Written by staff writer.
The New Zealand government is growing the National Cyber Security Centre’s (NCSC) role and making it the country’s lead operational agency to defend against cyberattacks. Minister for the Public Service Andrew Little and Minister for the Digital Economy Ginny Andersen announced the change on July 26.
The most tangible outcome of the change, which will take effect from August 31 and take several years to implement fully, will be to fold New Zealand’s Computer Emergency Response Team (CERT NZ) into the NCSC, which is itself an entity within the Government Communications Security Bureau (GCSB), the country’s national security and intelligence agency. The NCSC says its enlarged role will see it tackle emerging cybersecurity challenges and provide joined-up, customer-centric services for New Zealanders.
Little said the Cyber Security Advisory Committee recommended bringing CERT NZ into the NCSC, and the government was acting on that recommendation. The minister also referenced the growing number of increasingly sophisticated cyber threats impacting the country.
“Having a single agency to provide authoritative advice and respond to incidents across every threat level is international best practice, and will ensure New Zealand is well placed to take advantage of the opportunities in the digital economy and provide secure government services to our citizens,” he said.
The New Zealand government says CERT NZ reported NZD5.8 million in direct losses from cyber-attacks in the first quarter of 2023. But it admits this figure is probably just the tip of the iceberg, correlating with Kordia research that found 55% of surveyed New Zealand businesses experienced a cyber-attack in 2022. Phishing campaigns accounted for 37% of those attacks.
The NCSC’s 2021/22 Threat Assessment Report says it recorded 350 significant cyber attacks in New Zealand in that year. It said 118 of those, or 34% indicated links to suspected state-sponsored actors, while 81 (or 23%) were likely criminal or financially motivated. CERT NZ is now reporting over 2,000 incidents per quarter.
“We’re committed to staying ahead of the hackers,” said Little this week, while the digital economy minister added that the government had spent NZD94 million since 2018 on cyber security defences. But critics of the government say it has severely underfunded New Zealand’s cyber defences on a pro-rata basis compared to the other Five Eyes countries.
In an open letter published online last month and addressed to Little and Anderson, Kendra Ross, a former CERT NZ board member, said the decision to fold CERT NZ into the NCSC risked blurring of lines between intelligence operations and the provision of cybersecurity services.
“Placing an outward-facing non-intelligence organization (CERT NZ) under the umbrella of an intelligence agency could create conflicts of interest and compromise the independence and transparency necessary for effective cybersecurity operations,” she wrote, while also describing the lack of consultation with the cybersecurity industry and other stakeholders as “deeply troubling.”
But Anderson argues that creating a dedicated new lead operational agency best positions New Zealand to fight against the threat actors “we know cause real harm to individuals and our economy.