Tough NZ comms interception, network security law kicks in

Powered by SC Magazine
 

Aussie operators in NZ must register with police.

Local and international telcos and network providers in New Zealand are now required to comply with strict and complex new communications interception and security legislation.

The new law will apply to Australian businesses and providers operating in the country, such as Vocus which runs data centres and networks in New Zealand.

Known as the Telecommunications (Interception Capability and Security) Act (TICSA), the new law requires network operators to register with the NZ Police. Similary, suppliers of a wholesale or retail  telecommunications service must provide their information to the police registry.

Registrants must tell the police their total number of connections, customers and size of their geographic coverage, and ensure that law enforcement agencies have access to customer data and connections when needed.

As part of the new law - which requires the country's main signals intelligence agency, the Government Communications Security Bureau (GCSB) to play a prime role in network and systems security - providers are now dutybound to notify the state about any design and procurement decisions before implementation, according to government guidance [PDF].

Prior to TICSA, network operators were free to design their infrastructure according to their wishes and to meet commercial demands, and to buy equipment and software from any supplier.

From this month, the GCSB has to be notified of and approve proposed changes to a provider's network operations centre, core network including gateways and interconnects as well customer databases and authentication systems.

GCSB network security vetting process schematic

Providers will also be required to have their staff vetted for security clearance. However, the GCSB will not run the security clearance process itself, and warns that this "may take a significant length of time." 

Neverthless, there are certain things that network operators are permitted to do without notifying the GCSB.

Network providers can patch and update software and firmware, and make changes to power, air conditioning and fire suppression systems.

They are also not required to inform the spy agency of emergency changes to networks, at least not immediately. Nor will providers have to notify the GCSB about home routers, servers and databases sold to customers.

Failure to comply with the new legislation, GCSB, or ministerial direction on network design and equipment, could land providers with hefty fines.

These can be as steep as NZ$50,000 (A$46,000) to NZ$500,000 a day.

The new law was slammed by web giants Google, Facebook and Microsoft last year as being from the 19th century and incompatible with international privacy legislation.

Despite this, the New Zealand government declined to exempt overseas operators from the new law.

Copyright © iTnews.com.au . All rights reserved.


Tough NZ comms interception, network security law kicks in
 
 
 
Top Stories
Five zero-cost ways to improve MySQL performance
How to easily boost MySQL throughput by up to 5x.
 
The big winners from Defence’s back-office IT refresh
Updated: The full list of subcontractors.
 
Tracking the year of CIO churn
[Blog post] Who shone through in 12 months of disruption?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  68%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 994

Vote