Budget 2022 saw a collective $30 million invested in the country's cyber resilience, including funding for a world-first measurement framework, Marc Daalder reports
David Clark, the minister for all things cyber, says record investment in New Zealand's online resilience comes as cyber crime becomes an increasingly common experience.
"The public has been alerted through events like the Reserve Bank, the NZX and particularly the Waikato DHB to the dangers of cyber crime. And as time goes on, more and more New Zealanders have their individual stories of friends and family who've been the victims of cyber crime," he told Newsroom this week.
"And, over time, the threats are growing."
Budget 2022 saw more than $30 million directed towards cyber initiatives, including a one-stop shop for reporting cyber incidents and cash for victims of cyber crime.
The initiative that may make the largest difference in the long term is the modestly-named "cyber resilience measurement framework". Newsroom first reported on this project at the start of the year, based on documents obtained under the Official Information Act. Now, government officials are able to speak publicly for the first time.
They say this effort to quantify New Zealand's cyber resilience could lay the foundation for starting to improve it.
"We haven't, to date, been able to find a country that has done this at this scale," Nicte Lopez, Computer Emergency Response Team (CERT) NZ's manager of insights and reporting and the official in charge of the project, told Newsroom.
The world-first framework will take an expansive view of what it means to be cyber resilient and try to find ways to measure each of those aspects. That could range from the amount of money lost to cyber crime in the past quarter to the uptake of security patches to how comfortable people report feeling in their online transactions.
"The DHB incident, when we think about it, the first thing that comes to mind is a hospital being hacked. There's also the impacts on the people around there, the community around them, the trust of individuals. It's quite hard to measure the real effect that's had," Lopez said.
"Those sorts of events in the macro landscape could potentially offer a view on, have we done better? As a community, as a government and private industry, how have we wrapped our services around organisations that need that support?"
Officials have already developed a prototype framework as a pilot. This revealed the difficulty of gathering data that sheds light on the hard-to-quantify aspects of cyber resilience.
"Resilience is about being able to plan, you absorb an attack, you are able to bounce back but you learn from it so you don't end up in that cycle again."
The $2.45 million in Budget 2022 will be spent over four years to turn that prototype into a working product.
"There's a lot of interest in the international community to see us succeed. Where we are right now is understanding that baseline and trying to define the size of the problem and how do we engage with our communities, our partners and the private industry," Lopez said.
"This stage is very much about reaching out to private sector, agencies and even individuals. We want people to reach out to CERT to say, 'I think this framework could be useful to my agency. This is how I think we can use it. These are the sorts of things that I think we would want from it'.
"From there, we can understand how we can build this stage by stage."
Clark said the framework will play a role in improving the country's cyber resilience for years to come.
"It's a building block that I hope will continue to be looked upon over time. Government currently is subject to hundreds of thousands of attacks a day. When you've got hundreds of thousands of attacks a day, you've got a serious situation. Only one of those needs to succeed to have often dire consequences," he said.
"That's true across our whole population. We've got to continue to build on what we're doing. We've got to continue to seize the opportunity."
So, once the framework is up and running, what will it say about the current state of our cyber resilience?
"I think it will tell us that we need to keep working at it," Clark said. "We will be the first to do it, so we won't have anyone to compare ourselves to, but I think we know enough already to know that people are, in New Zealand, sometimes a little too easy-going. A little too much 'She'll be right'."
