Data breach: The questions Reserve Bank must answer
The RBNZ said a security issue with a third-party file-transfer service — FTA, run by the Silicon Valley-based Accellion — meant files it shares with the likes of banks and insurance companies were potentially exposed, after a possible data breach was revealed on Sunday.
The Herald would like to know:
1 Why was the RBNZ using a creaky old service being sunsetted by its owner?
Accellion has been making assertive efforts to move its customers from FTA to its new Kiteworks service.
Spokesman Rob Dougherty said, “FTA is a 20-year-old product . . . While Accellion maintains tight security standards for [FTA], we strongly encourage our customers to update to Kiteworks, the modern enterprise content firewall platform, for the highest level of security.”
The far more capable and secure Kiteworks was released four years ago. Indications are that RBNZ was one of only about 10 per cent of Accellion customers still clinging to its outdated product.
2 Why did the RBNZ ignore in-house warnings that its technology was out of date?
A May 2020 report by the bank’s chief information officer, Scott Fisher, warned there was “high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms”. Fisher referenced Kiteworks and outlined a timetable for new technology solutions to be implemented from June, but six months later, the Reserve Bank was still using the older FTA service when it was compromised.
3 Why was there an apparent delay in applying a security patch issued by Accellion?
Dougherty said Accellion discovered a “P0” exploit (also known as a “Zero Day” vulnerability) in its FTA file sharing service in “mid-December”.
A Zero-Day vulnerability is the most serious kind of security breach, usually involving the injection of malicious code.
Dougherty said Accellion issued a patch (software upgrade to fix the problem) within 72 hours of it being discovered. The Herald has sighted correspondence that says the patch was released to FTA customers — which would include the RBNZ — on December 24. But an insider has told the Herald that the RBNZ did not take action until January 7.
The bank has so far refused to comment on the timeline, other than to say that, as of January 10, “The system has been secured and taken offline while investigations [occur].”
4 What information was potentially accessed?
Reserve Bank Governor Adrian Orr said on January 10: “The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.”
There has been no update since. This is one area where the bank deserves some leeway. It can be hard to ascertain if files have been viewed or copied — often until a ransom demand comes in from a hacker.
5 Why go overseas?
Local IT industry group NZRise has complained of a “cultural” cringe that sees a majority of government tenders being awarded overseas when local talent can do the job well, cost-effectively and with data protected by local laws.
Duty Minister Peeni Henare did not respond to RBNZ’s procurement specifically, but said: “Opportunities to participate in government tenders are publicly advertised on the Government Electronic Tender Service (Gets). The Government has made it a priority to increase access for New Zealand businesses, which is incorporated in Rule 17 of the Government Procurement Rules [which reads ‘Agencies must consider how they can create opportunities for New Zealand businesses’].”
But NZRise has complained that because of the closed panel system used for many all-of-government contracts, only a small minority of tenders make it to Gets — and once they do, the process of participating in a tender is disproportionately expensive for local contenders.
6 Why is our government doing so little to bolster our cybersecurity defences?
NZ has a national cybersecurity defence system, Cortex, and it does stop hundreds of attacks each year. But it is ageing and, compared to other countries, has had relatively little enhancement in recent years.
Crown agency Cert NZ tracked a 33 per cent increase in cyberattacks last year — in keeping with worldwide trends. In Australia, Scott Morrison’s Government increased cyberdefence spending by A$1.35 billion last year. But NZ’s increase of its already smaller per-capita budget was in the single-digit millions.
That’s a question the Herald will be putting to new IT Minister David Clark when he returns from holiday.