07 May, 2013

Open Letter to John Key re Security Bills


With the changes to the GCSB Act and the wiretapping bill you are missing the boat. Firstly, these are not urgent matters; they should go through the democratic process and go out for public submissions at the Select Committee stage.

You are also mixing up spying on NZers and their privacy with cyber security. Opinion in the NZ IT Security community is that the NCSC isn't working and that we need a CERT like every other country. in2security have made this point in Initiative 9, p51 of their "New Zealand Information Security Workforce Development Strategy". If you, as head of NZ security, had engaged at NZ's preeminent security conference Kiwicon or one of the monthly Info Sec Interest Group meetings, you would know that the community feels the NCSC isn't working. A CERT is a trusted, independent civil organisation model/framework that is working well elsewhere in the world and would be a good base to work from. A proper CERT is what is wanted by the community.

Maybe you would get more help from the Security Community if your Justice Minister didn't say "The ministry and I do not deal with hackers and we do not deal with burglars." If you want to engage with security researchers you need to talk to them, not flat out say that you won't talk to them.

With the wiretapping, can you explain how it is going to work? These days things like HTTPS mean that the communication is heavily encrypted between the client and its destination and cannot be intercepted along the way, and HTTPS has ways of informing the user if a Man in the Middle attack is taking place. Most servers will belong to overseas organisations and not reside in NZ, thus you don't have jurisdiction to compel the company to decrypt the information for you. So I fail to see what this will gain and what benefit it will give you. Also, more and more calls are using VoIP services like Skype and others which are encrypted user to user, and even Skype can't decrypt a conversation for you. So again, in this day and age, what is this wiretapping actually going to do other than make it easy to get the low hanging fruit who already slip up in many other ways?

These changes are large and, under urgency, I don't feel they will get the scrutiny that they need without public submissions to the select committee and oversight from the Privacy Commissioner. It will also give you time to start a meaningful dialogue with the NZ IT Security community and help give us the tools that we need to do our job, rather than wasting money on things like the NCSC which don't meet our needs.