Crowdsourcing Project Cortex

6:00 Oct 5, 2015 43

Acting Head of the Government Communication Security Bureau Una Jagose was interviewed by Patrick Gower for this week’s episode of TV3’s The Nation. Much of the Bureau’s work was off limits in the interview (including any discussion of the GCSB’s involvement in any “full-take” capability as part of the US-led Five Eyes network), but Jagose was interviewed at length about Cortex, the Government’s cybersecurity programme.

The existence of Cortex was announced during the heat of the election, after Glenn Greenwald’s Snowden disclosures about Project Speargun. Keith Ng considered the release a smokescreen:

Instead, what Key has done is release a bunch of documents about a programme called CORTEX. This was a plan to provide malware detection and disruption services to companies and ISPs.

CORTEX has nothing to do with SPEARGUN

The Nation contacted Nicky Hager, who gave his view that cybersecurity was about 10% of the GCSBs work. We don’t know the extent to which Speargun happened. Maybe what we think has happened, has happened, but has a completely different name.

I can’t solve that here. But we do now have a little more information about Cortex, which apparently aims to protect the government and major corporations from cyber attacks.

According to Jagose, one of the requirements for an agency to receive Cortex protection is that it must advise “people that come into contact with that network, that their communications may be screened for cyber defence purposes”. She continued:

you will know in advance that your communications will be screened for cyber defence purposes if this is a Cortex product we're talking about, so you'll already know that in your engagement with whatever the company or agency is.

...

Gower: Yeah, but I would be told, would I, by the company that they've now put Cortex on?

You'll be told that your communications will be screened or may be screened for cyber defence purposes.

Right. How do you get told that?

In terms and conditions of use, for example.

On the extended Sunday panel, Bryce Edwards and Jessica Williams were somewhat scathing of this, noting that almost no-one reads the terms and conditions.

But to know whether an agency is protected by Cortex, we don’t need everyone to read the Terms and Conditions, or Privacy Policies of every organisation they’re in contact with, we really just need one person to read them. And that could even be a different person for each one.

Which is Where You Can Help.

I can’t do them all, but I have looked at a few Government departments and major companies to see, based on the advice of Ms Jagose, which agencies have such protection (and the risk that our contact with them will be screened by the GCSB as part of project Cortex (if I might be screened under some other programme, I doubt they’re going to tell us).

I have looked, where applicable, at the terms and conditions, and the privacy statements, and the contact pages and contact forms of a number of agencies and can confirm that, if Ms Jagose was correct when she said that those in contact with agencies protected by Cortex would be informed in advance of the possibility that their contact with those agencies may be screened for cyber defence purposes, then:

The Department of Prime Minister and Cabinet is NOT protected by Cortex (their privacy policy records that when you voluntarily provide them personal information they will only use that information to communicate with you, and will keep any such information secure and will not disclose it to any third parties.)

The Ministry of Defence is NOT protected by Cortex (according to their privacy policy information you provide them is only used to communicate with you, and they keep any such information secure and will not disclose it to any third parties).
The GCSB is NOT protected by Cortex (there is no mention of monitoring in either the privacy section, or on the contact page).
The National Cyber Security Centre is NOT protected by Cortex (no mention of monitoring in either the privacy section, or on the contact page).
The New Zealand Security and Intelligence Service may be protected by Cortex (its privacy policy records that it may communicate information in the interest of security, but there is no mention of monitoring, suggesting they may not be protected either).
The Ministry of Foreign Affairs and Trade is NOT protected by Cortex (no mention of monitoring in either the privacy section, or on the contact page)
Transpower is not protected by Cortex (there is no mention of monitoring in their terms and conditions, nor on their contacts page).
Fonterra is NOT protected by Cortex (their terms of use only allow them to provide personal information to “permitted third party service providers as identified in this Privacy Policy”, and the GCSB is not identified).
ANZ is NOT protected by Cortex (their privacy policy allows your emails to be monitored by for security issues, but only by ANZ employees)
BNZ is NOT protected by Cortex (the privacy section in their terms and conditions, notes that BNZ can monitor your accounts and other information, but makes no mention of others)

Kiwibank may be protected by Cortex (again, not as clear as it should be, but their terms and conditions say they can release your information if it will assist in the investigation, detection and/or prevention of fraud, money laundering or other criminal offences, and they lack the terms used by eg ANZ and BNZ about how such use is limited to bank employees. Of course, with no specific mention of monitoring or cyber defence, so they may not be protected either.

