
DEFSECMEDIA

DEFSEC Media is New Zealand's defence, security and fire B2B/B2G publishing group. Our leading magazines, NZ Security, Fire NZ - and our latest title - Line of Defence, are read by key business, government and military decision makers. This website is the online home of cutting-edge content from each of our titles.


 

New Zealand lacking true dialogue on cyber security

NZ Security, Feb/Mar 2017

Massey University's Dr Andrew Colarik paints a dystopian picture of NZ cyber resilience.

 

December’s NZ Security Magazine covered cybersecurity expert Andrew Colarik’s presentation to Massey University’s Future NZ Forum held at Auckland’s Aotea Centre on November 10. Here, we catch up with Dr Colarik to talk about what needs to happen to make New Zealand truly cyber resilient.

 

Internationally we’re linked

In his November 10th talk, Dr Colarik warned that New Zealand hasn’t invested heavily enough in infrastructure to make the country resilient against denial-of-service attacks, or to keep data safe.

The problem, he said, “is that the infrastructure we have built is scaled for New Zealand’s population, but that same infrastructure connects us to the rest of the world.”

His argument is simple. New Zealand covers a population of 4.5 million and – at any given time – around, say, one million visitors. That means our infrastructure needs to be able to handle six million users at full capacity. It’s a drop in the bucket relative to the populations of, for example, Indonesia and China, which could easily overload our entire infrastructure.

“If only one percent of mobile devices globally were to be focused on attacking New Zealand via Denial of Service (DoS), then we’re done for.” It’s not about population-based usage, but rather the need for our infrastructure resiliency to match the global reach of our connectedness.

“We connect to the world via four undersea cables. Increase the number of cables and where they go,” he suggests. “There are lots of ways to connect up. It won’t mitigate the risks completely, but this is the kind of thinking we need to be having.”

 

Domestically we’re isolated

With New Zealand’s international connectedness a source of cyber risk, it is the ‘organisational isolation’ of our government agencies and businesses that – ironically – is one of our biggest barriers to addressing the threat.

“The government is doing exactly what everyone else is doing. It’s a ‘siloed’ cyber security effort – organisation based. Each agency has its own approach but using the same playbook. They would say that it's connected because they’re using the same set of standards. We’re still operating at the organisational level, just multiple baskets of it.”

 


“Within government, cyber efforts are not operationally connected,” explains Colarik. “Responsibilities for cyber are heavily distributed, rather than being a unified platform for policy and operational excellence.”

The result is an absence of a larger strategic, long term approach – an absence that isn’t helped by an eight-page New Zealand Cyber Security Strategy that reads more like an introduction to the topic than a meaningful, future-thinking strategy for comprehensive national cyber resilience.

 

We lack real public-private partnership

Government is in a great position to do something about this. The problem, says Dr Colarik, is politicians. Cyber is a national security problem that is more than just the government’s responsibility to address, he says, but politicians tend to deal only with the biggest corporate players.

The big players are important, as our telecommunications infrastructure is in the hands of monopolies or those in a monopolistic position. But it is the disproportionality of input, he argues, that needs to be eliminated. “We need cross collaboration between a diverse range of agencies, organisations, large enterprises, SMEs and citizens.”

“The reality is that information is now integrated into our daily lives – so all people need to be part of the dialogue to solve this. The whole of society uses the infrastructure, so the whole of society needs to be consulted on policy.”

It’s a symptom, he says, of the larger environment. “We’re all connected now. You cut someone off from what they are used to and you have a major problem.”

Citizens understand this, but business not so much. This is because the ‘modality’ of business is efficiency, and until security rises to a critical level of acknowledgement or importance, people will not do anything about it.

“When your EFTPOS card doesn’t work, now it becomes important. The more dependent we become, the more likely we will do something about it when a catastrophic event occurs.”

“If government sent a cyber infrastructure representative from each agency, and each top-100 business sent one representative and every association sent one representative to a conference to have actual dialogue you’d be so far in advance of any other nation on cyber policy.”

 

We need policy, not legislation

Ultimately, it comes down to a question of how much of cyberspace New Zealand actually controls, and what we can control.

According to Colarik, we can control the information we’re putting through the system, and we can control partners’ access to our slice of the internet, but little else.

“We can mandate that personal data packets stop at our border, or that software has this filtering capability built in,” he suggests, “and we can work with a coalition of other nations to develop protocols around this.”

He sees the potential for solutions as lying in policy as opposed to legislation, but says that existing approaches continue to be grounded in the latter, not the former. “We’re not focused on policy; we tend to see things in terms of regulation and law or otherwise total free market.”

 

Understanding risk and consequence

Colarik has a deeper appreciation of – and respect for – cyber security threats than most. He doesn’t carry a smartphone, preferring an old school Nokia with a screen that clearly accommodates nothing more than a phone number.

The security endeavour is a layered approach. “At its foundation it is insecure, with layers of security needing to be added to it,” he explains. “It is ultimately an exercise in risk management in which risk can be lessened but not eliminated.”

The problem is that the market doesn’t necessarily see it that way. “For 15 years I’ve been pushing a giant rock uphill, but now there’s no rock and no hill,” he says, alluding to the market’s claims that today’s solutions provide adequate threat coverage.

“Globally, $100 billion has been invested annually in cyberspace infrastructure over the past ten years, but the size of this investment has done little to shore up the overall security of this environment.”

Like the array of other non-military threats we face, such as earthquakes, extreme weather events and terrorist attack, Colarik sees the potential of a catastrophic cyber event as a case of not ‘if’, but ‘when’. And it’s a certainty of likelihood matched by severity of consequence.

Here, he uses the example of 9/11. The damage inflicted by that singular event on the US, he explains, was far in excess of the immediate loss of life. It affected the very fabric of the nation.

“Societies and economies have momentum. When a country loses its momentum, culture can shift and bad things can happen.” Many of the very things that we take for granted, such as our sense of safety and security, law and order and economic wellbeing, can – in an instant – be changed for the worse.

It is not dissimilar to the type of societal disruption – or discontinuity – that might be experienced in the wake of a large-scale cyber attack.

One day we’re sharing our lives via Facebook, the next we’re not connected… to anything… at all. We functioned just fine in the pre-internet world, but that’s history, and our present – for better or worse – is wholly dependent on our shared assumption of full-time connectivity.

Dr Colarik’s message is as dystopian as it is simple: we need a cultural shift in relation to how we acknowledge and collectively mitigate against cyber threat… otherwise we run the risk of an attack that will change our culture for us.

 
