taking decisive action to secure our economic interests and minimise online harm and damage.
But this is not a task for the public sector alone.
A strong partnership between the Government, business and NGOs is required to confront this challenge.
It was a public-private partnership that was at the heart of Cyber Security Strategy I launched in December. This strategy included a number of actions to improve the protection of New Zealand’s information assets.
But New Zealanders remain overwhelmed by cyber security – 73 per cent want more advice and only 23 per cent of boards are involved in their organisations cyber strategy.
We can do more to equip communities and institutions with the tools they need to help protect themselves against and in an event of a cyber-attack.
Today, I want to focus on three initiatives we have underway to do exactly this.
A National CERT
The first is the establishment of a national CERT.
You heard from the Prime Minister this morning that we are providing a significant investment of $22.2 million from Budget 2016 towards this new national institution to deal with cyber incidents.
Just last December, I announced my intention to establish a national CERT and I’m delighted that funding has been secured and we’re progressing at pace.
The fact that we’re moving so swiftly on these issues speaks to the importance the Government places on cyber security. It also speaks to our understanding of the necessity of a joined up response.
Currently we have a range of agencies dealing with various aspects of the cyber security threat.
We are not yet as joined up as we could and should be.
Most simply don’t know who to turn to in the event of an attack or if they suspect their system has been compromised.
This makes it difficult to build up a comprehensive picture of the size, nature and impact of current and future cyber security threats.
And it means New Zealanders may be confused by information relating to cyber security. They may not know what is authoritative or how to deal effectively with a cyber incident.
In the absence of a comprehensive and coordinated approach to cyber security, we risk undermining our credibility as a safe and secure international trading partner.
CERT NZ will be a central part of our cyber security architecture.
I see this as a considerable opportunity to draw on resources from across the country and to collaborate effectively – and to do so in a readily accessible, coordinated fashion that matches the approach taken by our international partners.
Work is already underway to get this new institution set up quickly, in a way that works in the New Zealand context.
This has involved extensive engagement with the private sector and key stakeholders – many of whom are in this room today.
Importantly, it has also involved working with international partners – learning from the experiences of other countries with national CERTs.
The best national CERTs are “trusted clearing-houses”, building resilience and sharing the work of protecting the economy. That’s exactly what I want from CERT NZ.
To achieve this, we will need to work together to build a trust-based, collaborative model.
Our National CERT will be a one-stop shop.
It will provide incident response and triage – taking reports and reports of cyber incidents and analysing, triaging and referring these incidents to the right agencies for assistance.
This means that anyone wanting to report cybercrime or cyber-enabled crime knows who to go to right away.
This includes individuals and families who want to report cybercrime, small and medium enterprises who are struggling for help with cyber threats, government agencies, and larger enterprises and sectors.
Our CERT will analyse the broad range of incidents to understand active threats and trends in cybercrime and cyber security at the national level. In other words – it will produce an aggregated, informed picture on the cyber security threat for New Zealand.
Drawing on this information, and other sources, the CERT will develop advice and alerts on threats, vulnerabilities and prevention.
It will also deliver information on the mitigation of threats in real-time, ensuring information quickly gets to those who need it.
The CERT will support sectoral information-sharing forums. This will enable companies in particular sectors to see across the threat landscape and protect themselves and each other more quickly and with better information than is possible at present.
The CERT will maintain close links with the Police, the National Cyber Security Centre within GCSB, and other agencies, like the anti-spam unit in the Department of Internal Affairs, and a range of private sector partners and academic institutions.
It will also play a role in coordinating serious cyber incidents, where necessary.
CERT NZ will be the primary point of contact with CERTs and similar organisations from other countries.
This is vital. Most cyber security incidents emanate from other countries. Coordination and practical cooperation with other countries is invaluable in addressing this.
New Zealand will join the growing, global network of CERTs and international bodies working on improving cyber security.
I want to get CERT up and running as quickly as possible.
So as a first step, I am setting up CERT NZ as a branded unit within the Ministry of Business, Innovation and Employment.
This means the CERT can stand-up without delay. It’s also in keeping with our emphasis on the economic benefits of improved cyber security and making the most of the digital economy. And while I see this as the best way to hatch and incubate the CERT to allow us to hit the ground running, it is not what I envisage for the long-term structure of CERT NZ.
We know from our international partners that that involvement of the private sector is critical to success of the CERT.
There is substantial experience in cyber security in the private and non-government sectors – and I intend to tap into that as CERT NZ will not, in my view, reach its full potential without a strong voice representing our private sector guiding its establishment and operation.
So I am today inviting nominations for a CERT Advisory Board.
The Board will have up to nine members, made up from private sector and non-government cyber security experts.
It will provide advice directly to me on the establishment and operation of our national CerT and options for its longer-term structure.
The Board will help to ensure that CERT NZ meets the cyber security needs of its customers and stakeholders.
I encourage those with the cyber security know-how to put your hand up and be considered for the CERT Advisory Board. Nomination details and process will be made available online from today.
Cyber Credentials Scheme
The second initiative I want to talk about is building the cyber capability of our small businesses.
