Dutch journalist Daniel Verlaan (left, in T-shirt) causes mayhem as he gate-crashes a meeting of EU defence ministers earlier this month. Image / Twitter
There's prestige for New Zealand in hosting the first-ever virtual Apec meeting - which will bring together leaders from 21 Pacific rim countries, including China, the US, Singapore, Canada and Australia.
But cybersecurity security expert Daniel Ayers points out that there's also plenty of peril - something he barelyneeds to highlight after Dutch journalist Daniel Verlaan managed to gatecrash a meeting of EU defence ministers.
The reporter didn't have to employ any hacking smarts. Rather, he simply spotted the PIN code for the meeting that was inadvertently included in a photo that Dutch Defence Minister Ank Bijleveld posted to Twitter.
Careful what youโre wishing ;-) Former Minister of Public Safety in #Greece, also responsible for the Greek Intelligence agency he his password AND username on a post it note. Captured by the photographer of the interview ๐๐๐ pass:12345 user:minister (in ๐ฌ๐ท) pic.twitter.com/3u8pgfh9Np
Local security expert Daniel Ayers says the Dutch politician's blunder was hardly unique.
A former Greek intelligence minister also apparently posted his user name and password to Twitter, via a Post-It note stuck to the corner of his screen - not that his user-name (minister) or password (12345) required too much cracking.
And during the falsely issued 2018 ballistic missile alert in Hawaii, an official was caught out by the same Post-It problem during a TV interview.
You say that but remember during the Hawaii missile alert they did an interview and there was just a password on a post it note in the back pic.twitter.com/VlbMFVpHxd
Meanwhile, international security expert Dr Paul Buchanan says there are a number of scenarios that could, potentially, see China "do a Dutchman" and exploit weak videoconferencing security to make a political statement.
Apec (Asia-Pacific Economic Cooperation) meetings were due to be held in NZ this year, with dozens of lower-level meetings from December 2020 through to its culmination, a meeting of the 21 leaders in Auckland.
The initial problem was that the planned venue, the new NZ International Convention Centre, had been delayed by construction hold-ups then a catastrophic fire.
But in the new year, that was, of course, overtaken by the coronavirus pandemic.
This year has seen a dramatic increase in cyberattacks, worldwide and in NZ (as Cert NZ figures issued yesterday confirmed).
Earlier, AUT computer science professor Dave Parry told the Herald that could be directly tied to the pandemic. The remote-working boom has opened up security gaps at the same time organised crime was seeing lockdowns diminish its more traditional activity so ramped its cyberattack efforts to compensate.
At the same time, Kordia chief information security officer Hilary Walton said NZ was seen by some as a "soft touch" because we have not kept up with others' cyber-security efforts.
Experts across the Tasman have seen a rise in cyber attacks by "bad state actors," leading to the Morrison government's decision to go on a "war-footing" and apply an extra A$1.4 billion to shoring-up cyber-defences, at the same time that NZ's extra cyber-security spending could be measured in the single-digit millions and a GCSB insider complained to the Herald about our fragmented, multi-agency approach with no clear leadership.
Earlier this year, Cabinet and the Epidemic Response Committee drew flak for using Zoom - the fast-rising videoconferencing platform that was famously user-friendly but also quickly in trouble for a wave of "Zoombombing" (people gatecrashing meetings) and claiming it had full encryption when it did not.
At the time, the GCSB said it could not mandate what video platform cabinet chose to use, only advise that Zoom was only appropriate for discussion of material up to "Restricted" level.
Earlier this week, the intelligence agency declined to comment on which video conferencing solution would be used for Apec, and its level of confidence in the choice, referring the Herald to the Ministry of Foreign Affairs.
Cas Carter, communications director for MFAT's Apec unit said: "We are still undergoing final discussions with technology providers and therefore unable provide further details at this time."
She added: "Apec NZ works closely with the government intelligence and communications agencies will continue to do so throughout the hosting year."
"The most significant threats from using a videoconferencing solution are likely to be embarrassment if someone gate-crashes or malware being introduced into computers as a result of installing software to participate," Ayers said.
"I would imagine that Zoom would be considered, I understand it has a better UX for higher numbers of participants. Zoom has improved security in recent months, although from a low baseline."
After Zoom boss Eric Yuan's April mea culpa over security and privacy holes, the chief executive told his company's developers to devote 100 per cent of their efforts over the next three months to tighten up the service.
Zoom finally added full, end-to-end encryption in October, plus the ability to choose a Zoom outside of China if your are paranoid, or simply think you'll get better performance from a Zoom call hosted in the US or Australia.
That came on top of other measures introduced since April, including guests left in a virtual waiting room by default until the host let them in.
But Ayers said that - especially with such a large event, involving so many people - the risk of human error remains, which is where we came in with the EU incident.
Bad state actor threat
For Buchanan, the potential for a bad state actor to cause trouble persists, regardless of how much Zoom (or Cisco or Microsoft or other video chat providers) tighten security.
"There is always plenty of opportunity for the PRC or other sophisticated cyber-players to wreak havoc on video-conferencing," he told the Herald.
"And if those video conferences are being held on Zoom, then Western security agencies will be concerned about any number of nefarious activities linked to PRC intelligence and hacking units.
"The question, therefore, is not about the opportunity or technological capability to 'do a Dutchman' on the Apec virtual conference but one of motivation."
What would motivate the PRC to virally disrupt or otherwise interfere with the video-meetings?, the former US State Department analyst and advisor the Pentagon said.
"One reason would be that Apec is going to make some sort of statement or adopt a posture that is perceived as contrary to PRC interests. That seems unlikely but the PRC is very sensitive about things like Hong Kong, the pandemic, South China Sea etc. It would be very unusual for APEC to say anything about such sensitive topics but it is always a (however remote) possibility."
Another reason would be if the PRC is interested in disrupting or otherwise messing with working groups or bilateral aspects of the virtual conference, Buchanan said.
"I am not sure how Apec will conduct its business in a virtual setting but since a lot of the important stuff gets done in side-bars to the main conference proceedings, perhaps there is room for mischief there. But overall, short of some affront, I do not see the PRC wanting to 'Dutch' the conference."