Relentless cyberattacks: Justice Minister Kiri Allan's take on two circuit-breaker moves

By Chris Keall
Technology Editor/Senior Business Writer · NZ Herald
21 Oct, 2022 11:00 PM · 9 mins to read

Justice Minister Kiri Allan. Photo / Mark Mitchell

ANALYSIS:

After three years of increasing cyber-attacks, we're all aware - or as aware as we're ever going to be - about the standard precautions: Using strong, unique passwords for every website, keeping backups on and offline, turning on two-factor authentication, training staff to be wary of suspicious approaches, and keeping all your tech up to date.

But what about on the policy front?

Pundits and security experts have raised two big-bang, circuit-breaker moves that could combine to make New Zealand organisations a less attractive target for cybercriminals.

1. Make it illegal to pay a cyber ransom. We would be one of the first countries to take this step, which would be good. It would make it easier for NZ to get a reputation as a tougher target.

2. Levy big fines on companies that lose customers' data due to lax security. NZ has a toe in the water here. The 2020 update to the Privacy Act allowed for fines of up to $10,000 for organisations that fail to take sufficient steps to secure their clients' data.

But it's nothing next to the EU, where a firm can be fined a maximum of €20 million (about $34m) or 4 per cent of annual global turnover – whichever is greater – for data breach infringements under the GDPR privacy regulations, and up to €10m or 2 per cent of revenue under an updated cybersecurity directive introduced this year.

And European companies can be hit by multiple charges, which is how clothing retailer H&M came to be slapped with a €35m fine. Australia has lower financial penalties but also threatens up to five years' imprisonment if health files are involved in a data spill.

I put these ideas to Digital Economy Minister David Clark, who deferred comment to Justice Minister Kiri Allan.

In short, Allan was cold on both.

On making it illegal to pay a cyber ransom, Allan said: "While the Government understands making payments for cyber ransoms may be perceived as encouraging further attacks, taking criminal action against the victim raises issues of fairness in regard to making a victim a criminal when they are attempting to protect their business and livelihoods by making the payment. As such, there aren't any current plans to criminalise those who pay cyber ransoms."

And on fines for firms that lose data to thieves because of poor levels of protection, the Justice Minister said, "Penalising those who fail to take sufficient steps to protect their data with substantial fines is not currently a priority for me as Justice Minister."

Allan noted that the 2020 update to the Privacy Act made it mandatory to report any serious data breach to the Privacy Commissioner, or risk a $10,000 fine, and that the same legislation now allows a firm to be fined up to $10,000 for failing to apply reasonable security safeguards to protect the personal information it holds.

Kordia chief information security officer Hilary Walton. Photo / File

That might not be enough to focus boards' minds.

Kordia chief information security officer Hilary Walton points across the Tasman, where Australia's privacy legislation allows for a fine of up to A$2.2m - and even possible jail time for executives involved - for a health data breach.

Further tightening of Australia's cyber-security regulations is widely expected following the mass data breaches suffered by telco Optus last month and health insurer Medibank this month.

Here, Crown agency Cert NZ and the police have clear advice: "Don't pay." Cert (the Computer Emergency Response Team) says paying up will only encourage another attack on you or another organisation. There's also no guarantee you get your files back or that a DDoS attack will stop if you do stump up - and you'll likely be giving money to an organised crime outfit that's also involved in the likes of drugs and human trafficking.

Making it illegal to pay a cyber ransom "would certainly help stop that criminal element because it would cut off their revenue stream", Kordia chief information security officer Hilary Walton says.

"But it could put a lot of pressure on businesses, depending on their size."

It could be seen as unfair, Walton said, likening it to police targeting businesses that were shaken down by local gangs in a protection racket.

Wenzel Huettner, co-founder of Defend (owned by himself and Vodafone NZ), also questions if a stick by the state is the best approach.

"I think there are a few things that need to be considered when attempting to stop cyber-attacks, including that negative reinforcement rarely leads to positive change," he says.

"So penalising people through fines and enforcement while increasing visibility and awareness won't necessarily lead to us being better protected. In fact, it might take the focus away from prevention and implementing protective measures."

Huettner would like to see the government, "Providing our small and micro businesses with the practical guidance and support they need. Not enforcing expensive solutions or heavy compliance requirements and overheads, but the basic practical steps they need to be cyber resilient."

