FutureFive New Zealand logo
Consumer technology news from the future
Story image

The who’s who of NZ’s government & public cybersecurity agencies

By Sara Barker
Thu 30 Sep 2021

Aotearoa, New Zealand, is a young nation cutting its teeth on innovation and digital capabilities. Our tech sector is growing; our people use digital tools in business and at home to explore and invent. But, with every new technology-enabled path we forge, we must also defend ourselves from cyber threats and exploitation. New Zealand’s national cyber defence involves many agencies and strategies. Here we take a look at some of the main players.

Government ministers, policies, and legislation

The New Zealand Government has two primary Ministers responsible for technology and security: Andrew Little, Minister for the GCSB and NZSIS, and David Clark, Minister for the Digital Economy and Communications. They are involved in developing New Zealand’s cybersecurity policy with the help of the Government's chief information security officer/GCSB director-general Andrew Hampton and the broader Government. In addition, The ICT Security and Related Services Panel enables commercial organisations to supply security services to the Government to protect New Zealand’s cybersecurity and defence.

Clark, Little, and their predecessors in previous governments have put significant effort into protecting New Zealand against security threats through the National Cyber Policy Office, established in 2012. In addition, there are specific forms of legislation and policies to plot New Zealand's cybersecurity journey. The most notable of these is the Cyber Security Strategy launched in 2011 and was updated until 2019. The Government also follows the Cyber Security Emergency Response Plan (CSERP), which was last updated in July 2021.

The CSERP outlines the government response to a cybersecurity emergency in terms of roles and responsibilities, the private sector’s understanding of the government approach, an effective and coordinated response, and the swift restoration of services and operations. The CSERP focuses on five principles: Cooperation, coordination, sustainability, timeliness, and trust. The CSERP is also activated when the National Cybersecurity Centre (NCSC) or CERT NZ identifies a cybersecurity emergency based on reports from partners, the public, or technical capabilities that identify threats that could lead to an emergency.

The Government Communications Security Bureau (GCSB)

Currently led by Director-General Andrew Hampton, the GCSB has been operating since 1977. However, the modern form of the GCSB started to take shape in 2003 when it became a public service under the Government Communications Security Bureau Act 2003. Since then, the bureau has continued to build out its capabilities whilst administering the network security provisions of the Telecommunications (Interception Capability and Security) Act 2013 and delivering its mandate under the Intelligence and Security Act 2017.

The GCSB was drawn into the public eye after attacks on its Waihopai spy base in 2008 and its involvement in the Five Eyes intelligence network. However, the GCSB’s remit is much broader than these incidents. Essentially, the GCSB exists to protect New Zealand from threats, both online and offline. 

Hampton explains, “We have two primary missions. One is intelligence gathering or signals intelligence, which is generally foreign intelligence. We do that by electronic means, following priorities set by Government. This means finding out about global and national issues that are relevant to New Zealand decision-makers."

“The other role we have relates to the NCSC, specifically cybersecurity and information assurance for organisations of national significance. We don’t provide the country’s firewall, and we don’t duplicate services provided by the commercial providers. Instead, we help to protect organisations of national significance from advanced persistent threat actors."

“There is a relationship between those two missions: the fact that we are an intelligence bureau means that we have access to legal authorities, partner relationships and technologies. These give us more capabilities in cybersecurity that other organisations may not be able to achieve.”

The GCSB is also involved in security risk assessments for new technologies such as 5G and even space launches under the The Outer Space and High-altitude Activities Act 2017. For example, in the last year alone, the GCSB assessed 24 space-related activities from New Zealand - these assessments covered launches, payloads, and high-altitude vehicles.

“If anyone wants to launch a space vehicle from New Zealand, we need to assess the payload. This is to make sure there are no national security risks,” says Hampton.

New Zealand’s National Cyber Security Centre (NCSC)

The NCSC was launched in 2011 and led by Lisa Fong since 2016. It operates within the GCSB to protect and provide incident response for New Zealand’s most significant public and private sector organisations from cyber threats. 

