Experts dub Government's $22m investment in a new cyber security strategy toothless without it being mandatory for organisations to report cyber breaches

By Jenée Tibshraeny

Questions are being raised over whether the Government’s commitment to spending $22.2 million to set up a Computer Emergency Response Team (CERT) is too little, too late.

Prime Minister John Key announced at New Zealand’s first ever Cyber Security Summit on Thursday that the investment over the next four years will go towards setting up a group, aimed at getting the public and private sectors collaborating to defend New Zealand against cyber attacks.

The idea is to get those who have suffered a cyber security breach to report it to the CERT, which will be equipped with the resources to provide advice and resources to deal with the aftermath of the incident and prevent it from happening again.

“Presently, many small businesses are not aware of, or don’t have the capability to deal with cyber attacks on their business,” says Key.

“The CERT will assist by working with the major sectors of the economy to ensure they have relevant and targeted information and intelligence about threats.”

Speaking to Interest.co.nz, the Minister for Communications Amy Adams explains: “In terms of information coming into Government, we don’t have a very good picture of that [cyber attacks]. We know some of it, but it’s not comprehensive.

“From the government’s side, we obviously have the advantage of a lot of international co-operation through our security community – through our police networks. But the CERT itself will join up with the international network of CERTs and be able to share information.

“It really is a symbiotic relationship. We need to know what businesses are seeing and experiencing, and businesses need us to share with them the information we’re able to obtain through our international partners and co-operation.”

Why would organisations report breaches if they don’t have to…

Yet cyber security firm Symantec’s technology strategist, Mark Shaw, says the CERT is toothless without it being mandatory for organisations to report significant cyber security breaches.

While he acknowledges the CERT is a step in the right direction, he says it isn’t enough.

He admits there might not be a great incentive for an organisation to voluntarily report a breach to the CERT, other than it being for the greater good perhaps.

He believes making it mandatory to report cyber breaches will encourage organisations to take more responsibility for the data they hold by ensuring their cyber security is up to scratch.

“That for me is where it has teeth.”

He says organisations are aware of the reputational damage a cyber breach could do, so will do what they can to prevent being targeted, especially if they know they can’t just deal with it privately.

“Prevention is better than the cure,” Shaw says.

He maintains the Government should follow the lead of other jurisdictions and implement thresholds around which sorts of organisations need to report breaches, based on their revenue or size for example.  

'It’s unrealistic this can be kept under a veil of secrecy'

The Insurance Council of New Zealand’s chief executive, Tim Grafton, says the insurance industry is yet to form a position on mandatory reporting, yet he personally supports some form of mandatory reporting.

He applauds the Government on the CERT initiative, noting that the $257 million our economy lost to cyber attacks last year is on par with the economic cost of natural disasters.

Yet he says, “On balance, mandatory reporting of some form is required.

“The question is the detail around what level of reporting would be required to be public, and what the sanctions for not reporting would be.”

Grafton acknowledges mandatory reporting could cause organisations reputational damage, so work would have to be done to decide what’s made public.

“The overwhelming argument is that we do live in a world where people have a right to know if their privacy’s been breached. We live in a world where so many people are connected and can be affected. It’s unrealistic this can be kept under a veil of secrecy.

“Having greater transparency does provide a stronger discipline on everyone to have more robust security systems and de-risking is important from an insurance perspective.”

…Organisations will see the value of opting in to the CERT

Adams disagrees.

“My view at this stage is that a mandatory sharing scheme is not the right way to go.

“Other countries around the world have tried that, and they’ve had a limited response to it and it’s been of limited value because companies are very reluctant to be forced to share.

“It’s far better to create a situation where there is benefit to them in sharing, than to create some legal structure where you then have to enforce and push.”

The head of KPMG New Zealand's Security Advisory Services, Philip Whitmore, says organisations in jurisdictions where reporting is mandatory have been known to beef up their security initially, but this hasn’t lasted.  

“We still see many incidents out of the US for example, where most of the states have mandatory reporting,” he says.

“Mandatory reporting or other forms of regulation are just part of the answer.”

Adams adds: “Businesses have felt very vulnerable about admitting any weakness in their systems and so they’ve been reluctant to share that information, and we can understand that, and we don’t want to create difficulties for them.

“But equally, business is starting to understand no one can fight this on their own. What they’ve been looking for is a forum in which they can share in a very trusted space that isn’t going to become public information."

Adams says the CERT will have to work through how to package the information reported to it in such a way it’s helpful, yet remains anonymous.

The Government is seeking to set up an Advisory Board, comprising nine cyber security experts from the public and private sectors, to provide advice on the establishment and operation of the CERT. It’s expected to open its doors at the beginning of next year.

Mandatory reporting still on the cards through a different channel…

Yet the Government hasn’t written off mandatory reporting altogether.  

Wearing her hat as the Justice Minister, Adams says the Government is sticking to its plans to amend the Privacy Act 1993, which will see mandatory reporting made a legal requirement in some cases.

“It’s not going to get down into the, ‘oops I left an email with your name on it at the bus stop’, but if there’s been a significant breach – and we’re working through the crafting of exactly what that is – then there’ll be a mandatory obligation to report that to the Privacy Commissioner and to consider whether there’s a need to report it to all the individuals. This would likely be the case unless the Privacy Commissioner considers it inappropriate.”

Adams can’t confirm when the legislation will be introduced to Parliament.  

Symantec has been lobbying the Government to amend the Privacy Act with much more urgency than it has.

Shaw says that world-wide, there’s been an 85% increase over the year in the number of companies that have said they’ve suffered a breach but have chosen not to disclose how many of their records have been affected, or the extent of the information exposed, because they weren’t legally required to do so. See this story for more on the Privacy Act.

2 Comments

1. We don't have mandatory reporting of other crime, why should we have it for "Cyber Breaches"?

2. There is no legal definition for what "Cyber Breach" even means, so how would a business recognise one in any event?

3. In other places where reporting is mandatory I know of no evidence that shows crime went down, so what is actually achieved for all that cost and effort?

4. "“Prevention is better than the cure,” Shaw says." The implication being Symantec customers don't have Cyber Breaches. Yeah right.

On the other hand, it has been illuminating for Joe Citizen to see what's happening at large Corporate and Government levels through access to material from cyber breaches.

Perhaps the FMA, SFO, and OIO and others could actually harness the skills of some contracted ethical hackers - they may keep the financial landscape cleaner.