It started with a Tweet from Steve Cotter, CEO of REANNZ:
Trying to do the same in NZ, but govt's TICSA legislation makes deploying SDN/NFV in backbone networks challenging http://t.co/91MUpxfOnw
— Steve Cotter (@SteveCotter) February 22, 2015
Before we go any further let’s unpack some of those acronyms and add one more:
- REANNZ – “REANNZ is the Crown-owned company that owns and operates New Zealand’s high capacity, high performance advanced network… in order to ‘establish and operate the Advanced Network in order to promote education, research and innovation for the benefit of New Zealand’.”
- TICSA – The Telecommunications Interception Capability and Security Act passed by the National Government alongside the GCSB Act in 2013. It gives the GCSB oversight and control of New Zealand’s data and voice communications networks. See our articles for more.
- SDN/NFV – Software Defined Networking and Network Functions Virtualization. Two up and coming methods of controlling complex networks, REANNZ has been doing useful work testing and developing SDN.
- NCSC – the National Cyber Security Centre – the people at the GCSB responsible for enforcing the ‘security’ part of the TICSA law.
So this is a statement by the CEO of a government owned company whose purpose is to “establish and operate the Advanced Network in order to promote education, research and innovation for the benefit of New Zealand” saying that they can’t do the research and development work they need to do because the bureaucrats in the NCSC at the GCSB are holding them back.
Apparently the NCSC were willing to help, but the law was inflexible enough that making any significant change – like you might want to do quite frequently on an experimental network – was going to require the full notification and authorisation procedure. When asked for an exemption the reply was that this would be extremely unlikely to be granted.
But wait, there’s more
Apparently Google has also been involved with research and development into SDN in New Zealand. We’ve been told by multiple sources that they were so annoyed by the TICSA’s requirements and the NCSC’s administration of them that they have closed the New Zealand section of this project and redeployed the hardware to Australia and the USA. This can only be seen as a loss to New Zealand.
This is a problem
We think it’s a real worry that companies like Google and REANNZ, who are both pushing the boundaries of network research, are giving up in New Zealand due to the constraints imposed by government legislation.
It’s exactly the sort of thing we worried about in our submission to the government about the TICS Bill:
It will introduce a layer of unnecessary bureaucracy and slow down development of services. It will lead to network operators making “safe” choices that they know will be accepted by the GCSB rather than making the best decisions.
Some people have suggested that these companies, REANNZ and Google, just needed to work harder to jump through the NCSC’s hoops. The reality is that they obviously thought that this was not worth the effort and they abandoned the work. How many other companies in New Zealand are experiencing these exact same problems and deciding to just give up… or spend their research dollars in countries with a friendlier environment?
We stand by our original position that a spy agency can’t intercept traffic on one hand and then provide security advice on the other. We don’t believe that New Zealand’s national security is enhanced by giving the GCSB more control of our telecommunications networks than any other spy agency has in any other comparable country. We don’t believe that network operators should have to answer to a layer of micro-managing government bureaucracy to run their businesses. We think that this is in direct contravention of the GCSB’s statutory objective of contributing to the economic well-being of New Zealand.
The TICS Act is proving to be a brake on innovation. It needs to be changed.
More on the story from Juha Saarinen at the NZ Herald.
2 thoughts on “The GCSB’s brake on innovation”
Comment on: “spy agency can’t intercept traffic on one hand and then provide security advice on the other”.
They can. That’s a fact.
Should they do it? No. It’s not the same job. Same knowledge yes, but definitely not the same set of skills. Oh, and there is something else called segregation of duties that should apply as well, but governments are above best practices aren’t they?
And please, let’s use the proper wording for people who use or create back doors for spying and disrupt others: “script kiddies”.
The reason I say they can’t, is that the best protection and security advice is to use secure encryption everywhere – which totally undermines their ability to intercept and spy. Those two purposes are opposed to each other.
As you point out, this doesn’t stop them, but it makes me question the value of their advice. Looking at TICSA in particular, will they be rejecting changes proposed by ISPs because they weaken security – or because they strengthen it too much?
Comments are closed.