On New Zealand’s Lack Of Adequate Cyber Security Defences
Remember how, back in the olden days, we had security concerns about the Chinese firm Huawei? Allegedly, Huawei was to be shunned as a business arm of the Chinese Communist Party and supposedly some Huawei products contained security glitches that would leave potential users vulnerable to cyber penetration. Well…. The last six months have shown that Huawei was the least of our problems. The Russians, not the Chinese, seem to pose more of a cyber security threat. Moreover, it is the security glitches in the supply chains for software already in use there that is triggering major problems here, and elsewhere.
In the last six months alone, the US has been hit by several huge and apparently successful cyber intrusions. These have included :
(a) the SolarWinds hack of the US government Energy, Treasury Justice and Commerce departments and thousands of other users of a particular version of SolarWinds software.
(b) a ransomware attack on the Colonial Pipeline that forced the company to shut down nearly 9,000 kilometres of its pipeline system
(c) a ransomware attack on the Brazilian firm JBS, the worlds’ largest meat company that resulted in JBS choosing to pay $US11 million in ransom, and
(d) the Kaseya attack, for which the REvil cybercrime gang are now demanding $US70 million in ransom.
Such problems aren’t new, but they seem to be snowballing. The Russian Fancy Bear hacker team has been held responsible for the 2018 hack of the International Olympic Committee, an intrusion widely seen as payback for the IOC’s banning of Russia from Olympic competition. A team working within the Russian Intelligence Main Directorate (the GRU) called Unit 74455 has been formally charged by US authorities with meddling in the 2016 US election. Some of the same defendants have also been accused of cyber intrusions in France, a malware attack on the electricity grid in the Ukraine, and similar actions elsewhere.
The suspects were also accused of carrying out an attack in June 2017 that is considered the most costly in history. Called NotPetya, it was originally aimed at Ukraine but quickly boomeranged around the world, paralyzing some of the biggest corporations in Europe and the United States at an estimated total cost of $10 billion. It was never clear, intelligence experts said, whether Russia intended to limit the attack to the Ukrainian economy and any company that dared to do business with Ukraine, or whether it knowingly built a tool that would wreak global havoc. But the estimated cost to Mondelez, the maker of Oreo cookies and Ritz crackers, alone was more than $100 million; Merck, the pharmaceutical giant, reported some $700 million in damages; the attack also impeded computer use at hospitals and medical facilities in western Pennsylvania.
Medical facilities? That sounds familiar. The recent attack on Waikato DHB seems to have been part of a global pattern. Routinely, the Russian government has denied involvement. In all such activities. At this point, it remains unclear whether the Russian hackers are working directly for a cash-strapped Kremlin, or are criminal gangs operating at a distance from the Kremlin, with its tacit blessing and for a share of the profits. Either way, Russia has built an A-grade cyber arsenal, and - at present – the West is struggling to match its expertise.
As mentioned, the threats are also becoming more sophisticated. Some of the more recent intrusions have not been targeted at individual firms, but at key points in the cyber supply chains that have ripple effects on thousands of customers further down the line. With the SolarWinds hack, the entry was via a software update that contains millions of lines of computer code. The hackers clandestinely rewrote 4,032 lines of that code, thereby creating “back doors’ into the computer networks of the firms, government agencies and think-tanks using the SolarWinds Orion software package. To mount an offensive action on SolarWinds on the scale required, Microsoft’s president Brad Smith has said “We asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.” If so, it is very hard to see how a mere “criminal gang” would have that level of resources at their disposal. Directly or indirectly, it indicates the involvement of a state actor.
Incredibly, the SolarWinds cyber burglars went undetected for the best part of a year.:
[The] Russian military hackers sabotaged a tiny piece of computer code….the hidden virus spread to 18,000 government and private computer networks by way of one of those software updates we all take for granted. After it was installed, Russian agents went rummaging through the digital files of the U.S. departments of Justice, State, Treasury, Energy, and Commerce –among others—and for nine months, they had unfettered access to top-level communications, court documents, even nuclear secrets.
Last week’s Kaseya intrusion has been a somewhat similar story. Like many other countries, New Zealand is still discovering how many firms and agencies are vulnerable and/or may have been affected. Several schools and kindergartens have been hit. Those with good backup systems have been able to readily switch to the backups. (There’s a lesson in that – back-up everything, all the time.) Wider questions arise. In New Zealand, how capable are the cyber security defences (a) of the state and (b) of the private sector, and (c) how should those defences be best deployed?
Disturbingly, the West’s official “security agencies” still appear to be playing catch-up when it comes to detecting and neutralising the threats that are now emerging. It was an alert individual at a large US private security firm (called FireEye) that noticed a problem with the two factor authentication access code on the company phones and then traced the ghostly free rider back to its point of entry, and then alerted the US government to this huge problem it had finally located as being within the SolarWinds software update. With Kaseya, it was a Dutch non-profit organisation that alerted Kaseya to its vulnerability, and Kaseya was in the process of fixing it when the July 2 attack was launched.
