UNCLASSIFIED (PREVIOUSLY SECRET//NZEO)
Cabinet Committee on
State Sector Reform and
Expenditure Control
Minute of Decision
This document contains information for the New Zealand Cabinet. It must be treated in confidence and handled in accordance with any security classification, or other endorsement. The information can only be released, including under the Official Information Act 1982, by persons with the appropriate authority.
Creating an Effective National Cyber Security Centre
Portfolio: Minister Responsible for the GCSB
On 3 April 2012, the Cabinet Committee on State Sector Reform and Expenditure Control:
Background
1 noted that in December 2010, the Cabinet Committee on Domestic and External Security Co-ordination:
1.1 noted that establishing a National Cyber Security Centre (NCSC) to address advanced and persistent cyber intrusions is a priority cyber security action;
1.2 agreed to establish phase one of the NCSC within the Government Communications Security Bureau (GCSB);
[DES Min (10) 4/1]
2 noted that the threat facing New Zealand is more comprehensive than previously estimated;
3 noted that the threat faces public and private sectors equally;
4 noted that the NCSC as currently resourced does not adequately address the risk that New Zealand as a whole faces, posing ongoing economic and security risk;
5 noted the need to extend the scope of the NCSC to a wider range of public, critical national infrastructure providers and organisations of national significance;
6 noted that cyber security is best addressed through reducing the vulnerability that allows attacks to occur and defeating threats as they occur;
7 noted that the threat requires an enhanced approach;
8 noted that the proposed approach comprises a set of inter-dependencies which together provide a significant enhanced cyber security capability;
9 noted that a government-industry partnership is required to address the problem;
SEC Min (12) 4/4
Copy No:
10 noted that the full capability would provide enhanced protection to government and industry and would provide some protection to most New Zealanders against advanced cyber attacks;
11 noted the two options:
11.1 Option 1: extends NCSC protection to the core public sector, critical national infrastructure and organisations of national significance, provides an automated investigation capability and an "effects" defence option;
11.2 Option 2: includes Option 1 above, and the development of a Detailed Business Case, the high-speed detection and defence capabilities to protect government and industry and potentially extends a degree of protection to all New Zealanders to be developed in consultation with unD and the National Cyber Policy Office (NCPO);
12 noted that the implementation of Option 2 is preferred, but requires significant scoping and consultation in order to identify the full range of risks and dependencies for the government;
Implementation
13 agreed to extend the scope of the NCSC to cover central government, critical national
infrastructure operators and specified organisations of national significance;
14 agreed to proceed with Option 1 in paragraph 11.1 above;
15 directed the GCSB to develop a Detailed Business Case for implementation of Option 2 in
2013;
16 directed the NCPO to work with the GCSB and other agencies on any wider cyber security policy issues related to Option 2 in paragraph 11.2 above;
Resource
17 noted that on 28 March 2012, Budget Ministers agreed to the following additional appropriations for Vote: Communications Security and Intelligence, subject to confirmation by Cabinet:
Vote Communications Security and Intelligence
$m - increase/(decrease); columns: 2012/13, 2013/14, 2014/15, 2015/16 & outyears
Intelligence and Security Department Expenses and Capital Expenditure: Communications Security and Intelligence (funded by revenue Crown)
Net Asset Schedule of the Government Communications and Security Bureau: Capital Investment
18 agreed that the staff required for NCSC Phase 1 be met from the wider Public Service staffing cap;
19 noted that on 28 March 2012, Budget Ministers agreed that Option 2 in paragraph 11.2 above would be funded from a tagged contingency of $. million for capital expenditure and associated operating expenses, as set out below, subject to Cabinet approval of a Detailed Business Case:
Vote Communications Security and Intelligence
$m - increase/(decrease); columns: 2012/13, 2013/14, 2014/15, 2015/16 & outyears
Intelligence and Security Department Expenses and Capital Expenditure: Communications Security and Intelligence (funded by revenue Crown)
Net Asset Schedule of the Government Communications and Security Bureau: Capital Investment
Sam Gleisner
Committee Secretary
Present:
Rt Hon John Key
Hon Bill English (Chair)
Hon Judith Collins
Hon Tony Ryall
Hon David Carter
Hon Paula Bennett
Hon Craig Foss
Hon John Banks
Distribution:
Cabinet Committee on State Sector Reform and Expenditure Control
Office of the Prime Minister
Chief Executive, DPMC
Director, PAG
PAG Subject Advisor, DPMC
Simon MacPherson, PAG, DPMC
Director, SRG, DPMC
Director, ICG, DPMC
Director, NZSIS
Director, GCSB
Secretary to the Treasury
Richard Forgan, Treasury
Chief Executive, MED
Brook Barrington, Justice
State Services Commissioner
Peter Brown, SSC
Secretary of Defence
Chief of Defence Force
Chief Executive, MED (Communications and IT)
Secretary for Internal Affairs
Controller and Auditor-General
Officials present from:
Office of the Prime Minister
Officials Committee for SEC
Government Communications Security Bureau
Reference: SEC (12) 12
Cabinet
This document contains information for the New Zealand Cabinet. It must be treated in confidence and handled in accordance with any security classification, or other endorsement. The information can only be released, including under the Official Information Act 1982, by persons with the appropriate authority.
