The Reserve Bank has revealed that it was an overseas provider whose systems were breached, potentially exposing sensitive RBNZ files. That's drawn the ire of a local IT industry group that says the incident highlights a wider failing in government strategy that has weakened our defences.
The data breach also followed a May 2020 consultation document by the bank's chief information officer, Scott Fisher, that highlighted the need for more investment in IT, and a sweeping restructure of its IT structure and personnel.
Fisher's report said there was "high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms".
It added: "Our people lack the modern digital tools, data and systems required to effectively collaborate and to support informed decision-making."
The Herald has asked the RBNZ how many of Fisher's recommended changes were implemented. A second RBNZ initiative, involving enhanced cyber-security for its partners, is still subject to a consultation process that closes on January 29.
On Sunday, the RBNZ said it was responding with urgency after a third-party service, now named as US-based Accellion, was illegally accessed.
The RBNZ uses Accellion to share data with banks and insurance companies.
Overnight, Reserve Bank governor Adrian Orr said the Accellion file-transfer system had been taken offline while investigations were under way.
"This wasn't a specific attack on the Reserve Bank, and other users of the file-sharing application were also compromised.
"Our core functions and New Zealand's financial system remain sound, and Te Pūtea Matua is open for business. This includes our markets operations and management of the cash and payments systems."
Work is continuing to confirm the nature and extent of information that has been potentially accessed. The compromised data may include some commercially and personally sensitive information, Orr said.
Meanwhile, the National Cyber Security Centre, a unit of the GCSB, has confirmed it is assisting the Reserve Bank following the hack.
A cyber-security insider told the Herald that Accellion first notified all of its customers, including the RBNZ, of the file-sharing breach on December 24 and issued a patch, but that the RBNZ did not implement the patch or take its files offline until January 7.
Neither the RBNZ nor Accellion (which did not immediately respond to questions) has given a timeline for the data breach.
The insider said around 30 Accellion customers had been hit by the breach, which involved an SQL-injection attack, where malicious code is planted that allows a hacker to view, modify or delete files on a database.
The Accellion product involved, FTA (File Transfer Appliance) is some 20 years old. The company has been urging clients to upgrade to a newer service Kiteworks, a spokesman said.
NZRISE: WIDER QUESTIONS RAISED
Meanwhile, NZRise cofounder Don Christie says the incident raises broader questions about not just the Reserve Bank's IT policy, but the Government's wider technology strategy.
While acknowledging that the central bank takes security very seriously, Christie questions its approach to file-sharing.
"It seems likely that RBNZ is using a third-party platform and it seems likely that this would be a very high-value target for hackers, similar to SolarWind which was hacked last year and used widely by government agencies across the world," he says.
"In my view, the NZ Government needs to urgently review its IT strategy," adds Christie, who is also a director of one of the largest local IT services and cloud providers, Catalyst.
"Right now, individual agencies are being mandated to move as fast as possible to overseas infrastructure and overseas SaaS [software-as-a-service] suppliers. That's very short-term thinking and requires a high degree of effectively unproven trust. Time and time again the model has been proven to fail as state-sponsored warfare becomes more prevalent."
An over-reliance on this one-size-fits-all strategy leaves NZ without the agility to respond to threats and compromises at a local level, Christie says.
"It also leaves us vulnerable to the whims of overseas actors. Who knows who would have control over many of these platforms had the coup attempt of January 6 in Washington DC been successful?"
An NZRise study released in November found that only about a third of government IT tenders, by dollar value, were awarded to New Zealand-owned companies for the previous year.
The lobby group argues that more business should be awarded locally, in part for skills development and to increase our tax base, and in part because of issues such as data sovereignty, and the fact that multinationals often prove difficult to regulate.
"We are simply not building a national view on resilience and capability and we are not co-ordinating investment and procurement across government agencies. If we put more focus on the latter the investment case for building much more shared infrastructure and capability in New Zealand would become far more positive," Christie says (a theme he addresses in the video below from the 11-minute mark).
"This is not to say that New Zealand tech is more secure than anyone else's but we can verify and audit respond much more easily onshore than we can offshore. Indeed, many NZ companies experience far more oversight than our overseas competitors simply because we are so close," Christie says.
"Keep in mind that the Europeans are about to spend billions of Euros building their own cloud and other infrastructure. It's likely this investment will produce more open source systems, such as Open Stack and Kubernetes that NZ can leverage. Indeed, if we played our cards right we could think about joining that initiative with a view of giving NZ more technical independence.
"This rethink will require good political leadership and a radical shake-up of Government IT leadership."
CYBERATTACKS SURGE, NZ SPENDING STUTTERS
The past 12-months have seen an escalation in cyberattacks, according to Crown agency Cert (Computer Emergency Response Team) NZ, with attacks increasing by 33 per cent year-on-year.
August and September saw the GCSB come to NZX's aid as the local stock exchange struggled to repel a series of DDoS (distributed denial of service) attacks that overwhelmed its website.
Earlier in 2020, there were cyberattacks on multiple corporate targets including Fisher & Paykel Appliances, Toll Group and Lion.
In F&P Appliances' case, a "ransomware" gang leaked a number of its spreadsheet and planning files on to the internet in a bid to pressure the company to pay for the return of its stolen files. F&P refused.
AUT computer science professor Dave Parry told the Herald that a Covid was a double-whammy had contributed to the dramatic rise in cyberattacks.
The pandemic has spurred a working-from-home boom, often involving much lower security, at the same time that lockdowns around the globe had reduced many of organised crimes' usual "real-life" avenues - leading to a spike in cybercrime.
Businesses were being targeted to exploit the gaps in security that were opening up as staff shuffled files between work and home - and simply because commercial organisations are richer targets.
Across the Tasman, Scott Morrison's government increased cyber-defence spending by A$1.35 billion last year, while NZ's increase of its already smaller per-capita budget was in the single-digit millions, with the issue gaining no traction at the election.