Published by Dan Richardson, Executive Director Strategy & Risk (Strategy & Consulting), CyberCX New Zealand on 17 June 2024
OPINION: The New Zealand Government has reportedly begun preparing a new cyber security strategy. Amidst rapid technological change and worsening cyber threats, a new strategy is an important opportunity for the Luxon Government to explain how New Zealand will tackle the challenges of our digitally disrupted future.
Since the current strategy was written in 2019, cybercriminals have debilitated the NZX disrupting the stock exchange, brought down the communication systems of the Waikato District Health Board, and stolen the data of hundreds of thousands of Kiwis after a hack against a major media organisation. Meanwhile, it was revealed in March Chinese-backed hackers had undertaken a cyber-espionage attack on our Parliament.
Recognising that the threat landscape is shifting, our major allies and trading partners – the United States, the United Kingdom, and Australia – have all launched ambitious and comprehensive cyber security strategies in the past two years.
Speaking with business and government leaders, it’s clear that New Zealand faces some stark choices. If we get this wrong, New Zealanders risk being left more exposed to the harms of cyber attacks and less able to benefit from the rewards of a healthy digital economy. New Zealand will also be a less appealing security partner, as strong cyber security will be an essential prerequisite for future defence and intelligence technology partnerships.
Should the New Zealand strategy look toward 2030, like Australia and the UK, there are five primary objectives to focus on over that timeframe: protecting critical infrastructure, fighting scams, bolstering the South Pacific, hardening government systems, and deepening collaboration between government and industry.
A notice advising of a “computer outage” at Waikato Hospital’s emergency department in 2021 – actually the result of a crippling cyber attack.
Image: Kelly Hodel / Stuff / Waikato Times
While destructive cyber-attacks on New Zealand critical infrastructure have historically been rare, incidents are increasing worldwide, especially ransomware attacks which have brought hospitals, telecommunications networks and energy suppliers to their knees.
Comparable countries are placing obligations on critical infrastructure operators to better protect themselves, while ensuring minimal impact on service delivery and cost to consumers. Our government can learn from this. Australia’s Security of Critical Infrastructure (SOCI) legislation offers a useful model for placing new cyber security obligations on critical infrastructure providers.
Cyber-enabled scams impact the largest portion of the community, with an estimated $200 million lost by New Zealanders last year. A new cyber security strategy must seek to reduce the harm caused by these crimes to households and small businesses, while restoring trust in institutions and organisations that are often impersonated by criminals to defraud victims – from government agencies to banks and telecommunication companies.
Some nations have helped address online scams by consolidating law enforcement and regulatory functions into national anti-scam bodies that improve information-sharing, intelligence collection and engagements with the community that build awareness of new scam methodologies.
Dan Richardson is the Executive Director of Strategy & Risk at CyberCX
The New Zealand Banking Association chief executive Roger Beaumont has already called on the Government to support a New Zealand anti-scam centre.
New Zealand has always had a special partnership with the countries of the South Pacific, taking on responsibilities to help in times of need. Cyber security should be no different. These nations are being deliberately targeted by state and non-state groups due to their smaller scale.
Cyber attacks have the potential to harm the safety of those living in the South Pacific and impede the development of these countries as sustainable digital economies. The next cyber security strategy must contain practical, actionable steps to be taken by the New Zealand Government and businesses to ensure our neighbours are not left behind.
It is clear that new standards and procedures are required to ensure that the software, devices and technical infrastructure surrounding sensitive government networks are as hardened and trusted as possible. The next strategy needs to be informed by a frank and honest evaluation of current government IT procurement procedures and identify where checks and balances can be established to keep untrustworthy tech or providers out of government systems.
Against the backdrop of a fiscally challenging environment, the strategy should look to streamline IT procurement and capability development to find opportunities to reduce duplication through shared services.
New Zealand’s cyber security will continue to rely heavily on how effectively regulators, law enforcement and intelligence services can partner with industry. Structures are needed for industry to share technical tradecraft and threat information with government agencies, and those agencies will need to provide more industry-relevant information in return.
New joint executive bodies where ministers and senior business leaders collectively shape cyber policy have been set up overseas and should be adopted in New Zealand. Options should be explored to establish industry secondments into government to augment the nation’s cyber security workforce. For example, embedding industry analysts in the National Cyber Security Centre where they can work at the unclassified level.
Finally, successful implementation of additional cyber security requirements needs to be accompanied by a shift in attitude in government and industry to recognise that in our new threat environment cyber security is not a sunk cost but a critical enabler of New Zealand’s growth in the modern world.
This article originally appeared as an opinion piece in The Post
