At last! A CERT for New Zealand

A blog post from Andrew Cushen, Work Programme Director at InternetNZ
6 May 2016

Yesterday, the Government announced that they are providing $20 million over four years to fund the building of a Computer Emergency Response Team (CERT) function for New Zealand - CERTNZ.

We've written a number of times about what a CERT is and why it's important - this is a critical piece of Internet security infrastructure for a modern society like NZ. As such, we're really delighted to finally see action on building a CERT for New Zealand.

At InternetNZ, we've been advocating for a CERT since 2005. You may also remember we've put a lot of effort behind the New Zealand Internet Task Force's work last year in terms of standing up such a function for New Zealand. The NZITF put that work on hold when the Government released its Cyber Security Strategy late last year (on which we published a briefing note).

Yesterday's announcement is a really important milestone. Here are some more thoughts about what we like, and what more we'd like to see, to ensure that New Zealand gets the CERT it needs.

Excellent to see a CERT Advisory Board

Yesterday, Minister Adams started seeking nominations for a new Advisory Board to help her, and the Ministry of Business, Innovation and Employment, spin up and grow CERTNZ. This early-stage, broad community approach to shaping CERTNZ, its priorities, and how the rest of New Zealand's Internet Community can contribute to CERTNZ is excellent to see. We will definitely be considering who we think would be a good addition to this board - so if you're keen, put your hand up. The ConnectSmart site has more information about this advisory board and how to apply.

What does a good outcome look like? Our essential criteria

In 2014, we commissioned some advice from an Australasian expert on setting up CERTs and what New Zealand could, or should, be doing. From this, we have identified some success criteria for creating a new CERT.

  • Incident Response is the essential service of a CERT.
  • A CERT's greatest asset is the trust others have in it.
  • Government support, endorsement and/or funding is critical for long-term viability.
  • A CERT needs to engage a wide cross-section of industry, academia and government when developing its strategic direction.
  • A national CERT needs a close relationship with law enforcement.
  • CERTs need to periodically review and redefine what they do due to rapidly changing technology.
  • A new CERT should initially focus on constituencies not already served by others.

From what we can tell so far, CERTNZ will measure up quite well against these criteria. It will deal with and triage incidents, and the Government is clearly seeking out multi-stakeholder views from across New Zealand through the new Advisory Board.

We'll be keeping an eye on things from here. We have a positive and productive relationship with the National Cyber Policy Office (NCPO), which is responsible for shepherding the CERT into being, and we're working regularly with them to help make this the best it can be.

If you're interested in learning more, Ben is the man to talk to. Ben's email is ben@internetnz.net.nz.

Let us know what you think.