Minute of Decision
Additional Item: Vote Communications Security and Intelligence:
Contingency Item
Portfolio: GCSB
On 2 September 2013, Cabinet:
1 noted that in 2012 the Cabinet Committee on State Sector Reform and Expenditure Control (SEC) considered options to enhance New Zealand's cyber security and directed the GCSB to develop a detailed business case for implementation of Option 2 in 2013 [SEC Min (12) 4/1];
2 rescinded the decision referred to in paragraph 1 above on the development of a detailed business case for Option 2;
3 noted that in April 2012, as part of the 2012 Budget package, Cabinet agreed to operating and capital contingencies for this initiative (referred to as Initiative 7418) in Vote Communications Security and Intelligence [CAB Min (12) 13/3(4)];
4 noted that in April 2013, as part of the 2013 Budget package, Cabinet agreed that the operating and capital contingencies for Initiative 7418 in Vote Communications Security and Intelligence be rolled forward to a new expiry date of 30 June 2014 [CAB Min (13) 12/6(3)];
5 noted that it is now proposed that the operating and capital contingencies set aside for Initiative 7418 will no longer be used for this purpose;
6 noted that the Minister Responsible for the GCSB will shortly be writing to the Minister of Finance with an alternative proposal for the use of the contingency funding set aside for Initiative 7418.
CAB Min (13) 30/25
Copy No:
Secretary of the Cabinet
Distribution:
Prime Minister
Chief Executive, DPMC
Director, PAG, DPMC
Director, ICG, DPMC
Manager, NCPO, DPMC
Director, GCSB
Director, NZSIS
Minister of Finance
Secretary to the Treasury
Cabinet
This document contains information for the New Zealand Cabinet. It must be treated in confidence and handled in accordance with any security classification, or other endorsement. The information can only be released, including under the Official Information Act 1982, by persons with the appropriate authority.
Minute of Decision
Project CORTEX Business Case
Portfolio: Government Communications Security Bureau (GCSB)
On 28 July 2014, Cabinet:
Background
1 noted that countering advanced cyber threats is a government priority, as set out in the New Zealand Cyber Security Strategy (2011);
2 noted that in March 2012, the Cabinet Committee on State Sector Reform and Expenditure Control noted that Budget Ministers had agreed to set aside a tagged contingency of $. million over five years, including $. million for capital expenditure, to counter advanced cyber threats [SEC Min (12) 4/1];
3 noted that in December 2013, the Minister Responsible for the GCSB wrote to the Minister of Finance with a proposal for use of the tagged contingency referred to above, and that it was agreed that the Government Communications Security Bureau (GCSB) would prepare a business case for the proposal (project CORTEX), in accordance with Treasury guidelines;
4 noted that in May and June 2014, the business case was reviewed by Joint Ministers comprising the Minister Responsible for the GCSB, the Minister of Finance, the Minister for Economic Development, the Minister for Communications and Information Technology, the Minister of Foreign Affairs, the Minister of Defence, and the Attorney-General;
Implementation
5 noted that project CORTEX:
5.1 is consistent with and will contribute significantly to the overall objective of countering advanced cyber intrusions;
5.2 will operate under the provisions of the amended Government Communications Security Bureau Act 2013 (the GCSB Act) and warrants and access authorisations approved by the Minister Responsible for the GCSB and the Commissioner for Security Warrants;
5.3 will in all cases operate with the consent of the participating organisations;
CAB Min (14) 25/9
Copy No:
6 agreed that the preferred option for the implementation of project CORTEX is Option 3 ('Active') as set out in the paper under CAB (14) 409;
7 directed the GCSB to implement the preferred option;
Resource
8 noted that the capital expenditure requirements to deliver the capabilities under Option 3 have been estimated as $^ million¹;
