To understand Project Cortex, look to Einstein

If New Zealand spy agency GCSB wants to be more transparent, it should forget media charm offensives and take a lesson from the US Department of Homeland Security.
Written by Rob O'Neill, Contributor

The head of New Zealand's Government Communications Security Bureau, Una Jagose, is working hard to repair trust in the agency, giving a series of media interviews about its obscure Project Cortex cyber defence programme.

Inevitably, however, there is much she cannot or will not say. To some, that's perfectly fine -- you can't give too much detail on such systems without potentially compromising their effectiveness.

To others, she is simply not coming clean, hedging around providing details that would reveal more about New Zealand's contribution to the Five Eyes spy alliance and New Zealand's involvement in and use of mass surveillance locally and abroad.

Jagose's media blitz comes after revelations that GCSB illegally spied on 85 people, including Megaupload founder Kim Dotcom, tarnished trust in the organisation.

Material leaked by former NSA contractor Edward Snowden also provided embarrassing detail on New Zealand's role in spying on its Pacific and Asian neighbours, even in the seemingly trivial cause of getting trade minister Tim Groser a job with the World Trade Organisation.

While some are busy fact-checking Jagose's public statements -- and finding them wanting -- looking further afield may help the curious and concerned, and those who suspect Cortex is a Trojan horse for mass surveillance, get under Cortex's skin. In particular, they should have a good look at the US Department of Homeland Security's National Cybersecurity Protection System (NCPS), also known as "Einstein".

Einstein is a platform DHS has developed to defend the US federal civilian government's information technology infrastructure against advanced cyber threats.

It was developed in three phases, so far. Tellingly, the third phase is being extended beyond the government perimeter.

Jagose has said Cortex could be extended to cover internet service providers and that is exactly what appears to be happening with Einstein.

"DHS will not only be able to detect malicious traffic targeting Federal Government networks, but also prevent malicious traffic from harming those networks. This is accomplished through delivering intrusion prevention capabilities as a managed security service provided by internet service providers," DHS says.

"Under the direction of DHS, ISPs will administer intrusion prevention and threat-based decision-making on network traffic entering and leaving participating federal civilian Executive Branch agency networks."

The similarities between Einstein and Cortex, at least Cortex as described by Jagose, are such that you might suspect they are the same system. Not so, says GCSB -- at least not mainly.

"The technology has been developed by GCSB using its own resources with input from the private sector and overseas partners," the agency told ZDNet. "We have drawn information from many sources -- private sector and other -- but we do not comment on the specifics of our capabilities."

It's pretty clear there is extensive information and technology sharing going on, including the sharing of threat signatures, between the Five Eyes partners.

But why is GCSB being so coy about Cortex?

Take a look at the detail DHS has released about Einstein, including this public privacy impact assessment [PDF], and you have to conclude that Jagose and her agency are not being anywhere near transparent enough.

Apparently there is an assessment on the way and it will be public. That document has been subject to Official Information requests and has been a long time coming.

Where DHS shares detailed information about the structure of Einstein, its capabilities, what is collected, how it is managed and how personal information is handled and minimised during analysis, New Zealanders to date have had to be satisfied with assurances that systems are in place and the people using them are trustworthy.

"There are many controls that are in place to make sure that what is done with that information is what is entitled to be done or allowed to be done, which is about cyber defence in our example. The particular analyst that needs to look at it needs to record why they are doing something with it and what is happening with it, how it is being stored and what they found out when they looked at it.

"And all of that is auditable and reviewable by our systems, by the Inspector General. I've got great confidence in my people that they use that information for the purpose for which we've got it, which is to build up a good picture of cyber defence."

If your email is being viewed it's because it has malware attached: "They're not interested in your personal communication, I can assure you."

Jagose is also careful to make clear these remarks are limited to the context of cyber defence, not GCSB's broader surveillance role within the Five Eyes.

The fact is, we would probably still be in the dark about Project Cortex if it wasn't for Edward Snowden. The programme was revealed by Prime Minister John Key to counter the election-season threat posed by the Moment of Truth event, into which Snowden beamed to talk about New Zealand's role in mass surveillance.

Cortex, we were told, replaced plans for a mass surveillance system called Project Speargun.

Journalist Glenn Greenwald said at the time he found it amazing that Key had decided to suddenly declassify information about the cancellation of Speargun and the implementation of Cortex.

The government didn't have the right to classify such information in the first place unless it would seriously harm public safety, he said. Key was releasing it to defend his reputation and for political gain.

In that case it was a highly effective strategy. But Greenwald's point remains: Why was even the existence of Project Cortex classified in the first place?

How could Einstein be so public for so long when Cortex was and remains largely under wraps? The answer, sadly, is that the New Zealand Government and GCSB have been secretive by default.

Jagose has acknowledged GCSB has been slow to embrace transparency and is trying to change that, but the PR efforts to date are not enough.

The US DHS has shown how matters of disclosure should be handled, with the result that Einstein is largely uncontroversial. After a series of hacks on US government agencies, the argument is about whether Einstein is working, not whether it should exist.
