Should it be mandatory to report cybersecurity breaches, even if it results in media attention? Or does keeping cyberattacks under wraps help minimise the risk? Those are questions being grappled with by CIOs and CSOs throughout New Zealand, following the well-publicised cyberattacks on the NZX.
Government Communications Security Bureau (GCSB) director-general Andrew Hampton told a trans-Tasman Business Circle audience this week that the perpetrators of the DDoS attacks on the stock exchange are “highly likely” to be a criminal group, which has also been active in Australia and globally. He says the group has been active for up to two years, and “in terms of their motivation, it’s all about money.”
Divided views on whether cyberattacks should be made public
Hampton’s advice to companies under attack is that, while it is important to make customers and stakeholders aware of what is occurring if it affects them, be careful what you say publicly.
What we do know is that this actor, or actors generally, they are monitoring what is in the media, they are responding to what’s in the media. If they see an organisation is being rattled in the media, they’ll hit them harder. So that’s my advice to organisations: to be very careful about what they say publicly. … By outing yourselves, by saying you’re subject to a DDoS attack, which is very serious, and what the volumes are, is likely to incentivise them to go harder.
It is advice that Jeremy Jones, head of cybersecurity at consultancy Theta, doesn’t agree with. “That’s a classic government intelligence perspective, and I know that because I did it for 17 years. Now that I’m in the commercial space, I realise it’s a bit of a folly,” he says.
Jones was previously a Royal Air Force officer for the UK Ministry of Defence, working in cyberoperations, where he was involved in intelligence and cyberwarfare in support of security objectives at the highest government levels. He says:
This is about awareness and education, and the media is a great vector for that. I wasn’t always a great fan of the media; I used to be in the UK armed forces and they used to be problematic when we were in places like Afghanistan and Iraq, but ultimately once you embrace the media as a means to get your narrative across, it’s actually a very powerful tool. I understand where the bureau is coming from, but the reality is they don’t operate in a commercial space and I do. And I would challenge anyone in the government on that.
Jones says that New Zealand businesses are constantly being hit by cyberattacks, which are going unreported, even by NZ CERT, which can only report on attacks that it is notified about. “There is this seedy, unspoken, underbelly of cyberattacks in New Zealand that never gets reported. It’s not in the news about how many NZ businesses are actually getting hit with ransomware. You would be mortified if you knew how bad it actually is.”
He notes one small business, which employs 15 people, was forced to spend $150,000 combatting a cyberattack, when preventative measures would have cost around $4,000.
Most New Zealand businesses don’t understand that they can be a target because they believe the country is too small and insignificant, Jones says. Businesses ask themselves, “Who would want to attack us? We’re just a warehouse, we’re just a hairdresser, we’re just a small bank.” But, he says, “the answer is ‘Who cares?’ You’re on the internet; you can be found in four seconds and attackers don’t care if you are in Brazil, Germany, or New Zealand. The fact is if you are online, you are at risk. The speed with which you can find vulnerabilities and exploit them is terrifying.”
The GCSB’s Hampton says it surveyed 250 organisations to come up with four key areas of focus to increase cyberresilience. They are:
- Governance: Cybersecurity is not a ‘tech issue’, it is an organisational one, and senior leadership needs to be engaged and know what the critical threats are.
- Investment: It costs money to provide good cybersecurity, and this includes investing in people as well as technology.
- Supply chain: Your organisation is not a fortress; you have to work with your suppliers, such as your ISP, to understand their services and what your options are.
- Incident response: You must be ready for something to happen and know how you will protect your business model when it does. For example, if your website goes down, how will you communicate with your customers and stakeholders?
Cybercrime can be local, as the Ruapehu Alpine Lifts cyberattack shows
There’s a common belief that cyberattacks come from abroad, and so only technical defences are available to deter the otherwise untouchable intruders. Jones disagrees.
For example, an online parking system that Theta deployed for Ruapehu Alpine Lifts (RAL) experienced a cybersecurity incident in the same week as the NZX attacks. The timing meant that it was, in some media, falsely reported that RAL was the subject of a similar cyberattack.
Theta had signed up RAL to Cloudflare to guard against international cyberattacks, but it soon realised that their foe was local. “What we weren’t expecting was the attacks to come from New Zealand. These weren’t master criminals—these were disgruntled IT workers who perhaps have season passes to Whakapapa [ski field] and decided to create a program or a bot or something to programmatically disrupt that web application to enable carpark booking,” Jones says.
RAL chief operating officer Travis Donoghue says that the cyberattack occurred just as it released its weekly availability for access to ski areas, which is a critical time for their customers. “For several minutes our guests were unable to complete their transactions, which results in damage to our reputation and brand. … [Theta’s] serious and thorough approach to the issue helped us to rationalise what was going on and why, and they quickly had fixes and improvements in place to avoid a repeat the following week,” he says.
Theta’s Jones says they have “gone a long way to identifying who did it” by working out their methods, and the police are in the process of identifying the culprits. It may result in the individuals they believe are responsible being prosecuted under the New Zealand Crimes Act. Section 250 of the act states that the maximum penalty for damaging a computer system, intentionally or recklessly without proper authorisation, is up to seven years in jail.
“It’s completely unacceptable behaviour. When I talked to police, I said it’s like driving at high speed down the motorway, sideswiping cars as you go. It’s reckless behaviour and it’s a crime that should be pursued by police. You wouldn’t drive like that on the motorway, so why would you behave like that on the internet?” Jones says.
RAL’s Donoghue wants to see that “any intentional or malicious attack to a business is recognised and prosecuted in the same way that it would be if it were the same to a physical premise.” He continues:
The potential impacts of digital crimes can be severe, and so in New Zealand we must see that the focus and ability to fight cybercrime keeps pace with changing technology—in other words cybercrime needs to be an area of priority for the government. A start could be in better facilitation of the reporting on any breaches to enhance visibility on the issue.
How New Zealand could send a stronger message about cybercrime
Theta’s Jones says prosecuting people over cyberattacks is one way to send a message that New Zealand is a country where cybercrime isn’t tolerated. Another way is to make the reporting of breaches mandatory. There is a “nod towards” mandatory breach notification in the new Privacy Act that comes into effect in December 2020, but he notes the “fines aren’t all that great [up to $10,000], and it’s only for personal data”.
What Jones would like to see is a stronger approach being taken, and he points to recent Australian investment in cybersecurity as an example, and the GDPR in Europe “which is another level again”. “We need to demonstrate that New Zealand is a safe place to do business and we will not tolerate that behaviour,” he says.
The consequences of not paying more attention to cybersecurity could be disastrous, Jones says. “We’re going to sleepwalk into a disaster if we’re not careful, and it’s going to be painful and someone or something terrible is going to happen. So, either a piece of critical infrastructure is going to get taken out or people are going to die because of a cyberattack—then and only then will people take notice,” he says. In fact, a death in Germany has been linked to cybercrime.
Where both Jones and GCSB’s Hampton agree is that businesses should never pay the ransom. “It should be illegal to pay ransomware because what you are doing is supporting organised crime,” Jones says.