New Zealand Cyber Security Summit 2016 Report

Transcription

1 New Zealand Cyber Security Summit 2016 Report KEEPING NEW ZEALAND S ECONOMY CYBER SECURE On 5 May 2016, 300 chief executives, board chairs, directors and senior business leaders took part in New Zealand s first Cyber Security Summit. The aim was to advance New Zealand s cyber security through a public private partnership.

2 Cyber incidents and attacks threaten our economy. They can undermine our strategic and competitive advantages and cost our economy millions of dollars each year. This Government takes the protection of our businesses and economy from this growing threat seriously. Businesses, both big and small, also need to accept that cybercrime poses an enormous and immediate risk to their bottom line. A discussion about cyber security needs to happen across business, from boardrooms to the front desk. PRIME MINISTER, RT HON. JOHN KEY Improving New Zealand s cyber security is not simply about employing the right technical tools. If you think cyber security is an issue that sits in the IT department, you ve missed the critical part of this. The conversation needs to shift to the boardroom and to the CEO s office. Cyber security represents one of the most serious risks to any major business and therefore must be an executive-level responsibility, informed by the very best internationally-sourced information. That s why we re all here. For our part, the Government is taking this issue extremely seriously. Just as on the national level we benefit from sharing information about threats and solutions, so too our agencies benefit from working with international colleagues. This is already happening. Several agencies are networked with partners in the Asia-Pacific region and beyond. CERT NZ will also play a major role in this, joining a network of CERTs once it is stood up. We also need to play our part in the broader international discussion on cybersecurity and cybercrime. ANNOUNCEMENTS CERT NZ will be a central part of New Zealand s cyber security architecture. NZ$22.2 million has been allocated in Budget The CERT will take reports of cyber incidents, analysing, triaging and referring them to the right agencies for assistance. The CERT will analyse incidents to understand active threats and trends. It will develop advice and alerts on threats, vulnerabilities and prevention. It will deliver information on mitigation of threats in real-time. It will support sectoral information sharing forums. CERT NZ will be a primary point of contact with CERTs and similar organisations from other countries. As a first step, CERT NZ will be established as a branded unit within MBIE. Nominations have been sought for a CERT Advisory Board. Cyber credentials scheme for small businesses: Self-assessment. Independent verification through a certification process. The Cyber Credentials scheme will provide targeted and accessible stepping stones for businesses to improve their cyber security maturity. It will enable businesses to indicate to their customers and suppliers their recognition of the cyber security issue and the actions they have taken to address it. MINISTER FOR COMMUNICATIONS, HON. AMY ADAMS

3 GLOBAL INSIGHTS James Lewis CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES Matt Thomlinson MICROSOFT Richard Bejtlich FIREEYE Ten years ago, cybersecurity was not an issue. Now it is a central issue for policy. The digital economy is like electrification at the start of the 20th century it is transforming economies no one can ignore it. But the effects of the cyber revolution are more profound, as they involve global connectivity and information. New Zealand is not far away on the Internet just over a tenth of a second from Washington or Beijing. The issue for nations is how best to manage these new risks without sacrificing opportunity. Cyber security is a problem for national policy. Governments need to think how they can mobilise their societies; how they can orient them to take collective action to protect themselves. It requires sustained senior level political attention. And it is the same for companies it requires the attention of the c-suite. Cyber security is dynamic. You have to manage it. It s not like you can put something in place and go away and think you have fixed it. New Zealand faces real threats; companies are at risk. But it is a manageable risk if you take action. You need to take action in a way that empowers growth and innovation and at the same time protects our societies. New Zealand s Cyber Security Strategy is principles driven. It includes the core concepts and emphasises partnership. It has four specific goals and takes an agile approach to cyber security through an annual review and update of actions. The technical and policy challenges are intertwined. We need to work together the public sector and the private sector. We need the right risk management to stay ahead of the threat. The speed and scale of attacks, and the destructiveness of attacks are increasing. RANSOMWARE ON THE RISE A CASE STUDY: Between 22 February and 28 March 2016, ransomware as a percentage of blocked malware went from 33% to 91% worldwide. Dealing with ransomware: Block attacks at the front line: reduce easy entry points make it harder for the attacker. Contain attackers: isolate the damage from a compromise rapid response. Data backup: have a full back-up of your business s critical data stored offline. SPONSORS Cyber threats are like a campaign. It is not like a duel or a fight between two combatants where once it s over, it is over. It is a series of engagements over time.cyber adversaries are operating multiple mutually supportive tactics (such as phishing, internet-facing attacks, insider threats, physical access, etc). These tactics are all part of a campaign to get into your environment and steal your data. The threats are not static but iterative. Some questions chief executives could ask of their IT team: Who is responsible for finding intruders? How many bad things happened over the last year? How quickly did we detect those bad things? How long did it take to contain those bad things? The aim is fewer bad things ; and less time spent dealing with bad things. Score the game and figure out how well you are doing. TERABYTE KILOBYTE BYTE

