Open letter to Right Honourable Ministers Ginny Andersen and Andrew Little - help pause the decision to move CERT NZ into GCSB/NCSC
Kendra Ross
Entrepreneur | Dyslexic Thinker | IFSEC Global Top 20 Cyber Security Influencer | Strategist | Governance, Advisory & Investor
Right Honourable Ministers Ginny Andersen & Andrew Little
Minister for Digital Economy and Communications & Government Communications Security Bureau
New Zealand Parliament
Wellington
Dear Ministers
Subject: Concerns regarding the Placement and Lack of Consultation for CERT NZ within the National Cyber Security Centre
Original source: https://tinyurl.com/j3pdx4rm
We are writing to express our deep concerns regarding the recent decision to place CERT NZ, an outward-facing non-intelligence organization, within the National Cyber Security Centre (NCSC), which falls under the auspices of the Government Communications Security Bureau (GCSB). While the objective of strengthening New Zealand's cybersecurity capabilities is commendable, we believe that this decision, combined with the lack of broad consultation and the rushed implementation, poses significant risks and could have far-reaching negative consequences.
First and foremost, the placement of CERT NZ within the National Cyber Security Centre raises concerns about the potential blurring of lines between intelligence operations and the provision of vital cybersecurity services to ALL Aotearoa New Zealand. While it is important for intelligence agencies to collaborate and share information with organizations like CERT NZ, it is equally crucial to maintain a clear distinction between their roles and mandates. Placing an outward-facing non-intelligence organization under the umbrella of an intelligence agency could create conflicts of interest and compromise the independence and transparency necessary for effective cybersecurity operations.
Furthermore, the lack of broad consultation with industry partners, communities, and other stakeholders is deeply troubling. The cybersecurity landscape is constantly evolving, and it is imperative to engage a wide range of expertise and perspectives to ensure the development of effective strategies and policies. Excluding key stakeholders from the consultation process creates the risk of overlooking valuable insights, creating unnecessary resistance, and hampering the successful implementation of any initiatives. Genuine consultation fosters trust, promotes inclusivity, and results in more comprehensive and informed decisions.
Equally concerning is the apparent rush to implement this decision without a clearly defined government strategy for the cybersecurity sector. Five years without a government strategy in such a critical area is worrisome, and the urgency with which this decision is being pushed through raises doubts about the level of due diligence conducted. Rushing such a significant reorganisation could lead to unintended consequences and undermine the very objectives it seeks to achieve. The retention of staff, continuity of current programs, and other important areas could be adversely affected by a rushed implementation, potentially leading to operational inefficiencies, reduced effectiveness, and a loss of valuable expertise.
This is not a reflection on the good and capable people at NCSC but on the process that has arrived at a “like for like action” as seen in other countries, which have different budgets, regulatory environments, and levels of Cyber Security maturity within their markets.
Given the gravity of this matter, we respectfully urge you to pause the decision to place CERT NZ within the National Cyber Security Centre and to take the following actions:
1. Conduct a comprehensive and inclusive consultation process with a wide range of industry partners, communities, and stakeholders to gather diverse perspectives and ensure the development of robust cybersecurity strategies.
2. Allocate the necessary time and resources to develop a government strategy for the cybersecurity sector that addresses the evolving threats, identifies key priorities, and outlines a roadmap for the future, with the potential to explore an independent Digital / Cyber Ministry.
3. Ensure that any reorganisation or realignment of CERT NZ is based on careful analysis, extensive consultation, and thorough consideration of potential impacts on staff, programs, NZ Citizens, and other relevant areas.
4. Strengthen collaboration between CERT NZ and the intelligence community through structured information-sharing mechanisms that preserve the independence and transparency of both entities.
By taking these steps, the New Zealand government can demonstrate its commitment to fostering a resilient and secure digital environment while ensuring that decisions are made with the utmost care, transparency and consideration.
We kindly request that you give these concerns the serious consideration they deserve and take appropriate action to address them. We are confident that by doing so, we can collectively work towards a more secure and prosperous future for New Zealand.
Yours sincerely,
Kendra Ross
On behalf of members of New Zealand Cyber Security Community and Industry (please sign in comments section)
Ex CERT NZ Establishment Board (2016-2019)
Origination Advisor at EXCEND
1y Carlos Cordero. Principal at CONVERGNCE Founder and Honorary Board Member Dominio Consultores
Communications, marketing and research specialist
1y In full agreement with Kendra Ross Olivia Lacey
Digital Safety Advocate, Founder and Tech Entrepreneur, Board Member, International Public Speaker, previous EY NZ Entrepreneur of the Year (services category)
1y Agree entirely! This might be a great move or it might be a disaster, but how can we know and give relevant feedback without consultation and transparency? We all know our reliance on tech is fundamental not only to NZ’s economy, but education, health, national security and just about every other factor of our lives. This isn’t just about technical “cyber-security” any more but our people’s “Digital Safety” in their daily lives. To achieve that we need a current, well planned, well coordinated and well executed strategy, which includes not only these Govt agencies but also the InfoSec professionals out there fighting the good fight every day. The rushed process shows a lack of strategy, and zero coordination… Frustrating as we all want the same outcome, which is better cyber-resiliency for NZ and a safer digital world… Surely? So, whether this change goes ahead or not, the key question is “How will NZ Govt now work with NZ’s InfoSec and Cyber-Security professionals to achieve success?”
Executive Security Lead
1y I couldn’t agree with you more Kendra, this is a retrograde step and completely at odds with international CERT positioning. Embedding CERT into the NCSC is a slap in the face for the fine reputation, respect, and international relationships Rob Pope and his hard-working team have developed since CERTNZ was conceived. Not forgetting the transparency, guidance, awareness and general service CERTNZ openly shares with all New Zealanders without prejudice. A worrying step backwards is my sense.
PCI QSA, ISO 27001 and 27701 Lead Auditor Investor and Mentor
1y Cyber threat is a threat to the economic prosperity of the country, including its people and industry. The threat leads to soft dismissal of money, reputation and business throughout the year. Calculating the volume of breaches in dollars against the population provides a justification for an entity that looks after the information security of its people and sovereignty. Though the decision seems good, it will cause issues for the intelligentsia and people of New Zealand, as both have distinct security classifications. As suggested by John, Chris, there should be a separate division dedicated to countering the problem without compromising the security of information. Similarly, a separate entity may also look into cybersecurity issues faced by New Zealand and apprise the government.