Links & thinks: refreshing the cybersecurity strategy

A blog by Ben Creet, on 30 April 2018.

The Government has announced a refresh of the National Cybersecurity Strategy (the Strategy). Released in 2015, the current Strategy has made some good progress, but with a new Government and a new Minister there is a desire to undertake a refresh. In 2015, when the Strategy was released, we wrote about the (then) new strategy and what it said.

Minister Curran has set out, at a high level, the types of questions and the breadth of topics that the refresh will consider. The Minister's press release states that the refresh will include a number of things; the more interesting ones for international relations thinkers include:

  • testing whether our institutional arrangements are optimal
  • thinking about more structured engagement with the private sector
  • considering what more needs to be done to address cybercrime
  • expanding our international efforts and looking at deterrence mechanisms.

Let's unpack those topics.

Optimising our institutional arrangements

Institutions are important, and in terms of national cybersecurity one of the most important is the national Computer Emergency Response Team (CERT). The biggest success of the 2015 Strategy was the creation and funding of CERT NZ, New Zealand's first national CERT. It took a long, long fight and process to get it the green light. At InternetNZ we are big champions of CERT NZ and want to see this vitally important part of national cybersecurity infrastructure grow, mature and own its special place in our society.

In terms of international cooperation, having a national CERT is actually rather important. National CERTs turn to their counterparts to help deal with international crises and incidents such as

The UN's Group of Governmental Experts that worked on cyberspace issues managed to agree on very little. But they did agree that national CERTs are important, that they should not be leveraged for intelligence, espionage or cyberwarfare, and that States should not target one another's CERTs.

So, while testing our institutions is good, I do have a concern that this is code for reviewing whether CERT NZ should be closer to the National Cyber Security Centre (NCSC). That would be bad: moving our brand new, independent CERT closer into the NZ Intelligence Community (NZIC) would go directly against the agreed international norms for CERTs.

As a small nation that supports the international rules-based order and works to build so-called cyber norms, we should keep CERT NZ as far away from the NZIC as possible. If the NCSC and CERT NZ are going to be closer, then it should only happen on the basis that the NCSC moves out of the NZIC, rather than CERT NZ moving in.

More structured engagement with the private sector

I'll save this topic for later, as I want to cover something broader than "private sector partnerships": multi-stakeholderism.

Considering what more needs to be done to address cybercrime

First, I sincerely hope that the refreshed strategy does not include an attempt to "do something" about encryption. It would be highly ironic if the New Zealand Government sought to implement laws or policy weakening encryption (a cybersecurity tool) as part of a cybersecurity strategy. Here's hoping it does not come to that.

Secondly, speaking as someone who worked on cybercrime policy back in the day: rather than thinking about what needs to be done to address cybercrime, this strategy should finally implement the things we already know are needed. The obvious example is the Council of Europe's Convention on Cybercrime (the Budapest Convention). Examining whether to accede to the Budapest Convention has featured in three previous government strategies on cybersecurity or organised crime. Officials need to stop talking about thinking about doing something about cybercrime, and put in the effort to accede to the Convention (and make the necessary legislative changes).

Expanding our international efforts and looking at deterrence mechanisms

I fully expect this strategy to produce a "Cyber Ambassador", similar to the role that Tobias Feakin holds for the Australian Government. It makes sense for NZ to follow our close allies in setting up a dedicated diplomat, or team, for Internet issues that relate to governance, jurisdiction, terrorism and transnational crime. "Cyber" is really big, and if NZ is going to keep being a useful, human-rights-enabling voice for State norms in cyberspace, then having someone dedicated to that job is likely to have merit and is at least worth trying.

The deterrence mechanisms comment is... interesting. The 2016 NZ Defence White Paper contains a similar statement about NZ's deterrence capability. From a scholarly deterrence theory angle, deterrence would require a dramatic increase in our cyber warfare capabilities, active declaration of them, formal signalling of red lines and communication of credible consequences for crossing them. More likely, given our status as a small trading nation with a small and limited warfighting capability, the Government will be looking at stepping up naming and shaming, deterrence through entanglement, deterrence by denial and other small "d" deterrence activities.

Injecting multi-stakeholderism into our cybersecurity strategy

The current Strategy is very focused on multilateral efforts and government-to-government initiatives. The refresh, and the Cabinet paper prepared by the Department of the Prime Minister and Cabinet (DPMC), refers to anyone outside government as "the private sector".

In Internet governance there is the concept of multi-stakeholderism, which seeks to bring interested and engaged parties from government, civil society, the technical community, business and academia together to collectively discuss and consider how to deal with issues that affect us all. Putting aside the case for injecting multi-stakeholderism into the development of the refreshed strategy itself, I want to point out the need for the Government to engage in existing Internet governance and multi-stakeholder fora as part of this new, refreshed strategy.

The meetings of the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Engineering Task Force (IETF), the UN-sponsored Internet Governance Forum (IGF), RightsCon, the regional IGFs and the Jurisdiction and Internet project are all examples of multi-stakeholder events and processes that help govern the Internet we have, and that will shape the Internet in years to come.

A huge amount of influence over, and shaping of, our collective future goes on in multi-stakeholder fora and processes. Unfortunately, the New Zealand Government either has a minimal presence at, or is absent from, most of these events and processes. If concepts such as international cooperation and partnership continue to be important for New Zealand's strategic cybersecurity goals, then engagement in the Internet's fora and ways of working is necessary and important: these are the places and processes where the future of the Internet, including cybersecurity, is being discussed and progressed.

Getting something as great as CERT out of the new strategy?

Finally, if the new strategy can secure something as useful as the creation of CERT NZ was under the previous strategy, then I almost don't care what the rest of it says, so long as it doesn't harm our collective cybersecurity or make it harder for the rest of New Zealand's cybersecurity community and profession to get on with making us safer and more secure. The previous strategy enabled New Zealand to finally have a national CERT that works for and with our Internet community. More of the same this time around, please!