GOVIS 2023 Digital Resilience
Friday 16 June 2023
Museum of New Zealand Te Papa Tongarewa, Wellington
What did we hear at the conference?
Our conference theme was all about how to build digital public sector resilience in a global period of change and uncertainty. In just the last three years this country has faced many challenges - including major floods exacerbated by climate change, high inflation, a pandemic, reduced social cohesion, geopolitical tensions, supply chain issues, and cyber attacks. What do these challenges mean for working in the cloud, for designing digital services, and for protecting data? What can we do to foster institutional and personal resilience, so we can deliver for Aotearoa New Zealand? What opportunities and challenges are posed by generative AI, as it becomes immensely more capable and accessible than before?
Here is a quick summary of what we heard:
National resilience. Our strategic environment is no longer benign; rather, it is becoming increasingly competitive, with actors constantly trying to secure access to digital systems. We heard from Michael Jagusch at NZ's National Cyber Security Centre (NCSC) about how they deal with about 350 incidents every year - of which about a third are state-sponsored, and a quarter are due to organised crime. However, despite the scale and sophistication of these attacks, virtually all of them can be prevented if organisations adopt unique/strong/long passwords and carefully manage administrative access to systems. We should be looking to the NCSC's highly accessible Cyber Security Framework - this contains tangible security objectives that go far beyond the direct responsibility of a cyber security team, for example having good documentation and processes around your organisational information and data. Nationally significant New Zealand organisations can also make use of the NCSC's Malware Free Networks service.
Institutional resilience. In order for our public institutions to be resilient and adaptable, they need to have the right internal capability and a flat org chart, and to unapologetically prioritise the needs of customers. This is what we heard from Damon Rees - the recent head of Service New South Wales. Service NSW and its 114 service centres (plus mobile centres) were able to support customers through floods, droughts, bush fires, a mouse plague and COVID-19 by prioritising them over everything else. This customer focus became a powerful cultural lever that over about 10 years enabled digital transformation efforts, the ability to get ahead of chronic 'failure demand', and better collaboration with partner organisations.
Personal resilience. We heard from both senior managers and regular public servants about how achieving personal resilience and wellbeing can be a huge challenge. While increased levels of working from home bring more freedom and flexibility, they can also contribute to loneliness & isolation, impact teams' ability to plan and collaborate, and create difficulties for new starters and early-career staff. Many of our jobs have been very stressful over the last few years, and burnout & health scares are a very real threat - if this sounds like you then a proper break and/or career shift might be prudent! And look out for your colleagues as well.
Incident response. When is the best time to plan and prepare for a potential incident? Before it happens! While obvious, this advice is not always followed... so now is the time to understand your responsibilities when it comes to potential cyber incidents, privacy breaches, or natural disasters - dust off and review your incident planning (even if it is just a basic BCP) and run some exercises! We heard from Mike Chapman (Archives NZ), Simon Mason (Stats NZ) and Fiona Dally (MBIE) about how to pivot a census when confronted with #1 COVID-19 and #2 a major cyclone - even to the point of hiring helicopters, jetskis and horses to deliver and collect census forms, and making pragmatic trade-offs on data quality. We also heard about the realities of working in incident response - the need to be able to quickly resolve bureaucratic hurdles around data sharing and access (or better still - pre-empt these) and for organisations to develop a 'wider bench' of reserve capability that can step up as needed and manage the pressure on the individuals involved. Interested in being involved in incident response work? Get yourself trained in the Coordinated Incident Management System (CIMS).
Resilience and sovereignty in the cloud. With several multinational technology companies announcing their intentions to set up on-shore cloud services in New Zealand, what should we expect and what questions do we need to be asking? We heard from Phil Pennington (RNZ), Dr Te Taka Keegan (University of Waikato), Louisa Joblin (Duncan Cotterill) and Don Christie (Catalyst IT) about the need to ensure Māori sovereignty over cloud services, data & AI; what legal and governance issues are at stake; and the case for strengthening NZ's domestic cloud and AI capabilities through procurement decisions and use of open source technology.
Cyber security. We wrapped up the day with some great cyber security tips and tricks from Steve Honiss and Elf Eldridge (ZX Security). Good governance is essential for cyber security - so you can refer your senior managers to this Cyber Risk Guide from the Institute of Directors New Zealand! But it is also on us to be identifying and raising the risks that we see (rather than sweeping them under the carpet...) and making sure that they are addressed, or are accepted by a manager with the appropriate level of seniority. One category of cyber attacks is those intentionally targeted at our organisation - we can and should be preparing for these - for example by implementing these Critical Controls from the Computer Emergency Response Team (CERT) - see here for how they could help prevent a ransomware incident. However, we also need to think of a second category - opportunistic attacks. These are generally based on newly-discovered software vulnerabilities, and cannot be anticipated. Instead we need to be investing in our people and putting in place good incident response processes (e.g. by ensuring incident response plans are kept in one place and have a clear summary). Finally - don't put sensitive information in ChatGPT, because it will be used to retrain the model and could be accessed by another user!