"We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the Bank for five days," Reserve Bank Governor Adrian Orr says. Photo / Mark Mitchell
OPINION:
An independent report on the Reserve Bank's December data breach is unsatisfying, at least in its public version.
The incident saw a breach of a file-sharing service called FTA (File Transfer Application), operated by a US company called Accellion, which the RBNZ used to share files with its customers, who include retail banks and insurance companies.
Report author KPMG focuses heavily on the breach itself and particularly how various parties acted in its aftermath.
That's not to criticise KPMG, which was given limited scope. It was working to a terms-of-reference brief with a heavy emphasis on incident response, and recommendations for improvements.
Still, I was surprised that the public version of the report made no mention of two major elements in the story - both of which involve technical issues, but also suggest a wider management issue of warnings being ignored.
The first is a May 2020 (initially confidential) RBNZ report called Digital Services: Consultation for Change, with a foreword by the bank's chief information officer Scott Fisher.
The report includes the lacerating line that there is, "High operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms."
The report namechecks Accellion and also calls for a move to "more resilient platforms" and an "uplift in our cyber-security capability".
So I was surprised that, six months later, the RBNZ was still using Accellion's creaky FTA service.
Which brings us to the second major point not discussed in the KPMG report: Accellion's own warning that FTA was past its use-by date.
Accellion has been making assertive efforts to move its customers from FTA to its new Kiteworks service.
Spokesman Rob Dougherty said Accellion had been strongly encouraging its partners to upgrade from FTA to its newer, more secure Kiteworks service, which was first released in 2014 and works with Google Drive and Dropbox.
"For the past three years, Accellion has been attempting to move its existing FTA customers over to our modern and more secure platform, Kiteworks," Dougherty said.
RBNZ was one of around only 10 per cent of Accellion's customers still clinging to FTA.
Accellion's own independent report, by security company FireEye, doubles down on the point that FTA was an end-of-life legacy product. It notes that Kiteworks, which was built from the ground up on a new code base, was not breached during the attack.
While it ignores Fisher's report with its warning of "high operational risk" from underspending and outdated tech, KPMG's report does note that the RBNZ did address the need to upgrade its IT systems in its "Statement of Intent 1 July 2020 - 30 June 2023". However, the Statement addressed the issue in the blandest possible, feel-good terms, with lines like "We have developed a strategy to improve the digital capability of the Bank to ultimately become a stronger, more reliable and secure kaitiaki [guardian]."
Vulnerabilities with FTA were first reported in 2016.
A spokesman for RBNZ said the company stopped using FTA. (Now the case with all customers. Accellion shuttered the service on April 30.)
Elsewhere, KPMG backs the Reserve Bank's claim that when Accellion discovered the FTA security breach in December, it was slow off the mark to inform the RBNZ and other customers (a point that Accellion had already tacitly conceded by refusing to answer Herald questions about a detailed timeline).
KPMG says Accellion first discovered the FTA security breach on December 16. Accellion says it was able to offer customers a patch within 48 hours. KPMG says a technical failure in Accellion's alert system means the RBNZ was not informed until January 6. The bank implemented the patch on January 7, but by that time the horse had bolted - or at least the attackers had already downloaded what RBNZ described as "sensitive" files.
Accellion's slow communications allowed Reserve Bank governor Adrian Orr to go on the front foot, and shift attention from the RBNZ's failure to heed warnings about using an outdated system to share files.
KPMG says "There were also initial alerts of potential malicious activity on the System [FTA] in December 2020 that would have helped provide early detection had they been identified and/or followed up by the Bank's support staff. These alerts were default alerts enabled within the System since 2015."
KPMG also says the RBNZ should have undertaken a formal risk audit, which would have identified FTA as a potential pain point (Fisher's May 2020 warning notwithstanding).
Instead, the Reserve Bank seems to have gone in the other direction, developing an over-reliance and too much trust in FTA.
