The Government's latest budget increases the money made available to ward off cyber attacks against critical national infrastructure

The Government is increasing funding to protect vital infrastructure from cyber attacks.  

Extra money was unveiled in last week's budget for this purpose. The money will go to a sub branch of the Government Communications Security Bureau (GCSB). 

It is the National Cyber Security Centre (NCSC), and its extra funding is going up by $1.7 million, $2.0m, $2.7m and again, $2.7m, over four years.  This is on top of the NCSC's existing expenditure. That money comes out of the total budget for the GCSB, which at $234m is eight times what it was 20 years ago.

In its statement, the Budget says the extra money will pay for "technical advice and engagement to improve the cyber resilience of critical national infrastructure."

The statement does not say what the infrastructure is, but comments over several years have listed several key installations, such as police national headquarters and the control room at Transpower that runs the national electricity system. 

There have been several reports of cyber attacks on electricity grids overseas, either by state agencies or by criminal gangs.

The Minister in Charge of the GCSB, Andrew Little, is keeping quiet about the latest budget announcement, beyond saying the Budget continues the Government's work of "investing in the strategic capabilities and operational effectiveness of our intelligence agencies.

"The NZSIS and the GCSB contribute to New Zealand's national security, our international relations and our economic and general wellbeing," Little says.

The moves in the Budget follow repeated warnings that the danger of cyber attacks is constantly rising.

The most recent report by the NCSC cited 350 cyber attacks in a year on "nationally significant organisations." Of those, 118, or 34%, had links to "suspected state-sponsored actors."  Since 2016, the NCSC says it has prevented an estimated $317m worth of harm to nationally significant organisations.

While the NCSC has responsibility for cyber security at the highest level, a lot  of operational work for New Zealand businesses and individuals is overseen by the state agency CERT NZ.   

Its most recent quarterly report says over 8000 incidents were reported in 2022, of which about one fifth involved financial loss, amounting to $20m. 

CERT NZ reports that after rising for five years, the number of actual incidents dropped slightly last year, though the value of financial losses rose.

This matches comments from NCSC, which says the number of incidents slipped last year, but their intensity and sophistication increased.   

'It is not a thing we take as seriously as we should'

Commenting on these dangers, a private sector cyber expert said any extra money was welcome, but the Government could have increased funding still further. 

Adam Boileau, Executive Director of security, testing and assurance at cyber security provider CyberCX, says the hacks that people learn about are just a fraction of the total number of attacks that actually happen.

"It is not a thing that I feel we take as seriously as we should," he says.

"Also, the New Zealand Government is not super forthcoming about some of these things. I think we are a very trade-focused nation and the Government is always trying to put a rosy picture on everything.

"Trade is the main part of our international relationships and not great power conflict."

But Boileau says cyber attacks are a serious menace and the Government needs to take them as seriously as other countries are doing.  

In contrast to GCSB funding, the work of the New Zealand Security Intelligence Service (NZSIS) is not getting significant increases, with just over half a million dollars in extra funding each year, suggesting the tradecraft of spies is not changing exponentially year to year, as that of striving to combat computer hackers is.   

*Also see: Geopolitics and the rise of cybercrime, and what can be done to fight back against the criminals.