The country’s National Cyber Security Centre has more positive news on voluntary self-reporting

Cyber-attacks against New Zealand’s most critical organizations are evading detection for longer and having a greater impact, new figures from the country’s National Cyber Security Centre (NCSC) have revealed.

However, the NCSC’s latest annual report claims its detect-and-disrupt program – CORTEX – has helped prevent NZ$27.7 million (US$17.7 million) worth of damage from hostile activity in the year to June 30, 2019.

The CORTEX program detects about 12 cyber intrusions a month.

The Cyber Threat Report 2019 (PDF) shows that 83% of reported incidents – characterized as high-impact or affecting nationally significant organizations – were detected before significant harm occurred.

This was down from 85% in the previous reporting period (PDF).

The gap was wider for attacks caught in the final of four incident-lifecycle phases identified by the NCSC, with 12% uncovered in the ‘effect/consequence phase’ compared to 8% in 2017-2018.

“In 2018-19 more incidents were detected at a later (post-compromise) stage in the threat cycle, when actors have been able to establish their presence on a network and potentially have an effect on it,” said NCSC director Lisa Fong.

However, the total number of incidents reported to the NCSC actually fell slightly year on year, from 347 to 339.

State-sponsored activities

Although Fong noted that state-sponsored activities were better resourced and “generally more sophisticated than criminal or non-state activity”, their frequency is clearly not to blame for the overall increase in detection times.

Some 38% of incidents in the 2018-2019 period bore the hallmarks of state-funded attackers, barely changed from the previous year (39%).

Fong admitted that “in previous years more state-sponsored incidents were detected at an early phase before the actors were able to cause harm.”

NCSC analysis informed the New Zealand government’s decision to join allies in publicly condemning Russia and, two months later, China for malicious cyber campaigns last year.

False flag operations, such as Russian government-backed groups’ suspected commandeering of Iranian hacking tools, make assigning blame for state-sponsored attacks a minefield.

The NCSC noted an increase in self-reported incidents, suggesting New Zealand’s business leaders were more aware of their responsibilities around cybersecurity.

This was despite the fact that notifying relevant authorities of data breaches remains voluntary in the country. Since neighboring Australia made reporting mandatory in February 2018, notifications have soared by 712%.

The NCSC produced 121 reports alerting customers to incidents or vulnerabilities in the latest tax year, as well as helping organizations understand the extent and nature of breaches and how to respond.

Efforts to boost organizational resilience have centered on governance, investment, readiness and the technology supply chain, said the NCSC, which was instrumental in the development of voluntary standards for industrial control systems.

Detect and disrupt

The NCSC says the latest harm-avoidance savings it credited to its award-winning CORTEX program – NZ$27.7 million (US$17.7 million) – takes the total figure since its inception in June 2016 to NZ$100 million (US$64 million).

In 2020 the NCSC is expanding a pilot program – called ‘Malware Free Networks’ – for sharing threat intelligence with private and public organizations. Participants receive a threat intelligence feed either directly from the NCSC or via their network operator.

The NCSC works closely with the global infosec community as well as counterpart cybersecurity agencies in the Five Eyes intelligence alliance.

“In today’s globally interconnected world, New Zealand’s relative geographic isolation provides no protection from cyber threats,” an NCSC spokesperson told The Daily Swig.

“Our international relationships provide vital cyber threat insights to inform our cyber defence and incident response work.”
