A Tongan cybersecurity expert says the country’s health data hack is a “wake-up call” for the whole region.

Siosaia Vaipuna, a former director of Tonga’s cybersecurity agency, spoke to RNZ Pacific in the wake of the June 15 cyberattack on the country’s Health Ministry.

Vaipuna said Tonga and other Pacific nations were vulnerable to data breaches due to the lack of awareness and cybersecurity systems in the region.

“There’s increasing digital connectivity in the region, and we’re sort of . . . the newcomers to the internet,” he said.

“I think the connectivity is moving faster than the online safety awareness activity [and] that makes not just Tonga, but the Pacific more vulnerable and targeted.”

Since the data breach, the Tongan government has said “a small amount” of information from the attack was published online. This included confidential information, it said in a statement.

Reporting on the attack has also attributed the breach to the group Inc Ransomware.

Vaipuna said the group was well-known and had previously focused on targeting organisations in Europe and the US.

New Zealand attack
However, earlier this month, it targeted the Waiwhetū health organisation in Aotearoa New Zealand. That attack reportedly included the theft of patient consent forms and education and training data.

“This type of criminal group usually employs a double-extortion tactic,” Vaipuna said.

It could encrypt data and then demand money to decrypt, he said.

“The other ransom is where they are demanding payment so that they don’t release the information that they hold to the public or sell it on to other cybercriminals.”

In the current Tonga cyberattack, media reports say that Inc Ransomware wanted a ransom of US$1 million for the information it accessed. The Tongan government has said it has not paid anything.

Vaipuna said more needed to be done to raise awareness in the region around cybersecurity and online safety systems, particularly among government departments.

“I think this is a wake-up call. The cyberattacks are not just happening in movies or on the news or somewhere else, they are actually happening right on our doorstep and impacting on our people.

Extra vigilance warning
“And the right attention and resources should rightfully be allocated to the organisations and to teams that are tasked with dealing with cybersecurity matters.”

The Tongan government has also warned people to be extra vigilant when online.

It said more information accessed in the cyberattack may be published online, and that may include patient information and medical records.

“Our biggest concern is for vulnerable groups of people who are most acutely impacted by information breaches of this kind,” the government said.

It said that it would contact these people directly.

The country’s ongoing response was also being aided by experts from Australia’s special cyberattack team.

This article is republished under a community partnership agreement with RNZ.

Article by AsiaPacificReport.nz

A View from Afar – In this podcast, political scientist Paul Buchanan and Selwyn Manning analyse the advent of new technologies and the rise of hybrid warfare.

In this episode, Buchanan and Manning take you on a journey into a world that exists all around us, no matter where we live. But, it’s fair to say, it’s a world few realise exists and few realise how it is effecting them.

With the technologies that surround us, tech that we use every day, it has become easy to conduct indirect or non-attributable warfare using a variety of means.

There’s the grey area phenomena where opponent states undermine adversaries from within, sowing distrust, or fear, where there should not be. The purpose is to weaken public trust and a population’s resolve to support their government.

In an extreme situation, this form of hostilities can escalate into hybrid warfare using indirect and direct means, from cyber offensives to firepower.

To illustrate the issue, we will draw on the build-up to the Russian invasion of Ukraine, and also evaluate other locations around the world where there is evidence of hybrid warfare.

It may surprise you to realise how close to home are real world examples of hybrid warfare.

You can comment on this debate by clicking on one of these social media channels and interacting in the social media’s comment area. Here are the links:

• Facebook.com/selwyn.manning
• Youtube
• Twitter.com/Selwyn_Manning

If you miss the LIVE Episode, you can see it as video-on-demand, and earlier episodes too, by checking out EveningReport.nz or, subscribe to the Evening Report podcast here.

The MIL Network’s podcast A View from Afar was Nominated as a Top  Defence Security Podcast by Threat.Technology – a London-based cyber security news publication.

Threat.Technology placed A View from Afar at 9th in its 20 Best Defence Security Podcasts of 2021 category. You can follow A View from Afar via our affiliate syndicators.

A View from Afar – In this podcast, political scientist Paul Buchanan and Selwyn Manning will analyse the advent of new technologies and the rise of hybrid warfare.

In this episode, we will take you on a journey into a world that exists all around us, no matter where we live. But, it’s fair to say, it’s a world few realise exists and few realise how it is effecting them.

With the technologies that surround us, tech that we use every day, it has become easy to conduct indirect or non-attributable warfare using a variety of means.

There’s the grey area phenomena where opponent states undermine adversaries from within, sowing distrust, or fear, where there should not be. The purpose is to weaken public trust and a population’s resolve to support their government.

In an extreme situation, this form of hostilities can escalate into hybrid warfare using indirect and direct means, from cyber offensives to firepower.

To illustrate the issue, we will draw on the build-up to the Russian invasion of Ukraine, and also evaluate other locations around the world where there is evidence of hybrid warfare.

It may surprise you to realise how close to home are real world examples of hybrid warfare.

Join Paul and Selwyn for this LIVE recording of this podcast while they consider these big issues, and remember any comments you make while live can be included in this programme.

You can comment on this debate by clicking on one of these social media channels and interacting in the social media’s comment area. Here are the links:

• Facebook.com/selwyn.manning
• Youtube
• Twitter.com/Selwyn_Manning

If you miss the LIVE Episode, you can see it as video-on-demand, and earlier episodes too, by checking out EveningReport.nz or, subscribe to the Evening Report podcast here.

The MIL Network’s podcast A View from Afar was Nominated as a Top  Defence Security Podcast by Threat.Technology – a London-based cyber security news publication.

Threat.Technology placed A View from Afar at 9th in its 20 Best Defence Security Podcasts of 2021 category. You can follow A View from Afar via our affiliate syndicators.