9 noted that the incremental operating expenditure required to operate the capabilities in-service has been estimated as $^ million over 5 years, with $^ million outyear operating costs from 2017/18;
10 noted that $.. million capital and $^ million operating expenditure can be met from GCSB baselines;
11 agreed to increase expenditure to provide for costs associated with the proposal in paragraph 6 above, with a corresponding impact on the operating balance and debt:
Vote Communications Security and Intelligence, Minister Responsible for the GCSB
$m - increase/(decrease); columns: 2013/14, 2014/15, 2015/16, 2016/17, 2017/18 & outyears
Operating impact
Debt impact
Totals
12 approved the following changes to appropriations and net assets to give effect to the proposal in paragraph 6 above:
Vote Communications Security and Intelligence, Minister Responsible for the GCSB
$m - increase/(decrease); columns: 2013/14, 2014/15, 2015/16, 2016/17, 2017/18 & outyears
Intelligence and Security Department Expenses and Capital Expenditure: Communications Security and Intelligence (funded by revenue Crown)
13 agreed that the operating balance and debt impacts in paragraph 11 above of expenses and capital expenditure incurred under paragraph 12 above be charged against the Initiative 7418 tagged contingency established in March 2012, referred to in paragraph 2 above;
14 agreed that the changes to appropriations for 2014/15 above be included in the 2014/15 Supplementary Estimates and that, in the interim, the increases be met from Imprest Supply;
15 noted that it is anticipated that in future years beyond 2017/18, the GCSB will require Crown appropriations, limited by the value of depreciation funds returned from GCSB to the Crown, to replace and maintain project assets beyond 2017/18;
¹ This figure does not include any contingency funding for the project.
Contingency
16 agreed that the expiry date of the Initiative 7418 tagged contingency be extended to 31 January 2016;
17 agreed that the balance ($^ million) required to fund Option 4 (Proactive) remain in the Initiative 7418 tagged contingency pending the outcome of the report back referred to in paragraph 19.2 below;
Reporting
18 directed the GCSB to:
18.1 consult the Minister for Communications and Information Technology on the proposal in Option 4 (as set out in the paper attached to CAB (14) 409), to involve an Internet Service Provider (ISP) in the project;
18.2 report to the Minister Responsible for the GCSB and the Minister for Communications and Information Technology on the implications of including an ISP in the project as proposed in Option 4;
19 directed the GCSB to report to Cabinet (through the relevant Cabinet committee) by September 2015 on the:
19.1 progress of project CORTEX;
19.2 subject to Ministers' consideration of the report referred to in paragraph 18.2 above, with an option to expand the scope of the project from Option 3 (Active) to Option 4 (Proactive).
Secretary of the Cabinet
Distribution:
Prime Minister
Chief Executive, DPMC
Director, PAG, DPMC
Deputy Chief Executive (Intelligence and Security), DPMC
Director, National Cyber Policy Office, DPMC
Director, Intelligence Coordination Group, DPMC
Director, GCSB
Director, NZSIS
Minister of Finance
Secretary to the Treasury
Minister for Communications and Information Technology
Reference: CAB (14) 409
UNCLASSIFIED [PREVIOUSLY SECRET//NEW ZEALAND EYES ONLY]
Office of the Minister Responsible for the
Government Communications Security Bureau
Cabinet
PROJECT CORTEX BUSINESS CASE
Proposal
1. The purpose of this paper is to seek Cabinet approval for CORTEX, a Government Communications Security Bureau (GCSB) project to counter advanced cyber threats.
Executive Summary
2. GCSB proposes acquiring capabilities to protect selected entities against advanced malicious software ('malware'). The proposal is consistent with and will contribute to the objectives of the New Zealand Cyber Security Strategy (2011). The proposal takes into account the amended GCSB Act and necessary warranting procedures, and will in all cases operate with the consent of the participating entities.
