New Zealand Spy Agency To Vet Network Builds, Provider Staff

Bismillah (993337) writes "The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."

What I can't understand is...

[Kittenman]

... why NZ is seen as a hot bed of terrorism, naughtiness and general mayhem. The lead item on the news last night was a political hopeful having to pay back about $350 after claiming on a flight for a friend. Wow. This isn't a country where much happens.

As a father I do understand this...

[seoras]

If I were John Key and I had a daughter in a Paris art school I'd want to keep her tits off the screens of millions of voting Kiwi's.

http://www.dailymail.co.uk/news/article-2401561/Does-know-shes-Daughter-New-Zealand-Prime-Minister-bizarre-erotic-photoshoot-posing-octopus-Big-Macs.html

Security Clearance Requirement Explained

[BlakJak-ZL1VMF]

The guidance document as published at http://ncsc.govt.nz/assets/TICSA/NCSC-Guidance-for-Network-Operators.pdf states:

> To assist the GCSB and network operators to work together on network security risks, network operators
> may nominate a suitable employee (or employees) to apply for a SECRET level GCSB sponsored security
> clearance.
> Network operators may also, upon request, be required to nominate an individual for security clearance
> (section 75).
> Having cleared staff within network operators allows the GCSB to share certain information about network
> security risks that is classified. While these individuals cannot pass classified information to un-cleared
> colleagues, they will be able to give informed guidance on identifying and addressing network security
> risks.
> If a network operator does not have cleared staff, the GCSB will still seek to engage with them, and share
> what information it can about network security risks.

The legislation itself states:

A network operator must, within 10 working days _after being required to do so_ under subsection (2), (3), or (4),—

        (a) nominate a suitable employee to apply for a secret-level government-sponsored security clearance (a clearance); and

        (b) notify the employee of the nomination; and

        (c) give written notice of the name and contact details of that employee to the Registrar.

- so the vetting obligation isn't an obligation until the Network Operator is 'required'. The rationale for putting staff up for vetting seems sound, but as you can see from the last part of the quote from the guidance, they can still work with service providers that don't have cleared staff.