But whether this blog post is pointing out the absurdity of Cortex not protecting the DPMC, or if it is pointing out that the DPMC etc. are lying by providing a privacy statement which forswears use of Cortex, or if it is pointing out that Jagose is wrong when she described the pre-conditions of the use of Cortex, I’m pretty happy with it, because those seem to be the only options.
There are other possibilities. DPMC haven't got around to it. There is a disclaimer that says:
Although the information on this web site has been prepared with care and in good faith, this site is an information service only, and no guarantee is given that the information is complete, accurate or up to date, or that it can be relied upon for any particular purpose.
That's not where the handwashing of any responsibility for anything ends in that disclaimer, either.
Or, they may have assessed the risk to their site as minimal and pretty much don't feel the need to protect it. It's not a totally absurd proposition. There are certain basic protections that don't even really need to have any kind of written permission, and which technically protect against cyber attack by collecting information.
But yes, all of the others are possible. In short, we don't really know anything. They don't have to tell us, so they won't tell us, and assurances that it's all for our own good are to be expected, and not to be trusted, unless you're a trusting soul.
Ben, what’s your alternative solution?
What’s the problem, exactly? Finding out exactly how far Cortex reaches? I don’t have a solution. If it’s further than what seems right to people on the inside, I’d expect we’d find out via a whistleblower. But who knows what kind of people would want to work there. I mean:
There is thorough vetting before people can work for or with us: aside from comprehensive psychological tests, people agree to reviews of their financial background, what they do in their spare time, personal relationships, online habits, any other habits … it is a very intrusive process. Our people have very high levels of integrity and loyalty. They share a real sense of the burden and the privilege of the material they work with, and the importance of what they do, day to day.
is hardly the kind of process that breeds whistleblowers. They’re self-selected as the kind of people who already think it’s OK for the organization to go right through their own personal lives, and they buy into the whole “threat to the nation” schtick. Why would they give a shit about my privacy? There is always the fallback that they had some kind of “fingerprint” that meant they had to have a look. As if the Ombudsman is going to be able to go over that and refute it on a case by case basis. Who even knows what is normal practice for panty sniffing spooks? Only they do.
TBH, I doubt that they do actually sniff panties. More likely they block cyber attacks. It's dull work that needs to be talked up, both in importance and difficulty. Keeping the details secret is a pretty awesome way of doing that.
There’s other possibilities. DPMC haven’t got around to it. There is a disclaimer that says:
The alerting of those who are in contact with your computer systems to the possibility of cyber defence monitoring is supposedly a pre-condition to use of Cortex by an agency. If DPMC haven't got around to alerting users yet, then my same three options apply:
they aren't protected by Cortex
they have misled someone in order to be protected by Cortex
contra claims by Jagose, advice is not necessary to be involved in Cortex
I'll note that I'm not talking about protecting the website. I'm mostly talking about email. The way that the system was described, it was anti-malware protection, because, e.g., malware can be a security risk. I suppose it is possible that DPMC has protection from malware excluding that which might come via attachments to emails, but that seems a pretty big hole, and is not far removed from the first of my options.
Protection from malware could also cover submissions to websites, e.g. infected Office documents or PDFs. So one could plausibly claim that a website is protected by Cortex if user-generated content is filtered in some way.
I think Ben is right and there are no keys under this lamp post. Now, I don't plan on reading the entire NZISM but it looks perfectly genuine. That, and Cortex, seem likely to serve NZ cyber security as touted.
The task of developing and documenting security policy is significant in itself. Far larger is the worthy effort to implement, maintain, monitor and audit all of that. I can't tell you how much is done by GCSB staff but there must be some number working on it. Quite a few honest workers but nothing nefarious to see here, move along please.
Anyway, it is often supposed that any dragnet surveillance is outsourced offshore. Most Kiwi traffic of interest goes offshore and not much is lost by playing nice locally. Only a small minority of insiders (possibly not GCSB) need have access to, or knowledge of, the dark side.
Which leads to two sets of staff - a bit like the two sets of books of Enron, Lehman et al. The innocents can readily be wheeled out to courtrooms, inquiries, whatever and swear solemnly. I might even believe that Una Jagose is one of them.
