Monday, October 05, 2015

Did Una Jagose lie about CORTEX?

Last week, GCSB Director Una Jagose went on a PR offensive about her agency, talking up its uncontentious IT security role while refusing to talk about spying, which is by far the bulk of its work. She followed this up on the weekend with an interview on The Nation. On both occasions, she talked about Project CORTEX, the GCSB's cybersecurity surveillance operation which monitors "government departments, key economic generators, niche exporters, research institutions and operators of critical national infrastructure" against malware and intrusion. And on both occasions, she was very clear that organisations protected by CORTEX have to tell people that their communications could be screened. Here's what she said in her speech:

But, also, the organisation obtaining the capability must consent to receiving it – and agree to a number of conditions (for example, each recipient must conduct the highest level of basic cyber-hygiene, advise those who interact with their computer systems (staff, customers) that their communications may be accessed for cyber security purposes and, for the reason above, maintain confidentiality about the services it is receiving).
[Emphasis added]

And on The Nation:
Gower: Yeah, but I would be told, would I, by the company that they’ve now put Cortex on?

Jagose: You’ll be told that your communications will be screened or may be screened for cyber-defence purposes.

Gower: Right. How do you get told that?

Jagose: In terms and conditions of use, for example.

The problem? According to research by Graeme Edgeler, a whole host of government departments and key economic generators which you would think would be top of CORTEX's protection list - organisations like DPMC, the Ministry of Defence, the National Cyber Security Centre, MFAT, Fonterra, ANZ, the BNZ, and even the GCSB itself - have no such warning in their T&Cs. There are two possible conclusions: either CORTEX doesn't protect these organisations and Jagose has misled us about what it is supposed to protect, or Jagose was lying about notification. Either way, it doesn't suggest that the GCSB's new "openness" is particularly trustworthy.