NZ Incident Response Bulletin – December 2023

Our Views:

New measures for improving national cyber resilience

Australia recently published its new cybersecurity strategy that articulates direction and key focus areas for 2023 to 2030. The strategy acknowledges how difficult it is for organisations to operate safely in the current global cyber-attack landscape and strongly signals a desire for Australia to adopt a leadership stance in cyber security. We look below at two issues outlined in the strategy that we believe are as relevant to New Zealand organisations as they are to our friendly neighbours across the ditch.

Accessing Incident Response Advice and Support After a Cyber Incident

The ability to rapidly respond to a cyberthreat significantly improves an organisation’s chance of minimising the impact of any incident. A rapid response also allows a quick return to business-as-usual activity. Unfortunately, many organisations struggle to gain timely support after an incident, making an already stressful situation worse. The identified issues preventing easy access to cyber incident response advice and support include:

The need to report a cyber incident (either as a regulatory obligation or voluntarily) to multiple external agencies.

Not only does an organisation need to fully understand to whom and how it reports cyber incidents, but the regulatory reporting processes can also be a time-consuming distraction in the immediate aftermath of a severe incident. Additionally, agencies (such as New Zealand’s Office of the Privacy Commissioner and Financial Markets Authority) will require timely and regular updates as to the status of any response. The New Zealand regulatory reporting requirements are currently less complicated than Australia’s; however, they do exist. Others that may need to be notified include the NZ Police and CERT NZ, as well as parties to whom you have commercial obligations, including cyber insurers and customers. Additionally, many New Zealand organisations must comply with various industry and international regulations as they operate in a global marketplace, making this an issue across Australasia.

Organisational reluctance to share information with government agencies, particularly the details surrounding any cyber incident or response, due to believing this may trigger a regulatory penalty or increased scrutiny.

The fear of sharing information makes it challenging for national agencies to assist organisations in the event of a cyber incident and seriously limits the ability of any national government to accurately understand or report on the current attack landscape.

Difficulty engaging private incident response services in a landscape of inconsistent industry service levels, and unclear professional standards.

National agencies have limited capacity and ability to support organisations during a cyber incident. Therefore, being able to access high-quality, trusted and professional private incident response services is crucial to gain valuable support. Currently the industry is indicating a greater need for more professional and trusted incident response providers.

The Australian National Cybersecurity Strategy has outlined several new initiatives in response to the challenges identified above, as follows:

Firstly, they intend to appoint a national cyber coordinator to lead any government response during a major cyber incident. We believe this action broadly follows good practice incident management guidance such as that outlined in the Coordinated Incident Management System (CIMS) framework in New Zealand. Provided a clear RASCI is developed and understood across all of the public agencies responsible for crisis management and that this role is well-supported, it could provide a critical coordination point lacking in the environment to date.

Secondly, the Australian government indicate they will streamline incident reporting by developing a single regulatory reporting portal and furthermore investigate whether regulatory requirements can be streamlined. Streamlining legislation will benefit all by creating a less complicated environment. A single location to find information and see how and where to fulfil regulatory reporting obligations during a cyber incident is a valuable step. New Zealand would benefit from a similar national one-stop location for cyber response assistance and information. We have available an automatic tool that generates notifications to agencies and communications to stakeholders to ensure post-incident reporting is managed in a timely and efficient fashion.

The Australian Government intends to drive greater information sharing by “co-designing” a “limited use obligation” agreement. Essentially this is an agreement that will limit how their government agencies may use or share any information an organisation provides to them around a cyber incident. Note, this will not provide immunity from legal liability or law enforcement actions. We think this is an interesting idea and may go some way toward building trust between public and private entities in cyber and therefore allow national agencies to collect valuable data around the threat landscape. In regard to enabling better government support to organisations during a cyber incident, a greater government capacity and capability may be required in this area should the same levels of cyber activity continue. We believe that building stronger interpersonal relationships between external incident support resources and internal cyber resources within organisations is key. Developing trust through jointly planning, testing, and successfully executing response actions is ultimately a better way to drive more information sharing and achieve a more successful incident response.

Finally, the government intend to “co-design” an industry code of practice for incident response providers. This aims to grow confidence in cyber security professionals by clearly outlining quality and professional standards and expectations. Creating greater professionalism around all aspects of the cybersecurity industry is a positive move forward. As managing cyber risk is now critical, all cybersecurity practitioners should be held to an appropriate level of professional standards, similar or equivalent to those required by any other professional services industries. The New Zealand Government manage this process via the ‘Marketplace’ which involves a robust acceptance procedure.

In lieu of these standards we recommend you confirm that any incident response provider you consider can demonstrate they have professional qualifications or certifications, show extensive experience in incident response, are following well renowned and tested cybersecurity and incident response frameworks (e.g. NIST, SANS), and are using industry-standard tools.

All the actions outlined by the Australian government are positive steps to improve incident response in Australia; however, it is crucial to note that they do not take any onus away from organisations who must be responsible for understanding that they have obligations to fulfil during a cyber incident and ensuring they have adequate additional support in place to fulfil these and guarantee the best outcome.

Pressure-testing critical infrastructure to identify vulnerabilities

The strategy highlights how all organisations must be prepared to defend, respond to, and recover from major cyber incidents; however, it emphasises the vital nature of critical infrastructure to maintaining essential services. It therefore outlines a plan to increase national cyber readiness by using cyber security exercises and incident response plans to ensure vulnerabilities are identified and responses are tested.

The Australian government intend to conduct national cyber security exercises across all sectors to test a wide spectrum of incident response plans, measures, and communication channels. This will be led by the new national cyber coordinator role and involve exercising existing cyber incident response plans and processes to ensure they are adequate. It aims to identify vulnerabilities and possible improvements across industries. We believe that if industry engages positively with the exercise, and it is run competently, this could be a truly valuable action to significantly increase national cyber resilience. Our existing clients will understand how beneficial a cyber incident simulation can be to fast-track awareness of cyber risk within an organisation and quickly see where immediate cyber incident response improvements can be made. More recently we have been involved in simulations that involve organisations and third-party providers to test the communications and response flow across the ecosystem, which is vital for an effective real-world response. We would like to see more of this activity in the New Zealand landscape and invite any industry or organisation keen to start improving and testing their response plans to contact us for assistance in arranging a cyber simulation exercise.

Finally, the national cyber coordinator in Australia intends to develop a series of “playbooks” for incident response. All organisations should at least have a basic set of playbooks in place for the most common cyber risk scenarios applicable to their businesses. National playbooks (as described in Australia’s strategy) make sense as a starting point for guidance; however, each organisation must ensure they adopt tailored response playbooks that suit their unique context, data, systems, risk tolerance and resources.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.