By William Hoverd, Nick Nelson and Nicola MacAulay.
On Friday, one of us tried to order pizza (not our Auckland author), but their ANZ credit card couldn’t be processed, because the bank was being submitted to a Distributed Denial of Service (DDoS) attack. While this distributed denial of pizza may have been fabulous for one Wellington author’s waistline, and pleasing for our Auckland author, it certainly was not healthy for the financial wellbeing of our country and highlights deep seated cyber vulnerabilities.
High profile cybercrime is now commonplace in New Zealand. In the last 12 months, New Zealand has been subject to several high-profile cyber-attacks, the Waikato District Health Board, the New Zealand Stock Exchange, Massey University, ANZ Bank and, as we write this, Kiwibank is under attack. These attacks highlight the vulnerability of New Zealand’s financial, health and education systems to overseas criminal organisations and hostile foreign powers. However, if instead the attacks were aimed at an airline, power companies or traffic networks, then the potential scale of human injury is appalling to imagine.
The National Cyber Security Centre (NCSC) of the Government Security Communications Bureau (GCSB) noted that ‘From 1 July 2019 to 30 June 2020, the NCSC recorded 352 cybersecurity incidents compared with 339 incidents in the previous 12 months. Of those incidents recorded, 30 per cent were linked to state-sponsored actors.’ In August 2020, the Director General of the GCSB gave a speech about New Zealand’s cybersecurity in a Covid world. In July 2021, the Honourable Andrew Little called out China for its attacks on the United States’ Microsoft Exchange. Yet domestically in terms of the cybersecurity of New Zealanders and our institutions, the Government has been quiet in the last 12 months. So, while we are a good international partner, nothing has been communicated in a systematic manner from our Government to its citizenry about these ongoing domestic attacks.
Some important questions arise that are not being asked or answered. Are we under attack by a foreign nation? Have we been subject to retaliation by a foreign nation that we have called out? Are these simply criminal organisations looking to make a profit off a weak cybersecurity infrastructure? Why is New Zealand being targeted? Are these attacks random or are we perceived as easy prey? To what extent are New Zealander’s financial and data protected by the Government? What is being done in terms of resourcing, cybersecurity, and policy to respond to this litany of attacks? How can we prosecute and pursue these criminal actors and their state sponsors?
Understandably, the Government is distracted and has finite resources – we live in a milieu of Covid-19 lockdowns and much of our national security resources are dedicated to operational concerns and the recommendations of the Royal Commission of Inquiry into the terrorist attack on the Christchurch Masjidain in 2019.
However, Andrew Little did note in 2017 that terrorism and cybersecurity are the greatest national security threats, but since the Christchurch attack, all attention appears focused on terrorism. Yet in a Covid world, we are all increasingly reliant on technology to overcome isolation and to facilitate work, family and commerce and this infrastructure is vulnerable. That makes Kiwis vulnerable. Quite frankly, it is urgent and timely for us to consider sustained systemic action to address an increasingly common, sophisticated and dangerous national security threat.
So, we were pleased to see an email on 9 September advising that various government departments have opened a consultation, inviting public feedback, on New Zealand’s Principles and Objectives for Negotiating a United Nations Convention on Cybercrime. Unfortunately, all three authors almost discarded it as spam. This was a consequence of a very generic email forwarded from an unknown address, not addressed to anyone, and not signed by anyone. Fortunately, the email was not deleted, but read by the authors and a link followed to ‘consultation documents’ – a total of five pages of extremely generic information on what is demonstrably one of the key security issues of our time.
This manner of ‘consultation’ by government agencies with the broader New Zealand public is likely ineffective and creates the impression that agencies don’t really want to engage but are merely ticking consultation boxes and only when it affects our international obligations, which is disappointing for our democratic processes, the people of New Zealand and our national security. Unfortunately, this pattern has become all too common by agencies when engaging on issues of cybersecurity.
Given that cybersecurity is one of the most significant national security issues of our time, more is expected, indeed needed, of our government in addressing this issue.
First, we need a more systematic and transparent approach to the communication of cybersecurity issues to the public. This includes a clear statement of the roles of the GCSB, and other agencies (Ministry of Foreign Affairs and Trade, Department of Internal Affairs, Ministry for Business, Innovation and Employment, Computer Emergency Response Team NZ and Department of the Prime Minister and Cabinet) responsible for cybersecurity threats; how these are being systematically addressed, how they might be addressed by citizens; and the initiatives, both national and international, that are underway to enhance cybersecurity.
Second, there needs to be systematic, open and meaningful engagement between agencies, the public, the private sector and academia to address the multitude of issues impacting the cybersecurity environment. From the development of policy and strategy, input into international conventions, and the development of educational pathways to meet urgent needs.
As Security Intelligence Service Director General Ms Rebecca Kitteridge said in relation to the Christchurch attacks, ‘The result of not having a mature discourse between security practitioners, academics, politicians and the media is that some real national security issues have been discounted, and others have been sensationalised in a truly unhelpful way.’ New threats require new mindsets and responses. Now that cyber events are an everyday threat to all New Zealanders, another mature discourse is now imperative. Banally, all these urgent thoughts for New Zealand’s cybersecurity future only coalesce when one fails to order one’s pizza because of a DDoS attack.
Dr William Hoverd is a Senior Lecturer at Massey University’s Centre for Defence and Security Studies, based in Wellington.
Nick Nelson is a Senior Lecturer at Massey University’s Centre for Defence and Security Studies, based in Auckland.
Nicola MacAuley is a Senior Tutor at Massey University’s Centre for Defence and Security Studies, based in Wellington.