The world of cyber security is fast-moving and complex. The more our personal, work and business lives are conducted online, the more opportunities are created for cyber attacks. Boosting New Zealand’s cyber resilience requires a collaborative, multi-pronged approach and CERT NZ is one of a number of agencies that make up New Zealand’s cyber security ecosystem.
CERT NZ works in partnership with the following government agencies and organisations to respond to cyber security threats in New Zealand.
Department of Internal Affairs (DIA)
DIA investigates complaints about spam in New Zealand, and is responsible for enforcing the Unsolicited Electronic Messages Act 2007. The Act:
- sets requirements that encourage good marketing practices
- prohibits sending unsolicited messages of a commercial nature (‘spam’)
- sets out the requirements for commercial electronic messages that businesses must meet
- prohibits the use of software to harvest email addresses and create address lists for sending spam
- works as a deterrent against the use of spam.
CERT NZ refers any reports of spam directly to the Electronic Messaging Compliance Unit at DIA. The unit investigates and takes action against any organisation, business or individual who breaches the Act. DIA also:
- promotes education and awareness of the Act
- provides information to businesses on how to comply with the legislation
- tracks emerging technologies and spam threats
- reports on, and provides warnings about, current scams in NZ
- works with international agencies to tackle spam.
DIA’s Censorship Compliance Unit (CCU) team investigates and prosecutes offences against the Films, Videos, and Publications Classification Act 1993. The Act makes it an offence to possess or trade in objectionable publications. CCU’s focus is on material depicting the sexual abuse or exploitation of children.
CERT NZ redirects reports of objectionable material online directly to the CCU team for investigation.
National Cyber Policy Office (NCPO)
NCPO leads the development of cyber security policy advice for the New Zealand government.
In partnership with the private sector and government agencies, NCPO provides advice on the strategic direction for addressing cyber security. They’re responsible for providing advice on investment in cyber security initiatives, including CERT NZ.
NCPO also has a coordinating role. They make sure that the operational and policy agencies responsible for cyber security initiatives work together to respond to issues, and ensure that these agencies focus their activities on the government’s desired outcomes. They oversee the development, implementation and review of New Zealand’s Cyber Security Strategy 2019, and assess the progress of the Strategy’s Action Plan.
NCPO works closely with the Ministry of Foreign Affairs and Trade (MFAT) to lead engagement on cyber security policy internationally.
NCPO is part of the Department of the Prime Minister and Cabinet.
New Zealand National Cyber Security Centre (NCSC)
NCSC’s role is to protect New Zealand’s most significant organisations from cyber security threats. They focus on providing specialist information security advice and support to these organisations, which include:
- government departments
- key economic generators
- niche exporters
- research institutions, and
- operators of critical national infrastructure.
NCSC helps these organisations protect their networks from the type of threats that are typically beyond the capability of commercially available tools. They also help protect them from any threats that could impact the effective functioning of government administration or key economic sectors.
NCSC works in close cooperation with other agencies to protect New Zealand from advanced cyber threats. While CERT NZ has a primary responsibility for cyber threat reporting, and a coordination role in threat response, NCSC takes the lead in the response to significant cyber events — particularly those which may impact on national security, and our nationally significant systems and information.
NCSC is part of the Government Communications Security Bureau (GCSB). The functions of the NCSC and the GCSB form part of New Zealand’s Cyber Security Strategy 2019.
Netsafe
Netsafe is an independent, non-profit New Zealand organisation focused on online safety. They’re committed to helping everyone in New Zealand take advantage of digital opportunities by providing education and support to manage and resolve online safety challenges.
To achieve this, Netsafe:
- operates a free and confidential helpline that’s available seven days a week. People of all ages can use it to report online issues and get help
- provides education, guidance and incident management advice to individuals, schools, community organisations and businesses
- collaborates with government, non-government and industry, both locally and internationally.
Netsafe also investigates complaints of online bullying, abuse and harassment under the Harmful Digital Communications Act 2015. The Act provides quick and efficient ways for people to get help if they’re experiencing serious or repeated harmful digital communications. This includes:
- sending or publishing threatening or offensive material
- spreading damaging rumours
- sending or publishing sensitive personal information such as embarrassing photos and videos
- any other form of harassment online.
Netsafe can provide advice on what to do, and may contact the person responsible for the harassment to get them to stop. If Netsafe can’t resolve an issue, the District Court may be able to help.
Complaints made to CERT NZ about online abuse or harassment are redirected to Netsafe for investigation. Netsafe may also refer any relevant reports to other organisations for further investigation.
New Zealand Police
New Zealand Police works to prevent, investigate and prosecute crime within our communities. This includes crimes that are enabled by technology, like:
- money laundering
- serious harmful digital communications, and
- online child exploitation.
The Cybercrime Unit within Police focuses specifically on ‘cybercrime’, which includes:
- account compromises
- computer system attacks, and
- criminal networks online.
CERT NZ takes reports of these types of cybercrimes. In cases where a criminal offence has been committed, CERT NZ will — with the consent of the individual — pass the details of the report to the Police Cybercrime Unit for assessment. Where appropriate, Police will investigate a report and take action against an offender when an offence has been identified.
Police also has a separate team working to protect children from online child abuse, known as the Online Child Exploitation Across New Zealand (OCEANZ) team. CERT NZ redirects reports of online child abuse directly to the OCEANZ team for assessment and, where appropriate, further investigation.