Acting Head of the Government Communication Security Bureau Una Jagose was interviewed by Patrick Gower for this week’s episode of TV3’s The Nation. Much of the Bureau’s work was off limits in the interview (including any discussion of the GCSB’s involvement in any “full-take” capability as part of the US-led Five Eyes network), but Jagose was interviewed at length about Cortex, the Government’s cybersecurity programme.
The existence of Cortex was announced during the heat of the election, after Glenn Greenwald’s Snowden disclosures about Project Speargun. Keith Ng considered the release a smokescreen:
Instead, what Key has done is release a bunch of documents about a programme called CORTEX. This was a plan to provide malware detection and disruption services to companies and ISPs.
CORTEX has nothing to do with SPEARGUN
The Nation contacted Nicky Hager, who gave his view that cybersecurity was about 10% of the GCSBs work. We don’t know the extent to which Speargun happened. Maybe what we think has happened, has happened, but has a completely different name.
I can’t solve that here. But we do now have a little more information about Cortex, which apparently aims to protect the government and major corporations from cyber attacks.
According to Jagose, one of the requirements for an agency to receive Cortex protection is that it must advise “people that come into contact with that network, that their communications may be screened for cyber defence purposes”. She continued:
you will know in advance that your communications will be screened for cyber defence purposes if this is a Cortex product we're talking about, so you'll already know that in your engagement with whatever the company or agency is.
...
Gower: Yeah, but I would be told, would I, by the company that they've now put Cortex on?
You'll be told that your communications will be screened or may be screened for cyber defence purposes.
Right. How do you get told that?
In terms and conditions of use, for example.
On the extended Sunday panel, Bryce Edwards and Jessica Williams were somewhat scathing of this, noting that almost no-one reads the terms and conditions.
But to know whether an agency is protected by Cortex, we don’t need everyone to read the Terms and Conditions, or Privacy Policies of every organisation they’re in contact with, we really just need one person to read them. And that could even be a different person for each one.
Which is Where You Can Help.
I can’t do them all, but I have looked at a few Government departments and major companies to see, based on the advice of Ms Jagose, which agencies have such protection (and the risk that our contact with them will be screened by the GCSB as part of project Cortex (if I might be screened under some other programme, I doubt they’re going to tell us).
I have looked, where applicable, at the terms and conditions, and the privacy statements, and the contact pages and contact forms of a number of agencies and can confirm that, if Ms Jagose was correct when she said that those in contact with agencies protected by Cortex would be informed in advance of the possibility that their contact with those agencies may be screened for cyber defence purposes, then:
- The Department of Prime Minister and Cabinet is NOT protected by Cortex (their privacy policy records that when you voluntarily provide them personal information they will only use that information to communicate with you, and will keep any such information secure and will not disclose it to any third parties.)
- The Ministry of Defence is NOT protected by Cortex (according to their privacy policy information you provide them is only used to communicate with you, and they keep any such information secure and will not disclose it to any third parties).
- The GCSB is NOT protected by Cortex (there is no mention of monitoring in either the privacy section, or on the contact page).
- The National Cyber Security Centre is NOT protected by Cortex (no mention of monitoring in either the privacy section, or on the contact page).
- The New Zealand Security and Intelligence Service may be protected by Cortex (its privacy policy records that it may communicate information in the interest of security, but there is no mention of monitoring, suggesting they may not be protected either).
- The Ministry of Foreign Affairs and Trade is NOT protected by Cortex (no mention of monitoring in either the privacy section, or on the contact page)
- Transpower is not protected by Cortex (there is no mention of monitoring in their terms and conditions, nor on their contacts page).
- Fonterra is NOT protected by Cortex (their terms of use only allow them to provide personal information to “permitted third party service providers as identified in this Privacy Policy”, and the GCSB is not identified).
- ANZ is NOT protected by Cortex (their privacy policy allows your emails to be monitored by for security issues, but only by ANZ employees)
- BNZ is NOT protected by Cortex (the privacy section in their terms and conditions, notes that BNZ can monitor your accounts and other information, but makes no mention of others)
- Kiwibank may be protected by Cortex (again, not as clear as it should be, but their terms and conditions say they can release your information if it will assist in the investigation, detection and/or prevention of fraud, money laundering or other criminal offences, and they lack the terms used by eg ANZ and BNZ about how such use is limited to bank employees. Of course, with no specific mention of monitoring or cyber defence, so they may not be protected either.
None of the agencies I looked at have information in their terms and conditions, or privacy statements that would provide the clarity that the Head of the GCSB states will be provided by those agencies that are benefitting from the protection against cyber attack that the GCSB's Protect Cortex is supposed to provide. But I’ve far from looked at everyone, so maybe there is some agency out there that clearly describes that contact with it will be screened for the purposes of cyber defence. I’m guessing that no-one provides the level of clarity, as minimal as it was, that Una Jagose described as a "precondition" for cyber protection by the GCSB.
It's unfortunate that this sort of information can't be to hand during an interview, but the big story from Patrick Gower's interview may be even that no-one meets the preconditions for cyber-protection by the GCSB and it isn't actually protecting anyone. Or, of course, that the promised openness, even when limited solely to the GCSB's cyber security function, is another smokescreen.
But maybe you can find a statement about monitoring for cyber defence that's as clear as they're supposed to be, so please feel free to look them up and link to them in the comments. If everyone who reads this does one or two, we'll know the reach of Cortex in almost no time at all :-)
UPDATE: two lists of the state sector organisations in NZ; first from the State Services Commission, and second from the govt.nz portal. And the wikipedia list of companies in the NZX50 index of New Zealand's largest listed companies.
Thanks to Alex in the comments for kicking us off. Information provided voluntarily to the Courts (such as via email) is kept secure, and is not disclosed to any third parties.
Keep them coming!
UPDATE 2: Found some: the NZDF, the Army, Navy and Air Force, Cadet Forces and Veterans Affairs!