3. Detail on the proposal is set out in a business case that has been considered by Joint Ministers (the Minister of Finance, the Minister for Economic Development, the Minister for Communications and Information Technology, the Minister of Foreign Affairs, the Minister of Defence, the Attorney-General and the Minister Responsible for GCSB). Joint Ministers agreed the recommendations made in the business case and provided detailed direction on safeguards to be put in place regarding the protection of information supplied to GCSB by private sector and other consenting organisations. The safeguards will be specified in the warrants and access authorisations that will govern the operation of the capabilities. All points raised by Joint Ministers during review of the business case have been addressed.
4. The business case presents four options for investment and compares their expected benefits, risks and costs. A preferred option is identified and the remaining options are ranked in descending order of preference should Cabinet wish to select an alternative option.
5. The preferred option involves . entities - . government departments and . private sector organisations of national significance - receiving one or more layers of defence against advanced malware. The layers combine detection of advanced malware with technical countermeasures that actively disrupt it. Alerts and advisories generated from the malware detection service would be issued widely across the public and private sectors - to approximately ^ organisations in total - and so have a broader national benefit.
6. The capital expenditure requirements to deliver the capabilities have been estimated as ^. Delivery would occur over . months. The incremental operating ^ costs would be met from a tagged contingency set aside for this purpose in 2012.
7. GCSB is not proposing to procure or develop bespoke systems. No material level of software development is required of GCSB or a second party. The proposal is to procure then integrate capability components already available and tested over several years
8. The malware detection and disruption services will operate in respect of foreign-sourced cyber threats that are particularly advanced in terms of technical sophistication and/or persistence. The focus will be on malware that cannot be meaningfully countered by commercial tools and which is ^
Background
9. In March 2012 Budget Ministers agreed to set aside a tagged contingency of ^ over 5 years, including ^ for capital expenditure, to counter advanced cyber threats: SEC Min (12) 4/1 refers.
10. In December 2013 the Minister Responsible for GCSB wrote to the Minister of Finance with a proposal for use of the tagged contingency. It was subsequently agreed that:
a. GCSB would prepare a business case for the proposal, in accordance with Treasury guidelines; and
b. the business case would be considered by Joint Ministers comprising the Minister of Finance, the Minister for Economic Development, the Minister for Communications and Information Technology, the Minister of Foreign Affairs, the Minister of Defence, the Attorney-General and the Minister Responsible for GCSB.
11. Joint Ministers considered the business case in May and June 2014. They agreed the recommendations made in it and provided detailed direction on safeguards to be put in place regarding the protection of information supplied to GCSB by private sector and other consenting organisations. These safeguards will be specified in warrants and access authorisations that will govern the operation of the capabilities. The warrants and access authorisations will in all cases be approved by the Minister Responsible for GCSB and the Commissioner of Security Warrants.
12. The present paper summarises the business case proposal and incorporates Ministerial feedback on it. The paper seeks approval that the preferred option set out in the business case can be taken forward.
Why investment is needed
13. The Internet is of immense economic and wider benefit to New Zealand. For New Zealand firms, it allows global access to suppliers and markets, mitigating the impact of geographic isolation. Benefits to New Zealand citizens arise in many practical ways, including in terms of the efficiency and cost of interaction with government. However there is a downside of ever-increasing use of the Internet: greater exposure to cyber-borne threats. Countering such threats is a Government priority, as set out in the New Zealand Cyber Security Strategy (2011).
14. The business case is concerned with cyber-borne threats that are foreign-sourced and particularly advanced in terms of technical sophistication and/or persistence. The harms at issue - theft of intellectual property, or damage to IT systems, for instance - are caused by malicious software ('malware') that cannot be adequately countered by commercially-available tools and that are ^. These harms are being felt in New Zealand, as overseas. Advanced malware is being directed against networks or systems owned by:
a. key economic generators. For example, over several months in 2012 the network of a large New Zealand firm was compromised in separate attacks ^
b. niche exporters including in knowledge-intensive industries;
c. major IT service providers. In this case the attacks are of particular concern because exfiltration of data could extend to customer networks; and
e. government agencies including
Short-listed options
15. The business case considers a wide range of ways in which the threat posed by advanced malware could be countered. The four short-listed options are summarised below, contrasted with the status quo - the 'Do Nothing' option. Incremental 5-year costs are stated for each option.