These organisations can include government departments, telecommunications companies, transport and energy companies, and much more. In 2018 there were more than 250 organisations in New Zealand classified as being of national significance. The NCSC provides advisory services, support, advice and education for these organisations. It also collaborates with the information security community, technology industry and Government.

The NCSC runs a malware detection and disruption service called Cortex. While Cortex's inner workings remain classified, it leverages threat intelligence from a range of sources to protect a select group of New Zealand organisations. Cortex is an ambitious service that is still shrouded in secrecy. Still, its prowess is apparent: In 2018, Cortex won two awards. The iSANZ Awards dubbed Cortex ‘Best Security Project’ and the Institute of Public Administration (IPANZ) recognised Cortex in the Excellence Award for Building Trust and Confidence in Government.

“Much of what we do is classified by necessity so it was fantastic to be able to win awards that recognise the services we provide to ultimately protect organisations and New Zealanders,” says Hampton.

Malware-Free Networks is a threat detection and disruption service similar to Cortex, but it is more widely available through cybersecurity providers and managed service providers. It also provides a curated threat feed informed by information from various sources, including classified ones, from the NCSC and its partners. Malware-Free Networks protects all organisations of national significance.

The service has been live since June, and the NCSC is working with network operators and commercial security service providers to enable the Malware-Free Networks service to be offered to their existing customers and accessible within the IT security market to new customers.

The NCSC’s Cortex and Malware Free Networks services aren’t available to every New Zealand business or individual. So who else can help out when an incident happens? CERT NZ is the next port-of-call.

CERT NZ
 
A CERT is a Computer Emergency Response Team. CERT New Zealand (CERT NZ) was established in 2016 as an agency that provides security updates, and it investigates and reports security risks to businesses, IT teams, and individuals.

CERT NZ works with other government agencies and other CERTS worldwide, such as AusCERT (Australia), HKCERT (Hong Kong), and US-CERT (the United States). 

The agency also partners to share intelligence, update and technical advice alongside the Department of Internal Affairs, the NCSC, the New Zealand Police, Netsafe, and international partners in Australia, the United States, Canada, and the UK. In addition, CERT NZ runs a Pacific Partnership Programme that supports Pacific countries to build their cybersecurity capabilities. 

CERT NZ director Rob Pope explains, “We help protect people in three main ways: We analyse the international cybersecurity landscape for what threats and vulnerabilities are relevant to New Zealand, and pass on these warnings so that others can be vigilant. Secondly when an incident occurs, we are there for people to report to so we can offer our trusted and expert information and advice to help them deal with and recover from the attack. Lastly, we raise awareness of cybersecurity impacts and deliver up to date, actionable advice on cybersecurity best practice.”

Pope says ransomware is amongst the most disruptive types of attacks in New Zealand and worldwide. Still, there are also lessons to be learnt from the speed at which attackers can exploit software vulnerabilities to conduct attacks. Every three months, CERT NZ publishes a Quarterly Report, which touches on the most commonly reported security incidents. 

“The pressure is on organisations to be able to get their software updated before they can be impacted. Cybercrime is opportunistic and we see small to medium businesses being targeted frequently, and in the current economic climate as budgets are tightly constrained, often cybersecurity might seem like a line item organisations struggle to afford.”

Pope believes it’s important for businesses and New Zealanders to report cyber attacks or online fraud quickly.

“Incident reports are important because we can offer immediate support to help understand, mitigate and recover from cyber attacks. We can act as a triage service, putting people in touch with the right law enforcement contacts, and advising where to turn for IT help.”

CERT NZ treats all reports as confidential, and those submitting reports need only share as much as they feel comfortable.

He adds, “We are seeing attitudes move away from the ‘shame’ of being a victim of a cyber attack and people becoming more willing to report them and ask for help. The more reporting done, the more awareness and knowledge we're building, and the more we're helping each other to keep secure online.”

You can report cyber attacks, security breaches or online fraud at cert.govt.nz/contact-us.

