By Hannah Brown
As New Zealand’s allies, including neighbouring Australia, seek extra opportunities to collaborate on cyber security, New Zealand remains relatively isolated on the issue.
New Zealand’s whole-of-government approach to cyber security, led by its Cyber Security Centre, is roughly equivalent to Australia’s approach via its similar Cyber Security Centre – but Australia has recently sought and prioritised additional collaborative training opportunities for its cyber security experts that New Zealand has not.
This is relevant because collaboration is considered international best practice in cyberwar defence. In their book Cybersecurity and Cyberwar, Singer and Friedman argue that an inability to share information properly is one of the greatest threats to collectively improving cybersecurity internationally.
Cyberweapons and cyberwarfare are now considered by the FBI to be the number one threat to American national security. In New Zealand the threat level has also risen. The latter government’s new Strategic Defence Policy Statement foreshadows “compounding challenges of a scope and magnitude not previously seen in our neighbourhood.”
In 2017, Australian Foreign Minister Julie Bishop travelled to the NATO-run Cooperative Cyber Defence Centre (CCDC) in Tallinn, Estonia, to investigate the world’s biggest live cyber war simulation exercise, Locked Shields.
By contrast, Bishop’s counterpart in New Zealand, Foreign Minister Winston Peters, has not attended Locked Shields, nor sent a representative, nor made public statements on New Zealand’s cyberwar preparations (though he did contribute to the Strategic Defence Policy Statement 2018, released in July, which foreshadows a general increase in New Zealand government interest in cyber defence).
Following Bishop’s research, Australia is now increasing its involvement in the Tallinn simulation. In April the Australian government sent an official observer to the event, and a full Australian delegation is booked to participate in 2019, including a defence representative who will stay at the CCDC.
Bishop sees value in the event’s testing of experts’ practical skills. “It’s important to ensure the international community can detect and respond to cyber attacks, given recent incidents”, she says.
Research (by Skopik, Settanni and Fieldler in 2016) suggests she is right. They argue cooperation on cyber issues is worth the additional effort. “Although cooperation between international stakeholders is hampered by many obstacles, it is beneficial for all sides. Cooperating international cyber incident response teams get most benefit in terms of joint incident handling, project conducting, resource and information sharing, and (social) networking.”
This, in the context of the US and the UK issuing an unprecedented memo in April warning of an escalating use of cyberweaponry between major powers, in particular Russia.
In contrast to Australia, New Zealand’s cyber security collaborations appear to be fewer, and less hands-on.
At the Commonwealth Heads of Government Meeting (CHOGM) in April, New Zealand’s Prime Minister Jacinda Ardern signed the Commonwealth Cyber Declaration along with the leaders of all commonwealth nations – but it is a forum for cooperation and capacity-building, not a collaborative practical exercise.
Following CHOGM, former Australian Prime Minister Malcolm Turnbull pursued and signed a “deeper operational alliance” on cyber security with the UK, followed by a French operational collaboration – the first to be signed by a Five Eyes member outside the Five Eyes intelligence-sharing partnership between New Zealand, the UK, Australia, the US, and Canada.
Is New Zealand’s government making similar arrangements? If they are, they are covert.
Meanwhile New Zealand remains the only Five Eyes partner never to have signed the Budapest Convention on Cybercrime, a treaty that seeks to develop international cooperation on cyber law and information-sharing. The 2017 government briefing to the incoming Minister responsible for cyber security policy recommended that the convention be signed to enable greater collaboration with European Cybercrime Centre and the cybercrime division within the FBI – but this has not yet been done.
The only known regular training collaboration New Zealand undertakes with international security partners is Cyber Flag, an annual five eyes training session held in the US. Air Commodore Kevin McEvoy, the Acting Commander Joint Forces New Zealand, says “An effective cyber response is a team response. We need to partner with allied nations to defend our respective networks, so building good relationships through training is important.”
This raises the question of why New Zealand doesn’t do more of it. After all geographic distance is no distance at all in cyberspace.
Hannah Brown is a postgraduate student in Politics and International Relations at the University of Auckland.