Published by Dan Richardson 3 November 2023
For the New Zealand cyber security industry, the release of the National Cyber Security Centre’s (NCSC) Cyber Threat Report is something of a yearly ritual. Year after year the report is a go-to for an authoritative and unique perspective on New Zealand’s cyber threat landscape.
So when the NCSC released their Report for the 2022/23 reporting period this week, cyber nerds, like myself, began pouring over the data to understand how the landscape is evolving and what the trends tell us about cyber in New Zealand.
Breaking down the statistics on cyber incidents
National cyber incident statistics
The national cyber incident statistics always get a lot of attention and this year should be no exception. While overall incident numbers are down year on year – 316 in 2022/23 compared to 350 in 2021/22 – I would be hesitant to suggest that indicates a softening of the cyber threat environment.
Rather, this would appear to be a longer-term trend – 404 incidents were reported in 2020/21 – and it should also be noted that how incidents are categorised (from C1 or “National Emergency” to C6 “Minor Incident”) has changed and evolved in recent years. I’m speculating, but it’s possible this trend indicates the NCSC are focusing on fewer incidents that are larger and more impactful.
State sponsored actors
A corresponding reduction in cyber incidents attributed to suspected state sponsored actors is also noticeable in this year’s Cyber Threat Report. This reduction – 23% of incidents compared to 34% in 2021/22 – could reflect a shift in targeting priorities for state sponsored actors, for example to other jurisdictions or to sectors or organisations outside of the NCSC’s traditional constituency of nationally significant organisations. This change could also reflect changes in state sponsored actors’ TTP’s (Techniques, Tactics & Procedures) making them harder to both detect and/or attribute.
Criminal and financially motivated actors
A corresponding increase in incidents attributed to criminal or financially motivated threat actors reflects the experience of CyberCX and the cyber security industry more broadly. This is a timely reminder to review your organisation’s cyber resilience posture and incident response preparedness. On that note I’d highly recommend the recently released Ransomware and Cyber Extortion Best Practice Guide and undertaking regular structured cyber incident exercises.
It’s great to see a breakdown of incidents by phase included in the report and this type of information can really help defenders identify where control gaps may exist in their own organisations.
NCSC in a typical month
The source of cyber incidents recorded by the NCSC also provides some interesting insights. The ‘NCSC in a typical month’ stats show that the majority of incidents (20) are referred to the NCSC by domestic or international partners, with a lower proportion being self-reported (8) or detected by the NCSC’s cyber defence capabilities (7).
This is positive as it shows the NCSC is well connected to those domestic and international partners. On the other hand the proportion detected by the NCSC’s cyber defence capabilities has remained the same as the 2021/22 reporting period and has dropped by 46% since the 2020/21 period (7 compared to 13). This could reflect changes in the threat environment, mitigation of potential incidents earlier in the attack cycle or coverage changes in the NCSC’s cyber defence capabilities.
Malware Free Networks
On another note, it’s really pleasing to see the growth and success of the NCSC’s Malware Free Networks ® (MFN) programme – a threat detection and disruption service that provides real-time threat intel sharing – and the move into more widespread disruption of cyber threats across the country called out in the Cyber Threat Report.
I even noticed the registered trademark symbol attached to MFN ® in the report. I was not aware that it was a registered trademark and this shows the MFN brand has a level of recognition in the market which is a strong endorsement of its wider community importance and cut through.
It will be interesting to see the next developments in the NCSC’s cyber threat disruption services. A useful adjunct to organisations receiving MFN protection would be to investigate other sources of threat intelligence that can also be consumed in conjunction with MFN. Perhaps an opportunity for accredited threat intelligence providers to submit indicators of compromise in an automated way to the NCSC to distribute to MFN partners might be a good next step.
The continued focus on supply chain and third-party risk management called out in the Cyber Threat Report reflects a number of high-profile incidents during the reporting period. For many more mature organisations third-party and supply chain risk is a pressing challenge, and this is certainly an area of focus for cyber security professionals, including myself and my colleagues at CyberCX.
While the NCSC has previously issued supply chain security guidance and it forms part of the NCSC Cyber Security Framework this area remains a key challenge and further uplift across both industry and government is needed as this risk continues to emerge and confront organisations of all shapes and sizes.
Overall, the main takeaway points are the perennial themes that the cyber threat environment continues to evolve. This means that organisations need to regularly assess their cyber risk – being prepared for a cyber incident is infinitely preferable to not being prepared. I have firsthand experience of how arduous a task it is to pull together the Cyber Threat report so a massive virtual pat on the back for the team at the NCSC for another informative and relevant report – a fantastic resource for the wider New Zealand cyber security sector for the year ahead.