a. Option 0 'Do Nothing': limited visibility of the threat from advanced malware. Detection depends almost entirely on GCSB's access to networks owned by government departments
b. Option 1 'Do Minimum' (^ including ^ capital): . government agencies - . more than at present - receive a GCSB-supplied advanced malware detection service. This will allow greater visibility of the advanced malware threat and increased 'network hardening' (vulnerability reduction) as a consequence. No active disruption of advanced malware.
c. Option 2 'Modest' (^ including ^ capital): as for option 1 except that the advanced malware detection service is provided to . government agencies plus . organisations of high economic value and/or operating critical national infrastructure.
d. Option 3 'Active' (^ including ^ capital): GCSB delivers an
plus . organisations of high economic value and/or operating critical national infrastructure. In addition GCSB delivers a limited malware disruption service to . of the same . entities. This option will provide substantially greater visibility and understanding of the advanced malware threat, so improved vulnerability reduction. Because there is active disruption of advanced malware through technical countermeasures, there will be direct - before-the-fact - mitigation of harm as well.
e. Option 4 'Proactive' (^ including ^ capital): as option 3 except that, in addition, GCSB shares technology and classified information with an Internet Service Provider so that it can disrupt advanced malware for . of its customers under pilot conditions in the first instance. As in option 3, advanced malware will be 'blocked' and not just 'detected'.
Assessing the options
16. Because the main benefits at issue cannot be monetised, the short-listed options were
assessed through use of multi-criteria decision analysis (MCDA), in line with Treasury
guidance. The MCDA considered how each option compared to all other options
(including 'Do Nothing'), against pre-defined criteria relating to cost, benefit and risk.
The criteria themselves were weighted. Senior policy leads drawn from DPMC, MBIE,
NZSIS and GCSB participated in the process. An independent decision sciences
consultancy was appointed to test the robustness of the selection and evaluation of
options.
17. The key finding of the MCDA is that option 4 offers greatest value for money in terms of balancing benefit, risk and cost. The second best option is option 3 and least preferred option is Option 1. Sensitivity analysis performed on the MCDA shows that the selection of Option 4 is highly robust. However the other short-listed options, option 1 aside - which offers less value for money than even the status quo - are viable alternatives. The main trade-offs in selecting between the options are summarised in the table below. The options are contrasted with option 4.
Option 3
• A 10 per cent reduction in cost (^ over five years)
• A third of benefits would be foregone. Far fewer organisations would receive an active malware disruption service - . organisations rather than .
• A reduction in security risk relating to the unauthorised disclosure of classified tools. Option 3 does not involve GCSB sharing technology with an Internet Service Provider
Option 2
• A 44 per cent reduction in cost (^ over five years)
• 60 per cent of total weighted benefits would be sacrificed. There is a significant reduction in benefits because the number of entities receiving a malware detection service would reduce from . to . and because there would be no active disruption of advanced malware
Option 1
• Option 1 is not recommended
• It would increase visibility of the advanced threat to government agencies. However the translation into vulnerability reduction for operators of critical national infrastructure or key economic generators could be limited and the benefits would not be outweighed by the delivery risks and costs.
Proposal - the preferred option
Capabilities
18. The foundation of the preferred option is a malware detection service delivered to . consenting organisations. ^ of the . organisations will be government agencies. The other . will be drawn from a list of approximately ^ organisations of national importance developed by DPMC's National Cyber Policy Office (NCPO) and approved by ODESC on 7 June 2013. The list includes key economic generators, niche exporters, research institutions and operators of critical national infrastructure.
19. Alerts and advisories generated from the malware detection service will be distributed widely, including to all government departments and all . organisations on the NCPO list. Benefits from the investment would be realised across the public and private sectors and have a national impact.
20. The proposal includes an active disruption capability as well as malware detection. GCSB will deploy technical tools to 'block' advanced malware targeting . of the . organisations receiving the malware detection service.
21. In addition, technology will be shared with an Internet Service Provider - a provider of email, internet or network security services - so that it can disrupt advanced malware for . of its customers. This will occur under pilot conditions because of the need to test how the technology would operate in a commercial context. If the pilot is successful a proposal will be prepared for Ministerial consideration outlining the costs and benefits of wider deployment. This wider deployment would be led by industry, on a cost-recovery/profit basis, not by GCSB.
Statutory framework and policy
22. The GCSB Act has recently been amended. A key driver of these amendments was to ensure the continued lawfulness of GCSB's information assurance and cyber security activities. Those amendments have also made the processes for obtaining interception warrants and access authorisations (pursuant to which such activities must be undertaken) far more prescriptive than previously.