As KPMG puts it, "Usage of the System [FTA] by the Bank was not limited to secure file transfers as intended. Working practices evolved over time to the point where the System was also used as an information repository and collaboration tool, which was not
in adherence with the Bank's 2014 guidelines on acceptable use of the System. Adherence would have significantly reduced the volume of information at risk."
Broadly, KPMG gives the Reserve Bank a thumbs up for the way it responded from when it was first formally alerted to the hack by Accellion on January 6.
But it does note, "Some key events in the timeline in the period up to 9 January 2021 were not recorded in the detailed incident log", so KPMG was not working off a full record.
Early in the controversy, an insider told the Herald that the RBNZ's slow reach was, in part, because it was the Christmas/New Year holiday period and a lot of people were at the beach.
KPMG says staff responded rapidly, despite the incident falling in the holiday period, but does add that there was not strict adherence to all aspects of the MIRP [Major Incident Response Plan] with respect to the use of the defined playbooks," adding "It is difficult to extrapolate whether these factors would have materially impacted the overall timeline and outcome."
And its report also implies that while members of the MIRP team quickly ditched their beach towels, the response was hampered, to a degree, by not everyone being on deck.
It says a full response was delayed, for an unspecified time, because "Not all key Bank users of the System were involved in determining the extent of the potential breach as there was not widespread understanding of who was using the System, the nature of that usage and the at-risk information that was stored on the platform."
And although it never explicitly the RBNZ's failure to upgrade from FTA to Kiteworks (Kiteworks is never mentioned, per se), it implies that an upgrade project in the works - but that the bank was not taking steps to be more careful in the meantime.
"Delays in the project to replace the System [FTA] did not trigger any interim mitigating controls to be implemented or reinstated," KPMG says.
KPMG's report makes a series of sensible recommendations - some of which it says are already underway - including a risk-audit of systems, and the implementations of risk-management processes, including with third-party processes, that have so far been missing or are "not consistently enforced."
It's all straightforward, sensible stuff. The only question is why such routine security policies were not already in place.
Orr says the recommendations will be implemented.
Acceleron says 25 customers lost files after the FTA breach.
Those included the RBNZ. Orr said on February 9 that "For security reasons, we can't provide specific details about the number of files downloaded, or information they contain. We have been in regular communication with all organisations who have had files illegally downloaded ... External legal advisers are also providing assurance checks and advice on any personal information which was included in the downloaded files."
I'm not clear how simply saying the number of files taken, or the partner companies involved, would compromise security in any way. In some cases, citing "security" for saying almost nothing about a breach seems more like a public relations than cybersecurity strategy.
So many questions remain, including why the RBNZ did not opt for an on-shore file-sharing service.
Luckily, no RBNZ files have been spilled onto the web - a common tactic by ransomware attackers as they try to pressure victims. That could be luck, the fact that documents about the OCR, packed with dense economic jargon, have limited sex-appeal on the dark web).
Certainly, it wasn't because the Reserve Bank paid a ransom. Orr said it would not entertain the idea, in line with advice from police and the GCSB (which assisted post-attack, and covers various institutions of national interest with its Cortex system).
Nevertheless, the bank estimates that the final cost of the breach response, including internal resources, will be around $3.5 million, according to KPMG. All costs associated with the breach were absorbed into its baseline budgets.
A final missing piece: it could also have been useful for KPMG to look a the Reserve Bank's data breach through the lens of NZ's broader cyber-security crisis, which has seen not only institutions like the RBNZ and the NZX hit, but top corporates like F&P Appliances, Lion and Toll Group - and of course now the Waikato DHB.
In some organisations, there seems to be no appreciation that cyber-security is no longer an issue for the IT crowd, but clear and present danger to reputation, profit - and in some cases, lives - that boards to address.
There seems to be a systemic issue with major New Zealand institutions under-investing in cyber-security, and little sense of urgency from boards or the government to address the problem. But with KPMG being asked to work within such a narrow brief, those answers will have to wait for another report.
The Reserve Bank says no new information was disclosed in the speech.