New Zealand Police

The NZ Police Cybercrime unit was created in 2009. Back then, its focus was to coordinate the response to technically complex crimes. It had a dual reactive and proactive focus on these crime types. Five years later, the unit expanded to cover complex and serious cybercrime, including the Cryptopia theft and the recent Waikato District Health Board ransomware attack.

The team works closely with other New Zealand agencies, including the NCSC, CERT NZ, Netsafe, the Department of Internal affairs, and international partner organisations like INTERPOL and other like-minded law enforcement agencies. 

The Police Financial Crime Group Asset Recovery Unit has also been involved in investigating money laundering and cybercrime when New Zealand organisations get caught up in the mess. A prime example of this type of event is the Canton Business Corporation and BTC-e investigation, which resulted in the largest restraint of funds (NZ$140 million) in New Zealand Police history.

“New Zealand Police recognises cybercrime is a growth area which requires a targeted and meaningful response. We are continually working to strengthen the strategies Police use to address this type of offending,” says NZ Police Cybercrime Unit detective senior sergeant Greg Dalziel.

Dalziel echoes observations that ransomware attacks, cryptocurrency scams and business email compromise scams are becoming more common.

“Outside of this there are the volume crime cases where the losses are smaller, and often not connected to a particular campaign, hitting New Zealand."

"Prevention messaging remains a key response to cyber enabled crime. There is often a user interaction that results in the loss, and if we can prevent this occurring, we can stop a crime before any loss occurs.”

Netsafe

Netsafe is a charity whose mission is to work with schools, parents, education providers, and the wider public. Netsafe aims to encourage positive use of technology, prevent online harm, and provide support for people who have negative and often devastating online experiences. The agency has been operating for 20 years and runs a confidential, free helpline and other services.

Netsafe CEO Martin Cocker says, “Individuals are never more than a few clicks away from trolls, bullies, scammers, objectionable content and a range of other unpleasant online experiences. According to Netsafe’s research, one in five adults and nearly twice as many young people received a digital communication that had a negative impact on their life."

“Our job is to make it easier for people to enjoy the opportunities being online offers and to help them if something goes wrong. We do this by providing free support, advice and education, and by working collaboratively with the community, tech industry and Government.”

Netsafe and its collaboration partners strive to achieve the best outcomes for New Zealand. The agency is involved in everything from the Facebook Safety Advisory Board and the Twitter Trust & Safety Council to working groups such as the Global Internet Forum to Counter Terrorism (GIFCT), the NZ Pornography Working Group, and many partners in between.

Over the last couple of years, Netsafe noted a rapid uptake in technology during the pandemic, which has produced benefits and downsides for New Zealanders. Unfortunately, the negatives added to existing anxiety about health, stress, and physical separation. Cocker says that during this time, many people contacted Netsafe for self-help and incident support. Unfortunately, these experiences have sometimes resulted in physical, financial, and psychological harm, decreased user confidence, and undermined the digital economy and social investment.

“Some of the main threats facing the community relate to misinformation, the need to build resiliency, and providing equal access to content. Large parts of the internet function as an egalitarian platform. This means that the infrastructure of the internet treats the information it delivers as functionally equivalent,” he says.

In other words, the internet can present a scam and a genuine service alongside each other almost in the same breath. Fringe ideologies can divide people and also create their own communities. While the internet does have platforms, moderators and online safety mechanisms, they can’t always catch content designed to misinform or misdirect people.

“With more and more contentious issues debated online, many of these centring around internet technologies themselves, it takes a team effort to support people who have been the subject or recipient of this content and to better develop tools and processes to reduce this in the long term,” says Cocker.

"Aotearoa New Zealand’s digital society is full of challenges, and some are highly complex – but there are organisations people can turn to for help. There are processes, systems, self-help advice and tools that work – if only we can connect people to them fast enough.”

You can report an online safety incident on Netsafe's website at netsafe.org.nz/reportanincident.