23. In particular, information assurance and cyber security-related warrants and authorisations cannot be issued unless both the Minister Responsible for the GCSB and the Commissioner for Security Warrants are satisfied that GCSB is capable of meeting certain statutory thresholds, including implementing "satisfactory arrangements" appropriately regulating what information is collected, how it is collected, and how it is stored and used. Further, it is the responsibility of the Inspector-General of Intelligence and Security to audit the effectiveness and appropriateness of controls in these (and other) respects.
24. This framework ensures not only that cyber security activities are always undertaken pursuant to an appropriate legal authority (i.e. a warrant or access authorisation) but that the manner in which it is undertaken is subject to externally audited controls ensuring that such activities are appropriate, including proportionate in terms of balancing privacy and security interests.
25. The CORTEX proposal is consistent with the amended GCSB Act and necessary warranting procedures, and will in all cases operate with the consent of the participating entities. The warranting procedures involve a two-step process with the overall effect that GCSB staff will have access to 'personal communications' (a term of defined by relevant warrants and access authorisations) only when it is relevant to a specific threat and when needed to confirm or mitigate it. Technology can be used to separate personal communications from other data, so that privacy issues associated with GCSB activities to be proportionate to cyber threats.
26. GCSB is subject to some of the principles governing the privacy of personal information under the Privacy Act 1993, as well as the principles governing collection, retention, use and disclosure of personal information set out in the amended GCSB Act. A Privacy Impact Assessment (PIA) has been prepared for the project. It concludes that, because of controls that will be put in place, the proposed capabilities do not give rise to any material privacy issues.
27. The controls in question - which Joint Ministers have considered when reviewing the CORTEX proposal - will be specified in relevant warrants and access authorisations. They will include attention to how data is accessed, stored, shared and disposed of. There will be no 'mass surveillance', and data will be accessed by GCSB only with the consent of owners of relevant networks or systems.
Benefits
28. The proposal is consistent with and will contribute significantly to the overall policy objective of countering advanced cyber intrusions, which is one aspect of the New Zealand Cyber Security Strategy.
29. Investment would reduce the economic and broader national security harms caused by advanced malware. Networks of high national interest would be made less vulnerable to attack, because of provision of alerts and advisories, and attempted intrusions would be blocked through technical means before harm is caused.
30. Such investment would align with the Business Growth Agenda (because protections will be afforded to key economic generators and operators of critical national infrastructure) and to Better Public Services Result Areas 9 & 10 (because advanced malware targets public networks as well as private sector ones).
31. The economic harm caused by advanced malware is significant, although hard to quantify at the macroeconomic level or even for individual organisations. It is hard to quantify because, for example, in the case of loss of intellectual property (IP) - often the most immediate target of a successful malware attack - there is no widely accepted means of valuing IP prospectively.
32. Investment is justified in financial terms even if only a small number of advanced malware attacks are frustrated each year. The direct cost of resolving an attack after the fact can be high. It requires extensive work to clearly identify the nature of the intrusion and to remove it, which can take months. It often requires taking the system off-line for the actual removal, which can result in days or weeks of system downtime. This is not acceptable in the case of key infrastructure, such as power generation systems. Replacement of entire systems may be more financially viable than cleaning them.
Financial implications
33. The business case details the cost implications of the preferred option and plans the
year-on-year funding requirements. The predicted spending profile for the preferred
option is summarised below.
[Table: $m - increase/(decrease). Columns: 2013/14; 2014/15; 2015/16; 2016/17;
2017/18 & outyears; 5-year. Rows: Estimated Operating Expenditure; Estimated Capital
Expenditure; Total; less GCSB Operating contribution; less GCSB Capital contribution;
Total. Cell values appear only as "^" in this copy.]
34. The 5-year through life cost has been estimated as ^^. The capital expenditure
requirements to deliver the capabilities have been estimated as . The
incremental operating expenditure required to operate the capabilities in-service has
been estimated as over 5-years, with ^ out-year operating costs from 2017/18.
35. The estimated costs were subjected to Quantitative Risk Analysis (QRA) by a
consultant from the State Services Commission panel of QRA providers. The QRA
indicates that ^ of the ^ capital expenditure allocated to GCSB should
be held back by the Director, GCSB as a contingency for the project. The contingency
will not be used for new items or increased scope without referral back to Joint
Ministers.
