Cyberattacks expose lax security: experts
New Zealand is too small and interconnected for people to speak too negatively about the country’s institutions, which is why it’s hard to get anybody to say anything bad about the NZX or Reserve Bank cyberattacks last year.
At some point you’re probably going to have to deal with the person or institution you slag off in public. Worse, you might even need to tender for a contract from them.
This attitude is the glue that stops us from descending into a pit of angry recriminations in our public sphere, but it’s also how Reserve Bank chairman Neil Quigley was able to stand up in front of an audience at an event in Auckland this year, and heap a lot of blame for the Reserve Bank hack on to a foreign IT vendor. ‘‘We had no warning to avoid the attack which began in late December.
‘‘[The vendor] failed to notify us for five days that an attack was occurring against its customers and a patch was available.’’
A reluctance to criticise is also how the NZX got away with only releasing a press release about a report into its cybersecurity issues and not the report itself.
The NZX still has not even released a redacted version of this report to the public. For what it’s worth, the NZX claims the Inphysec report proves the organisation came under an unprecedented attack which could not have been reasonably predicted by its staff or board.
Mega executives, co-founder Bram van der Kolk and chief technology officer Mathias Ortmann, have no such qualms about offending people.
When Kim Dotcom was at the helm the file sharing and hosting service seemed to almost embrace controversy. First, with Dotcom’s verbal sparring with John Key’s Government and then with his launch of the Internet Party. On top of this, both van der Kolk and Ortmann’s passports are still being held by the courts as extradition proceedings drag on against them.
Which is probably why Ortmann seems to have no issue criticising the Reserve Bank’s approach of blaming the vendor for not letting it know a patch was available.
‘‘That is a very, very unrealistic expectation,’’ he said. ‘‘If you wait until the vendor tells you, and you do not actively monitor for vulnerabilities, the vulnerability might actually be published [to other hackers] before the vendor finds out about it – which is an everyday occurrence.’’
Keeping vulnerable pieces of software off computers connected to the internet is a basic design feature that you don’t need to be a particularly sophisticated computer genius to understand. Especially if the piece of software is so old that it’s not properly supported by the vendor, as appeared to be the case here.
‘‘Anything you run on the open internet you must be very vigilant about it,’’ van der Kolk says.
Then Ortmann jumps in: ‘‘The first question to ask is: does this service need to be running on the open internet or not?’’
Ortmann raises some interesting questions. The piece of software Quigley and the Reserve Bank spoke about was a piece of ‘‘legacy’’ software not properly supported by the vendor. If you had to use such a thing was it necessary to keep it exposed to every hacker on the internet?
Employees could have accessed this tool using a virtual private network (VPN) instead, he suggests. This would allow people to access the tool, but remove it from the company’s network and the internet at the same time. It would also stop any future unknown vulnerability from being exploited.
A Reserve Bank spokesperson says the bank will comment further on the incident ‘‘as and when it is appropriate to do so’’. It does not want to undermine a review by KPMG or criminal and forensic investigations.
However, the advice to remove legacy systems from exposure to the open internet is so basic it’s even parroted by the Government’s own cybersecurity organisation CERT NZ: ‘‘By definition, legacy systems are vulnerable, and present a risk to your organisation. The safest option is to stop using them and remove them from your network,’’ CERT’s website says.
Mega is no stranger to cyberattacks and security issues. It almost invited them with promises of complete anonymity and encryption.
Van der Kolk says the attacks could have been easily combatted by ramping up bandwidth so the system wouldn’t be overwhelmed by cyberattackers. The NZX could have purchased plenty of services to do this. As he talks about this Ortmann scouts Google and finds out other stockmarkets, like the Nasdaq, have used these kinds of services for years.
Their point is, if NZX was not paying for basic safety precautions, or did not know it needed them, what hope is there for other smaller organisations?
Van der Kolk and Ortmann aren’t alone in thinking our companies and the boards that govern them aren’t taking cybersecurity seriously enough.
Cybersecurity experts like deriskme.com’s Paula Gair say it is hard to elevate these cybersecurity issues to the boardroom level. Health and safety issues are discussed all the time, but cybersecurity ones not so much.
She suggests it might stay that way until boards and their directors are made personally liable for serious cybersecurity breaches in the same way they are for health and safety ones.
‘‘Unfortunately until something goes wrong it’s really difficult to get it high enough up the list. If you think about how we deal with health and safety and the fact that we’ve actually made directors liable for serious health and safety breaches then that gets that right up to the top table.’’
Institute of Directors chief executive Kirsten Patterson argues directors are already liable. ‘‘There’s been some pretty clear direction from some of our regulatory authorities like the Reserve Bank and the FMA [Financial Markets Authority] who have made it really clear that boards need to take responsibility for overseeing cybersecurity.’’
She says boards are taking these issues very seriously, but acknowledges the institute’s own director sentiment survey shows a huge chunk of companies don’t regularly discuss cybersecurity issues at all.
In Australia, the Australian Securities and Investments Commission (Asic) took legal action against a company for not taking enough cybersecurity precautions to prevent a brute force cyberattack.
Last year Asic started federal court proceedings alleging the RI Advice Group failed to implement ‘‘adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience’’.
Patterson thinks we aren’t far off from seeing similar action taken here.
‘‘I think all directors are upskilling and upskilling really fast. We’re all responsible. Same way that everyone’s responsible for finance, we’re all responsible for health and safety, and we’re all responsible for cyber.’’
Van der Kolk and Ortmann say New Zealand is more of a target for cyberattacks these days than we think. Our relative isolation used to mean we were off the radar for many, but now it makes us a target. We’re a developed country with many systems open to the internet, but without enough experienced personnel here to advise companies on what they should do.
Which is Ortmann’s theory around how the NZX ended up being targeted in a cyberattack. In a statement an NZX spokesman says Wellington-based cyber experts Inphysec concluded the attacks on the NZX went ‘‘well beyond anything previously seen that could have been reasonably forecast’’.
Then it quotes Inphysec’s unreleased report which it claims says: ‘‘The volume, sophistication and persistence of the attacks were unprecedented in a New Zealand context, and are amongst the most severe we are aware of to have been experienced internationally’’.
Ortmann says a lot of other stockmarkets in the developed world had taken precautions; NZX was likely targeted because it hadn’t. In other words, the attack was unprecedented because ‘‘script kiddies’’ knew if they’d tried it on the same scale elsewhere they wouldn’t have been successful.
Government solutions to the problem seem to be having varied levels of success. The Government Communications Security Bureau says its Cortex system, which protects critical infrastructure from cyberattack, prevented $100 million worth of cyber-disruption since 2016.
A Government request for proposal (RFP) for a cyber credential scheme targeted at smaller businesses was awarded to EY and Capella Consulting in January, 2018, but the most prominence it ever gained was after Capella complained the Government was doing little to promote its use.
A spokesperson for the Department of Prime Minister and Cabinet said ‘‘following the conclusion of government involvement in the [cyber credential] scheme, the primary channel for cyber security advice and support to small business is via CERT NZ’’.
Ortmann suggests companies and individuals are capable of solving this problem without Government help.
Small to medium-sized enterprises could sort themselves out independently of the Government by banding together in groups of 10 or so and sharing resources.
Van der Kolk says it also might just be about everyone sticking to some basic principles. ‘‘Just like you have a lock on your door, you wouldn’t share the key with other people, you would have different keys for different things.
‘‘If you just apply some very basic principles it’s not very hard to be more resilient.’’