The GCSB and the Security Intelligence Service worked with Microsoft and Amazon Web Services to boost cyber security in government agency cloud deployments during the 2021 financial year.
A report to Parliament this month said the agencies and vendors delivered baseline security templates for Azure and AWS cloud offerings to the public service.
Also this year, the GCSB completed a $440 million cryptographic products infrastructure project, which, "broadly speaking", encrypted Aotearoa New Zealand’s most important information.
The Cryptographic Products Management Infrastructure (CPMI) project was a multi year effort to replace existing infrastructure and to high grade cryptographic infrastructure for government communications classified higher than "restricted".
"We still need organisations to ensure they have the effective cyber-security governance, understand their critical systems and risks, and particularly understand their supply chains, and have a plan for how they will respond to a cyber-security incident," Andrew Hampton, the director general of the GCSB, told the intelligence and security committee mid-month.
Working in partnership with organisations to help build their cyber-resilience was a priority.
"As the Government chief security officer, my focus is on understanding the key information security threats and vulnerabilities facing the public sector," Hampton said.
It had been another high-tempo year operationally for both the community's intelligence and cyber-security missions, he reported.
"Organisations holding particularly sensitive personal or commercial information are especially at risk," Hampton said. "These days, it is also not sufficient to just ensure the cyber-security resilience of your own organisation; you also need to consider how secure your supply chain is."
A recent development in supply chain attacks had been compromising software updates as a means of establishing a presence on customer systems, he said.
Last year, the National Cyber Security Centre released guidance to organisations of national significance on managing their supply chain risks.
In 2021, the New Zealand government had publicly attributed two malicious state-sponsored cyber campaigns, one to Russia and the other to Chinese state actors, based on technical assessments by GCSB and its international partners.
Throughout the year, the bureau also provided classified briefings to members of the committee about state actors targeting key government organisations and the role of the NCSC in identifying and evicting the attackers and "helping the victim agencies restore their systems."
"International partners have publicly called out Russia for engaging in malicious cyber-activity to support the invasion of Ukraine, although this activity was not of the scale expected," Hampton said.
The intelligence community had also seen capabilities only in the possession of states previously now in the hands of criminal actors.
"We also have criminal actors often being given safe havens by states to operate," Hampton said. "I think it’s fair to say we’re increasingly focused on criminal actors, more so than we were before, even though the state sponsored threat hasn’t gone away."