Internet NZ says it regrets the Government's decision to merge two national cyber security organisations.
It says the linkage could reduce the effectiveness of one of the joined entities. Internet NZ's comments follow the Government decision to bring the Computer Emergency Response Team (CERT NZ) under control of the National Cyber Security Centre (NCSC).
It did so as hundreds of cyber attacks take place every year against large institutions and many more target small companies and individuals. The amalgamation was proposed as a way of dealing with this threat by a review of cyber security last year.
The Government says it accepts the findings of that study that combining the two entities will help it stay ahead of the danger from increasingly sophisticated hackers.
“Having a single agency to provide authoritative advice and respond to incidents across every threat level is international best practice," says the Minister for the Public Service, Andrew Little.
But Internet NZ, a not-for-profit open membership organisation and the designated manager for the . nz country code internet domain, disagrees. It says having CERT NZ under the NCSC will make it harder for it to do its job.
The organisation made this clear earlier in an open letter to Government Ministers.
That letter noted the NCSC was part of the Government Communications Security Bureau (GCSB), so the merger would bring CERT NZ under the control of a security agency, reducing trust by the public.
"The merger could mean that individuals, organisations and small businesses from certain communities will not report incidents," the letter said.
"Some communities may not feel safe to engage with a CERT NZ that is a department or function of the GCSB. There is clear evidence that Māori in particular do not trust the security intelligence functions of government.
"Whether or not mitigations are put in place, the name association alone is a large risk to Māori engagement with CERT NZ, in part because over-securitisation is a concern for minority and marginalised groups."
The letter argued that CERT NZ relies on a voluntary network of partners and allies and the merger could undermine its ability to operate in a flexible and open way.
"Due to the nature of its work, the GCSB is likely to be less able to collaborate, share information and be flexible and fast moving," it said.
"Merging a public-oriented cyber security organisation with a security service like the GCSB without sufficient consultation, transparency, and cooperation with communities, will result in public gaps in knowledge which are too easily filled with speculation, disinformation, and conspiracy theories," the letter said.
Meanwhile the question of Māori trust was not ignored by the report that the Government relied on for its decision.
That report made many references to the need to retain Māori confidence in the new, merged organisation.
"(There should be) co-design of a reimagined approach with Māori to ensure that the single front door provides services to iwi, Māori and Māori organisations that are culturally competent and responsive," it wrote.
"It also must recognise the loss of cultural capital as well as financial capital."
That last statement was a reference to the fact that Maori culture can be exposed to cyber attacks just as easily as business or industry, and the new body should be on guard against that peril.
The integration of CERT NZ into the NCSC will begin at the end of next month and will take several years.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.