Budget Leak: Most cyber-leaks come from internal sources, says cyber expert
By Pattrick Smellie
May 29 (BusinessDesk) - Most information leaks come from "malicious" or "inadvertent" releases from internal sources rather than via hacking, says Mark Shaw, a technology strategist for cyber-security software provider Symantec.
His comments came as the government and Opposition politicians traded blows in Parliament over the leak of information from tomorrow's Budget by National Party leader Simon Bridges, which the Treasury believes came from a "systematic hack" of its IT system.
Bridges and National's finance spokeswoman, Amy Adams, called repeatedly at the daily parliamentary question time for Finance Minister Grant Robertson to be "stood down" if, as Adams put it, the leaks turned out to be a result of the Treasury's "own failures, a far more likely explanation".
Shaw said information on the source of the Treasury leak was "pretty light at the moment", but questioned the assumption of hacking.
"From a sensationalist perspective, it’s nice to attribute these things to hacking a lot of the time," he said. "Without knowing the details behind Treasury, what I can say is that the vast majority of breaches that we see are caused by malicious insiders and the inadvertent leaking of information.
"While it’s convenient and interesting and curious to be pointing towards hacking activity – not to say that it’s not – it’s important to keep in mind that they need to be looking internally as well – whether it’s something malicious internally or someone inadvertently giving up information, whether through mis-clicks, ‘fat fingering’ and the like."
Shaw said breaches of cyber-security were now a matter of 'when', not 'if'.
However, sophisticated alert systems and trained staff should mean a successful cyber-attack would be noticed inside an organisation before it became public.
"There are tools and people play a big part in this," said Shaw. "All of these tools generate telemetry and noise and alerts, so organisations can be a bit overburdened by the amount of noise coming through.
"So having skills or technology to sift through that and identify an incident out of the many, many different alerts that are coming through is a big factor for organisations", especially given skills shortages in the area, said Shaw. "Detection for organisations is certainly not impossible. It should happen the majority of the time as quickly as possible after the event.
"Unfortunately, organisations, a lot of the time, are aware of a breach (only) when it becomes noticed in the public domain. That occurs with concerning regularity but ultimately organisations want to avoid getting to that point."
The Treasury began investigating the leaks yesterday only after Bridges made Budget information public. Treasury secretary Gabriel Makhlouf advised around 6pm that the government's primary economic advice agency, which handles some of the most sensitive economic policy information in the country, had found "sufficient evidence" of a "systematic hack" to call in the police to investigate.
In the case of hacking, Shaw said cyber criminals are becoming less reliant on using customised tools that had made them easier to spot in the past.
"Symantec talks about the way that attackers are what we call ‘living off the land’. They are actually using tools and processes that exist on our systems already.
"Having said that, almost no attack can ever take place without leaving some footprints around the place so, over the course of the last 10 years or so, we’ve seen a much greater focus on detection and response and not as much focus on prevention - that’s still important - but on detecting whether something has taken place in the environment."
Meanwhile, National is now complaining that the government is limiting its normal level of access to the Budget documents ahead of tomorrow's scheduled 2pm release in Parliament by halving the number of National Party representatives in the pre-Budget media lock-up from 16 to 8.
"I’m concerned this government is changing the rules in a way that appears petty and vindictive," said Adams.
Robertson last night called on National not to release any further Budget information because of the Treasury's advice that it appeared to have been obtained by hacking. By mid-afternoon today, no further Budget leaks had been released by National.