NZIC / GCSB
bureaucrats, victim of their self-made ivory tower?
Date: Nov 2017 NZT
> Begin forwarded message:
> To: Rebecca Kitteridge <R.Kitteridge@nzsis.govt.nz>, info@nzsis.govt.nz
> CC: c.finlayson@parliament.govt.nz , S.Bridges@parliament.govt.nz
> CC: Cheryl Gwyn <C.Gwyn@igis.govt.nz>, enquiries@igis.govt.nz
>
> Subject: Re: Spotlight on Security: Rebecca Kitteridge, at Vic Uni.
> Ref: www.victoria.ac.nz/law/about/events/nz-centre-for-public-law/spotlight-on-security
>
> Dear Rebecca,
>
> Is NZIC (NZSIS, GCSB/NCSC/CERT, ...) leadership aware enough that bureaucrats within the organisation structure created
> and still maintain several Catch-22s, which prevent the NZIC from actually achieving several of its stated goals?
>
> For instance, can you spot 2 (or more) Catch-22s in the statements from NZIC careers email{*1} below?
> Contradicting rules and requirements, which actually specifically prevent the type of person, which is described in job
> descriptions, from even being considered for those key positions. Because they would have to ignore/break several of the rules and
> also act in contradiction to elementary security guidelines, in order to be even considered by those who handle the job applications.
> ? Can you imagine which type of people do get selected instead of the described/required ones...
>
>
> Besides that, there are other structural paradoxes visible.
> For instance in the fact that NZSIS & GCSB publish many statements with direct self-contradictions in them. Like: www.nzsis.govt.nz/about-this-site/#privacy
> Or the fact that NZSIS/GCSB is failing to even implement a functional Responsible Disclosure Procedure (RDP), in order to actually
> be able to deal with information offered by researchers/white-hats/ethical-hackers/students about potent structural
> vulnerabilities in the NZ Critical Infrastructure... Like for instance the continued use of inherently vulnerable (and sensitive
> information leaking) systems by GCSB and most other government sections, just because that's what the govt IT people are used
> to. Instead of putting a little effort into learning about (far simpler) systems, which are inherently not
> vulnerable at all (yes, they do exist), which can also provide the needed services for the organisation.
> In other words, the current structure still has what you describe as: "impenetrable exterior and isolation"
>
> Those are just a few simple examples from a rather lengthy list of visible issues within the NZIC current structure.
> Fundamental issues which radiate out into the NZ critical infrastructure companies like power supply, health and transport.
> Because your organisation is still setting a bad example and by doing so misinforming those organisations with misleading advice, it seems.
>
>
> There seems to be a "mind the gap!" difference between your presentation at Vic Uni last year, and how the NZIC is
> actually still operating at this moment in time.
> A gap which can be closed quickly with very little effort, without extra expenses. But only if leadership is willing to think/operate outside the square a bit more.
>
> So, we would like to invite you for a rather informative chat about the subject, if you like?
>
>
> Kindest regards,
> *<you know..>
> "sed Quis Custodiet Ipsos Custodes?"
{*1}
Careers NZIC <careers@nzic.govt.nz> wrote:
Good Morning,
* Thank you for your email, to be considered for this vacancy you must include a fully completed application form.
Without this, we are unable to consider your application.
Please submit a current CV, completed application form [DOCX, 78 KB] and covering letter outlining why you are interested in the role.
Full and complete applications can be sent to careers@nzic.govt.nz. Only completed applications will be progressed.
Kind regards,
NZIC Sourcing Team
www.gcsb.govt.nz/ www.nzsis.govt.nz / www.nzic.govt.nz
* The NZIC treats all applications for employment in the strictest confidence and we ask that you maintain a similar level of confidentiality.
* You are expected to exercise discretion during the recruitment process and throughout your career.
--
* This electronic message, together with any attachments, contains information that is provided in confidence and may be subject to legal privilege.
* Any classification markings must be adhered to. If you are not the intended recipient, you must not peruse, disclose, disseminate, copy or use the message in any way.