None of the agencies I looked at have information in their terms and conditions, or privacy statements that would provide the clarity that the Head of the GCSB states will be provided by those agencies that are benefitting from the protection against cyber attack that the GCSB's Protect Cortex is supposed to provide. But I’ve far from looked at everyone, so maybe there is some agency out there that clearly describes that contact with it will be screened for the purposes of cyber defence. I’m guessing that no-one provides the level of clarity, as minimal as it was, that Una Jagose described as a "precondition" for cyber protection by the GCSB.

It's unfortunate that this sort of information can't be to hand during an interview, but the big story from Patrick Gower's interview may be even that no-one meets the preconditions for cyber-protection by the GCSB and it isn't actually protecting anyone. Or, of course, that the promised openness, even when limited solely to the GCSB's cyber security function, is another smokescreen.

But maybe you can find a statement about monitoring for cyber defence that's as clear as they're supposed to be, so please feel free to look them up and link to them in the comments. If everyone who reads this does one or two, we'll know the reach of Cortex in almost no time at all :-)

UPDATE: two lists of the state sector organisations in NZ; first from the State Services Commission, and second from the govt.nz portal. And the wikipedia list of companies in the NZX50 index of New Zealand's largest listed companies.

Thanks to Alex in the comments for kicking us off. Information provided voluntarily to the Courts (such as via email) is kept secure, and is not disclosed to any third parties.

Keep them coming!

UPDATE 2: Found some: the NZDF, the Army, Navy and Air Force, Cadet Forces and Veterans Affairs!

43 responses to this post

First ←Older Page 1 2 Newer→ Last

Graeme Edgeler, 06:33 Oct 5, 2015

You'd have thunk, for a blog post I specifically asked for comments in, that I'd remember to turn comments on.

Wellington, New Zealand • Since Nov 2006 • 3215 posts Report
Alex Coleman, 08:45 Oct 5, 2015

Not the Courts
https://www.courtsofnz.govt.nz/utilities/privacy

Wellington • Since Nov 2006 • 247 posts Report
linger, in reply to Graeme Edgeler, 08:53 Oct 5, 2015

thunk = the sound your brain makes when you try to make it do anything in the wee small hours. (Hence also references to Cortext protection; Protect Cortext.)
More seriously – now look out for these organisations to hurriedly update their terms and conditions…

Tokyo • Since Apr 2007 • 1944 posts Report
Ian Dalziel, 09:02 Oct 5, 2015

Hmmm Cortex, a few thoughts….
Cortex sounds similar to Gore-Tex©
- blocks transit of hard water in, yet allows vapour out…
okay, maybe a stretch….
(and we all know John Key swears by PTFEs as well as PPPs.
PTFE expands to Polytetrafluoroethylene – which makes Key’s favourite compound – itself an anagram of ‘ no left’ – spooky!!)
and here’s hoping it’s not impacting the ‘core business’ of Auckland-based web application developers – er, Cortex…
Anatomically a cortex is just an outer layer – so it’s much like the other ‘thin skinned’ responses from this government, then.
Jagose’s ‘jargon’, referring to ‘Cortex products’ tries to reinforce Key’s earlier assertions that Cortex is just a ‘Norton’s Anti Virus’ kinda thang…
They may have our backs, (and back-ups), but who has theirs?
I note the National Party – despite all its high flying corporate connections, only has a privacy policy and doesn’t mention ‘monitoring for public good’ in any way.
National respects your privacy.
We endeavour to take all reasonable steps to keep secure any information that you submit to this website. Information you submit may be used for site customisation.
By becoming a web user, subscribing to email newsletters, submitting comments, or contacting us via the site, you agree to receive emails from the National Party or its elected representatives. You can opt out of email newsletters by using the unsubscribe link at the bottom of each email.

