NCSC Director Lisa Fong shares cyber insights in 2022 Gallipoli Memorial Lecture

Lisa Fong

NCSC Director Lisa Fong

 

As part of international Anzac Day commemorations for 2022, NCSC Director Lisa Fong delivered the Royal United Services Institute’s (RUSI) annual Gallipoli Memorial Lecture. The RUSI is a leading United Kingdom-based defence and security think tank whose mission is to inform, influence and enhance public debate to help build a safer and more stable world.

As the first woman ever invited to deliver the lecture, Lisa acknowledged the service of women during World War I, as well as the women who served as code-breakers, computer operators and analysts at Bletchley Park during World War II. Lisa also provided insights into the international cyber threat environment from a New Zealand perspective, and reflected on the ongoing importance of international partnerships for our collective defence.

Click here to watch the RUSI’s annual Gallipoli Memorial Lecture delivered by Lisa Fong.

 


Full text of the RUSI's Gallipoli Memorial Lecture by Lisa Fong

Insights on the cyber challenges and opportunities facing NZ and the importance of working with allies to mitigate the increasingly complex global threats that exist today.

 

Ki te whare e tū nei

Ki te papa e takoto nei

Tēnā koe!

 

Ki ngā hōia i tū ki te pae o te riri

Ka maumahara tonu tātou ki a rātou!

 

E ngā iwi o te motu,

e ngā iwi kei tua o ngā moana

Rau rangatira mā

Tēnā koutou katoa!

 

My utmost gratitude to this building and

the earth for its warmth and protection.

To our soldiers who fought at the battlefields

They will not be forgotten

To our people across the lands

And those across oceans

Chiefs one and all

Greetings to you all!

 

Good morning for those of you joining us from the United Kingdom. Good evening to our Australian and New Zealand participants. It is an honour to commemorate Anzac Day with you today.

In the century and more since the ANZAC troops landed at Gallipoli Peninsula, Aotearoa New Zealand has developed a distinct national identity. This can be traced through our public holidays. On Waitangi Day we reflect on the past and future of the Māori-Crown relationship since the signing of the Treaty of Waitangi. This year we recognise Matariki, the Māori new year, as a public holiday.

Observed since 1916 in New Zealand, Anzac Day remains a nationally significant day of remembrance.

These days the vast majority of New Zealanders have not have the privilege of travelling to Gallipoli. With the passage of time and as an increasingly multicultural society we have fewer direct connections to the ANZAC soldiers. I count myself among them.

And yet here in New Zealand, tens of thousands of people have turned out to the Dawn Service and other civic ceremonies around the country. We acknowledge the service of the ANZACS from the Gallipoli campaign and those who served in other theatres of the “Great War”. We remember the conflicts and deployments which have followed and our people at service around the world today. We think of our family and their contributions to geopolitical events that can seem at once personal and remote.

New Zealand’s Anzac Day commemorations have been matched with similar events across Australia, and on a lesser but no less significant scale in the United Kingdom, Turkey and places around the globe where our people have served, fallen and are buried and remembered. ANZAC commemorations remain a vital part of our national psyches.

With all that in mind, I am humbled to be here. When the Royal United Services Institute contacted me inviting me to deliver this lecture, I responded with offhand ‘Greetings from New Zealand’, anticipating they would soon realize they had the Head of the wrong National Cyber Security Centre. Perhaps preferring not to admit their error, here I am. Here we are. Called together to commemorate a time and a place that remains symbolic of something deeper for us all.

I want to acknowledge an aspect of our shared service heritage which our distinguished hosts have brought into focus today. The Gallipoli Memorial Lecture was first held in 1985. I am the first woman to be invited to deliver this address, out of countless more accomplished women in the decades (and cyber security centers) since.  

It is not possible, in a few short words, to properly acknowledge the women who have contributed to our security and wellbeing since 1915. So I offer an incomplete but respectful homage to the nurses in the hospital ships in the Dardanelles and those caring for the wounded from the Western Front; and to the later Women’s Royal Navy Service, Women’s Auxiliary Air Force and Women’s Auxiliary Army Corps who served across a wide range of non-combat roles at home and abroad, including transport, signalling and piloting the air transport auxiliary.

