The Government Communications Security Bureau says it will not be intercepting the email or other internet activity of individuals, as part of its new role as the country's cyberspace monitor.
The bureau has been chosen to run a planned Centre for Critical Infrastructure Protection (CCIP), following a report into the need for such protection, co-ordinated by the State Services Commission’s e-government unit. GCSB spokesman Mike Spring dismisses the scenario of the CCIP snooping on a suspected hacker's activities.
“The GCSB is not a law-enforcement agency and has no power to investigate individuals.”
GCSB sees itself obtaining intelligence on cyber-attacks in ways similar to those by which it learns of other planned attacks. This will include liaison with bodies working in the area overseas, particularly in the US, where the parallel body comes under the FBI, in the UK and in Canada.
Beyond CCIP’s “watch and warn” function, it has been assigned an “investigative” role. In this part of its operation it will “dismantle” worms, viruses and the like when they arrive to gain a better idea of how they work, says Spring. But it will be the affected organisation’s responsibility to install fixes for security problems, not CCIP’s or GCSB’s, he says, though the bureau will, if requested by the organisation, investigate its vulnerability.
Government and GCSB see the centre also performing an educative function, encouraging critical infrastructure operators, government departments and the general public to take appropriate protective measures against threats, such as installing software patches. This persuasion "will be achieved by close personal contact with those organisations, particularly the infrastructure operators,” Spring says, but it won't be intrusive.
“There is nothing [in the bureau’s operation of CCIP] that is intended to detract from their right to run their own operation,” he says.
Most of the six-figure sums budgeted annually for the centre’s operations will be spent on IT equipment for intelligence gathering and analysis of the cyber-weapons used, he says. In the first year of its operation, the CCIP will be funded to the tune of $506,000 in operating provisions and $269,000 capital. The operating budget will rise to $953,000 in 2002-03 and subsequent years but no capital expenditure is included. All funding will be provided by the Crown, despite Treasury suggestions that the organisations that benefit – businesses and infrastructure operators – might contribute.
Cabinet papers reveal government agency candidates for the role included the Department of Prime Minister and Cabinet; the Ministry of Civil Defence and Emergency Management; the Police; the New Zealand Defence Force; the State Services Commission; and the GCSB.
The options were whittled down to three: a CCIP totally within the SSC, totally within the GCSB or shared between the two. Government agencies, businesses and infrastructure providers surveyed chose the government's "security people" as the favoured location for the new centre because of its specialist IT security knowledge, says the SSC's Colin Jackson, who project-managed the exercise that resulted in the CCIP's formation.
Activities of the GCSB in preventing viruses and worms from infecting critical infrastructure components will be adequately controlled by the powers of the Inspector-General of Intelligence and Security, and by the provisions of the GCSB Bill, currently before parliament, he suggests.