Aotearoa New Zealand makes up a small portion of the world’s population, yet the country is being hit by a relatively bigger share of cyber attacks.

Chances are, you’re familiar with the term ‘distributed denial of service (DDoS) attack’. Not because your organisation has been subjected to one, but instead, the recent numerous, high profile attacks on local and global businesses have captured your attention.

With cyber attacks ramping up across the globe and Aotearoa New Zealand an attractive target, every business—no matter the size—must put protections in place.

What’s a DDoS attack?

Designed to disrupt the normal function of a server, DDoS attacks harness compromised computers and hardware like Internet of Things (IoT) devices to flood the target or its surrounding infrastructure with traffic. This influx can slow down or overwhelm a website or service, denying access to genuine traffic.

DDoS attacks are on the rise across the world, with attackers using different styles of malicious activity to take down websites and even using them as an attempt to extort money. Businesses from all industries were victims of ransom DDoS (RDDoS) attacks in 2021, and Q4 saw a 29% YoY and 177% QoQ increase.

New Zealand is a prime target

Only three active undersea submarine cables connect Aotearoa New Zealand to the outside world. In comparison to the rest of the world, this relatively small number makes it easier for the country’s networks to be overwhelmed.

In fact, the National Cyber Security Centre (NCSC) reported an increase in criminal or financially motivated actors with a significant national impact or potential to cause serious harm in its 2020-21 threat report (27% compared to 14% the year prior).

A spate of high profile, local businesses experienced repeated DDoS attacks over the last 18 months—from Vocus to one coordinated attack on NZ Post, MetService, Kiwibank, ANZ and Inland Revenue.

However, it is critical to note that organisations of any size can fall victim to a DDoS or RDDoS attack. No business is immune, and the impacts can be significant.

How can businesses prevent these types of attacks?

Most organisations in Aotearoa New Zealand are still trying to protect themselves using traditional security measures that are no match for a burgeoning tide of bots, ready to be mobilised against them in a few strokes of a keyboard.

While this might sound daunting, implementing good cyber security protections against DDoS attacks does not need to be.

1. Speak with your network provider to understand what DDoS mitigation services they offer and how much traffic they can mitigate before your organisation is affected. This is an added service for some providers, while others might charge surge pricing in the unlucky instance that your website is bombarded with traffic during a DDoS attack.
2. Ramp up your front-line protection. Engage a provider with specially designed network equipment or a cloud-based protection service to mitigate your business from incoming threats. Here, it’s essential to consider the potential risk to your company and consider the scalability, flexibility, reliability and network size of potential providers. For example, large-scale attacks have the potential to take out on-site network infrastructure, while cloud-based solutions can scale when mitigating attacks.

3. Create a DDoS attack incident response plan. The overwhelming nature of a DDoS attack can take out multiple systems and services, not just your website. And in the moment, it’s easy for panic to set in. Be proactive, create a dedicated DDoS incident response plan, and conduct exercises to ensure its effectiveness.

4. Regularly patch your systems, software and hardware. Developers regularly release updates to decrease or eliminate vulnerabilities in software. Applying these patches to operating systems, applications, and all network-connected devices in real-time is the simplest way to mitigate a cyber security attack. There’s a reason why patching is CERT NZ’s top critical control to protect organisations from being breached—don’t leave your business wide open.

It’s been over ten years since Forrester initially coined the term ‘Zero Trust’. The cybersecurity concept has surged in popularity in recent years, becoming the choice approach to protecting remote and hybrid workers from the growing cyber threats and data breaches brought on by the pandemic.

The National Cyber Security Centre recorded a 15% increase in attacks towards Aotearoa New Zealand’s nationally significant organisations in its 2020-21 threat report, including major banking and financial organisations and healthcare providers.

This is an upward trend that is common across the region. According to recent Cloudflare research, 44% of IT and security leaders in APAC said the pandemic had a significant impact on how their organisation approached IT security, leading them to increase their investment in IT security measures like Zero Trust. For 77% of respondents, IT security was one of the core areas “keeping them awake at night”.

The study further revealed a majority (86%) of organisations are aware of Zero Trust. In fact, 66% of respondents had implemented a Zero Trust strategy, and of those without, 58% planned to implement such an approach within the next 12 months.

However, while local IT and security leaders are clearly seeing the benefits of the Zero Trust approach, challenges in getting employees’ buy-in often prevent successful implementation. To overcome this hurdle, there are several steps organisations can take to enlist employees on the Zero Trust journey.

No longer just a concept—what does Zero Trust mean in 2022?

Zero Trust is a security model based on the principle of maintaining strict access controls and not trusting any user by default, including those already inside the network perimeter. If a malicious actor managed to gain access from the outside of an organisation, or a current or ex-employee with access posed an insider threat, with traditional IT network security measures, they would be free to move laterally and wreak havoc from the inside. However, Zero Trust frameworks assume there are attackers both within and outside of the network, so no users or machines are automatically trusted.

This inherent lack of trust is effective in safeguarding an organisation against ransomware attacks that have rattled Aotearoa New Zealand organisations of late, like the Waikato District Health Board, and unauthorised access and malware attacks, which increased by 32% and 372% in Q3 2021 respectively.

Employing values and practises from CERT NZ’s list of top critical controls, like multi-factor authentication, micro-segmentation and least-privilege access only grant access once the identity, context, and policy adherence of each specific request is verified. Logins and connections time out periodically once established, forcing users and devices to be continuously re-verified.

While the security benefits are clear and proven, it is possible to take a Zero Trust approach too far and isolate workforces. If employees aren’t educated on its purpose, they might begin to view such frameworks as indications that their organisations cannot or will not trust them. Or, perhaps, they might see the related protocols as inconvenient processes that prevent productivity. Such sentiment risks disengaging employees from the Zero Trust journey, opening an organisation up to vulnerabilities.