This reflects both the significant contribution SMEs make to the New Zealand economy but also the fact that small businesses are increasingly vulnerable to cyber-attacks.
International research shows cyber criminals are increasingly focusing on smaller businesses.
Symantec’s threat report revealed that in the last five years, spear-phishing has risen to 43 per cent of attacks in 2015.
A US study found 60 percent of small businesses went out of business within six months of a data breach.
Small businesses bear a higher cost when hit by cybercrime.
The Global 2015 Cost of Cyber Crime report highlighted that the per capita cost of cybercrime for small organisations is three times greater than for a larger organisation.
The most recent MYOB Business Monitor Survey found that 70 per cent of New Zealand SMEs now register concerns in one or more cyber security risk areas, an increase of 10 per cent in just six months.
Small businesses often lack the expertise or resources to improve their cyber security. They struggle to invest at scale, or to access the support that could assist them.
CERT NZ will be part of the answer.
But we can do more.
In December I announced work on a Cyber Credentials scheme for small businesses. This scheme will allow small businesses to demonstrate publicly to customers, partners and their business supply chain that they have basic cyber security measures in place.
It will encourage small businesses to manage risk by taking up and maintaining these security measures.
Similar to the UK’s “Cyber Essentials” scheme, it will involve self-assessment and independent verification through a certification process.
The Cyber Credentials scheme will provide targeted and accessible stepping stones for businesses to improve their cyber security maturity and indicate to their customers and suppliers their recognition of the issue and action to address it.
This Summit is a good opportunity to hear from key business and government leaders about how we achieve this.
I want this cyber credentials scheme up and running later this year and I look forward to having more to say on this in the next few months.
The third and final element I want to address today is our international connections.
We are confronted by a security challenge that knows no national boundaries and that means partnerships well beyond our shores are critical to success.
It’s no accident our national Cyber Security Strategy has a strong emphasis on International Cooperation.
At its most practical, our international work involves operational linkages between New Zealand’s agencies and their counterparts overseas.
Just as on the national level we benefit from sharing information about threats and solutions, so too our agencies benefit from work with international colleagues.
This is already happening. Several agencies are networked with partners in Asia-Pacific region and beyond.
CERT NZ will also play a major role in this, joining a network of CERTs once it is stood up.
We also need to play our part in the broader international discussion on cybersecurity and cybercrime.
As you heard this morning from other speakers, the development of international norms and rules around cybersecurity will take time and patience, and will no doubt bring with it challenges to New Zealand values.
But it is critical to building the longer-term stability that can enable New Zealand to thrive, to be secure, resilient and prosperous online.
We are working directly with key partners. With our closest partner, Australia, we have a regular cyber dialogue, working on policy and practice in our single economic market. I’d like to acknowledge Australia’s recently released strategy, and the opportunities in it to continue our close working relationship.
I look forward to engaging with my Australian colleagues as we each lead the implementation of our strategies.
In 2013 New Zealand and the UK jointly committed to work together on cyber security. We work closely with the US and Canada on policy and practice.
We are deepening work with others in the Asia-Pacific region on measures to build confidence and stability.
We have long contributed to the ASEAN Regional Forum’s work on cyber.
Officials are working on capacity-building and support to our nearest neighbours in the Pacific, including as a member of the Global Forum for Cyber Expertise.
And we talk directly with countries in our region. Officials held our first bilateral cyber dialogue with China in February, and are currently working on a dialogue with Japan.
This is a fluid, evolving and challenging area.
That’s reflected in efforts to develop norms of behaviour and “rules of the road” for states. It’s also apparent in the gradual emergence of cybersecurity regulation as a trade issue.
New Zealand is actively involved in these discussions, through forums such as the Global Conferences on Cyberspace launched by the UK, OECD work on cybersecurity settings for its members, and discussion with partners on issues such as standards and regulatory best practice.
In our interconnected world, it’s critically important that we have an eye, and ear and a voice in those discussions.
Today’s Summit is about safe-guarding our economy as a whole and protecting the interests of New Zealanders when they use the Internet. That involves technical elements, but at its core, this is a much bigger issue.
When I launched New Zealand’s Cyber Security Strategy in December I said this was about delivering a step-change in our approach. And I acknowledged that could only occur if we build strong, effective partnerships, supported by leaders across all of New Zealand’s communities and sectors.
That’s why I’m tremendously encouraged to see you here today, working together to build a collective endeavour.
Cyber is a multi-faceted and fast evolving type of crime and commercial attack. The harsh reality is it presents economic and reputational risks that none of you want to face.
We have the opportunity though to ensure our businesses grasp and respond to this pervasive new threat and protect themselves from the many thousands of international players who seek to do us harm.
The Government wants to partner with business and provide the expertise and linkages we have to support you, but we need you at the table and engaged.
I hope today’s event demonstrates once more our commitment to ensuring New Zealand is positioned to take full opportunity of the digital opportunities without laying itself open to those that would do us harm.
Can I thank you all for your participation in this important discussion. We intend to produce outcomes today – and work with you to take these forward in a truly collaborative public-private partnership.