The Reserve Bank needs to answer a number of questions that are still hanging in the air after its possible data breach was revealed on Sunday.
The RBNZ said a security issue with a third-party file-transfer service - FTA, run by the Silicon Valley-based Accellion - meant files it shares with the likes of banks and insurance companies were potentially exposed.
So far, the RBNZ has declined to provide any information beyond that provided in two short press releases, citing security concerns.
The Herald would like to know:
1. Why was the RBNZ was using a creaky old service being sun-setted by its owner?
Accellion has been making assertive efforts to move its customers from FTA to its new Kiteworks service.
Spokesman Rob Dougherty said, "Accellion FTA is a 20-year-old product ... While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to Kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence."
The far more capable and secure Kiteworks was released four years ago, and various competitors have newer products. Indications are that RBNZ was one of only about 10 per cent of Accellion customers still clinging to its outdated product.
2. Why did the RBNZ ignore inhouse warnings that its technology was out of date?
A May 2020 report by the bank's chief information officer, Scott Fisher, warned there was "high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms".
Fisher referenced Kiteworks and outlined a timetable for new technology solutions to implemented from June, but six months later, the Reserve Bank was still using the older FTA service as it was compromised.
3. How many of Fisher's other recommendations were implemented?
The RBNZ CIO also wrote: "Our people lack the modern digital tools, data and systems required to effectively collaborate and to support informed decision-making."
How many of the sweeping changes to roles, structure and tools that he recommended were adopted? [UPDATE: An RBNZ spokesman said the IT personnel re-structure suggested by Fisher had largely been approved. "We have completed recruitment for some roles while others are still to be filled." A follow-up question about technology changes was not immediately answered.]
4. Why was there an apparent delay in applying a security patch issued by Accellion?
Spokesman Dougherty said Accellion discovered a "P0" exploit (also known as a "Zero Day" vulnerability) in its FTA file sharing service in "mid-December".
A Zero-Day vulnerability is the most serious kind of security breach, usually involving the injection of malicious code. It's been described as the equivalent of a burglar entering a home then leaving the back door unlocked for others to follow.
Dougherty said Accellion issued a patch (software upgrade to fix the problem) within 72 hours of it being discovered. The Herald has sighted correspondence that says the patch was released to FTA customers - which would include the RBNZ - on December 24.
But an insider has told the Herald that the RBNZ did not take action until January 7.
The bank has so far refused to comment on the timeline, other that to say that as of January 10, "The system has been secured and taken offline while investigations are underway."
5. What information was potentially accessed?
Orr said on January 10: "The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information."
There has been no update since. This is one area where the bank deserves some leeway, or at least its ignorance is understandable. It can be hard to ascertain if files have been viewed or copied - often until a ransom demand comes in from a hacker.
6. Why go offshore?
Local IT industry group NZRise has complained of a "cultural" cringe that sees a majority of government tenders being awarded offshore when local talent can do the job well, cost-effectively and with data protected by local laws.
Duty Minister Peeni Henare did not respond to RBNZ's procurement specifically but offered the general: "Opportunities to participate in government tenders are publicly advertised on the Government Electronic Tender Service (GETS), which is open to all respondents. The Government has made it a priority to increase access for New Zealand businesses, which is incorporated in Rule 17 of the Government Procurement Rules [which reads 'Agencies must consider how they can create opportunities for New Zealand businesses']."
But NZRise has complained that because of the closed panel system used for many all-of-government contracts, only a small minority of tenders make it to GETS - and once they do, the process of participating in a tender is disproportionately expensive for local contenders.
7. Why is our government doing so little to bolster our cybersecurity defences?
NZ does have a national cybersecurity defence system, Cortex, and it does stop hundreds of attacks each year. But it is ageing and, compared to other countries, relatively little has been done to bolster it over the past few years.
Crown agency Cert NZ tracked a 33 per cent increase in cyberattacks last year - in keeping with worldwide trends - with the GCSB's National Cyber Security Centre becoming increasingly involved in protecting high-value targets like NZX and now the RBNZ as part of its mission to protect economically-sensitive organisations against increasingly sophisticated organised crime, and increasingly assertive bad state actors.
Across the Tasman, Scott Morrison's government increased cyber-defence spending by A$1.35 billion last year as it went on what its Prime Minister called a "war footing" against the global escalation in cyberattacks. But NZ's increase of its already smaller per-capita budget was in the single-digit millions, with the issue gaining no traction at the election.
That's a question the Herald will be putting to new IT Minister David Clark when he returns from his summer holiday.