If you have received this message in error, please notify us immediately by return email and then destroy the original message.
The New Zealand Intelligence Community (NZIC) and the departments comprising the NZIC accepts no responsibility for changes to this e-mail, or to any attachments, after its transmission from NZIC.
This communication may be accessed or retained for information assurance purposes.
Thank you.
______________________________________________________________________________
* This email has been filtered by SMX cloud-based email.
For more information visit http://smxemail.com
______________________________________________________________________________
From: Careers NZIC <careers@nzic.govt.nz>
Return-Path: <careers@nzic.govt.nz>
Received: from out1101.nz.smxemail.com
client-ip=203.84.134.32; envelope-from=careers@nzic.govt.nz
DKIM-Signature: v=1; a=rsa-sha256; d=nz.smxemail.com; s=alpha; c=relaxed/relaxed;
Received: from smtp.gcsb.govt.nz ([131.203.86.54]) by omr.nz.smxemail.com
with ESMTP (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128 bits)) id ....@mta1102.omr;
Received: from 172.26.8.11 (EHLO Polaris.local.net) ([172.26.8.11])
by seev3 (Liverton Technology Group - SmartGate) with ESMTP ID 2106337986
Received: from Nightcrawler.local.net (Not Verified[172.26.10.11]) by Polaris.local.net with MailMarshal (v7,1,0,4874)
Received: from WOLVERINE.local.net (172.26.2.16) by nightcrawler.local.net (172.26.10.11) with Microsoft SMTP Server v14.2.347.0;
Received: from WOLVERINE.local.net ([::1]) by Wolverine.local.net ([::1]) v14.02.0387.000
Note:
? Why can't NZIC / GCSB implement simple, standard, common sense, security measures to protect NZ against cyber attacks.
!? Why oh why.. is NZIC / GCSB still using those notoriously vulnerable products for crucial systems?
If you would like to know why: just send us an email with that question ;-)
> Wikipedia:
> "Strictly speaking, a "Catch-22" is "a problematic situation for which the only solution is denied by a circumstance inherent in
> the problem or by a rule." For example, losing something is typically a conventional problem; to solve it, one looks for the lost
> item until one finds it. But if the thing lost is one's glasses, one can't see to look for them.
> - a Catch-22. The term "Catch-22" is also used more broadly to mean a no-win or absurd situation."
>
> "Ivory Tower: refers to intellectuals engaging in pursuits that are disconnected from the practical concerns of everyday life."
@Rebecca Kitteridge:
"I have been in my role as Director of Security for just over two years and I think this is a good point to stop and reflect on
the organisation that I lead. In particular, I want to answer three main questions over the course of this lecture:
~ Firstly, what are the national security challenges that we face as a country and how are these changing?
~ Secondly, how well equipped is the NZSIS to meet these challenges? "
"When I started as Director of Security two years ago, it was on the back of a State Services Commission sponsored Performance
Improvement Framework report. I think a polite summary of the report was that the NZSIS, along with the wider New Zealand
Intelligence Community, had many ‘challenges’. In reality the Performance Improvement Framework showed that this was an
organisation that had major shortcomings.
With the benefit of hindsight, the secrecy that the NZSIS had operated under
since its inception had, in some respects, done it considerable damage.
Because of its impenetrable exterior and isolation, I don’t think anybody was
aware how far it had fallen behind over a period of decades, in terms of the
systems, policies and procedures that one would find in any modern organisation.
So the last two years have involved a significant series of internal
improvements within the NZSIS. In almost every aspect, from strategy and planning to HR ..."
> #---------------------------------------#
> On Tue, 21 Nov 2017
> From Vulnerable server: PSCAHT02.ps.ad.parliament.govt.nz (192.168.70.12) Microsoft Exchange Server 2010 Server (?last update sept 2015?), v14.03.0266.001;
> "C Finlayson (MIN)" <c.finlayson@parliament.govt.nz> wrote:
>
> > On behalf of Hon Christopher Finlayson, thank you for your email. Please be assured that all correspondence is read and noted
> > by this office. Where the Minister has portfolio responsibilities for the issues raised, a response will be sent to you in due
> > course.