With a nod to our signals intelligence function and the enduring value of cryptography, I also extent my gratitude to the code breakers, computer operators and analysts of Bletchley Park. Around 75 percent of those who worked that secret endeavour were women. One of the last surviving women who served at that now-iconic site, Jeanne Sampson, died last month in Lower Hutt, near Wellington, at the age of 100.

I wish to remember Jeanne and her colleagues today, alongside all those who earlier served in World War One, and in conflicts and deployments since.

Today major conflicts continue. In the Russian invasion of Ukraine we see how traditional warfare can be combined with cyber elements. More often we see cyber threat playing out far from the traditional theatre of open conflict.

I have been invited to share with you the cyber challenges and opportunities facing New Zealand and the importance of working with allies to mitigate increasingly complex global cyber threats. The setting for today’s topic highlights acutely its relevance.

It is almost protocol at international cyber security exchanges to begin by describing your domestic role and function. For all that our partners have broadly similar agencies, we have different mandates, legislative frameworks and customers. These differences make for long introductions, but offer diverse insights which form part of the value of our relationships.

I will begin then by outlining our role, before sketching the New Zealand cyber threatscape as we see it. I will then turn to the opportunity we see in scale and partnership, including internationally.

Role

The GCSB is a signals intelligence agency, delivering the New Zealand Government similar services to the United Kingdom’s GCHQ and the Australian Signals Directorate. As part of our functions we all have a national cyber security centre to deliver our cyber security mandate.

In New Zealand we operate in accordance with the Intelligence and Security Act 2013 (or ISA) to “protect New Zealand as a free, open and democratic society”.

The GCSB has three principal functions under this legislation. The first is collecting primarily foreign communications intelligence in accordance with Government priorities. The second is provision of cyber security services to organisations of significance to New Zealand’s security and wellbeing. The third is support to other agencies. NCSC delivers against each of these, and leads the cyber security function. 

The GCSB’s role as a signals intelligence agency gives it access to technical capabilities, legal authorities and international relationships not available to other cyber security providers in New Zealand.

At our heart we are communications security specialists in cryptography and technical counter surveillance. So while the NCSC turned 10 last year, our whakapapa or lineage is pre-cyber. We continue to deliver these core services in order to protect our government’s most sensitive information, reforming ourselves in recent years in response to challenges to longstanding operating assumptions.

These days, with a complement of powers and specialised capability at our disposal, we also focus more widely on nationally significant organisations. This includes most government entities, critical infrastructure providers, key economic generators and developers of intellectual property. While they tend to hail from the private sector these entities embrace the contribution they make to the security and wellbeing of New Zealand and the steps they can take to protect themselves.

Through the NCSC’s cyber threat assessment function we maintain situational awareness of our operating environment, inform decision makers and develop our capability for enduring relevance. It is our analysts' insights I draw on to outline our cyber threatscape.

Cyber threatscape

Over the past few years we have observed significant changes in the malicious cyber activity New Zealand experiences. Changes in tactics, techniques and procedures take advantage of rapidly evolving technology and its global use. We have also seen a shift in the strategic priorities of state sponsored actors and pursuit of new revenue streams by sophisticated criminally motivated actors.

Staying abreast of these changes and adjusting the national defensive posture is a significant undertaking for any nation. Being part of a wider international network, with shared interests and values, is fundamental to New Zealand’s resilience as a small nation. The changes we have observed in New Zealand reflect global trends and partner reporting.

We are seeing an increase in the speed and scale of the mass exploitation of recently disclosed vulnerabilities. These are existing security flaws in a device, system or software. Malicious actors quickly take advantage of newly discovered vulnerabilities, scanning for and targeting every device and organization potentially vulnerable to exploitation. They do this to establish a foothold into networks then selectively pick their targets for further compromise.

A recent example was the targeting of Microsoft Exchange vulnerabilities, which affected organisations with on-premise Microsoft exchange servers. The New Zealand Government publicly attributed this compromise with international partners to Chinese state sponsored actors.

There has been a change in approach to supply chains. Malicious actors continue to compromise suppliers to access their intended targets. They are shifting, however, to more strategic access through critical global providers.