New Zealand’s cybersecurity sector - diversity, pathways, and careers in homegrown tech

One of the most important ways to develop New Zealand’s cybersecurity capabilities is through fresh thinking, recruitment, and skills development. But this can be difficult - the world is facing a technology skills shortage, especially in cybersecurity. Private organisations and universities also offer scholarships and degrees, but what are our government agencies doing to help?

As an equal opportunity employer, The GCSB runs initiatives such as the Gender Pay Gap Action Plan and Diversity and Inclusion Strategy to attract more women, Māori, Pacific and Asian peoples within the GCSB and NZSIS. If that wasn’t enough, the GCSB also runs Women in STEM scholarships to help pave the way for STEM careers and within the GCSB itself. To top it off, The GCSB received the Rainbow Tick for diversity and inclusion.

Hampton says diversity and inclusion are important to the GCSB - as they should be for any organisation. The cybersecurity industry is facing challenges that require many different perspectives to solve. Diversity is not just about the usual things like gender, ethnicity, or sexuality - it also means different ways of thinking. Groupthink, Hampton says, is not welcome.

The GCSB is also growing as the Government invests more in New Zealand’s security. That means the bureau needs to represent the very New Zealanders it serves. 

“Organisations like ours operate in secret by necessity, but it’s also important that we’re open to people with different views and different perspectives, and that we reflect New Zealanders. That’s what we try to achieve through our recruitment.”

“Cybersecurity is a great career to pursue, particularly when there is a skills shortage. If you’re after job security and if you want an in-demand role, cybersecurity is a great fit. It helps if you have a technical background so STEM (science, technology, education and mathematics) subjects are important, but you also need to balance that with curiosity, an understanding of context, and a keenness to learn.”

He continues, “Cybersecurity doesn't exist in isolation. It's actually something that should be pervasive in business and in society. Even if your aspiration isn't to have a career in cybersecurity, learning something about it's going to be important for whatever job you do because it's likely to involve technology in some form or another. Technology also creates a whole lot of risk and so having some understanding of that and how to manage it will be important whatever you choose.”

Rob Pope adds on behalf of CERT NZ, “The best way to get involved is to find your local cybersecurity community groups. Often there will be technical or social meetups. These are excellent ways for people looking to join the field to learn from people involved in the industry and get advice on how to move into cybersecurity as a career path. There are also tertiary study options now.

“The other important thing is to just be curious, as there are a wealth of resources available to learn about cybersecurity available, and anyone can dive in and begin learning about the field.”