How can businesses enlist employees on the Zero Trust journey?

First, engage employees in Zero Trust from the beginning. Not only does onboarding talent present the first opportunity to get effective role-based access control in place, but it also provides the chance to set expectations, answer questions, and establish best practices around employee engagement with the organisation’s security approach.

Day one adoption is particularly essential as 85% of APAC enterprises’ IT and cybersecurity decision-makers agreed workforces would be more mobile in the future. Moreover, amid staffing shortages, the ‘Great Resignation’ and increased turnover, a Zero Trust approach to offboarding with clear expectations is far smoother for all involved.

Cyber attacks are becoming increasingly costly for businesses of all sizes—with Aotearoa New Zealand organisations losing, on average, $4.1 million every three months. No longer can cyber security only be seen as the IT team’s problem; it must be recognised as a critical function that all employees at all levels are responsible for. Continued and accessible education is paramount. An effective Zero Trust experience works for and empowers every employee.

The industry needs to get comfortable with the idea that trust and education must be extended beyond the IT and security team to include the actual constituents we are trying to support and secure. This means that all employees should be continuously educated on the rationale behind Zero Trust security measures. Explaining that the measures taken are to protect, rather than monitor, means employees are less likely to feel distrust and instead be empowered to work with them.

Shifting to Zero Trust access for every application is the only way to secure today’s human and network resources. Zero Trust is a journey, and while our research indicates that the intent is there, many Aotearoa New Zealand and APAC organisations have only just begun to roll out this approach to IT security.

To progress on this journey, businesses must first overcome the challenges in getting employees’ buy-in and commitment to Zero Trust frameworks through continual engagement and education.

A View from Afar – In this podcast, political scientist Paul Buchanan and Selwyn Manning will consider and analyse the most significant global issues that define 2021. The topics will include:

– Leadership: Trump, Putin, Xi, Biden,

– Pandemic: Impact of Covid-19 & variants on global security

– Security: Afghanistan, AUKUS, Autonomous Weapons, Cyber-Hackers/Attackers.

Join Paul and Selwyn for this LIVE recording of this podcast while they consider these big issues, and remember any comments you make while live can be included in this programme.

You can comment on this debate by clicking on one of these social media channels and interacting in the social media’s comment area. Here are the links:

• Facebook.com/selwyn.manning
• Youtube
• Twitter.com/Selwyn_Manning

If you miss the LIVE Episode, you can see it as video-on-demand, and earlier episodes too, by checking out EveningReport.nz or, subscribe to the Evening Report podcast here.

The MIL Network’s podcast A View from Afar was Nominated as a Top  Defence Security Podcast by Threat.Technology – a London-based cyber security news publication.

Threat.Technology placed A View from Afar at 9th in its 20 Best Defence Security Podcasts of 2021 category. You can follow A View from Afar via our affiliate syndicators.

A View from Afar: Selwyn Manning and Paul Buchanan present this week’s podcast, A View from Afar with a deep-dive into cyber-attacks and hybrid warfare – Especially how 2021 has witnessed a Cold War II styled stand-off between global powers.

To re-cap, there has been:

• Allegations of a global-scale hack by the People’s Republic of China.
• There’s the Pegasus spyware scandal, where Israel has exported deep-tracking and targeting spyware to despots and authoritarian governments.
• Then there’s been the relatively silent mission-creep of Palantir as a Western-oriented Public Private Partnership-styled signals “facilitator”.

Paul and Selwyn discuss how all of this sets 2021 apart and adds up to an evolution of hybrid warfare capabilities.

You can comment on this debate by clicking on one of these social media channels and interacting in the social media’s comment area. Here are the links:

• Facebook.com/selwyn.manning
• Youtube
• Twitter.com/Selwyn_Manning

If you miss the LIVE Episode, you can see it as video-on-demand, and earlier episodes too, by checking out EveningReport.nz or, subscribe to the Evening Report podcast here.

The MIL Network’s podcast A View from Afar was Nominated as a Top  Defence Security Podcast by Threat.Technology – a London-based cyber security news publication.

Threat.Technology placed A View from Afar at 9th in its 20 Best Defence Security Podcasts of 2021 category. You can follow A View from Afar via our affiliate syndicators.

A View from Afar: Selwyn Manning and Paul Buchanan will present this week’s podcast, A View from Afar, LIVE at midday Thursday and will do a deep-dive into cyber-attacks and hybrid warfare – Especially how 2021 has witnessed a Cold War II styled stand-off between global powers.

To re-cap, there has been:

• Allegations of a global-scale hack by the People’s Republic of China.
• There’s the Pegasus spyware scandal, where Israel has exported deep-tracking and targeting spyware to despots and authoritarian governments.
• Then there’s been the relatively silent mission-creep of Palantir as a Western-oriented Public Private Partnership-styled signals “facilitator”.

Paul and Selwyn will discuss how all of this sets 2021 apart and adds up to an evolution of hybrid warfare capabilities.

WE INVITE YOU TO PARTICIPATE WHILE WE ARE LIVE WITH COMMENTS AND QUESTIONS IN THE RECORDING OF THIS PODCAST:

You can comment on this debate by clicking on one of these social media channels and interacting in the social media’s comment area. Here are the links:

• Facebook.com/selwyn.manning
• Youtube
• Twitter.com/Selwyn_Manning

If you miss the LIVE Episode, you can see it as video-on-demand, and earlier episodes too, by checking out EveningReport.nz or, subscribe to the Evening Report podcast here.

The MIL Network’s podcast A View from Afar was Nominated as a Top  Defence Security Podcast by Threat.Technology – a London-based cyber security news publication.

Threat.Technology placed A View from Afar at 9th in its 20 Best Defence Security Podcasts of 2021 category. You can follow A View from Afar via our affiliate syndicators.

New Zealand’s cyber security agency believes China has been behind numerous hack attacks spanning years.

The government joined Western allies and Japan in calling out Beijing for so-called state-sponsored hacks, including a major incursion in February when Microsoft email servers were targeted.

The US has charged four Chinese nationals — three security officials and one contract hacker — with targeting dozens of companies and government agencies in the United States and overseas under the cover of a tech company.

“What we do is when we see malicious cyber activity on New Zealand networks, that may be through our own capabilities that we have to help protect New Zealand networks or it may be something that’s reported to us, we look at the malware that’s used,” Government Communications Security Bureau Director-General Andrew Hampton told RNZ Checkpoint.

“We look at how the actor behaves. We look at who they might be targeting and what they do if they get onto a network.

“That allows us to build a bit of a picture of who the actor is. We then compare that with information that we receive, often from our intelligence partners who are also observing such activity.

“That allows us to make an assessment, and it’s always a probability assessment about who the actor is.

The APT 40 group
“In this case, because of the amount of information we’ve been able to access both from our own capabilities and from our partners, we’ve got a reasonably high level of confidence that the actor who we’ve seen undertaking this campaign over a number of years, and in particular, who was responsible for the Microsoft Exchange compromise, was the APT 40 group — Advanced Persistent Threat Group 40 — which has been identified as associated with the Chinese Ministry of State Security.

The RNZ National live stream.  Video: Checkpoint

“The actors here are state sponsored actors rather than what we would normally define as a criminal group. What we’re seeing here is a state sponsored actor likely to be motivated by a desire to steal information.”

Hampton said there was a blurring of lines between what a state agency does, and what a criminal group does.

“Some of the technical capabilities that previously only state organisations had, have now got into the hands of criminal groups.

“Also what we’ve seen in a range of countries is individuals who may work part-time in a government intelligence agency, and then may work part-time in a criminal enterprise. Or they may have previously worked in a state intelligence agency and are now out by themselves but still have links links back to the state.

“We don’t know the full detail of the nature of the relationship, but what we do know is the Ministry of State Security in China, for example, is a very large organisation with many thousands of of employees.

“So they are big organisations with people on their payroll but they also would have connections with other individuals and organisations.

Information shared with criminals
“Something else worth noting with regard to this most recent compromise involving the Microsoft Exchange, what we saw there is once the Ministry of State Security actors had identified the vulnerability and exploited it, they then shared that information with a range of other actors, including criminal groups, so they too could exploit it.

“This is obviously a real concern to see this type of behaviour occurring,” Hampton said.

All evidence showed the cyber attacks were all originating from mainland China, Hampton told Checkpoint.

He said such attacks would be aimed at stealing data or possibly positioning themselves on a system to be able to access information in the future.

“A common tactic we see, unfortunately, is there may be a vulnerability in a system,” Hampton said.

“It could be a generic vulnerability across all users of that particular system, and a malicious actor may become aware of that vulnerability, so they would use that to get onto the network.

“That doesn’t mean they will then start exfiltrating data from day one or something like that. They may just want to to sit there in the event that at some point in the future they may want to start doing that.

Malicious actors
“This exploitation of known vulnerabilities is a real concern. This is why all organisations need to keep their security patches up to date, because what can happen is you can have malicious actors use technology to scan whole countries to see who hasn’t updated their patches.

“They then use that vulnerability to get on the network and they may not do anything with it for some time. Or they might produce a list of all the organisations, say, in New Zealand who haven’t updated their patches.

“Then they make a decision – okay these are the four to five we want to further exploit.”

This article is republished under a community partnership agreement with RNZ.

Article by AsiaPacificReport.nz

A View from Afar: Selwyn Manning and Paul Buchanan present this week’s podcast, A View from Afar, where they analyse New Zealand’s national security strategy.

There has been no defence white paper since the John Key National-led governments and no comprehensive review of New Zealand’s strategic priorities, nor assessment of the region’s threat landscape both internal and external.

Now, with hybrid threats like cyberwarfare and terrorism adopting an “intermestic” (international and domestic) characteristic due to on-line recruitment and radicalisation, the perceived need is to develop a holistic national security strategy that addresses defence, security and intelligence needs of the 2020 decade.

But what does this all mean for New Zealand’s defence forces, intelligence community, and cyber-defence agencies?

ALSO: World Watch – The latest/recent round of elections in places like Peru, Mexico and Israel can be viewed as referendums on neoliberalism and national populism.

For example: You can see how Israel prime minister Benjamin Netanyahu has adopted Donald Trump-like rhetoric to describe his opponents.

A similar style has been used by the right wing in Peru as well as in Brazil.

The Peru election pits a socialist native Indian against Peru’s former dictator Fujimori’s daughter. She is a neoliberal conservative.

Both national populism and various socialist approaches have something in common: both ideologies reject neoliberal economic theory in principle and in fact.

With the left most likely to win the elections in Peru, and considering the challenges that Peru faces (including a pandemic where Covid-19 has raged through its communities positioning Peru as having suffered the highest recorded death rates in the world) the question begs, has neoliberalism run its course?

WE INVITE YOU TO PARTICIPATE WHILE WE ARE LIVE WITH COMMENTS AND QUESTIONS IN THE RECORDING OF THIS PODCAST:

You can comment on this debate by clicking on one of these social media channels and interacting in the social media’s comment area. Here are the links:

• Facebook.com/selwyn.manning
• Youtube
• Twitter.com/Selwyn_Manning

If you miss the LIVE Episode, you can see it as video-on-demand, and earlier episodes too, by checking out EveningReport.nz or, subscribe to the Evening Report podcast here.

The MIL Network’s podcast A View from Afar was Nominated as a Top  Defence Security Podcast by Threat.Technology – a London-based cyber security news publication.

Threat.Technology placed A View from Afar at 9th in its 20 Best Defence Security Podcasts of 2021 category. You can follow A View from Afar via our affiliate syndicators.

Article by AsiaPacificReport.nz

Click here to view onsite, or Twitter.com/Selwyn_Manning  or Facebook.com/selwyn.manning

—

Tonight, on Tech Now technology commentator Sarah Putt joins Selwyn Manning to check out what’s been happening in the tech world this week.

The show’s main points include:

What’s Happening in the Tech World?

• How and why international cyber attackers have New Zealand organisations in their sights?

• There are BIG Changes looming to how our Emergency services communicate. Why is this change coming? What’s the cost? And, what will it mean for you, and for first responders?

• Media Tech: Is print really dead? And, why is the New York Times a digital success story?

INTERACTION: Remember, if you are joining us LIVE via social media (SEE LINKS BELOW), you can make comments and even put Sarah on the spot with a few questions. We will be able to see your interaction, and include this in the LIVE show.

You can interact with the LIVE programme by joining these social media channels. Here are the links:

• Twitter.com/Selwyn_Manning
• Facebook.com/selwyn.manning
• Youtube

And, you can see video-on-demand of this show, and earlier episodes too, by checking out EveningReport.nz

The programme is the latest effort by EveningReport as it rolls out its public service webcasting programmes, produced by ER’s parent company Multimedia Investments Ltd.

ER’s Tech Now programme explores the latest tech trends both here in New Zealand and globally.

The programme’s format examines the tech world in the present and post-Covid-19 world. It looks at new innovations, what they mean to us as we grapple with the ‘new normal’. Tech Now also looks at the policy settings to see if they are a hindrance to progress or part of the solutions.

Evening Report’s Tech Now also includes audience participation, where the programme’s social media audiences can make comment and issue questions. The best of these can be selected and webcast in the programme LIVE.

Once the programme has concluded, it will automatically switch to video on demand so that those who have missed the programme, can watch it at a time of their convenience.

So join us on Facebook, Twitter, and Youtube as we will promote Tech Now via our social media channels and via web partners. It will also webcast live and on demand on EveningReport.nz, and other selected outlets.

Do bookmark EveningReport.nz and we look forward to you taking part in some robust live debate.

About Us: EveningReport.nz is based in Auckland city, New Zealand, is an associate member of the New Zealand Media Council, and is part of the MIL-OSI network, owned by its parent company Multimedia Investments Ltd (MIL) (MILNZ.co.nz).

EveningReport specialises in publishing independent analysis and features from a New Zealand juxtaposition, including global issues and geopolitics as it impacts on the countries and economies of Australasia and the Asia Pacific region.

The Government Communications Security Bureau (GCSB) has issued a warning to all New Zealand businesses to be prepared for cyber attacks, following almost a week of daily attacks on the New Zealand stock exchange (NZX).

The attacks have caused outages, sometimes for hours, of NZX’s public-facing website since Tuesday last week. This week, it continued trading under a new arrangement that allows it to post information to alternative platforms.

The attacks are part of worldwide malicious cyber activity and the government will likely share information via Interpol and government-to-government links, including the intelligence alliance know as Five Eyes.

The type of attack is known as a Distributed Denial of Service (DDoS). The attacker infects large numbers, often thousands or even millions, of computers with a virus that allows the attacker to instruct the infected computer – known as a “bot” – to send thousands of requests for data to the target.

In effect, this means millions of attempts to access a website at the same time. The website being attacked cannot respond to each one quickly enough so either it simply stops responding or responds to some but not all data requests.

Some people get the most up-to-date page and others don’t.

This is particularly damaging for financial information sites such as a stock market. They have a legal duty to give equal access to different users. They would normally shut down and stop trading for a while rather than allow some people to get information before others.

These attacks are not designed to steal data or do insider trading. They are generally set up to demand ransom from the victims, usually asking for thousands of dollars paid in bitcoin or another cryptocurrency which is effectively untraceable. Governments, terrorist organisations, political groups and even pranksters have also been known to use these attacks.

DDoS software is available on the dark web but also not very difficult to write. In many cases the people owning the bots will not be aware anything strange is happening.

The current attacks
Multi-day attacks have been rare but are becoming more common. The size of these attacks, including how many bots are used and their capacity to send requests, has been increasing.

Such multi-day attacks are potentially risky for the attackers as the defence team will be analysing the attacks, often using artificial intelligence tools, and should be able to respond more quickly to block illegitimate requests.

The defence against such attacks is based on being able to cope with the large number of requests, either by moving the website to a cloud-based system that can increase capacity quickly, or identifying bot requests and filtering them out by setting up a “whitelist” of legitimate users and excluding others.

This is normally done by firewalls at the level of each attacked entity, the internet service provider or, as in the case of New Zealand, at a country’s electronic border (for example, the Southern Cross trans-Pacific network of communications cables).

If an attack is coming from inside New Zealand, security software on the bot computer can normally remove the infection with up-to-date anti-virus software. Internet service providers can also detect this activity and may warn users or disconnect the infected machine until it is cleaned. But in this case, the attacks are coming from outside New Zealand.

The covid-19 pandemic means millions of people are working from home around the world, outside their normal corporate security, often using the family computer. Some people may be less careful about downloading software, particularly on illegal streaming sites, and may be using free or unsecured wifi networks. This makes infecting computers to turn them into bots much easier.

How to repond
Assuming this is a criminal gang, financial institutes are an attractive target. They rely on availability of service and potentially have money to pay ransoms.

In New Zealand, disaster management and recovery has tended to focus on responses to natural hazards rather than criminal activity. New Zealand does not have local cloud providers and expanding capacity is more difficult.

Even if NZX won’t pay a ransom, this attack is “advertising” for the criminal gangs that may act as “subcontactors” to larger criminal organisations.

The government’s aim will not be to catch the perpetrators in the short term but to share information on how to block the attacks. Normally the response is effective, but it can take some time to analyse details.

At the same time, other attacks (for example phishing to steal data) may use the confusion caused by the DDoS attacks to target potential victims. Organisations should encourage people to update their security software and remain vigilant.

In the future, as the internet of things (IoT) becomes more widespread, many billions of new devices will be connected to the internet. Security standards and forensic capability (storing data to analyse attacks) are not universal and there is a danger that these attacks will become more common and larger in scale.

Defence is possible
But defence is possible and both technical and policy approaches are getting better. Artificial intelligence tools for rapidly analysing attacks are the focus of research.

Support for governments in vulnerable areas is also increasing to enforce international agreements, clarify local law and share information between network providers. For example, Macau recently introduced a much tougher cyber security law which seems to have been very effective.

Dr Dave Parry is head of the Department of Computer Science, Auckland University of Technology. This article is republished from The Conversation under a Creative Commons licence. Read the original article.

Article by AsiaPacificReport.nz

For the best overall guide to what has happened in the Budget leak/hack scandal, see the just-published article by Henry Cooke: What we know and don’t know about the Budget ‘hack’. Amongst his rundown on the background to the scandal and the theories offered so far, Cooke points out that, rather than being hacked, the Treasury website might simply have been scanned by Google, allowing a cache of pages to become available to someone who has handed them on to the National Party.

Another leading explanation for how the Treasury’s Budget information was released early to National comes down to a simple but obvious idea that parliamentary staffers looked for and found the information on the Treasury website. This would also explain how National leader Simon Bridges could be so categorical in his insistence that his scoops weren’t based on hacking or illegality.

According to this theory, National had one of its Parliamentary staffers monitoring the Treasury website in the days leading up to Budget Day, constantly using the frontpage search bar on the site to look for “Budget 2019”. The hope being that at some stage some Budget documents would be loaded onto the site momentarily, in anticipation of Thursday’s publication, before they were then locked away for safety.

The story goes that by searching every five minutes or so, the National staffer eventually hit the jackpot when documents or pages turned up with the goods. It might have taken hundreds or even thousands of searches over a couple of days.

In fact, National Party pollster and blogger David Farrar has outlined a similar scenario based on his previous experience as a parliamentary staffer: “when I worked for the Opposition in 2000 or 2001, I recall waiting for the Government to release the Police crime stats. They always put a positive spin on it. I went to the Police website and looked at last year’s stats. I also looked at the previous year. They had the same URL format. I changed the year to the current one, and hey presto I had the official crime states four hours before the Government was due to release them” – see: My guess as to what happened.

Farrar argues that something similar may have happened, and it therefore wouldn’t constitute hacking: “So my guess is something similar has happened. That possibly the material was put up on a website of some sort and someone found it. Treasury are calling it hacking because they didn’t think it was open to the public. But there is a difference between hacking a secure computer system, and locating information that is on the Internet (even if hidden). Was there any cracking of passwords for example?”

But do such explanations fit with what Treasury are saying when they claim that their site has been “deliberately and systematically hacked”? It’s arguable either way. Certainly, some tech-specialists seem to think that something much more sophisticated must have happened – especially based on the fact that Treasury has called in the Police. For one of the most in-depth discussions of the potential hacking, see John Anthony’s Budget 2019: ‘They’ll remember it as the budget that got hacked’.

Despite some tech specialists believing that a sophisticated hack has occurred, one expert believes a software application might have simply found the material on the Treasury website: “Kiwi cyber security consultancy Darkscope technical director Joerg Buss said a likely scenario was that someone used a ‘spider or crawler’ program to find hidden content in the Treasury website. Such software may have uncovered Budget 2019 files which had not been protected properly, he said.”

It could also be as simple as using Google to search for the material, which is covered by Juha Saarinen in his article, Conspiracy or cock-up? Strong evidence Treasury published Budget accidentally – rather than a hack. He says that “screenshots of the results from a Google search for ‘estimates of appropriation 2019/2020’ are circulating on Twitter suggest that the data was published accidentally.”

Of course, the fact that Treasury has called in the Police would suggest that the government department believes that something much more sinister or malevolent has occurred. However, care needs to be taken in reading too much into this – especially since the Police haven’t even confirmed that they have agreed to investigate, except to say that they are assessing Treasury’s request.

Furthermore, whenever governments and officials call in the police or make claims that criminal actions have occurred in the political sphere, we should always be very sceptical. It’s the oldest trick in the bureaucratic book – to divert attention or to impugn an opponent with charges that they are mixed up in criminal activity. That’s not necessarily the case over the controversial budget leaks – it’s still far too early to tell what has happened.

This is certainly the argument made today by leftwing blogger No Right Turn, who suggests that government officials have a tendency, when they’ve made mistakes, to try to point the finger elsewhere, often using rather draconian measures to do so – see: Treasury, “hacking”, and incentives.

Here’s his main point about how politicians and officials are inclined to bring the police into politics: “Unfortunately the natural instincts of power in New Zealand are to double down rather than admit a mistake, and to call in the police when embarrassed – just look at the tea tape, or Dirty Politics. With those, we saw police raiding newsrooms and journalist’s homes. I’m wondering if we’re going to see police raiding the opposition this time. Which would be highly damaging to our democracy.”

The blogger says that “the bureaucratic incentive towards arse-covering and blame-avoidance pushes that to be reclassified as nefarious ‘hacking’, and that incentive gets stronger the higher up the chain (and the further away from IT knowledge) you get.”

