Documenting the activities of New Zealand government agencies for the tax-paying public ensures one consumes a range of essential, if largely indigestible, reading matter. Annual reports often form a cornerstone of this unglamorous fodder, and many are long and unnecessarily tedious in their discourse and disclosures.

It's refreshing then to come across the 25-page Cyber Threat Report 2020/2021, for the fiscal year ending 30 June, from the National Cyber Security Centre (NCSC). The NCSC is located within the Government Communications Security Bureau, and this report was released in mid-November.

The NCSC describes itself as: "the lead organisation for  responding to cyber threats that could  have an impact on national security and wellbeing". This report focuses on giving details about major cyber security incidents the Centre has documented and, in some cases, prevented, engagements it has undertaken with a wide range of significant organisations and on trends observed in the cyber threatscape during the year.

Some statistics at a glance

In the 2020/2021 fiscal year, the NCSC recorded 404 incidents with a possible national impact, or affecting New Zealand's nationally significant organisations. This figure is up 15% from the previous year when 352 incidents were recorded. Suspected state-sponsored activity accounted for 28% of incidents this year, compared to 30% in the last.

More significantly, incidents involving non-state actors with criminal or financial motivations rose from 14% in 2019/2020 to 27% in 2020/2021.

Unattributable incidents this year accounted for 26% of all incidents, which the NCSC describes as having "insufficient information to make any assessment about the actor responsible or their motivation, and  the suspected actor was recorded as unknown."

The Centre goes on to say: "The remaining share of incidents comprised proactive or preventative efforts, false positives, data leaks, or other incidents not associated with a suspected malicious actor."

NCSC estimates its interventions, advice, and assistance have prevented $119 million worth of harm in the year to 30 June 2021, an increase from $70.5 million reported in the year to 30 June 2020. This figure is based on incidents the Centre has prevented and the likely cost of incidents its assistance has prevented or aided in response to and recovery from malicious cyber attacks sustained by significant public and private entities.

Engagement by NCSC with the wider community increased with 1872 engagements with 200 organisations, recorded in 2020/2021, compared with 1770 engagements with more than 250 organisations in the previous year.

22 security information exchanges were hosted, compared with 20 in the previous year. 23 reports and advisories were issued to general customers, and 94 incident reports were delivered to customers.

Looking inside the numbers: Comment from inside and out

Lisa Fong is the director of the NCSC and has been employed by the GCSB since 2016. She was the bureau's Chief Legal Advisor and acting director before taking up her current role.

Fong believes the rise of 13% in criminally or financially motivated incidents is the most significant figure expressed in this year's report.  Though the distinction between state and criminal actors becomes more blurred with time, she says motivation is the key difference between the two groups.

"Where we see state actors continuing to operate is in ways where they're trying to avoid detection because their outcome is strategic information. Whereas criminal and financially motivated actors may be looking to have impact to create leverage. The use of media during recent ransomware attacks is a good example. The persistence you're looking at  with state actors means they are willing to explore a range of different techniques whereas there may not be as much sophistication in use of tools by criminally and financially motivated actors," Fong says.
 
The unattributable incidents mentioned in this report are concerning but not surprising to Lisa.

"That's where we've caught the incident at an early enough stage that we can't actualy distinguish between whether or not its state sponsored or criminally or financialy motivated. That's significant in the sense that it demonstrates the sophistication of the tools now available to that criminally and financially motivated group, which they didn't have historically. It also potentially indicates significance of those safe harbours that state sponsored actors have been providing."

Chris Hails is a consultant with ZX Security in Auckland and a former employee of the NCSC. He believes the apparent increase in criminally motivated incidents is significant but not disproportionate.

"Overseas data will show cyber crime activity rising between 40% to 400% during COVID-19 lockdowns in 2020/2021 in particular, depending on country and industry sector. The ability to exploit staff working from home, where security controls may not be as effective, and where people are tired, stressed and vulnerable, has provided ripe pickings for offshore criminals," Hails says.

To Hails, the percentage of unattributed incidents is no surprise.

"Accurate attribution is incredibly hard given the skills of threat actors and their ability to anonymise their activity and use commoditised attack tools available freely online to any motivated offender," he remarks.

Hails believes how the crime is committed matters more to New Zealanders than who commits it.

"Cyber crime is a global business and many companies are relying on cyber risk insurance to provide cover for clean up and recovery. Attribution is of little interest as long as costs and resources to remediate and get back to business as usual as soon as possible, are prioritised," he says.
 
The NCSC records a 70% increase in the financial harm prevented as a result of its activities between this year and last year. Since June 2016, it estimates a total of $284.5 million worth of harm has been averted for nationally significant organisations, and Lisa Fong says the model and associated tools used to calculate these figures have been a collaborative and labour-intensive effort.

"We worked with a global consultancy to draw on international and domestically available data there was, to construct what is a reasonably conservative algorithm for the nature of the organisations we seek to support and the nature of the incidents we seek to detect and protect against. We've recently reviewd the methodology to make sure it remains fresh and have updated some of the international research that helps form that calculation. It remains valid and is conservative as we would rather undercount economic value than overcount it," she says.

