Do not merge CERT into GCSB
The Herald reports:
A cybersecurity shake-up, revealed in an open letter by an angry security industry insider, is being considered by Cabinet, Government Communications Security Bureau (GCSB) Minister Andrew Little has confirmed to the Herald.
His plan to move Cert NZ (the Computer Emergency Response Team) under the GCSB’s National Cyber Security Centre (NCSC) has not been previously publicly confirmed.
“The current system is fragmented, creating a ‘merry-go-round experience for business victims’ of cybercrime,” Little said.
He wanted “a single front door for cyber security reporting, triage and response”, as recommended by a 2021 cybersecurity advisory committee, whose members included Z Energy chief digital officer Mandy Simpson, Kiwibank tech boss Hamish Rumbold and then Consumer NZ CEO Jon Duffy.
Cert NZ was created in 2016 under Sir John Key’s National-led Government to act as a “triage unit”, issuing public alerts about cybersecurity threats and aiding individuals and small businesses who had suffered a cyber attack toward the right help.
Through InternetNZ I was involved in a small way in advocating for the creation of a NZ CERT. We were one of the few developed countries without one.
Both CERT and GCSB are involved in cybersecurity, but that does not mean they should be merged together. The GCSB can focus on Government and critical infrastructure and CERT on businesses and consumers.
If you put CERT under GCSB, there will be some reluctance to report things to CERT if people think it means reporting to an intelligence agency of Government.
In an open letter posted to LinkedIn, a cybersecurity advisor and former Cert NZ board member Kendra Ross said: “While the objective of strengthening New Zealand’s cybersecurity capabilities is commendable, we believe that this decision, combined with the lack of broad consultation and the rushed implementation, poses significant risks and could have far-reaching negative consequences.
“Placing an outward-facing non-intelligence organisation under the umbrella of an intelligence agency could create conflicts of interest and compromise the independence and transparency necessary for effective cybersecurity operations.”
This is correct.