The Government is working on a way to quantify New Zealand’s cyber resilience as the seriousness of digital and online threats scales up, Marc Daalder reports
By the end of 2022, New Zealanders will be able to see a metric ranking the country’s cyber resilience – and track how it increases or decreases with regular follow-up reports.
In light of recent high-profile cyber incidents – like the hacking at Waikato DHB – and more attention on everyday scams and attacks, the Government is developing a framework to quantify New Zealand’s cyber resilience.
The details of the project have been released to Newsroom in response to an Official Information Act request to Digital Economy and Communications Minister David Clark. It will be developed and maintained by CERT NZ, the government’s cyber security body, and overseen by an independent reference group.
Officials from CERT have identified 20 metrics that, combined, are meant to give a rough picture of New Zealand’s cyber security. Those metrics include things like the number of devices still in use that are no longer supported by their developers, the average value of reported cyber crime losses and the number of reports of identity theft. They’ll also span four domains to take a more holistic view of cyber resilience: technical, organisational, economic and social.
Sam Sargeant, the chief security officer at InternetNZ, said it was good to see the Government doing this kind of work.
“It’s great that they’re measuring this stuff. And it is hard. They outline in the paper that this is the first time it’s been done on a national level and it is looking much wider than just the technical aspects of cyber security,” he told Newsroom.
However, he was also concerned that the Government hadn’t yet reached out to the cyber security sector to consult on the project.
“I am interested in that it doesn’t seem to have been developed with anyone else apart from CERT and the Department of the Prime Minister and Cabinet’s Cyber Policy Office,” he said.
“I think resilient technology is crucial, for all of New Zealand and New Zealanders, and we do need measures of resilience to track how we’re going. But they do need to work for the whole community.
“Security is a team sport and if we learn via an OIA of how our industry is being measured and how our new policy interventions will be designed, that doesn’t seem to be the right way to go about this problem.”
A collaborative approach to the framework could make sure that it really does reflect New Zealand’s cyber resilience. The risk is that the framework overlooks areas that need fixing or highlights problems that aren’t really significant. One potential issue Sargeant raised was the proposed inclusion of a metric tracking the number of visits to the CERT website.
“I don’t disagree with any of them in particular. Some of them seem to lack a bit of detail and fidelity,” he said.
“One of the proposed organisational metrics is ‘CERT NZ reach to the general public’ and they’re proposing that’s the hits on their website. That creates some perverse incentives. I worry about, a year or two’s time, someone saying quite reasonably, ‘We want to be better at resilience. Let’s take a marketing campaign out for our website.’ Does that actually make us more secure or does that just inflate some numbers?”
Working with the sector could also help fill gaps in the framework’s datasets. As it stands, CERT officials have only found data for eight of the 20 metrics in the framework. It’s unclear, for example, exactly how CERT might quantify and track “wellbeing incidents linked to online activity”.
“As CERT NZ works to identify the remaining 12 metrics, there is a risk that no suitable data will be identified for a particular metric in the Framework. If this occurs, the metric will be changed or, if appropriate, proxy data will be used with any associated assumptions documented,” the CERT briefing to Clark reported.
A prototype version of the eventual outcome of the project – a regular Cyber Resilience Report – found the technical domain had become more resilient and the organisational one was about the same. There wasn’t enough data for the economic or social metrics.
It would also be important for the framework to be flexible in the future.
“It is a very dynamic space. Things do move often,” Sargeant said.
“I’m really sympathetic to the Government wanting to have stable, long-term measures, but I think they need to be developed cooperatively.”