New Zealand could have its own Computer Emergency Response Team (NZCERT) to complement similar organisations in Australia and the US and deliver timely alerts of infrastructure security threats.
NZCERT is “in the policy development stage,” says Paul McKittrick, spokesman for the Centre for Critical Infrastructure Protection (CCIP).
Formation of NZCERT was discussed as part of reorganisation plans for the CCIP and the Government Communications Security Bureau, of which it forms a part. The plans were revealed by McKittrick and CCIP chief Jonathan Berry to a select audience at a security conference in Wellington late last year under a non-reporting restriction.
Approached then and subsequently, McKittrick has until now declined to talk on the record about the possibility of an NZCERT.
Such a unit would complement CERT in the US and AusCERT in Australia in providing a sharper focus for early warning of potential intrusion into private-sector and consumer computer systems, leaving other sectors of the organisation to look after government systems and critical infrastructure.
The need for an NZCERT, periodically discussed in ICT circles, was floated again this month, following hacking of a database owned by Shell – but run by an independent contractor – containing data on applicants for a fuel budget management card (Shell Card). Data relating to as many as 1,400 Shell Card applicants locally and another 4,500 in Australia were apparently illicitly accessed. New Zealand and Queensland police are investigating.
“The information obtained is equivalent to what would normally be found on business cards and cheques — including company names, address details, email addresses and some bank account details,” says Shell spokeswoman Jackie Maitland. The reason only “some” bank details were included is that some applicants had not provided those on the form, she says.
Martin Cocker, head of internet safety organisation Netsafe, suggests an NZCERT could have provided earlier warning of the vulnerability and perhaps stopped a good proportion of the damage. The equivalent US and Australian organisations “monitor traffic across the infrastructure of their country and look for specific traffic associated with attacks; so they can [take preventative measures] very early in the process,” he says.
“A New Zealand Computer Emergency Response Team could have been useful in preventing this situation, by providing prior warning of the threat,” says McKittrick. “However, the functions of an NZCERT have yet to be determined.
“This is being worked through as part of the policy development; however, the CCIP’s mandate is limited to critical infrastructure protection and it is expected that the mandate of an NZCERT would be wider than this.”