In some instances this involves tampering with products prior to market release. A recent example was the SolarWinds Orion exploitation, which involved the compromise of a legitimate software update prior to its distribution by the software provider. This had widespread international impact and was publicly attributed by the New Zealand Government and international partners to Russia.

As the regular economy increases its reliance on outsourcing to bring in specialized skills and services, so too do criminal actors. We are seeing greater use of “malware as a service” that reduces technical barriers to entry. These enable more complex campaigns with highly disruptive impact to be carried out by malicious actors at a much lower technical base, assisted by alternate currencies.

There has been a pronounced trend in the blurring of lines between state sponsored and criminally motivated actors. We observe criminal actors using capabilities that a few years ago were in the hands of sophisticated state actors. Some criminal groups appear to operate without sanction from “safe havens” in their resident countries.

Conversely, while in 2018 NOTPETYA masqueraded as a criminal ransomware campaign, its intended purpose to damage and disrupt Ukrainian systems. Its primary targets were Ukrainian financial, energy and government sectors, but its indiscriminate design cause it to spread around the world affecting many more industries. The New Zealand government joined partner countries and others attributing this activity to the Russian Government.

An illustration of some of these challenges is a recent ransomware compromise in the New Zealand health system.  Ransomware involves the deployment of malicious software to encrypt a system or data to make it unavailable for use. In exchange for payment, the actor promises to provide the key that will decrypt and restore the data or system. I am able to speak about this incident because it is already in the public domain, as is the NCSC’s involvement.

In the early hours one morning in May last year, one of New Zealand’s largest public health regions, known as the Waikato District Health Board, identified a large number of their servers had been encrypted. Determining they had been ransomed, the District Health Board shut down their systems, including those for all five hospitals they operate, and disconnected themselves from other local and national health services to limit the malicious actor’s reach. The district health board continued to access email in the cloud.

NCSC incident responders describe an eerie experience when they arrived onsite that first day. While there was a hive of activity, all computer screens were black, with hand written “do not touch” signs. Medical professionals had reverted to using a small handful of still-working laptops, but mainly pen and paper. The first week or so involved a 24 hour continuous response effort with staff working across 3 different shifts.

This incident featured some of the changes we have seen in ransom incidents. Volume based campaigns are giving way to targeted efforts against organisations perceived as susceptible to extortion because of their profile, critical services or sensitive data. Malicious actors put effort into understanding what will pressure victims to pay ransom demands. In the Waikato incident, the malicious actor exfiltrated private health information before encrypting systems. They made this available to media outlets, with some choosing to read and publish the content.

The Waikato incident had significant national impact on health services for months, at the same time as we also faced the global pandemic. It offered painful insight into why cyber security is foremost a strategic and operational problem, rather than one to be solved within IT departments. It is an experience shared by nations around the world who have had similar damaging incidents in their health systems and economies. This is just what is public of course. Not all cyber intrusions are visibly destructive. The hardest to detect and disrupt can be the most damaging to national interests.

So what is the opportunity here?

There is a glazing over I sense when I speak about cyber security that isn’t solely down to virtual meeting fatigue. Technology seems to put us on the back foot – we intuitively understand it is hard to keep pace with. Yet we all work in IT now. This was true before the global pandemic and truer two years in. Digital platforms are critical to ordinary business and government operations, and our providers are global. For those who can keep up, even our leisure and friendships have sprawled into these platforms and evolved as a result.

As technology presents us with opportunities, the nature of the threat evolves along with it. How we keep that challenge proportionate to the opportunity also changes over time.

The NCSC is focused on the resilience of our nationally significant organisations and national level harm. When I took up my role in 2016, this was synonymous with a focus on advanced state sponsored threat actors with long term strategic interests. We engaged one to one with nationally significant organisations to improve their understanding of cyber security governance. We painstakingly stood up detection and disruption services to a cross section of consenting organisations in the public and private sector. We had just commenced the regulatory supervision of notifiable changes in public network operators.