New Zealand seems ill-equipped to detect these kind of challenges beforehand. Under the coalition government of 2017-2020, this country has just invested heavily in analogue forms of defence long after the security threats had gone digital. As Werewolf pointed out last week, New Zealand has been locking itself back within a 60 year old Cold War defence configuration, alongside our traditional allies. At enormous expense, we have kitted ourselves out with conventional warfighting tools to meet defence challenges in the Pacific region that even the NZDF says (in its own reviews and reports) will be non-existent over the lifespan of the gear in question. To counter these phantom threats, we have allocated circa $20 billion over the next decade.
That outlay has left New Zealand with almost nothing left over to bolster our defences against the actual threats to our security posed by cyber criminals, domestic and global terrorism and climate change. Against those real and imminent threats, our pricey updated frigates, Poseidon anti-submarine aircraft and heavy left super Hercules planes will be next to useless.
Defence is the best form of defence
Similarly, the Kaseya intrusion has highlighted the mismatch between the resources we’ve bought, and the threats we face. Our main clearing house for information about cyber threats is CERT NZ – a small, under-funded and under-staffed sub-unit within MBIE. Over the past weekend, CERT NZ did a fine job of summarising the Kaseya problem, and usefully pointed firms and agencies towards the best available information –on sites like the Reddit thread of the Huntress security firm. Great work, done on a shoestring. Less impressively, the public statements by GCSB Director Andrew Hampton – that these attacks are sophisticated, and aimed at supply chains – were what any ordinary citizen or firm would have got already from watching CNN or from linking to the Huntress Reddit thread. The GCSB commentary added nothing new to the information mix.
Looking ahead, a debate needs to be had on how New Zealand plans to defend its cyber security. Arguably, we need the cyber equivalent of a Defence Review. Where are our main online vulnerabilities – are they here, or are they mainly being imported from offshore, within the software we’re purchasing? If the latter, can we possibly detect those vulnerabilities and insulate ourselves against them ? Or, do we see our resources as being best deployed in forward projection actions alongside our 5 Eyes allies ? Currently, it is very hard to see how the 5 Eyes alliance could possibly pursue, to use the jargon, an effective “cost imposition” strategy against the Kremlin, in order to motivate it to desist.
In the meantime, the government has to do more than equip CERT NZ to send out reminders for everyone to do their constant back-ups, and to be on the lookout against phishing emails. That’s good advice, but perhaps we also – judging by the pattern of the latest attacks – need to put in place the cyber-equivalent of Medsafe, to vet imported software products beforehand, as safe for local use. Probably though, the expertise required to do that job properly is lacking here, even within the GCSB.
Ultimately – and this takes us right back to the alleged sins of Huawei mentioned at the outset – there wouldn’t be a problem if the software we are importing was up to scratch. If there wasn’t a cyber weakness waiting for the Russians or North Koreans or Ukrainians to exploit, we wouldn’t have had a SolarWinds hack, or a Kaseya intrusion. We wouldn’t have had a problem at Waikato DHB either. It has been surprising ( and counter-productive) that the public has been told so little about the cause of the Waikato DHB intrusion, let alone about who the likely perpetrators were.
Par for the course. Almost nothing has been released about the hack at the Reserve Bank either – beyond the RB absolving itself by blaming an independent supplier, for whom the RB disclaimed any responsibility. But who did it, and how? At least the public was told that the mid 2020 attacks on Stuff, RNZ and the NZ Stock Exchange were foreign-driven Distributed Denial Of Service amplifications, whereby attempts were made to overwhelm the local servers with sudden mass influxes of foreign traffic. But again, where did that traffic originate from ?
On cyber security matters, the public is largely being left in the dark. Supposedly, this is to avoid tipping off the intruders by publicly disclosing too much. As if these expert intruders can’t readily see for themselves the nature (and the limitations) of our responses. Yet in the case of both SolarWinds and Kaseya, it was non-state actors – the FireEye private security firm and the Dutch NGO – that alerted the world to the existence of a problem. Meaning: the pressing need is for greater transparency, not for heightened secrecy. Because the track records indicate that it will be an informed public that will protect the state from cyber threats, and not vice versa.
On cyber security matters though, the GCSB still seems to be banging into the furniture in the dark, while trying to find a light switch. It is how they roll.
The Sahei desert regions of Niger and Mali have given us several brilliant musicians over the past decade. The Tinariwen band from Mali are now global superstars, and the Niger guitarist Mdou Moctar ( he’s a combination of Hendrix-level virtuosity and Prince – like charisma) has also been finding a wide audience in the West over recent years. On his new album Afrique Victime, Moctar has included a couple of acoustic tracks like this beautiful cut” Tala Tannam” alongside the usual electric guitar pyrotechnics.
And here’s“Taharazed” from a couple of years ago, live on KEXP, that showcases some of Moctar’s shredding skills :