Furious reaction to spying
Former MPS angry Govt didn’t warn they were targeted in China-backed cyberattack
Two former MPS claim they weren’t told they were targets of China-backed hacking even though the Government was allegedly briefed on the matter in 2022.
Former Labour MP Louisa Wall and former National MP Simon O’connor say they were targeted as part of a Chinese state-sponsored cyberattack in 2021 that the Government revealed last month. The pair used to be New Zealand’s representatives on the Inter-parliamentary Alliance on China (IPAC).
Minister responsible for the New Zealand spy agencies Judith Collins confirmed at the time the Parliamentary Counsel Office and the Parliamentary Service were targeted alongside some MPS’ data. It wasn’t stated who the MPS were but the Government Communications Security Bureau (GCSB) was confident data accessed was not of a “strategic or sensitive” nature.
However, O’connor and Wall have been informed by IPAC that the United States Federal Bureau of Investigation contacted various governments of targeted legislators to brief them through a “Foreign Dissemination Request” in 2022.
Both claim they weren’t informed by either the previous Labour Government or the current coalition Government that they were specifically targeted.
Wall’s parliamentary email address and a University of Canterbury email address for New Zealand IPAC advisor Anne-marie Brady were on the FBI’S verified list of addresses targeted in the cyberattack. O’connor’s was not on the list but it was likely he was targeted given he’d received emails linked to the attack.
O’connor says he is furious to not have been informed in 2022 and believes Parliament’s Privileges committee should investigate the matter.
“I would have thought letting me know would have been a rather basic step in preventing any further incursions.
“That we were not informed at all — at the time or when the nature of the attack was publicly notified in March this year — is deeply concerning.”
Wall says she is concerned about the “absence of transparency”.
“As elected representatives, our primary duty is to serve and protect the interests of the people. The government’s failure to disclose crucial information about the cyberattack undermines this fundamental responsibility.”
The pair are calling for an independent investigation into the matter with Wall saying such an inquiry should assess “the government’s handling of it, to uncover any negligence, cover-ups, or failures in cybersecurity protocols”.
It comes amid revelations other governments in other countries withheld information about elected representatives being hacked, including in Canada where one of its spy agencies has stated it shared details of the cyberattack with officials but not the MPS in 2022.
The Herald has requested comment from the GCSB and Minister Collins.
Andrew Little, who was the GCSB minister under the previous Government, said he couldn’t comment on whether he’d been briefed on the FBI’S communication in 2022 as the matter was classified.
Little did say it would be expected that if MPS were targeted in such a way, they would be informed.
“My experience of the agencies is that if they perceive a potential threat, a security threat to an MP or to anyone they describe as a sensitive category individual, then they take appropriate action on it and I’d be surprised if that didn’t happen in this case.”
Little defended his actions as the minister responsible and said any investigation would be conducted by the Inspector General of Intelligence and Security.
Taieri MP Ingrid Leary, the current IPAC New Zealand co-chair alongside Southland MP Joseph Mooney, confirmed to the Herald she had received the same briefing from IPAC as O’connor and Wall.
“This was an unacceptable attack on elected New Zealand parliamentarians which sought to violate our parliamentary privilege and undermine our sovereignty,” Leary said.
Her briefing didn’t include who specifically within the New Zealand Government was informed about the hacking so was unsure to what level ministers might have known.
“We want to take the politics out of this and just say that this is not acceptable that in the absence of communication by our government, it was IPAC that stepped up to alert the members about the security risks posed by the cyberattack.
“We want a commitment that MPS and citizens will be notified and informed immediately when our Government is alerted to such digital incursions.”
While she didn’t endorse Wall’s call for an investigation, Leary said she supported more transparency around the incident.
Alongside Wall and O’connor, the attack in January 2021 reportedly targeted 122 members of IPAC. The attack involved emails from “nropnews.com” containing tracking pixels to gather recipient data like IP addresses and device types.
O’connor said he was “disappointed and angry” that he and Wall had not been informed since 2022.
“That they have known about this since 2022 and not shared the information with us beggars belief.”