Palo Alto Networks' Alex Nehmy. Photo / File

Alex Nehmy, an executive with the Asia Pacific division of US cyber security giant Palo Alto Networks, says increasing attacks on targets like critical infrastructure and healthcare have driven more regulation.

"Governments are increasingly stepping in globally to say, 'We need to pull that regulatory lever to make sure organisations are investing more heavily in their cyber security.'"

He adds, "Paying a ransom encourages more cybercrime and funds the cybercrime."

Yet the reality is that some firms do get their systems unlocked if they pay a ransom - most notably the Colonial Oil Pipeline, which disclosed it had made a US$4.4m ($7.7m) payment to hackers to free its control systems and get petrol flowing again to service stations on the US east coast.

Similarly, Nasdaq-listed Blackbaud, which runs donor management databases, disclosed it had paid an unspecified cyber ransom to retrieve files for clients including Auckland University (which stressed it had no hand in the decision to pay up).

Nehmy favours a "zero trust model" and ramping up security, but says Government mandates around cyber-security would require enforcement and audits, which would put a heavy burden on small businesses.

Walton says one idea could be to make it compulsory for organisations to carry out their own "gap analysis", using a checklist supplied by Crown agency Cert NZ, with a report going to the executive - "So they couldn't just wish it away. They would have visibility on the issue that would force - or help - them to make cybersecurity investment decisions".

The Kordia CISO says there's also scope for NZ to sharpen its rules around high-risk data - and possibly, the consequences when things go wrong.

She says an important precedent was set in Australia, where financial planning firm RI Advice suffered a ransomware attack and was then hit by hackers again after failing to upgrade its defences. The Australian Securities and Investments Commission (ASIC) took it to Federal Court in 2020, alleging it had breached its obligations as a financial services licensee.

In a decision released in May this year, the court ordered RI to fork over A$750,000 and directed it to hire an outside cyber-security expert to review its systems.

A 2019 law change meant ASIC can pursue a business that breaches its financial licensee obligations for civil penalties of up to A$11m or up to 10 per cent of its turnover (to a A$555m cap).

Our equivalent to ASIC - the Financial Markets Authority - can't ding a company with a financial penalty per se if its cyber-security is not up to snuff. But the agency can order one of the companies it regulates to take remedial steps to improve its cyber-defences, and there could be a major financial penalty if that order is not complied with.

"If the FMA issued a direction order for the breach of a licence condition relating to cyber-security and the direction order was not complied with, the maximum penalty would be $600,000, or $200,000 for an individual," an FMA spokesman says.

"The parties would make submissions on an appropriate penalty and cases depend on a wide range of factors, which is ultimately for the court to determine."

Health: Becoming a juicier target

In September, central North Island health provider Pinnacle was hit by a cyber-attack, with a "taster" selection of financial and patient data posted to the dark web earlier this month - a common pressure tactic during ransom negotiations.

Pinnacle today said it had no further comment beyond its October 9 update when it said, "We are attempting to retrieve the stolen data and will provide updates where possible."

Asked if Pinnacle was negotiating a ransom payment, or had told the hackers it would refuse to pay, a spokeswoman said, "Our advisers continue to advise us to not comment on those types of questions."

That's a stark difference from the Waikato District Health Board cyber-heist last year, when the DHB stated unequivocally that it would not pay a ransom.

The Government's move to consolidate 20 DHBs - and their 120 different IT systems - into one centralised health authority provides opportunities for efficiencies and modernisation.

Some $230m in operating spending and $170m in capital spending has been earmarked for a new, centralised patient record system.

But while a single system will be easier to control, and upgrade, Palo Alto's Nehmy warns, "Centralising the patient data will make it more of an attractive target for cybercriminals because it's all in one place."

The growth in online remote consultations and "the internet of things" - which includes a growing number of medical devices used at home that are connected to the internet - are providing more opportunities for hackers.

"There have been sort of virtual hospitals created during the pandemic where people who had Covid are actually given pulse oxygenators and digital devices to take home and monitor their health," Nehmy says.

"But while that's shown really positive outcomes in terms of reduced hospitalisation rates, it also increases that digital footprint of healthcare - and the more digital that healthcare becomes, the more vulnerable it is to threat actors."
