Cybersecurity experts say the ransoming of Waikato DHB patient data and medical systems is just the tip of the iceberg – New Zealand is vulnerable to far greater cyber threats if we don’t up our resilience, Marc Daalder reports. (Content Partnership)

ANALYSIS: Sam Sargeant has spent years warning everyone he speaks to – from everyday Kiwis to government departments and corporate executives – that they’re in peril. Deep down, he knows they haven’t listened.

“We certainly do need more cyber resilience in New Zealand. We typically have an attitude of, ‘eh, she’ll be right’. And often it will be. But the day it won’t be is going to be a wake-up call for many people,” the Internet NZ chief security officer says.

“I often use the pandemic as an example. In 2019, if I had talked to the board about risk and talked about a global pandemic shutting down travel and everyone staying in their homes, I would have been laughed out of the room. But now, no one thinks that’s silly.

“I worry that we haven’t yet experienced the same sort of event that is going to affect all New Zealanders in the same way as a lockdown or a global pandemic in the security realm, our cyber security. I see that day could come. What happens when, suddenly, all of the email for any New Zealand user is exposed? Everything you’ve ever sent via text message is exposed? Are we ready for that? I don’t think we are.”

Sargeant isn’t the only person raising the alarm. In conversations with cybersecurity experts and professionals both before and after the Waikato DHB hack, concerns over New Zealand’s preparedness for a devastating cyber incident were highlighted.

Don Christie, the founder and managing director of Catalyst IT, says the amount of public and private spending on cybersecurity is dwarfed by the cash available for physical security – from police and the NZDF down to CCTV cameras and locks – even though so much of our social, personal, financial and political lives are now digital.

“A lot of the tools that we can pool together are freely available because they’re open-source. And even when they’re not, the actual spend is negligible compared to the assets that are being protected,” he says.

“One example I dreamt up: the cost of a patrol vessel to protect our fishing industry. God knows how many tens or hundreds of millions those damn things cost. But the asset they’re protecting is negligible compared to the digital assets that we’d be looking at protecting.”

Three reasons for New Zealand’s vulnerability in this arena? The fundamental architecture of the internet, which necessitates the overseas transfer of data even to reach a New Zealand-hosted and -domiciled webpage from within New Zealand; an over-reliance on overseas software and companies for cybersecurity and day-to-day functioning; and the lack of a coherent, national approach to cyber resilience which could shore up the gaping holes in our digital borders.

Internet architecture

To some extent, our vulnerability is the price we pay for the advantages of a digital, globalised world.

Take the cables that connect New Zealand to the rest of the digital world. We have a couple of them stretching across the Tasman Sea and one that jumps northwest to link up in New Caledonia with the trans-Pacific Hawaiki Cable. What happens if one or all of them go out?

“I would venture, I won’t be able to get to Newsroom if our international cables are severed,” Sargeant says.

“If our international connectivity is taken down by a cyber attack – you look at the [Colonial Pipeline], it’s a similar sort of experience. Ransomware prevented the operator from operating their pipeline. If there’s a ransomware attack on a cable operator and they can’t operate our international cable, I can’t get to local news websites because our modern, interconnected internet is not going to work.

“I do think having things on-shore, having them controlled by New Zealanders is going to be very important, strategically, in the long term.”

Even a domestic focus isn’t bulletproof, however. Traffic may have to travel from a New Zealand user over to Sydney or the United States before returning back to a New Zealand website, due to the way the internet is structured.

The occupied dairy

“People are well-intentioned. They’ll say, ‘We’re hosting it locally, we’re running all these things on-shore’. My concern is that it is so deeply interconnected and it’s just taken as read that other services on the internet are there. I would venture that most, if not all, websites in New Zealand would fail in some way or another if there was an international connectivity issue. I don’t think we’re ready for that happening,” Sargeant says.

Andy Prow likes to use the analogy of a dairy to convey the cyber issues we’re talking about. He’s the CEO and founder of New Zealand cybersecurity firm RedShield, and says going to a New Zealand website as a New Zealander is like going to the dairy.

“All I want to do is go to the dairy down the road, but my dairy is protected by a US force and therefore all of my privacy goes through that before it comes back,” he says.

“Now that exists today. There are New Zealand government agencies using overseas defences. So you, as a New Zealander, to access a site, your data will go overseas and come back again. The question is: Are we happy with that, is that the right way we should be doing it?”

Andrew Chen, a research fellow at the University of Auckland’s Koi Tū – Centre for Informed Futures, says a move to close New Zealand off from the world (digitally) would involve trade-offs.

“You can’t go down that path without losing some benefits,” he says.

“We could go down that path. We could invest more in having local cloud infrastructure, we could invest more in having local cybersecurity products being developed and duplicating local infrastructure and all that sort of thing. But the more you go down that line, there’s going to be costs and you’re slowly cutting yourself off from the outside world.”

“Not everyone can afford in-house security teams,” Nadia Yousef, the incident response manager at CERT NZ, tells Newsroom.

“But we have seen a huge shift in organisations wanting to make security a priority, for themselves and their customers. Making use of third-party providers is just the best way to do that. It’s scaleable, it’s affordable, it works.