I think Ben is right and there are no keys under this lamp post.
I am not really trying to find out what Cortex does with this blog post. I'm mostly trying to hold (to the extent a blog post and some tweets can) the GCSB and others to account for the things they say.
They have said that Cortex will not monitor my emails unless I am told in some way that particular emails may be subject to that monitoring.
If this claim is true, I want to see that advice.
I think you can be fairly certain that if you send an email to mil.nz or govt.nz that your email is going to pass through several different checks - the usual antispam and antivirus checks and perhaps also some keyword checks for various things that are legitimate to their need to protect themselves and the data that sits within their walled gardens.
A very brief review of the Gower interview sees Cortex described like any reasonably intelligent IDS/IPS system. So why wouldn't agencies employ one of these if it happens to be looked after by the people charged by the govt, to protect critical infrastructure?
I would ask if you know much about how IDS/IPS systems work. By design you can see everything. In practice it's putting 'everything' through filters that will pick out behaviours known to be suspicious and flag these for attention. The vast majority of the stuff that is technically seen (and so has to be disclaimed that way) will never have human eyes cast upon it. I fear paranoia does us a disservice.
I fear paranoia does us a disservice.
I don't particularly care that an email I have sent the DPMC might be monitored by the GCSB computers systems, or even seen by GCSB employees.
My point is that they have said we would be told if something like this was happening, and they have yet to tell us. If Una Jagose hadn't given a speech and an interview in which she said we would be told about monitoring for cyber defence purposes, I wouldn't be here talking about this.
If the Government wants the benefit of being able to claim openness in some aspect of the surveillance state, the very least they can do is be as open as they have said they will be.
If one wants to focus on the letter of what was said by Una Jagose, then fine (and I'll be looking forward to seeing what comes out of all of this). But I wanted to flag that many of the items ripped out of website terms-of-use etc. from various agencies will be generic references to IDS/IPS type behaviours that are likely already in place, and likely also have nothing to do with Cortex, so assumptions should not be made.
But I wanted to flag that many of the items ripped out of website terms-of-use etc from various agencies, will be generic references to IDS/IPS type behaviors that are likely already-in-place, and likely also have nothing to do with Cortex, so assumptions should not be made.
Oh yes. Operating on the assumption that both Una Jagose and the writers of terms and conditions on Government websites are telling the truth, we can only rule out agencies; we can't rule them in.
I have tried to be careful when reporting my findings (premised, as they are, on participants meaning what they say), and have been saying that while some organisations can be ruled out as being protected by Cortex, based on their public advice, those who are ruled in are only possibly protected by Cortex.
I don’t plan on reading the entire NZISM but it looks perfectly genuine.
NZISM, unless it's changed significantly from the last time I looked at it, is the set of rules that apply to the establishment and operation of computer systems within government vis-à-vis information security. Things like "you shall not connect computers that access classified information to networks that handle information of a lower level of classification, unless there is a one-way traffic device to prevent leakage from the higher level to the lower level" (paraphrased).
It's not some secret set of instructions about doing spooky stuff, it's a public-record document that tells public-sector IT managers the rules. It's quite boring, to be quite blunt, and certainly not at all revelatory about "sources and methods" or otherwise illuminating about getting hooked up to this Cortex system.
Agreed. My thought was that it pointed to quite a lot of non-spooky stuff to do.
My thought was that it pointed to quite a lot of non-spooky stuff to do.
Yeah, it does, but Cortex doesn't really fit into the NZISM framework because NZISM is aimed at all the things that happen to bits that are not on the public intertubes. Once it's out in the wild NZISM only applies inasmuch as it sets rules on what can be sent through public networks, and what encryption is required.
Maybe the advice that communications may be monitored by Cortex only applies to certain situations?
For example, presumably an initial inbound email will receive a very high level of scrutiny but, once communication is established, checking is relaxed. For companies ‘protected’ by Cortex, the coverage might apply to communication after the initial contact, when traditionally the ‘guard is down’. In that case, the advice might appear in the footer of the first reply email.
That might be why you can’t see it on a quick google. It would also be a good way to slightly obfuscate which agencies are protected.