Time for a National Security Strategy

Author: Rothery, C.
Published in National Security Journal, Volume 1, Issue 1, October 2019

Cyber Security

The evolution of global trade and communication has increased global interconnectedness: states are now connected through a vast number of complex networks. This comes with significant threats to New Zealand’s national security. With estimates that cyber-crime cost the global economy USD 6.6 trillion last year, it is vital for the New Zealand economy that New Zealand has an effective cyber-security framework.[14] The coordination of cyber-security sits within DPMC under SIG. The National Cyber Policy Office (NCPO) is responsible for the development of cyber-security policy advice to government. NCPO reports formally to the Minister of Broadcasting, Communications and Digital Media,[15] all of which broadens the span of organisations with input into, or responsibilities within, the national security framework. It would make more sense for organisations that are responsible for national security to have tighter reporting lines to fewer ministers, rather than the spread that is becoming evident. New Zealand has a whole-of-government approach to national security, but this does not mean that the whole of government needs to be involved in every aspect of it. A better formula would be for one organisation to be responsible for cyber-security, with the ability to reach out to resources from the whole of government and the private sector.

Two organisations from two different agencies are responsible for the operational response to a cyber-attack. The National Cyber Security Centre (NCSC) within GCSB is responsible for providing protective cyber services and guidance to ‘organisations of national significance’, as well as taking the lead on cyber incidents at the national level.[16] Within the Ministry of Business, Innovation and Employment (MBIE), the Computer Emergency Response Team (CERT) provides a lower level of cyber-security advice to organisations that do not require the level of specialist skills that the NCSC possesses. In addition to these organisations, the Protective Security Requirements (PSR) is an organisation that is supported by both the GCSB and the NZSIS. PSR sponsors the New Zealand Information Security Manual, which sets out the guidelines for the protection of information in the cyber domain. Additionally, the New Zealand Cyber Security Strategy 2015 articulated how the government will adopt a whole-of-government approach to whole-of-society cyber security. This document recognises the need for close partnerships with the private sector and non-government organisations, and it details how these connections will be made (New Zealand Government 2015). Unfortunately, the eight-page strategy, which is mostly filled with diagrams and pictures, does not fit into the category of a comprehensive strategic document. In 2018 the Minister of Broadcasting, Communications and Digital Media released an Action Plan for the refresh of New Zealand’s Cyber Security Strategy, due to an upward trend in security threats.[17] The New Zealand cyber-security framework is quite broad; however, its control suffers from being dispersed across many different organisations. There are five different agencies that have a cyber-security responsibility: NCPO, NCSC, CERT, PSR and Connect Smart. These agencies report to