Christchurch • Since Dec 2006 • 7953 posts Report
Graeme Edgeler, in reply to linger, 09:10 Oct 5, 2015

(Hence also references to Cortext protection; Protect Cortext.)
I typed that pretty much every time, and did correct a lot of them, but it was after midnight, and I had to get up at 5:00am!

Wellington, New Zealand • Since Nov 2006 • 3215 posts Report
izogi, in reply to Ian Dalziel, 09:17 Oct 5, 2015

Cortex sounds similar to Gore-Tex©
- blocks transit of hard water in, yet allows vapour out…
Gore-Tex© also doesn’t work anywhere near as effectively as it’s marketed in typical New Zealand conditions, for what it’s worth. It’s mostly marketed and sold here because NZ just latches onto global demand trends, and it’s easier not to specialise. You can draw what metaphors from that as you will.

Wellington • Since Jan 2007 • 1142 posts Report
Bill Eaton, 09:50 Oct 5, 2015

IRD T&C and Privacy Policy seem quite clear and I could not see anything like this. T&C cover:
www.ird.govt.nz
www.kiwisaver.govt.nz
www.whatstax.govt.nz

Auckland • Since Sep 2014 • 15 posts Report
Bill Eaton, 10:02 Oct 5, 2015

Orcon (ISP) have wonderfully vague T&C including this labile (sic) one:
13.6 We may appoint subcontractors to discharge any of our obligations under our Terms and Conditions
provided that we will at all times remain primarily labile to you for those subcontractors’ acts and omissions.
As a matter of fact, Orcon does virus screening for emails and their wide-ranging definition of network "abuse" by customers would imply a wide-ranging monitoring ability to detect and trace that.

Auckland • Since Sep 2014 • 15 posts Report
Graeme Edgeler, 10:05 Oct 5, 2015

Found one!
While the Ministry of Defence has not met the preconditions for protection by Cortex, the New Zealand Defence Force has something. It doesn’t mention monitoring for cyber defence in particular, but I guess we can’t be too picky:
The New Zealand Defence Force systems to which this web site connects and related equipment may be subject to monitoring.
As have the New Zealand Army:
The New Zealand Defence Force systems to which this web site connects and related equipment may be subject to monitoring.
The Royal New Zealand Navy:
The Royal New Zealand Navy systems to which this web site connects and related equipment may be subject to monitoring.
And the Royal New Zealand Air Force:
The New Zealand Defence Force systems to which this web site connects and related equipment may be subject to monitoring.
Along with both the Cadet Forces and Veterans Affairs.

Wellington, New Zealand • Since Nov 2006 • 3215 posts Report
Alfie, 10:26 Oct 5, 2015

Vodafone possibly uses Cortex – section 3 of their Privacy policy.
3. Sharing your information
There may be times when we need to disclose your personal information to third parties (some of which may be based outside of New Zealand). If we do this, we will only disclose your information to:
Much of this section contains some pretty broad strokes and Cortex could almost be covered by the general “suppliers” clause.
3.2 those who provide to us or our group companies products or services that support the services that we provide, such as our dealers and suppliers;
But 3.9 is probably the relevant section.
3.9 anyone who assists us in protecting the operation of the Vodafone networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities;
Do I win a kewpie doll or something?

Dunedin • Since May 2014 • 1440 posts Report
Graeme Edgeler, 10:30 Oct 5, 2015

Find one, and then Google does your work for you!
Two further possible Cortex-protectees:
The Charities Service!
And
The New Zealand Debt Management Office!
Similar language appears in the Privacy Statement on the website of The Maori Land Court which says "The Ministry of Justice systems to which this web site connects and related equipment may be subject to monitoring." However, the Ministry of Justice website states, however, that the monitoring done is Google Analytics.