Public Interest Journalism Fund logo
Public Interest Journalism funded through NZ On Air.
Related stories
Top stories
Story image
Cybersecurity
Could New Zealanders initiate a cyber attack from within?
The threat landscape is significantly increasing worldwide, and the opportunities it presents are a growing concern in Aotearoa.
Story image
PIJF
The path to bolstering supply chain security in New Zealand
A significant amount of today's business and leisure activity relies on IT supply chains. From complex international freight trades to local small business distribution channels, any supply chain that involves IT infrastructure serves as a crucial tool in our daily lives. 
Story image
Digital Transformation
SAP partners with New Zealand Rugby for digital transformation
The multi-year partnership will see SAP advance NZR with its organisational operations, team performance, fan experience and sustainability goals.
Story image
Microsoft
Microsoft NZ and TupuToa to boost diversity in cybersecurity sector
Microsoft NZ has teamed up with TupuToa to co-develop a cyber security employment programme specifically aimed at creating more diversity in Aotearoa's cybersecurity sector.
Story image
Apple
Apple previews new features for users with disabilities
Apple says new software features that offer users with disabilities new tools for navigation, health and communication, are set to come out later this year.
Story image
Wireless
Hands-on review: Steelseries Aerox 9 Wireless and Aerox 5 gaming mice
Steelseries offered two interesting mice for review, the Aerox 9 Wireless, aimed at MMO/MOBA players, and the Aerox 5, a wired mouse for multi-genre use.
Story image
Logitech
Logitech releases new mouse with ergonomic and sustainable focus
Logitech has announced the Logitech Signature M650 Mouse and the Signature M650 for Business Wireless Mouse, both with new ergonomic features and capabilities.
Story image
Wireless
Sony to bring new 1000X series WH-1000XM5 headphones to the market
Sony has announced the newest edition of its award-winning wireless headphones, with the 1000X series WH-1000XM5 noise-cancelling model.
Story image
TUANZ
TUANZ to address rural connectivity at 2022 symposium
TUANZ is hosting the Rural Connectivity Symposium for the first time in person since 2019, providing a forum to discuss the state of rural connectivity.
Story image
Gaming
Hands-on review: The A500 Mini Retro Gaming Console
Retro Games, the UK outfit responsible for a range of retro gaming devices from joystick to full-sized Vic-20s and C64 emulators, have launched their A500 Mini Retro Gaming Console.
Story image
Gaming
PNY launches XLR8 Gaming EPIX memory products in A/NZ
PNY has launched its XLR8 Gaming EPIC-X RGB™ DDR4 Silver 3200MHz and 3600MHz memory products in Australia and New Zealand.
Story image
Gaming
Hands-on review: 32GB PNY XLR8 Gaming MAKO 6000MHz DDR5 memory kit
PNY’s XLR8 Gaming MAKO DDR5 memory modules are designed to get the most out of systems based on Intel’s 12th generation Alder Lake CPUs.
Story image
Microsoft
Microsoft unveils adaptive accessories for disability access
Microsoft is introducing an expansive Inclusive Tech Lab to give people with disabilities greater access to technology through new software features and adaptive accessories.
Story image
Jabra
Jabra reveals its latest portable headset Engage 55
Jabra has launched the Engage 55, the newest product in Jabra's Engage series designed for ultimate call security and quality.
Story image
Digital Signage
MAXHUB's Digital Signage range to bolster boardroom productivity
The new MAXHUB Digital Signage technology is purpose-built to make every kind of team meeting more effective.
Story image
Review
Hands-on review: MSI MPG Z690 Carbon WIFI motherboard
It’s all change with Intel’s 12th generation CPUs. We have a new chipset in the 600-series, a new socket with the LGA 1700, and new DDR5 memory.
Story image
IDC
IDC finds 3.9% decline in worldwide tablet shipments
Preliminary data from IDC's Worldwide Quarterly Personal Computing Device Tracker has found tablet shipments reached 38.4 million units during Q1 2022, a year-over-year decline of 3.9%.
Story image
Review
Hands-on-review: Creative Outlier Air V3
Creative is back with the third version of its affordable Outlier Air wireless earbuds range - aptly named the ‘V3’. And this time, they come boasting ambient mode and active noise reduction.
Story image
Collaboration
TikTok launches community-inspired effect capability
TikTok has announced the launch of its Effect House feature to allow its users to create and share Community Effects.
Story image
Phishing
WhatsApp and QR codes the next scam threat - report
KnowBe4 has warned it expects to see an increase in QR Codes and the WhatsApp chat platform being used for phishing and other scams. 
Story image
Wireless
Hands-on review: HyperX Pulsefire Haste wireless mouse and HyperX Pulsefire XL Mat
With its lightweight Pulsefire Haste wireless mouse and RGB lit Pulsefire XL Mat, HyperX sets out to up your game and add a little colour to your desktop.