To continue to have impact we have made a gradual shift to working at scale. Scale is not the first word that springs to mind when you think of New Zealand. We are acutely aware of the size of our contribution to international partnerships with nations that will remain vastly more resourced with larger workforce catchments and specialization than our own. We specialise in prioritisation and delivery. We are small enough to be able to pick up the phone. We are seasoned late adopters. We have mastered the tradecraft of generalisation, or end to end problem solving.

In the New Zealand context, intervention at scale means partnering with others to secure key digital supply chains, through both technical and policy avenues. We are focused on building relationships that allow us to achieve greater national resilience than we could alone. We are pairing our knowledge with others’ to greatly improve the value of our respective work.

We continue to offer detection and disruption services to a range of consenting organisations. The evolution of this work is a New Zealand specific threat feed, known as Malware Free Networks, which we make available through a growing number of private cyber security service providers. These Malware Free Networks partners use our information to help protect their customers through the commercial services they provide. Through this partnership model we are able to disrupt known threats to many more New Zealand organisations, before they can cause harm. As we mature these relationships we see further opportunities to enhance our respective analytic and response capabilities.

As the Government Chief Information Security Officer we set information security standards for the public sector and administer a self-assurance framework. Uptake and continuous assurance against these standards has rapidly improved as a result of our implementation work with private cloud providers. By incorporating our information security controls into their products, providers are making it easier for government and their suppliers to assure their security. There are now more than 400 New Zealand cloud instances using our free baseline security templates. The New Zealand information security industry judged our first releases with Microsoft and Amazon Web Services the Best Cyber Security Initiative for 2021.

We increasingly exercise a range of non-technical tools, particularly mandate and policy settings. We conduct technical security risk assessments to inform strategic supply chain decisions under an ever-increasing number of regulatory regimes. Where we have no statutory role, we share our knowledge with regulators in banking, finance and other sectors to support standard setting and incident response capability within existing regimes.

Looking to the future, we are excited to embrace our relationships with iwi and Māori enterprises and broaden our view of nationally significant organisations.

NCSC’s offering is hardened with partner capability. Key relationships with international cyber security partners – particularly the United Kingdom, United States, Canada and Australia, underpin our ability to help defend New Zealand’s most important information and systems. Partners play an important role in informing our threat landscape, in the development and support of our cyber defence capabilities and in our incident response.

During Waikato district health board, for instance, we sought partners’ insights to help identify and understand the actor, trace their activity on the network and share indicators of compromise. Such international support is an integral part of our incident response model, along with inputs from other government agencies and commercial cyber security service providers.

When we developed our original detection and disruption tools we benefited from a range of insights from our partners’ cyber defence programmes. Whether it was overcoming the barriers to sharing threat indicators, or understanding the challenges of engineering complex tools, partners provided information, experience and even people to assist. 

That support continues to make a real difference to capabilities that are today a central platform in our cyber defence. The Malware Free Networks initiative is a real manifestation of the ongoing value of our global relationships.

Sharing is a two way process. The relative size of the New Zealand economy and cyber ecosystem means we are sometimes uniquely placed to gain insights into malicious actor behavior that we can share with our allies and partners. This contributes to overall understanding of the threat environment and discovery of previously undetected compromise. We also provide people from our own teams to support partners’ investigation and incident response.

Our international alliances are a source of strength less for their formality and more for the benefit and sense of purpose we derive from our collective security and wellbeing.

We share common values over the long term. We all have strong commitment to systems of government with democratic freedom at their heart. We are committed to the international rules based order, which amongst other things, stipulates global conventions about accepted behavior in cyber space. There are a number of nation states that routinely operate outside those norms. Their activity, and that of sophisticated cyber criminals, drives an ever-evolving threatscape we engage with our partners to defend against.

Day to day, the opportunity in our international partnerships, as in our domestic, comes down to the quality of the relationships between our people. It takes effort to maintain mutual trust, willingness to experiment and respect for our relative contributions. It takes responsiveness to rapid context-shifting and a shared expectation that in moments of vulnerability we will be there for each other.

I observed at the outset that ANZAC commemorations remain a vital part of our national identity. I have outlined a technical operating environment the ANZACs could not readily have comprehended. I like to think, however, that they would recognise the relationships we continue to foster and be heartened by our ongoing commitment to our collective defence.

Ngā mihi.

Thank you for the privilege of speaking with you today.