> >
> > While the Minister considers all correspondence to be important, if your email falls outside of his portfolio responsibilities,
> > or expresses a personal view, then your opinion will be noted and your correspondence may be transferred to another office or
> > there may be no further response to you.
> >
> >
> > Kind Regards
> >
> > Office of Hon Christopher Finlayson
> >
> > ________________________________
> >
Date: Sep 2017,
Just a few more indicators:
Etc...
Date: Oct 2017
From: "S Bridges (MIN)" <S.Bridges@parliament.govt.nz>
/O=PARLIAMENT/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=S BRIDGES276
Via: PSCAHT02.ps.ad.parliament.govt.nz (192.168.70.12) with Microsoft Server v14.03.0266.001
Via: PSMAIL06.ps.ad.parliament.govt.nz (169.254.1.175) with Microsoft Server v14.03.0266.001
Via: PCVMEXHT01.ad.parliament.govt.nz (172.27.2.22) with Microsoft Server v15.1.1034.26 via Frontend Transport
X-MS-Exchange-Organization-MessageSource: StoreDriver
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Forest-MessageScope: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Organization-MessageScope: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Organization-AuthSource: PSVMCAHT01.ps.ad.parliament.govt.nz
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 03
X-MS-Exchange-Organization-MessageLatency: SRV=PSMAIL06.ps.ad.parliament.govt.nz
X-MS-Exchange-Organization-HygienePolicy: Standard
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-MS-Exchange-Organization-Recipient-Limit-Verified: True
X-MS-Exchange-Inbox-Rules-Loop: S.Bridges@parliament.govt.nz
Subject: Read: NZ Govt cyber security projects seem to be failing? [Responsible Disclosure Procedure]

On behalf of Hon Simon Bridges, thank you for your email. If your message relates to a ministerial portfolio or constituent matter, your email will be placed before the Minister for his consideration and you may receive a response in due course.
Yours sincerely,
Office of Hon Simon Bridges
www.simonbridges.co.nz | www.facebook.com/simonbridgesmp
Incompetence: Lack of physical or intellectual ability or qualifications.
Ivory Tower: A state of privileged seclusion or separation from the facts and practicalities of the real world. ‘the ivory tower of academia’
Nepotism: The practice among those with power or influence of favouring relatives or friends, especially by giving them jobs.
Catch-22: A dilemma or difficult circumstance from which there seems no escape because of mutually conflicting or dependent conditions.
Paradox: A seemingly absurd or contradictory statement or proposition which when investigated may prove to be well founded or true.
None of the following ''experts'' actually care to follow the fundamental protection guidelines.
Career bureaucrats
who
And by doing so, create a false sense of security with far-reaching counterproductive consequences.
> From: postmaster@FMS-Justice.net.nz
> X-IronPort-AV: E=McAfee;i="5900,7806,8749"; a="22109166"
> X-IronPort-AV: E=Sophos;i="5.45,426,1508756400"; d="scan'208,217";a="22109166"
> Received: from (private information removed) by with SMTP; 20 Dec 2017,
> If the problem continues, please contact your helpdesk.
> FMSWMOJEX03.Internet-Receive.FMS-Justice.net.nz (10.99.30.53) with Microsoft Server 2010 SP3 RU18 v14.3.361.1;
> Content-Disposition: inline
> Confidentiality notice: This email may contain information that is confidential or legally privileged. If you have received it by mistake, please: (1) reply promptly to that effect, and remove this email and the reply from your system; (2) do not act on this email in any other way. Thank you.
> -----------------------------
Why are the NZ 'intelligence'/'security' services allowing such
Critical Infra maps to be published?
https://web.archive.org/web/20170406161925/http://www.freemanmedia.co.nz/sites/default/files/imagecache/full_width/screenshots/17/3/energy_infrastructure_map_freeman_media_2017_v656_web.jpg
Etc....
Etc......