
No easy solutions for our cyber spooks to keep the country secure, Juha Saarinen notes


At the recent press conference on the cyber attacks against New Zealand, the UK and the US, the director-general of the Government Communications Security Bureau (GCSB), Andrew Clark, said with barely concealed exasperation in his voice that "we're not a national firewall".

Clark was referring to his agency's expanding role in ensuring New Zealand's cyber security posture is sound, a mission that's not getting easier with time. 

On the face of it, placing a firewall that sanitises digital traffic destined for New Zealand, and blocks the bad stuff, on the nation's network perimeter seems reasonable enough. We try to do that with physical goods after all.

In reality, as any information security professional will tell you, network perimeters went away a long time ago. Mobile devices, everything being Internet connected and potentially remotely accessible, and cloud services hosted goodness knows where by outside organisations are all very hard to secure.

GCSB has operated a firewall of sorts, CORTEX, for over a decade now, which is aimed at protecting important organisations from Internet-borne malware and other threats.

It wouldn't be too far-fetched to surmise that the experience from operating CORTEX has taught GCSB a thing or two about what it actually means to protect a fair number of networks against ever-developing cyber threats. Never forget that the whole hacking thing amounts to very asymmetric warfare: defenders have to monitor and secure everything, whereas attackers usually just need to find a single point of entry to be successful, and it's often not obvious that they're in your network until months after.

Furthermore, if you look at the number of entry points that the Chinese Advanced Persistent Threat 40 (APT40) hackers menacing New Zealand have amassed over the years, they have lots of options to choose from. There are likely to be more that security researchers don't know about.

It's not always clear either that something seemingly innocuous and useful can be weaponised - in a lethal fashion too. Last year concerns about Chinese-made Internet connected cameras surfaced. Some allied countries like Australia, the US and UK started to remove them from sensitive buildings, but apart from the obvious espionage use case, it wasn't spelt out what the threat of the cameras would be.

How about directing ballistic missile fire and attack drones? In January this year, Ukraine's state security services said they shut down IP cameras that were used by Russian intelligence service hackers to surveil defence buildings. The cameras, set up in a residential block to monitor a car park, were used by the Russians to observe anti-aircraft defences and to correct missile fire, the Ukrainians said.

It's unclear how the Russian hackers took control of the IP cameras, although it is known that the software for Hikvision ones contains critical, exploitable vulnerabilities. For Russia, which does not have the satellite targeting capabilities of Western nations, literally having eyes on the ground is a massive help for its terror bombing campaigns, which are designed to kill and maim civilians and cause maximum infrastructure damage.

Ukraine security services are now trying to block the IP cameras and are warning people not to use them, particularly for cloud connected surveillance.

Long story short, in a scenario where entire populations unwittingly compromise cyber security, it's quite a challenge for an agency like the GCSB to do something about it.

There are initiatives afoot to change the thinking behind security architectures, like enterprises moving to Zero Trust, which assumes no devices can be trusted and that they have to be verified (and verify themselves), which may limit intrusions and the "blast radius" of successful break-ins.

That's all work in progress though, and likely to take a while to achieve its goals with much educational effort required because cyber security is not at all easy to understand, and often considered a nuisance by non-technical users who just want to get on with whatever they're doing.

So crack open a cold one for our cyber spooks. They have their work cut out for them, and it's not going to stop any time soon.


1 Comments

Thanks. Very informative.