Here’s his own explanation for the release of the information: “The most likely scenario is that Treasury f**ked up and left them lying around on their web-server for anyone to read, and National or one of its proxies noticed this and exploited it. Accessing unprotected data on a public web-server isn’t ‘hacking’ in any sense of the word – it’s just browsing.”

The onus is therefore on the Treasury to be much more transparent about what has happened writes Danyl Mclauchlan, saying a “brief technical explanation about what the ‘hack’ amounted to would be a lot more useful than all the bluster and nebulous waffle we’ve heard so far” – see: Budget hacking scandal: About time Treasury told us what actually happened.

Mclauchlan says that if it turns out that the leak has simply come from information on the Treasury website, “then we’ll be talking about the resignation of the Treasury Secretary, rather than National Party leader.”

The No Right Turn blogger doesn’t see the Government delivering such transparency any time soon: “neither Treasury nor their Minister has any interest in that (Ministers are rarely interested in incompetence in their own agencies, because it makes them look bad for allowing it). As for us, the public, we’re the loser, stuck with an incompetent, arse-covering public agency which has just failed on one of its most important tasks” – see: Treasury owes us answers.

He argues that the decision to go to the Police means that Treasury can now sidestep such accountability: “conveniently, by referring the matter to the police Treasury has ensured that they can never do that. It might prejudice the police investigation, you see. OIA requests can be refused to avoid prejudice to the maintenance of the law, and anyone who actually tells anyone anything can be prosecuted. Accountability of course goes out the window”.

That doesn’t get National off the hook, however, if the party has done something illegal in the way they have procured or used the Budget information. One lawyer who knows a lot about hacks is Steven Price, and he argues that the release by National of the information was not in “the public interest”, and that it appears to have “broken the law relating to Breach of Confidence” – see: Budget leak: Nats’ behaviour “entirely appropriate”?

Price says that he is “irritated at the sanctimoniousness of Simon Bridges’ denial that the Nats had done ‘anything approaching’ illegality.” He does admit however, that if National have obtained the Budget information “through some area of Treasury’s (or some other government) website that was technically publicly accessible, then that would at least raise arguments that it wasn’t confidential in the first place, because it was in the public domain.”

Herald political editor Audrey Young is also less than impressed with how Bridges has dealt with the matter today, saying: “Simon Bridges needed to do two things today when he fronted the news media about allegations of hacking Treasury and he did neither. He needed to say, at least in general terms, how he received the leak of Budget of documents. And he needed to say he had contacted the police to offer them any assistance they needed in their investigation” – see: Simon Bridges needed to do two things today and he did neither.

But for another view on the politics of it all, and an explanation of why Bridges’ manoeuvres have been smart, see Brigitte Morten’s National plays strong hand over politics jackpot. She argues that it’s in the public interest for National to be able to dispute the Government’s narrative over Budget spending, and to be able to point out the “lower than expected spending” in areas such as health “that the government doesn’t want you to reflect on.”

Finally, for a recent minor – but extremely colourful – Treasury controversy, involving the use of a transformative wellbeing experiment for staff, see Danyl Mclauchlan’s must-read investigation: Peace, Rest and the Monkey Emoji Moon: playing Heartwork cards at Treasury.

The world is changing fast, with digital technological innovation that is both liberating and disturbing. The threats and opportunities this presents requires a massive debate, and intervention, to ensure such changes are as healthy as possible for humanity. The online dimension of the Christchurch terrorist attacks is now provoking a sea change in attitudes towards social media.

Around the world we are now seeing attempts to rein in the tech giants with government regulations. There are blunt questions being asked about whether the likes of Facebook are “monetising hate”, and whether the dream of social media enhancing democracy and social connectedness is over.

Prime Minister Jacinda Ardern’s Christchurch Call to Action campaign is currently at the most visible end of this new momentum, and commentators have declared her trip to Paris a success. For example, this afternoon Henry Cooke has concluded: Jacinda Ardern’s big day in Paris ends with her getting what she wanted.

Likewise, Gordon Campbell is impressed with how the final Paris manifesto has come together, apparently managing to satisfy all sides, including Facebook – see: On the Christchurch Call.

But the campaign isn’t over yet. According to Kelsey Munro, a research fellow at Australia’s Lowy Institute, Ardern’s bid is still a difficult one – see: Christchurch Call: Jacinda Ardern’s Paris pitch a sign of tech giants’ power.

Munro points out that attempts to regulate social media so far, have been fraught and dangerous: “Many nations around the world have concluded that the public sphere must reassert a regulatory role; the problem is how to do it within reasonable limits. No one wants anything resembling the Chinese model. Australia’s ‘knee-jerk’ reaction has been widely criticised by the tech industry and lawyers as rushed and ill-defined.”

Clearly Ardern has been keen to keep away from some of the issues around free speech that are brought up by government regulation, as I explained in my previous column – see: Ardern’s “Christchurch Call” might not be so simple.

So is her campaign going to work? There are all sorts of risks with this sort of attempt at regulation. And this is best dealt with in Henry Cooke’s article, The risks Jacinda Ardern faces with her ‘Christchurch Call’ in Paris. He outlines three broad threats: 1) Over-reach, 2) Under-reach, 3) Being used by Macron to launder his image.

In terms of those first two dangers, the Christchurch Call might end up being too strong or too weak. The third point is the idea that in collaborating so closely with the French President and other world leaders, Ardern is naively being exploited for their own electoral opportunism. Cooke suggests that Ardern might need to “make her disagreement with these other leaders clear”.

This is also the view of Newstalk ZB’s Barry Soper: “What is French President Emmanuel Macron playing at? The answer’s pretty obvious, he’s trying to boost his flagging popularity at home while at the same time trying to establish himself as a world leader on cleaning up the internet” – see: Jacinda Ardern being used by Emmanuel Macron to boost his image.