36. The table above includes GCSB baseline contributions. By re-prioritising existing
plans and resources, GCSB can meet all 2013/14 operating expenditure ( )
and ^ of total capital expenditure.
37. In the 2013/14 fiscal year GCSB moved to a single-line appropriation that includes
operating, depreciation expense and capital. This will ensure the security of GCSB
financial information going forward. Any underspend is returned to the Crown
therefore cash does not accumulate on the balance sheet for future re-investment. A
consequence is that GCSB is limited in its expenditures per fiscal year to the single-
line appropriation. A project the size of CORTEX will require incremental capital
funding on an on-going basis to ensure timely replacement of assets. Any capital
funding required beyond the five years of this business case, which is likely to equal
the value of the on-going depreciation of the original asset, will be either (1) negotiated
with Treasury or (2) presented in a separate business case and subject to Ministerial
approval.
38. The business case explains that user charging was considered as a possible option
but rejected for the short term. An immediate reason is that user charging could not
proceed without amendment to the GCSB Act.
39. Treasury has confirmed that the spending profile is within the overall tagged
contingency to which paragraph 8 refers. The tagged contingency is as follows:
[Table: $m - increase/(decrease). Columns: 2013/14; 2014/15; 2015/16; 2016/17;
2017/18 & outyears; 5-year. Rows: Operating; Capital; Total. Cell values appear only
as "^" in this copy.]
Implementation matters
Risk
40. A risk management strategy and initial risk register have been established for the
project and shared with monitoring agencies. The risk register records that key risks
exist around scarcity of specialist technical staff over the next 12 months and around
GCSB's ability to retain and recruit staff in sufficient numbers to operationalize and
then maintain the new capabilities. The mitigation strategy for these risks involves
outsourcing key recruitment tasks, improving the timeliness of vetting processes, and
the targeted use of security cleared contractors for some aspects of system
engineering and certification.
Technology
41. GCSB is not proposing to procure or develop bespoke systems. No material level of
software development is required of GCSB or a second party. The proposal is to
procure then integrate capability components already available and tested. The
hardware and software components range from widely available
commercial-off-the-shelf (COTS) systems, through to single-source COTS, to systems
only available through government-to-government agreement. All of the technology
has been in use for some time,
42. The Government Rules of Procurement have been integrated into the proposed
commercial approach. Aspects of Government Chief Information Officer's (GCIO's)
Government ICT Strategy and Action Plan, and the Government Enterprise
Architecture, have been incorporated as well.
Selection of private sector organisation
43. Sign-off for service delivery to a particular organisation will form part of the warrant and
access authorisation process - i.e. subject to approval of the Responsible Minister and
Commissioner for Security Warrants. As noted above, a condition of service delivery
will be that the organisation consents to it.
44. Senior officials will oversee the process by which candidate organisations are
identified. Three criteria will be involved in the selection process:
a. The extent to which the entity owns or operates 'an information asset of national
interest', as drawn from NCPO list;
b. Ensuring there is a broad coverage of sectors represented; and
c. Intelligence or other evidence that an organisation, or particular sector, has or is
likely to be targeted by advanced malware.
Project assurance
45. GCSB has prepared a project assurance plan for CORTEX, in line with requirements
of the GCIO. This plan has been reviewed by monitoring agencies. These agencies
will have an on-going role in reviewing progress on the project.
Schedule
46. A summary of the project plan is presented in the business case. It shows delivery
would be phased over . months, with discrete capabilities becoming operational
months after project approval.
Consultation
47. This paper and the supporting business case were prepared by GCSB in consultation
with DPMC (NCPO), MBIE and the NZ Security Intelligence Service. The State
Services Commission has been informed.
48. Treasury has reviewed this paper and the supporting business case. Project
assurance responsibilities of the GCIO have been undertaken by Treasury's Portfolio
Performance Monitoring team. Comments have been provided to GCSB and these
have been responded to satisfactorily, with changes incorporated where appropriate.
49. To confirm that the proposed capabilities would be welcomed - and consented to - by
potential beneficiaries of them, GCSB has held discussions with ^ major private
sector firms that feature on the NCPO list of organisations of national importance. All
of these firms have confirmed interest in engaging further on the proposals in the event
that funding is secured.
