Lisa Owen: Welcome back. Over the past few years the GCSB has been at the centre of a series of spy scandals. Now the new acting director, Una Jagose, says she's on a campaign to bring more transparency to the organisation. While talk that we spy on our Pacific neighbours and are part of America's "full-take collection" network is still largely off-limits, Jagose this week gave a speech about Project Cortex, designed to detect and stop cyber-attacks. In the past six months New Zealand has been hit by more cyber-attacks than the whole of 2014. Political Editor Patrick Gower sat down with her and asked just who is under attack.
Una Jagose: We focus our attention on New Zealand companies that are holders of information, assets of importance to New Zealand, so nationally important infrastructure companies and some key government departments. So, yes, we're definitely seeing attacks there.
Patrick Gower: So what you're talking about – banks, telecom companies, those kinds of things?
Well, those parts of the infrastructure, the nationally important, those sorts of things. We actually don't talk about who they are or specifically what types of organisations they are, because revealing that also reveals to an adversary where we might have our best and richest sources of data that they might be interested.
Yeah, and when you talk about an adversary, who is trying to get this information? Is it individual criminal organisations, or is it countries? What use is that information to someone?
Well, information is valuable. It can be used and added to other data sets and sold, or it can be manipulated or destroyed in order to have an impact on a company or on a network. At best it's criminals. It's often foreign-sourced sophisticated malware that we're seeing. We don't spend too much of our time trying to track down who did that, because, in fact, we want to use our time and our technology protecting networks and systems.
Yeah, and would some of it be what would be called industrial espionage, I guess, getting these secrets of Kiwi businesses?
Yes, it could be industrial espionage. It could be IP theft. It could be just having an in to important sovereign communications or discussions by government agencies, policies, positions governments might take, positions companies might take. If you can imagine yourself being able to get into someone's computer, imagine what you could reveal to yourself about what they were planning.
Sure, and, I guess, in terms of adversaries, one thing that is said is that a lot of these attacks come from China and, indeed, from the Chinese military or the Chinese government. Is that what you're finding?
Well, again, I say we don't spend our energy looking at— attribution is really difficult. It is apparently a very technical and difficult thing to work out where did that come from, who's doing it and why are they doing it? We spend our energy on defence.
In terms of getting to the broader issues of the GCSB, mass surveillance versus mass collection is something that people have often talked about. What's your take on it? Is it just playing with words to say mass surveillance and mass collection are different?
Well, mass surveillance – we don't use that term, because nobody has the same view about what it means. It gives an image of collection without purpose, collection without control, collection just for the hell of it, and we certainly don't do that. So it's not a concept that we use.
Can you guarantee, though, that in this sweeping up of information or whatever that Kiwis have not been accidentally spied on or snooped on unwillingly?
Well, using words like 'spy' and 'snoop' are other words that we don't use either. But the process for collection of information— for cyber defence purposes, are you talking?
That is used for cyber defence purposes, so it is used to defend networks.
So, say, for instance, my personal information could somehow get taken up and used for cyber-defence purposes?
Let's say that you are in communication with a company that has deployed a Cortex service that is protecting its network. The way it does that is by identifying fingerprints or signatures of malware in the internet traffic, and so your internet traffic, if it is infected by malware, will have the fingerprint associated with it, and we will be able to, usually by a mechanised means, either identify that and tell the company or block it.
And at that point, my personal information that is in that email or what have you, can the GCSB see that? What does it do with it? How is my privacy protected at that point?
In the first instance, most steps are taken in a mechanised way so the system itself can identify the malware, identify the fingerprint and either block or defend— block or identify. Our assessment or our experience tells us that in about 0.005 percent of instances of data does the machinery throw up a question that can't be answered by the system itself, and so an analyst will have to look at it in order to see what is this malware, is it new, is it something we haven't identified yet? So in a very limited 0.005 percent, our experience to date tells us of data an analyst might have to look at a particular piece of internet traffic.
What does the analyst do if there's a personal email there?
Well, the analyst is looking at it not for its content but for what the email and the traffic tells us about the fingerprint or the adverse attack that is occurring. So that's what they do with it.
But the analyst can see the content if they want to?
And they ignore it, effectively? Is that the protection of privacy there?
Well, there are many controls that are in place to make sure that what is done with that information is what is entitled to be done or allowed to be done, which is about cyber defence in our example. The particular analyst that needs to look at it needs to record why they are doing something with it and what is happening with it, how it is being stored and what they found out when they looked at it. And all of that is auditable and reviewable by our systems, by the Inspector General. I've got great confidence in my people that they use that information for the purpose for which we've got it, which is to build up a good picture of cyber defence.
Is a warrant needed in the first place?
Yeah, there are two things, sort of a double-gated approach to the Cortex capabilities. First of all, there is a warrant, and it goes through the same process as set out in the legislation, by the Minister and the Commissioner of Security Warrants proving the capability. And the second gate is that the company that receives the service consents to that, and there are a number of preconditions that that company must meet, such as undertaking basic cyber-hygiene but, importantly, to your point, advising people that come into contact with that network, that their communications may be screened for cyber defence purposes.
Is there still a sort of way there that I'm sending an email and it's seen by someone at the GCSB without my knowledge?
Well, you will know in advance that your communications will be screened for cyber defence purposes if this is a Cortex product we're talking about, so you'll already know that in your engagement with whatever the company or agency is. And the reason that the analyst has to look at that communication is because it has an advanced form of malware attached to it.
They're not interested in your personal communication, I can assure you.
Yeah, but I would be told, would I, by the company that they've now put Cortex on?
You'll be told that your communications will be screened or may be screened for cyber defence purposes.
Right. How do you get told that?
In terms and conditions of use, for example.
Transcript provided by Able. www.able.co.nz