Hard News by Russell Brown

The Infrastructure Spooks

This story on IDGNet this week - noting threats of a new wave of cyberterrorism from a British-based cohort of Osama Bin laden - prompted me to contact the Centre for Critical Infrastructure Protection (CCIP), a unit established last year (before the September 11 attacks) within the Government Communications Security Bureau (GCSB).

The rationale for the CCIP is laid out in this December 2000 report, which surveys the risk to New Zealand's infrastructure - financial systems, telecommunications, power networks - from attacks directed at IT systems. It has eight staff, including some who a rostered onto a 24-hour watch. I talked to Mike Spring, who is director of information systems security at the GCSB and hence director of the CCIP. The interview was for my column in the Listener, but by the time I'd added some other research I only had room for a couple of paragraphs from it - so here's the full whack.

The CCIP was of course announced in August last year, before terrorism became the identified threat it is now. What effect has the more hazardous international enviromment that developed subsequently had on its work?

Nothing that's happened since September the 11th has changed our mandates and objectives. We're still doing the same type of things we were set up to do.

You were anticipating politically-driven attacks as a possibility at the time of establishment?

It was a possibility. If you go back and read the original 8th of December paper, it gives a bit of an outline as to the sort of things that can happen. Attacks could come from anywhere - disaffected groups, political groups - or there could be national attacks. Cyberwarfare - one state using the Internet to attack another.

So what are you doing that private advisory services out there aren't doing already?

We're not really trying to do what the privately-owned services are doing. Things like CERT and commercial companies that are providing CERT-type services, we're encouraging government departments to sign up for one of those and get their warnings. There are probably 10 to 15 alerts that come in every day and we're not turning those around - we're looking for the more serious stuff, targeted against the infrastructure itself.

How do you go about looking for that stuff?

We don't. We're pretty much reliant on the infrastructure owners, departments on so on letting us know they're under attack.

How often do threats like the one reported in Computerworld US last week come through?

You can almost pick up any paper and find word of new attacks, so they're fairly persistent. They come and they go and I guess each one's got to be looked at on its merits.

I do wonder whether at this stage these [terrorist] groups do have any more competence than your average spotty hacker. Teenagers have done some serious things with denial of service attacks, haven't they?

Yes. And even then there are levels. With your script kiddies you can go onto the Internet and get into hacker sites and download tools and with not much more knowledge than it takes to turn the computer on, you can become a jacker. There's that level, then there are some very sophisticated ones - I guess it's the distributed denial of service attack that's one of the biggest threats at the moment.

We've seen those - and they generally didn't last longer than 24 hours and western civilisation didn't come tumbling down, did it?

No it didn't - which says a fair bit for the resilience of the Net.

There are still activist, Islamic sites that appear to offer information on network attacks - do you go looking for those?

We don't monitor those websites. We're using our intelligence channels to get that information. We're also looking at some of the better sites that are monitoring the network to see what's happening.

Do you know whether there have been any suspect sites identified in New Zealand?

No. I couldn't answer that.

How well protected are New Zealand organisations against this kinds of threat? It's about professional competence as much as anything else, isn't it?

Yes it is. One of the things we're leaning towards pretty heavily is education to infrastructure owners and departments. Your security is your issue. You've got to get your systems tight. You've got to luck them down so that you're not vulnerable to attack. I think in general terms, New Zealand's doing pretty well. Sure there are vulnerabilities out there, New Zealand websites get defaced from time to time. And mainly the problem is that they haven't applied their patches. It's known vulnerabilities that are being implemented.

When it comes to DoS attacks, I presume you approach those at the carrier level. Do you talk to the big telecommunications carriers?

Yes we do.

What kind of discussions do you have?

I guess one of the things that we are pretty careful on is not divulging information that we pass between each other, because for us to be successful they've got to have confidence that any information they give us will be protected. So we're talking to them pretty constantly, they're on our mailing lists and I guess we try and get to see them at least every couple of months.


For further reading, check out Islamic Terror Sites on the Web.