Human rights, disability and gender implications, regulatory impact assessment
50. The proposal involves the interception of communications and as such may engage
the right against unreasonable search and seizure affirmed by s 21 of the New
Zealand Bill of Rights Act 1990. This issue was considered in the Bill of Rights Act
analysis prepared by Crown Law at the time of the passage of the GCSB Amendment
Bill in 2013. In relation to the s 21 right, Crown Law concluded that the defined scope
and applicable safeguards for the exercise of interception powers are broadly
consistent with accepted requirements for such powers in the context of intelligence-
gathering, and are therefore consistent with the right against unreasonable search and
seizure. The interception of communications under the CORTEX proposal is entirely
within the scope of the GCSB Act as described in the Crown Law analysis. There are
therefore no human rights impacts associated with the proposal.
51. Regulatory impact analysis requirements do not apply. There are no gender or
disability implications associated with this proposal.
Legislative implications
52. There are no legislative implications associated with this proposal.
Publicity
53. No publicity is planned.
Recommendations
54. The Minister Responsible for GCSB recommends that Cabinet:
Background
a. note that countering advanced cyber threats is a Government priority, as set out
in the New Zealand Cyber Security Strategy (2011);
b. note that in March 2012 Budget Ministers agreed to set aside a tagged
contingency of ^ over five years, including ^ for capital expenditure, to
counter advanced cyber threats: SEC Min (12) 4/1 refers;
c. note that in December 2013 the Minister Responsible for GCSB wrote to the
Minister of Finance with a proposal for use of the tagged contingency and that
GCSB would prepare a business case for the proposal (project CORTEX), in
accordance with Treasury guidelines;
d. note that in May and June 2014 the business case was reviewed by Joint
Ministers comprising the Minister of Finance, the Minister for Economic
Development, the Minister for Communications and Information Technology, the
Minister of Foreign Affairs, the Minister of Defence, the Attorney-General and the
Minister Responsible for GCSB.
Implementation
e. note that CORTEX
i. is consistent with and will contribute significantly to the overall objective of
countering advanced cyber intrusions;
ii. will operate under the provisions of the amended GCSB Act and warrants
and access authorisations approved by the Minister Responsible for GCSB
and the Commissioner for Security Warrants; and
iii. will in all cases operate with the consent of the participating organisations;
f. agree the preferred option is Option 4 ('Proactive');
g. direct the Government Communications Security Bureau to implement the
preferred option;
Resource
h. note that the capital expenditure requirements to deliver the capabilities have
been estimated as ^.;
i. note that the incremental operating expenditure required to operate the
capabilities in-service has been estimated as ^ over 5-years, with
^ out-year operating costs from 2017/18;
j. note that ^ capital and ^ operating expenditure can be met from
GCSB baseline;
k. agree to increase expenditure to provide for costs associated with the decision in
recommendation (g) above, with a corresponding impact on the operating
balance and debt:
Vote Communications Security and Intelligence
Minister Responsible for the Government Communications Security Bureau
[Table: $m - increase/(decrease). Columns: 2013/14; 2014/15; 2015/16; 2016/17;
2017/18 & outyears. Rows: Operating Impact; Debt Impact; Totals. Cell values appear
only as "^" in this copy.]
l. approve the following changes to appropriations and net assets to give effect to
the decision in recommendation (g) above:
Vote Communications Security and Intelligence
Minister Responsible for the Government Communications Security Bureau
[Table: $m - increase/(decrease). Columns: 2013/14; 2014/15; 2015/16; 2016/17;
2017/18 & outyears. Row: Intelligence and Security Department Expenses and Capital
Expenditure: Communications Security and Intelligence (Funded by revenue Crown).
Cell values appear only as "^" in this copy.]
m. agree that the operating balance and debt impacts in recommendation (j) above
of expenses and capital expenditure incurred under recommendation (k) above
be charges against the Initiative 7418 tagged contingency established in SEC
Min (12) 4/1 as modified by CAB Min (13) 30125;
n. note that it is anticipated that in future years beyond 2017/18, the GCSB will
require Crown appropriations (limited by the value of depreciation funds returned
from GCSB to the Crown) to replace and maintain project assets beyond
2017/18;
Reporting
o. direct GCSB to report back to Cabinet on progress of project CORTEX by
September 2015.
Rt Hon John Key
Minister Responsible for the
Government Communications Security Bureau
I 2014