“It’s not perfect. It’s certainly not a perfect model and there are some risks involved with outsourcing control of your information and control of your security.”

Control is key

As Chen suggests, there are ways to mitigate this interconnectedness. While we can’t change the fundamental architecture of the internet, we can make a conscious decision to reduce our reliance on overseas cybersecurity products.

Christie points to Cloudflare, a widely used tool to protect against DDoS attacks, as a key example.

“A lot of these overseas defence bits of software like Cloudflare and Fastly and Akamai – one of the ways they protect your systems from being attacked is they actually decrypt [encrypted] internet traffic, read it and check that there’s nothing malicious happening and then re-encrypt it,” he says.

“Basically, you’re handing over the keys to your kingdom to overseas actors. Now these companies are great companies, but they’re not under New Zealand’s control. Being overly reliant on solutions that we can’t control puts us in a pretty weak position.”

“Having control is the first step. Having the right people involved in these issues,” Sargeant agrees.

“Shouldn’t we just be doing a lot of our defences using the technology and skills we have at home? I certainly believe we should be,” Prow says.

“Because we are then, first, masters of our own destiny. But also we are then promoting what is already a high-value industry in New Zealand.”

This doesn’t just apply to cybersecurity services either, Sargeant says.

“It’s not just the cybersecurity side of things, it’s that the intrinsic nature of our daily lives are linked to international organisations. We rely on them. Even the infrastructure that businesses use to power their organisations are based offshore. Xero is delivered to us from, I believe, the United States – it’s not actually here on shore. It’s not just New Zealand’s cybersecurity, it’s everyone’s, it’s the world’s.”

In other words, the use of overseas software for day-to-day operation (most government agencies depend on the cloud-based Office 365 suite) means we’re exposed to vulnerabilities in offshore firms’ cybersecurity setups, as well as the whims of geopolitics.

That’s what happened to the Reserve Bank, when its third-party, US-based file-sharing service was hacked in December. On Monday, the bank conceded it was “over reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning.”

Beefing up our cyber borders

Alongside these questions of interconnectedness and reliance on overseas providers, Christie says we need to think about the technological measures we could take to scour scams and cyber attackers from New Zealand’s internet.

If, for example, an offshore bad actor was engaging in a distributed denial of service (DDoS) attack, where a server or webpage is overwhelmed with automated requests, wouldn’t it be ideal if we could block traffic from overseas without inadvertently disrupting every website in the country?

“If we’re finding that these attacks are coming from overseas, we could actually throttle down the level of traffic that’s coming through from overseas actors,” Christie suggests.

To reach the point where that was feasible – where we not only had the technical ability to manage that incoming traffic but had built up the resilience to mitigate the collateral damage – would require an immense amount of coordination and work across the public and private sectors.

“My suggestion is that New Zealand needs an organisation that very proactively ties together the public sector and private sector and builds a security capability that lifts our national stance and doesn’t allow us to be picked off as individual agencies or organisations,” Christie says.

The existing agencies, CERT and the GCSB’s National Cyber Security Centre (NCSC), would struggle to do this with their existing resources. The NCSC mandate is very narrow – it’s limited to providing its technology and expertise to a couple hundred “nationally significant organisations”.

Sargeant says this way of thinking about firms as either significant or not doesn’t hold up under scrutiny. While a nationally significant organisation may be protected by the NCSC, would its law firm be? And wouldn’t they have all the same valuable data worthy of targeting?

‘Lifting our national capability’

CERT, meanwhile, is able to help anyone, from an individual targeted by a phishing scheme to a multinational corporation, but they aren’t resourced to do the sort of proactive, technical work that the NCSC does, Christie says.

“Within the supply chain and within government, there’s a huge amount of expertise. So it’s not like we don’t have the capability onshore.”

He envisions a $13 million seed fund for a new agency (or a beefed up CERT) and development of more cyber resilience capability over the next couple of years.

“It does look like it’s the next two to three year cycle that we’re going to see a real lifting of the threat profile as we see some of these AI tools being rolled into action. And again, $13 million, that was the cost of the Green School in Taranaki,” he says.

“I’m not talking about huge amounts of money. But I am talking about lifting our national capability.”

As someone with a keen interest in cybersecurity, Christie says he’s already had his “wake up” moment. Or rather, moments. The NZX hack, the Reserve Bank hack, now Colonial Pipeline and Waikato DHB. And last year, Catalyst played a role in supplying “critical systems” for New Zealand, through a pandemic and election year.

“I was surprised at the fact that we had minimal direct communication with the security agencies that are responsible for cybersecurity in New Zealand during that period. I would have expected, very quickly, for a partnership to have rolled into place.”

Fortunately, nothing went wrong. But that isn’t a guarantee in the future – and Christie doesn’t want to wait until something goes catastrophically wrong for the government and industry to start working more productively on bolstering the country’s cyber resilience.

This story is part of a content partnership with Catalyst

Marc Daalder is a senior political reporter based in Wellington who covers climate change, health, energy and violent extremism. Twitter/Bluesky: @marcdaalder