Chris Hails acknowledges NCSC's effort regarding nationally important organisations but believes the full picture of financial losses for all New Zealand business sectors may look much darker. He cites the Australian Cyber Security Centre's self-reported losses from cybercrime, which its current annual report places at $33 billion. Based on that figure, Hails deduces that our total losses may be as much as $6.6  billion annually.

"In New Zealand we don't know the full picture of harm from cyber crime due to fragmentation in reporting. But you can aggregate from data provided by NCSC, CERT, The New Zealand Police, the Privacy Commissioner, and other non-government entities like Netsafe, to provide a view. We need better coordination as they have in Australia to involve the banks and telcos, in data sharing and the aggregating of impacts across the country," Hails observes. "Victims can fall between stools here and be deterred from submitting a report."

Engaging with the public

Though it is not a regulator or enforcement agency, the NCSC is heavily involved in helping business in critical sectors such as education, logistics, energy and finance. Engagements range from phone calls or video teleconferences and the issue of reports to customers on incidents, to much larger dialogues like the 22 security information exchanges it facilitated in the 2020/2021 year.

"Those are forums we facilitate in the public and private sector to enable technical specialists to come together in trusted environments to share information around threats and vulnerabilities they're observing in their sectors," Lisa Fong says. "These are environments where they might have useful insights which might not otherwise be shared commercially."

Fong says her Centre's part in these often lengthy exchanges is primarily dictated by those participating in them.

"They are usually led by their members," she observes; "we provide a facilitative function and we can assist by providing content but we will take direction from members about what they want from us. They also determine membership of those groups," she says.

The Centre released two publications this year to assist businesses. 'Supply Chain Security: In Safe Hands' and 'Incident Management: Be Resilient,  Be Prepared'  are part of a series created by analysing 250 New Zealand organisations for the biggest cyber security challenges facing NCSC customers.

"What they're designed to achieve is a better conversation between technical parts of an organisation and governance layers, to make sure there's visibility of risks and greater governance and appropriate investment in those technological areas," Fong says.

"In terms of uptake, we've found it has unfortunately been very relevant this year and there's been a great deal of interest in hearing from us about these resources. We make a deliberate effort to be available to brief boards and sectors who want to hear the latest from us."

Major events and incidents

The NCSC was involved in 3 major events during this fiscal year: the general election in October 2020, the hosting of the virtual APEC summit between November 2020 and November 2021 and the COVID-19 vaccine rollout. The lattermost has seen NCSC staff assisting everyone from medical service and transport providers, to government agencies like the Ministry of Health. All have required a wide range of help, as Fong relates.

"For instance, supply chain risk and conducting risk assessments and ensuring cyber resilience is generally good in organisations that'll be critical to the rollout. They may be core government agencies as well as some smaller providers such as logistics companies. We've also been able to provide cyber inteligence reporting on cyber threats that might be specific to the rollout or which we've seen globally, that might indicate specific protective measures which need to be put in place."

Fong believes public sector agencies in particular would have endured serious disadvantages without assistance from NCSC.

"They would not have been able to backfill from the private sector, the intelligence threat reporting or the cyber defensive services they needed. The connections to our international partners were particularly critical to providing global insights both on intelligence and technological fronts."

Three major cyber incidents commanded NCSC attention this year also. They were a data breach at the Reserve Bank, a series of distributed denial of service attacks on the New Zealand Stock Exchange and a crippling ransomware attack on the Waikato District Health Board in May.

"We were able to use our 24/7 incident response capability to deploy to Waikato DHB, and we also were able to provide system support connecting up different parts of government who needed to be involved in the response. We provided the lead on the technical incident response in this case," Fong says.

This incident is called a category two (highly significant) incident. The category is assigned in a matrix ranging from C6 (minor incidents) to C1 (national emergency).

Jamie, whose full name and title we've agreed not to disclose, is from NCSC's Cyber Threat Unit. On C2 incidents in general, he observes:

"that might involve us having people on-site with the victim organisation, providing advice and guidance. It might be undertaking forensic analysis, -  assessing what happened, what risk there is to the organisation, how to return it to a safe stage. We may have to make sure that we've effectively removed a malicious actor from a  network," Jamie says.

At categories one to three, the NCSC will support commercial vendors of IT and security services which the victim organisation relies on.

"When an incident reaches a threshold where it requires an all of government response, there is a National Cyber Security Response Plan on the DPMC's website, that sets out that response. We would typically play a lead role in coordinating that," says Jamie.

Looking forward 

For Lisa Fong, new partnerships and reaching out to new customers are focuses for the next fiscal year and beyond. The much-publicised launch of Malware Free networks through nine private sector partners is one example of NCSC ensuring it can produce customer-facing services which businesses outside the public sector can utilise. Fong cites another specific and less visible example of a new initiative that can involve more than just government agencies.

"In our cloud security templates we're really focusing on partnership. These see us working with cloud providers to make sure that the New Zealand Information Security Manual standards for government are integrated into cloud offerings. This means that there's continuous assurance available for public sector agencies wanting to increase their cloud uptake or conduct digital transformation. These aren't exclusive to the public sector and many government agency suppliers will want to adopt those standards as well and they're available to them."