Story image
Gaming
Mastercard users can now use rewards points in gaming
Mastercard has launched Mastercard Gamer Xchange (MGX), allowing APAC consumers to convert their rewards points into gaming currency.
Story image
Surveillance
i-PRO releases smallest AI-based surveillance camera on the market
The new i-PRO mini network camera is now available, with a pocket-sized form factor and full AI analytics functionality.
Story image
Chorus
Chorus and Nokia launches first trial of 25G PON broadband
Chorus and Nokia have announced the successful demonstration of 25 gigabit per second fibre (Gbps) broadband technology at the Chorus Fibre Lab in Auckland. 
Story image
Digital Marketing
Getty Images delves into the world of NFTs with Candy Digital
Getty Images and Candy Digital, the next-generation digital collectible company, have announced a new multi-year partnership agreement.
Story image
Sony
Sony launches LinkBuds S - the latest model in the series
Sony says the LinkBuds S will give users a unique sound experience through sensor and spatial sound technology, even in AR games.
Story image
Poly
Poly introduces new smart devices and announces Amazon e-store in Australia
Poly is introducing two new pro-grade devices to the market and announcing its first official Australian e-store on Amazon.
Story image
Dynabook
Dynabook refreshes Portégé X30L series with the Portégé X30L-K
The new model contains hybrid-architecture Intel 12th Gen Core P-Series 28W processor options, Wi-Fi 6E, along with Intel Iris Xe graphics.
Story image
Review
Hands-on-review: GoPro Hero 10
I have a long history with GoPro; I still remember getting my first camera when I was 16, using it to film Parkour and the day I lost it down a dingey crag. 
Story image
Review
Hands-on review: Amazon Kindle Paperwhite Signature Edition
In almost every respect it works like a book, apart from the fact that it weighs next to nothing, fits in my hand perfectly, and is soothing on my eyes.
Story image
D-Link
D-Link launches new G415 Smart Router as part of EAGLE PRO AI range
D-Link A/NZ has announced the launch of its new G415 AX1500 4G Smart Router as part of the new EAGLE PRO AI Series.
Story image
Artificial Intelligence
Google to enter the smartwatch market with the Google Pixel Watch
Google has provided a first look at its new Google Pixel Watch, which is set to make an entry into the competitive smartwatch market.
Story image
Design
Dynabook launches new Tecra A40-K and A50-K models
Dynabook has announced two new additions to its Tecra range, with both said to help promote flexible working solutions while also reducing the strain on IT managers.
Story image
Wireless Nation
Wireless Nation, N4L provide 4G network to remote NZ schools
Wireless Nation and Network for Learning (N4L) have rolled out the Rural Connectivity Group’s (RCG) new 4G network to better connect three Chatham Islands schools.
Story image
Corsair
Hands-on review: Corsair 32GB Vengeance 5200MHz DDR5 DRAM kit
Corsair’s Vengeance 5200MHz DDR5 DRAM offers PC users an entry-level upgrade to the new memory standard allowing them to get a little bit more out of their new Alder Lake CPUs.
Story image
Gaming
Hands-on review: WD_Black SN770 NVMe SSD Game Drive
Western Digital expands its WD_Black range of NVMe solid-state drives with the WD_Black SN770 Game Drive.
Story image
Mobility
Hands-on review: STM laptop bags
The advent of hybrid working has meant we need laptop bags. We got our hands on two of the most popular laptop bags from STM.
Story image
Norton
Hands-on review: Norton Anti Track 19 software
We get hands on with Norton's new privacy tool that was introduced in March 2022.
Story image
WolfVision
WolfVision announces new range of visualisers
WolfVision has announced a new range of visualisers to help meet multiple industry demands for remote learning and educational solutions.
Story image
Microsoft
Microsoft backing Māori and Pacific wāhine in tech industry
A new initiative focused on getting Māori and Pacific wāhine into the tech industry and backed by Microsoft, NZTech and the government is calling for tech companies to get involved.
Story image
Wireless
Hands-on review: Technics EAH-A800 Noise Cancelling Wireless Headphones
Designed in Osaka, Japan, these headphones just exude quality. They aren’t heavy, but they feel well built and solid.
Story image
Mobility
Tyson Beckford partners with Element Case on new AppleWatch band
Celebrity Tyson Beckford has collaborated with STM Brands' Element Case brand to create a rugged new accessory.
Story image
Sustainability
The AI Forum helps NZ pave the way with AI sustainability practices
Non-profit organisation The AI Forum is helping Kiwis learn about addressing climate change issues through the use of AI technology.
Story image
First Table
First Table set to revive restaurant commerce in NZ with platform launch
A new restaurant booking platform has launched in New Zealand, giving Kiwi diners the opportunity to save and book at a variety of restaurants around the country.