Published on the 15/08/2023 | Written by Heather Wright
Key threats report and critical infrastructure consultation highlight new focus…
Foreign interference, espionage and mis- and disinformation threats, including actions by China, Russia and Iran, are called out in the New Zealand Security Intelligence Service’s first ever unclassified look into the threats New Zealand faces.
The report notes the potential use of data processing, encryption and tracking by foreign states and violent extremists and says technological innovation, along with strategic competition, declining social trust and global economic instability are the biggest factors shaping the threat environment.
“If there is a critical failure with one of the cloud providers, a huge percentage of NZ’s critical systems will be affected at once.”
The SIS report comes as the New Zealand government consults on how to strengthen the resilience of New Zealand’s critical infrastructure system.
Consultation on a discussion document closed earlier this month. It’s looking at current barriers to infrastructure resilience and options for reform – something the government says is ‘urgently’ required to provide a more comprehensive and co-ordinated approach to critical infrastructure regulation.
“A more robust and resilient critical infrastructure system will ensure we are better placed to manage the complex intersecting challenges posed by climate change, a deteriorating national security environment, economic fragmentation and rapid technological change.”
In releasing the SIS report, Andrew Hampton, NZSIS director general of security, says New Zealand businesses, institutions and communities can make use of the information ‘to make informed decisions about risk and mitigation’.
The report has made waves for naming China, Russia and Iran as three states involved in foreign interference activities, saying their ability to cause harm is ‘significant’.
“Only a small number of states engage in interference against New Zealand, but some do so persistently and with the potential for significant harm,” the report says.
“This report highlights the activities of three states in particular: The People’s Republic of China, the Islamic Republic of Iran and Russia.”
Last year, Tom Burt, Microsoft corporate vice president for customer security and trust, told iStart increased cyber activity by Russian cyber espionage and influence activity had been seen in Australia and New Zealand, with activity on the China front also stepping up.
The SIS report says the SIS is aware of ongoing activity in and against New Zealand, linked to China’s intelligence services.
It also notes human and cyber-enabled foreign interference and espionage, seeding disinformation and use of economic coercion, among other methods, that states harness to further their advantage.
It says the speed of tech advancement poses new challenges for security, and sees technology ever more closely linked with other factors, such as social disruption and strategic competition.
Increasing interconnectivity between people and the delivery of services online is generating an exponential growth in the volume and complexity of data, with that data of significant interest to not only the commercial world, but also states, the Security Threat Environment 2023 report says.
“The ability to process large swathes of data means that data leaks and cyber security compromises become particularly valuable to both governments and the criminal world.”
At the same time, technology is bringing people together online via social media and encrypted communication technologies which have contributed to radicalisation by making access to extremist content easier and more secure.
Social media algorithms create feedback loops of violent and extreme content, while encryption and the proliferation of new sharing services make detecting and countering content ‘very difficult’.
The value of technological innovation for intelligence collection and disruption has seen states investing heavily in R&D – but not adverse to stealing R&D and IP visa cyberespionage.
“Cyber-enabled espionage poses a significant threat to New Zealand’s national security and economic prosperity. Foreign states highly likely target New Zealand individuals, industry and government to gather information for their own economic military or political advantage.
“The threat to critical national infrastructure is a particular area of concern. The impact of malicious cyber activity targeting NZ’s critical national infrastructure, such as electricity grids or telecommunications networks would likely be significant.”
Opportunistic or inadvertent compromise of critical infrastructure through network vulnerabilities could leave the sector exposed.
That’s one area of focus of the recent consultation on critical infrastructure resiliency in New Zealand, which notes data storage and cloud providers among critical infrastructure in need of protection.
The discussion document notes that the government has not taken a comprehensive or coordinated approach to critical infrastructure regulation, with no agency having policy or regulatory responsibility.
Instead, New Zealand’s response has been on an ad-hoc basis, protecting assets within given sectors.
Now, the government appears to be looking to follow the global trend, already seen in Australia and the EU, of moving from sector level regulations to a ‘system-wide regulatory approach’.
That document also pinpoints a deteriorating national security environment as increasing the risk of cyberattacks, espionage and sabotage, while rapid technological change is also amplifying risks, including providing more links between critical infrastructures, causing failures to spill further across the system. Economic fragmentation and climate change are also cited as global megatrends heightening the risks.
Doug Dixon, former CEO of Kiwi cloud provider Catalyst Cloud, says the consultation documents show New Zealand is moving in the right direction.
“I want to encourage them not to settle for convenience, but to strive for real long-term resilience when it comes to cloud computing,” he told iStart.
He presented an individual submission calling for all critical infrastructure to be sufficiently New Zealand owned and controlled.
“The present effort to improve New Zealand’s critical infrastructure resilience acknowledges that we’ve got this far by a mixture of luck and regulation of some infrastructures – but many critical infrastructures have evolved without oversight and need to be legislated and regulated to ensure a minimum level of resilience,” he says.
Nowhere is this more evident than in the case of trend of rapid technological change.
He welcomed the inclusion of cloud computing as a critical infrastructure, but says he has grave concerns about cloud resiliency.
“Next to power and water, cloud is New Zealand’s most critical infrastructure. Why? Our government and our economy literally cannot function without it. If we lose access to cloud systems, or those systems are damaged or withdrawn, it’s game over,” he says.
But our digital systems are largely between Microsoft, AWS and Google, with no failover between them, he adds.
“On the contrary, there is significant vendor lock-in. This means if there is a critical failure with one of the providers, a huge percentage of NZ’s critical systems will be affected all at once, and that failure is likely to cascade.”
Dixon has also flagged concerns over the lack of New Zealand ownership, or control, of any of the cloud infrastructure, raising questions over not only resilience, but sovereignty.
“We need long term, inter-generational thinking. Yes, wholesale adoption of the US clouds by the New Zealand government may seem like a permanent, inevitable reality today, but that is an illusion caused by our inherent human short-sightedness: what we can’t see, we sometimes can’t imagine. And what is convenient to believe, we easily accept.
“But we must not give up on building NZ-owned and controlled cloud computing, and indeed whatever other technologies emerge over time. We must catch up, invest over decades, and gradually take back sufficient sovereign control of our critical digital systems.”
Further consultation on the critical infrastructure resiliency is expected in early 2024, subject to the outcomes of the general election.