Wellington, New Zealand • Since Nov 2006 • 3215 posts Report
Graeme Edgeler, 10:52 Oct 5, 2015

And more:
there is language sufficient to fulfil the precondition about disclosure of monitoring at the National Infrastructure Unit within treasury, but not Treasury itself.
And the Energy Safety unit within Worksafe NZ says "WorkSafe New Zealand systems to which this website connects and related equipment may be subject to monitoring." However, Worksafe NZ, disagrees, carrying no language capable of fulfilling the disclosure pre-condition, as does the Ministry of Business, Innovation and Employment of which both are a part.

Wellington, New Zealand • Since Nov 2006 • 3215 posts Report
Idiot Savant, 12:08 Oct 5, 2015

AgResearch is a no (note: I did not have written permission for that link; Public Address may wish to delete it to avoid packs of rabid AgResearch lawyers trying to enforce the world's most stupid website TOU)
Landcare is a no.
NIWA is a no (also here)
Plant & Food is a no.
GNS doesn't even appear to have a privacy statement.
Scion is a no.
Callaghan Innovation is a no.
So much for "research institutions".

Palmerston North • Since Nov 2006 • 1717 posts Report
steve black, 13:38 Oct 5, 2015

If I take a strict reading of what we are supposed to be told in the terms and conditions:
You’ll be told that your communications will be screened or may be screened for cyber defence purposes.
and compare that to the phrasing we've seen so far
may be subject to monitoring.
then the sites found so far are failing to say what use the monitoring is for. What happened to the "for cyber defence purposes" guys?

sunny mt albert • Since Jan 2007 • 116 posts Report
Graeme Edgeler, in reply to steve black, 13:58 Oct 5, 2015

compare that to the phrasing we’ve seen so far
may be subject to monitoring.
then the sites found so far are failing to say what use the monitoring is for. What happened to the “for cyber defence purposes” guys?
They are indeed. I wonder if there is any agency that is as explicit as Ms Jagose implied they need to be as a precondition to receiving cyber protection services from the GCSB as part of Cortex? My guess, is probably not.

Wellington, New Zealand • Since Nov 2006 • 3215 posts Report
Mark Robinson, 14:30 Oct 5, 2015

The Aotearoa People's Network which provides free WiFi through Public Libraries has required acceptance of conditions including "monitoring" for years.

NZ • Since Nov 2013 • 2 posts Report
Alex Coleman, in reply to Graeme Edgeler, 18:05 Oct 5, 2015

My guess, is probably not.
I'm wondering if Paddy Gower is following this. 'You told me this, but Oh Noes', is pretty much his brand.

Wellington • Since Nov 2006 • 247 posts Report
Frank Macskasy, 19:28 Oct 5, 2015

There's this reference in Spark NZ (The Telco Formerly Known As Telecom)'s T&C;
"The Operator and Spark Digital reserve the right to disclose end user information that it believes, in good faith, is appropriate or necessary to take precautions against liability; to protect the Operator and Spark Digital and others from fraudulent, abusive, predatory, or unlawful uses or activity; to investigate and defend against any third party claims or allegations; TO ASSIST GOVERNMENT ENFORCEMENT AGENCIES; or to protect the security or integrity of the Platform."
Also more I've written on the subject (which may or may not be useful - especially the bit about the National Cyber Policy Office (NCPO) and something called "Connect Smart".
http://thedailyblog.co.nz/2015/10/04/the-mendacity-of-ms-una-jagose-spymaster

Te Whanganui-a-Tara • Since Oct 2015 • 3 posts Report
Mark Foster, 20:34 Oct 5, 2015

Almost all of these generic 'you may be monitored' clauses (including the ones from NZDF and such) may simply refer to internal monitoring capabilities from within their security departments. The presence of a generic statement is not a tie to the GCSB.
I suspect those related to agencies who routinely handle classified material may be in another class, but consider that for the ISP's and Telco's etc - many of them have internal IA capabilities who may need to monitor their services (and be disclaimed as such) to be effective. Or have I missed something?