4 WORKSHOP OUTCOMES CYBER RESILIENCE BUILDING A CERT CYBER CAPABILITY MAKING A DIFFERENCE TO THE CYBER SECURITY OF SMALL BUSINESSES To be successful CERT NZ should develop good public awareness, recognition and trust. It should have strong public and private partnerships domestically and internationally, and provide timely, relevant and valuable information. For the CERT to be an effective collaborative venture, it should be trusted, add value by being relevant to its customers, have a truly representative board and strong relationships with other CERTs and industry partners. There must be mutual benefit for partners. The CERT must have sufficient resources and capabilities. CERT NZ should be readily accessible and responsive to its customers. To ensure a Cyber Credentials scheme is effective participants agreed: it should be simple, low- cost, relevant, non-technical, and attractive to small businesses. Commercial incentives (or nudges ) might encourage small businesses to acquire a Cyber Credentials certificate. These could include linkages to insurance or procurement programmes, or as part of finance offerings. There is a role for larger companies to assist and mentor smaller businesses, including through requiring Cyber Credentials as part of their supply chain contractual requirements. Internet Service Providers or cloud services providers could play a role in driving take-up of Cyber Credentials by small businesses. Other initiatives to help small businesses improve their cyber security include on-line cyber security education tools, cyber security assessment apps, and promoting work experience opportunities for cyber security students with small businesses. A CERT Advisory Board will be appointed by August A project team based in MBIE is working to stand-up the CERT. CERT NZ will be operating by March A project reference group has been set up to provide advice and guidance on content and certification options for the development of a Cyber Credentials scheme by the end of A small business reference group will be established to test the effectiveness of the Cyber Credentials scheme by the end of August 2016.

5 CYBER CAPABILITY CLOSING THE CYBER SECURITY SKILLS GAP ADDRESSING CYBERCRIME CONNECTING SMART AND PREVENTING CYBERCRIME The cyber security skills shortage was highlighted as a key issue for New Zealand participants were keen to address this challenge. A public-private-academic taskforce could develop initiatives to build the cyber security workforce. This work must be driven by the private sector, with government input and support. Building a cyber security skills pipeline requires action across multiple fronts. This includes addressing diversity, retention of skills, links with industry, internships and practical training. Cyber hygiene skills should be front-loaded into the school curricula - start early to educate children. Our teachers need up-skilling to be able to do this. A follow-up workshop in June continued this conversation and set the scene for next steps. Participants identified opportunities to improve New Zealand s cyber capability and prevent cybercrime. Connect Smart material can be tailored to target audience(s), and use examples and case-studies of breaches to make it real. Practical, interactive tools should be developed for individuals and small businesses (e.g. the Cyber Credentials scheme or an online phishing awareness tool). Multiple media channels would lift visibility of Connect Smart (including possible use of a spokesperson to reiterate best practice following incidents reported in the media). The Connect Smart network of partners and members can become more involved in promoting cyber security messages (e.g. partners could give talks to each other s organisations). A public-private sector taskforce, involving participants from the workshop, will be set up to develop initiatives to build the cyber security workforce by August The National Cyber Policy Office will work with Connect Smart partners to extend the content of Connect Smart messages and develop new tools to help businesses improve their cyber security capability.

6 WHAT S AT STAKE FOR NEW ZEALAND? UNDERSTANDING THE THREATS AND OPPORTUNITIES. TAKING ACTION. New Zealand s geographical isolation is no barrier to cyber threats. The threat is real for New Zealand. Where do we want to sit as a country? How do we achieve both innovation and security? New Zealand s small scale could become an advantage including building good information-sharing across sectors. We need to manage risk, without sacrificing opportunities arising from technological innovations. Innovation cannot be stopped we need to make it safe. $34 billion COULD BE ADDED TO THE NEW ZEALAND ECONOMY if businesses made more effective use of the Internet. 1 Only 23% of boards of directors ACTIVELY PARTICIPATE IN SECURITY POLICY 2 Improving cyber security is not just about technical defences. We need to understand the human element. Cyber security is a risk that should be mainstreamed for business. Technical specialists need to speak to business leaders in ways that can be understood. CEOs can ask smart questions: Where are our weaknesses? How would they hack into us? What would be the impact on the business? Is there a role for independent audit? Trusted collaboration is the new black. No one owns the whole picture. The government has a role; the private sector has some capabilities. If we want to get on top of this threat, we need to work together. The problem is bigger than any one part of the system. No-one can handle it in isolation; no-one has all the competencies. This is a fast-changing 21st century issue we need agile responses. 3.9 million MOBILE PHONES ARE CONNECTED TO THE INTERNET 86 active connections for every 100 New Zealanders 3 AS A RANSOMWARE TARGET, New Zealand ranked 4th in the Asia Pacific and 21st globally with an average of 108 ransomware attacks per day 4 Connect Smart a public private partnership The Connect Smart partnership is a public-private collaboration focused on driving cyber security improvement in New Zealand. All New Zealanders will benefit if we can unlock the potential of the Internet by using it in a safe and secure way. Protect yourself online FIND OUT MORE ABOUT HOW TO CONNECT SMART: FOLLOW 1 The Value of Internet Services to New Zealand Businesses, 31 March 2014: 2 PwC Global State of Information Security Survey 2016, October 2015: 3 Internet Service Provider Survey, October 2015: 4 Internet Security Threat Report, April 2016: