Hon Andrew Little
Minister for the Public Service
Minister Responsible for the GCSB
Hon Ginny Andersen
Minister for the Digital Economy and Communications
A lead operational agency will be established to strengthen cyber security readiness and response as well as make it easier for people and organisations to get help, Minister for the Public Service Andrew Little says.
“The cyber security threats New Zealand faces are growing in scale and sophistication. We’re committed to staying ahead of the hackers, to protect communities, businesses and our public services.
“That’s why we’re acting on the recommendation of the Cyber Security Advisory Committee to bring New Zealand’s Computer Emergency Response Team (CERT NZ) into the National Cyber Security Centre (NCSC).
“Having a single agency to provide authoritative advice and respond to incidents across every threat level is international best practice, and will ensure New Zealand is well placed to take advantage of the opportunities in the digital economy and provide secure government services to our citizens,” Andrew Little said.
“Since 2018 this government has invested $94 million in improved cyber security capability. We’ve delivered world-leading protection products, such as Malware Free Networks to protect internet service providers and private networks, and we’ve rolled out baseline security templates that make it easier for organisations to take advantage of innovative cloud services while better protecting their information,” Minister for the Digital Economy Ginny Andersen said.
“But we know there’s more to do. $5.8 million of direct financial losses from cyber incidents were reported to CERT NZ in the first quarter of the year. The NCSC prevented $33 million of harm to our economy over the whole of last year. We know the true scale of harm to our economy is underreported.
“Creating a dedicated new lead operational agency ensures New Zealand is best positioned to fight back against the hackers we know cause real harm to individuals and to our economy,” Ginny Andersen said.
Operational integration of CERT NZ into the NCSC will begin on 31 August and will phased over several years. All current services will be maintained in the interim.
- A single point of entry for cyber security incident response was recommended by the independent Cyber Security Advisory Committee (CSAC) set-up in December 2021 to review New Zealand’s resilience to cyber threats. The CSAC’s report is attached.
- The lead operational cyber security agency will include the advice and response functions now provided to the public and businesses by CERT NZ, and the support provided to nationally significant organisations by the NCSC.
- A process is in place to transfer CERT NZ’s staff, responsibilities and funding to the NCSC. This is currently planned for 31 August 2023. The integrated agency will look at how it can better use its increased span and scale to develop an improved operation model to take effect in 2024.
- CERT NZ was established in 2017 as a public-facing cyber security agency for government, to support a broad range of businesses, organisations and individuals who are or may be affected by cyber security incidents. CERT NZ provides information and advice, collates a profile of the threat landscape in New Zealand and offers incident response support to those that need it. See www.cert.govt.nz for more information.
- The NCSC is part of the GCSB and provides a range of cyber security services which include preventative advice, threat detection and disruption services to nationally significant organisations, protection of classified information, and support to regulatory decisions over a range of sectors. The NCSC hosts the Government Chief Information Security Officer function. The NCSC responds to high-impact cyber incidents at a national level. See www.ncsc.govt.nz for more information.