Auckland • Since Oct 2015 • 4 posts Report
BenWilson, 20:37 Oct 5, 2015

Um...presumably you're all joking? Because:
In terms and conditions of use, for example.
is not the same is "In the terms and conditions of use, period". You can't infer the absence of Cortex from absence of the terms and conditions saying so. That's even if you're going to hold someone's casual statement in an interview as some kind of binding contract. Someone in the job of professional spying...just the kind of person I'd be trusting to tell the truth, the whole truth and nothing but the truth, right? And even then, she carefully caveated it with "for example". If you weren't told in the terms and conditions, but instead some other completely unspecified way, how could you ever prove it had never happened? And whose head would it be on anyway?
By all means attempt to find the reach of Cortex by examining terms and conditions. I think you will discover nothing. Some will tell you you're being spied on. Others will not tell you, but do it anyway. Others won't be doing it, even though they might claim to be. How could you ever know the truth of the matter? Can we even claim that our definitions of the terms are sufficiently tight that there even is a truth to the matter?
But this is a meme, right? I'm spoiling the gag...sorry..as you were.

Auckland • Since Nov 2006 • 10657 posts Report
Graeme Edgeler, in reply to BenWilson, 21:31 Oct 5, 2015

Um…presumably you’re all joking? Because:
In terms and conditions of use, for example.
According to Jagose's speech, an organisation obtaining the capability must consent to receiving it – and ... advise those who interact with their computer systems (staff, customers) that their communications may be accessed for cyber security purposes...
Now, I am a person who has interacted with DPMC computer systems, I have sent emails to the DPMC, and I have used the content submission forms on the DPMC website. If they have informed me that my interactions with their systems may be accessed for cyber security services, I have missed it. If they are going to do this, there aren't many options: it could be in their terms and conditions; it could be in their privacy policy, it could be a note on the page of the form you fill in to submit a query, but it has to be somewhere. And it's in none of those places.
If such advice isn't somewhere where I, as a person who has interacted with their computer systems, can see it, I have having difficulty seeing how they can have met the pre-condition for access to Cortex. They are required to advise those who may interact with their computer systems that their communications may be accessed for cyber security purposes.
Now, with some organisations, there is a lack of clarity because the terms may be silent, and maybe they've got Cortex, and just haven't said. But many of the agencies I've looked at aren't in that position. For example, with the DPMC, we're not just dealing with silence. The DPMC have a privacy policy in which they state that they do not disclose personal information voluntarily provided to them with any third parties. Use of Cortex in the way described by Jagose in her interview with Patrick Gower on The Nation is inconsistent with that.
Now, is it possible that either Jagose was misleading us, or the DPMC is misleading us in its privacy statement? Of course. How would I know? But whether this blog post is pointing out the absurdity of Cortex not protecting the DPMC, or if it is pointing out that the DPMC etc. are lying by providing a privacy statement which forswears use of Cortex, or if it is pointing out that Jagose is wrong when she described the pre-conditions of the use of Cortex, I'm pretty happy with it, because those seem to be the only options.
You're right that I'm not going to be able to use this process to know which one of those three options is correct, but that one of them is true is noteworthy enough.

Wellington, New Zealand • Since Nov 2006 • 3215 posts Report
Frank Macskasy, in reply to BenWilson, 21:58 Oct 5, 2015

Ben, what's your alternative solution?

Te Whanganui-a-Tara • Since Oct 2015 • 3 posts Report
Sacha, 22:43 Oct 5, 2015

Interesting question. Welcome Frank.

Ak • Since May 2008 • 19745 posts Report
Frank Macskasy, 23:01 Oct 5, 2015

Thanks, Sacha.

Te Whanganui-a-Tara • Since Oct 2015 • 3 posts Report
Bill Eaton, 23:02 Oct 5, 2015

Well, it has been interesting looking. Who knew there is a website called protectivesecurity.govt.nz ? There is a search box there that does not know about "cortex". There is a 562 page Information Security Manual there. All quite "open" really if probably outdated already. You are in a maze of twisty little passages...

Auckland • Since Sep 2014 • 15 posts Report