Soper suggests that Macron has been rather disingenuous in his role: “If you needed any convincing that she’s being used, get a load of what happened as she was packing her designer bags for the French capital. Macron releases a 33-page report he’d commissioned… Why he couldn’t delay the release until this week’s summit is an insult to those attending. And what’s more, the investigation was only halfway through but Macron decided to make a song and dance about how well France is doing.”

The bigger problem is that Macron has a terrible record in terms of civil liberties, and is clearly no friend of free speech, which could taint the ongoing campaign to regulate social media. This is all very well explained by leftwing journalist Branko Marcetic who puts forward “a brief review of what Macron’s done while in power” – see: Jacinda Ardern must not let Emmanuel Macron co-opt the Christchurch Call.

Marcetic then asks whether New Zealanders should be comfortable with such an alliance: “This is the man Ardern is teaming up with to figure out a way to regulate online spaces. Concerns over this shouldn’t be limited to the New Zealand right – with Macron at the helm, there are legitimate worries the outcome could threaten free speech, including for that of the liberals and left that are backing such measures right now.”

He concludes: “Ardern should be careful that Macron and any other embattled leaders in the G7 don’t use this meeting as an opportunity to push measures that harm not just journalism, but all of our civil liberties. But more importantly, the New Zealand public needs to hold her to account and make sure she doesn’t.”

And some are worried that the clampdown will inevitably intrude on the traditional media. Barry Soper criticises Ardern for “trying to reign in the mainstream media’s coverage of events to ensure it’s not gratuitous, and that for all of us should be worry. It’s not for the politicians to dictate how events should be covered” – see: The media here is generally self regulatory.

It’s clear that the task of social media regulation isn’t a simple one. And one of the best outlines of the pitfalls and best practices that Ardern and co should keep in mind can found in Dan Jerker B. Svantesson’s article, It’s vital we clamp down on online terrorism. But is Ardern’s ‘Christchurch Call’ the answer?

He cautions against the “risk of hasty, excessive and uncoordinated responses” to social media problems and suggests that we are currently seeing a rush of politicians who all want to gain political capital from coming up with fast answers. He says “as part of this we must avoid hasty ‘solutions’ that will only mask the issues in the long term, and potentially cause other problems such as excessive blocking of internet content.”

Svantesson’s own list of requirements for new regulations are the following: “Effective legal regulation of the internet must be clear, proportional (balanced for all involved), accountable (able to be monitored and checked) and offer procedural guarantees (open to appeals).”

Similarly, Jordan Carter and Konstantinos Komaitis, of Internet NZ and the Internet Society, have put forward their own suggestions of what needs to underpin any new rules and laws – see: How to regulate the internet without shackling its creativity.

Former Prime Minister Helen Clark has also jumped into the debate this week with the launch of her own Foundation think tank report, titled “Anti-social Media”. This calls for a new body to be set up to regulate social media in this country in the same way that the New Zealand Media Council and Broadcasting Standards Authority does with traditional media. For an in-depth discussion of the report, see Thomas Coughlan’s How to regulate social media.

Clark has explained the thinking behind this, and how it’s partly based on her own personal experience: “What I’m concerned about is that the rising level of rhetoric on social media from people who think they can get away with just about anything… And let’s face it, they can. I have regularly reported very hateful content, and very often you just get these reports dismissed. So that’s why you now need what this report recommends, which is the statutory duty to self-regulate, and then you need the regulator overseeing that” – see 1News’ Changing hate speech laws would ‘not necessarily’ have prevented Christchurch attacks – Helen Clark.

For more on this, as well as other debates about regulation of social media in New Zealand, and what sort of agreement was expected from the Paris meetings, see Derek Cheng’s Christchurch Call summit: New rules must leave nowhere to hide. In terms of the Paris agreement, he notes that “whether it will have any teeth will be a key issue, given it will be a voluntary framework.”

A new survey out shows that there’s a strong demand amongst New Zealanders for this problem to be sorted out: “More than half of New Zealanders want livestreaming stopped until platforms work out a way to immediately remove violent or other harmful content, a survey indicates. The online survey of 1134 adults carried out in the second half of April, found 54 per cent of those questioned wanted a halt to livestreaming in the meantime. In contrast, 29 per cent thought platforms should be given time to sort out a solution” – see: Most Kiwis want livestreaming halted until violent content can be curbed: survey.

Much of the debate about the problems of online extremism and regulation comes back to The Matrix movie’s concept of being “red-pilled”, which is explained in today’s Christchurch Press editorial: “To be red-pilled is to have the shackles of delusion removed and to see things as they really are” – see: Cleaning up the dark corners of the internet. But if this sounds like a positive development, then for a bigger explanation of the problem, see Henry Cooke’s Christchurch Call could lead to work on ‘red-pilling’ of online radicalisation.

Despite the difficulties involved, there’s no doubt that the tide has turned, and there is now a significant public appetite for some sort of action to be taken that might deal with the tech giants. After all, their reach affects everything in society – including democracy and politics.

This is a point well made in a report released this week, “Digital Threats to Democracy”, which suggests that the way New Zealanders are interacting with information online “can lead to the rapid spread of incorrect information and hinder the discussion and debate of issues of public policy” – see Brittany Keogh’s Social media influences New Zealanders’ opinions on politics and hurts democracy, study says.

Finally, there’s plenty of other disturbing evidence of the brave new world we are moving into. For one of the best recent accounts of this, see Danyl Mclauchlan’s book review, Big Google is watching you. Looking at an important new book by Shoshana Zuboff, a professor of social psychology at Harvard Business School, called “The Age of Surveillance Capitalism: The Fight for the Future at the New Frontier of Power”, Mclauchlan explains why he feels so uncomfortable at the supermarket.