What can NZ organisations learn from the recent cyber attacks?

STUFF
NZX has been the subject of a sustained cyberattack from overseas.

A wave of cyberattacks exposed worrying vulnerabilities in some of the country’s key institutions. What is our defence? National Correspondent Katie Kenny reports.

It was like groundhog day.

The NZX website is down, under fire from a cyberattack. Again.

For six days, the nation’s stock exchange – where tens of millions of dollars in shares are traded each working day – was laid low by a distributed denial-of-service (DDoS) attack.

Various NZ firms have been subjected to repeated cyberattacks recently.
Ricky Wilson/Stuff
Various NZ firms have been subjected to repeated cyberattacks recently.

MetService, Westpac, and media companies RNZ and Stuff were also targeted. But the NZX bore the brunt of the attacks.

An email was sent shortly before the attacks started, putting the NZX “on notice”. It’s understood the email sought a large ransom in Bitcoin.

The site would be restored, only to be brought down again the next day.

READ MORE:
* Experts confident DDoS attacks will 'fizzle out' and attackers will be left out-of-pocket
* 'You don't want to be like them, do you?': The ominous message that precedes a DDoS attack
* GCSB examining extortion email sent to NZX ahead of DDoS attack

Associate Professor Lech Janczewski, a data security expert at the University of Auckland, says DDoS attacks work by overloading websites with more traffic than they’re able to manage, causing the site to crash.

Most of the time, the attacks are able to be repelled by the targets and their service providers. However, in NZX’s case, the attack on its infrastructure is understood to have peaked at more than 1 terabit per second of spurious data. This was up there with some of the largest-ever reported DDoS attacks globally.

“Due to the DDoS characteristics, only the biggest and most vulnerable sites are targets of these attacks,” Janczewski says. “Defence against a DDoS attack, when it is launched, is extremely difficult. Installing fire detectors when you are under fire is useless. Perhaps the only solution is to switch off the site.”

GCSB Minister Andrew Little has said the country’s spy agency has been attempting to track down the source of the attacks.

A GCSB spokesperson said given what they've learnt from international partners, it’s likely the attacks were the work of “sophisticated and well-resourced cyber criminals”. They didn’t comment on the specifics of their operational response.

They also refused to comment on the criminals’ likely motivation, other than to say: “Malicious cyber actors have a number of motivations including to generate revenue through theft or extortion, disrupt business and steal intellectual property.”

They mentioned the criminals were referring to “media reporting” as a way of establishing their credibility.

The standard advice from the GCSB’s National Cyber Security Centre (NCSC) was to discourage organisations from paying ransoms, as there’s no guarantee payment will make the attack stop.

CHECKPOINT/RNZ
The minister overseeing the country's spy agencies says the New Zealand stock exchange was warned before the attacks.

Gone phishing

In its most recent update, cybersecurity agency Cert NZ cited more than 3000 reported cybersecurity incidents between January 1 and June 30, a 42 per cent increase on the same period last year.

April saw the greatest number of reports in one month since the agency was established in early 2017.

In the first half of 2020, reported direct financial loss was nearly $8m.

Nearly half of the incidents were phishing-related, and scams and fraud accounted for another third.

According to a Cisco cybersecurity report published earlier this year, ransomware was the most likely threat to cause more than 24 hours of system downtime. DDoS, or distributed denial-of-service attacks – the type that took down NZX – was found to be the third most destructive type of attack for organisations with more than 10,000 employees.

Adam Palmer, chief cybersecurity strategist at Tenable, a global cybersecurity company, says the increase in cyberattacks is a global trend, as are the tighter regulations around data protection practices.

“We’ve seen a number of countries adopt stronger data protection and privacy laws starting with the European Unions' GDPR [General Data Protection Regulation].

New Zealand’s updated Privacy Act, due to come into force on December 1, will help bring the country up to speed with the EU, California and Brazil.

“Cyber attacks don’t recognise borders,” Palmer says. “We know attackers seek to exploit any weaknesses they see.”

Public and private entities run legal and reputational risks if they slip up on data security.
KATHRYN GEORGE/STUFF
Public and private entities run legal and reputational risks if they slip up on data security.

Publicly shamed, legally blamed

With increased reporting of breaches, we can expect to see increased public awareness of which companies have been rendered vulnerable, Palmer says. Companies will not only be fined for lax procedures, but suffer serious harm to their reputation.

When the Privacy Act finally takes effect in New Zealand, organisations will need to notify the Office of the Privacy Commissioner when they’ve suffered a privacy breach likely to cause serious harm.

In Australia, mandatory notification has been in place since 2018. After 12 months, the country saw better security practises and increased transparency and accountability in how organisations handled personal information.

As well as the introduction of privacy breach notifications, the updated legislation here will see Privacy Commissioner John Edwards given more powers to hold organisations to account when they fail to protect customer data.

He will be able to issue compliance notices requiring organisations to do something, or stop doing something, in order to comply with the Act.

Without proper safeguards in place, organisations risk serious brand and reputation damage when customer data is hacked or stolen.

However, avoiding errors and staying protected is easier said than done, for some.

There is a global shortage of people qualified to repel cyberattacks.
Kathryn George
There is a global shortage of people qualified to repel cyberattacks.

Cyber soldiers

Internationally, evidence points to a huge gap in the skills required for cybersecurity roles. Nearly 75 percent of US security professionals say they don’t have enough staff to defend their organisations against current threats.

For years, ‘ICT security specialist’ has been on Immigration New Zealand’s long-term skills shortage list. According to the Digital Skills Forum, the country has relied on supplementing the insufficient, local workforce with imported talent. But strict border controls in place in response to Covid-19 are likely to impact the numbers of skilled migrants able to enter the country.

When the Digital Skills Forum asked more than 100 firms to estimate the number of people they expected to employ in different digital skills areas over the next two years, collectively, the firms forecast hiring an additional 3200 employees. Proportionally, the largest growth – 46 per cent – will be in the skills of cybersecurity.

As Palmer says, and as is often the case with any kind of crime, cyberattacks tend to target the vulnerable. Why would someone waste time and effort breaking into a secure home, when the one next door has been left unlocked?

The country’s third cyber strategy, published last year, said as all nations improve their cybersecurity, malicious actors will seek out those falling behind. “New Zealand must stay towards the front of the pack so that it does not become a target of choice.”

As a member of the five-eyes alliance with the United States, United Kingdom, Canada and Australia, privy to classified foreign intelligence including the cyber operations of state actors, New Zealand will always be a tempting target. Particularly if it remains the weakest of the group.

Experts say they’re often only contacted after something’s already gone wrong.

To avoid being publicly called out, or worse, taken out by a cyberattack, organisations would do well to plug gaps in their security systems now. Not only to meet the December 1 deadline, but to also access the talent pool before it dries up.

Stuff