Come on, government, what's the real reason you want to hire an undisclosed number of people to sit at PCs monitoring undisclosed websites and looking for undisclosed threats? And don't give me that old chestnut about the cyber-war between the US and China. I read the e-zines. It didn't happen. It was a beat-up on a slow news day. Didn't you hear Jenny when she said "we" make things up?
And why stuff this cyber-threat monitoring agency inside the GCSB? In the US the equivalent, the NIPC, is part of the FBI. While some folk do consider the FBI to be an intelligence-gathering unit, its role is primarily that of law enforcement. In the UK its equivalent organisation, the NISCC, has a member of MI5 on its board but the unit itself is not part of any spy agency.
No, as far as I can tell, the real reason for putting the Centre for Critical Infrastructure Protection (CCIP) in the GCSB is to give the GCSB the capability to monitor not only radio waves and the like but also communications in cyberspace. That's right, rather than have GCSB pay for its own monitoring gear, we'll use "in the public's best interest" as a way of buying some new PCs and hiring some staff. (And, better late than never, GCSB will for the first time have its own law governing what it can and can't do.) Do we really need the government providing this kind of information for us?
Auckland-based security firm Co-Logic is one of many to offer an email notification service that warns us all of new viruses or security problems. You can even get the information sent to a cellphone if you need instant warning about any new threat. Why not simply subscribe to as many of those services as you can? Why not keep an eye on the NIPC page for good measure? Hell, IDG has an email notification service for viruses and security patches and the like - just add your name to that list. We find out pretty early on in the piece, either from on-shore sources or from our offshore colleagues.
I can see the need to protect our infrastructure from such threats. I can see the need for some kind of agency to coordinate this kind of activity, even though nearly all the infrastructure components the reports talk about are in the hands of the private sector.
In the lead-up to Y2K we had a very capable team at the Readiness Commission working on ways to avoid the problem, offering advice for businesses and individuals alike, and I know this kind of operation can produce good results.
The cabinet briefing paper on the CCIP says a number of departments were considered as home to the CCIP, including the Prime Minister's office, ministry of civil defence and emergency management, the police, the defence force and the state services commission. GCSB was chosen in part because "the CCIP function is closely aligned to the GCSB's information systems security role", whatever that is.
For me the crunch point came when I rang Trevor Mallard's office. Mallard is the minister in charge of state services and this falls in his domain. Oh no, said his press secretary, we won't be discussing the unit any further because it's part of GCSB and that's very hush-hush. I'm sorry? You won't talk about an agency charged with keeping the public informed of cyber-threats because it's part of a super-secret spy agency? Does that make sense to anyone out there?