Seemingly every week this year, there's been another high-profile organisation targeted by hackers, who often demand millions for the release of stolen or encrypted information.
Air New Zealand partner Travelex, Fisher & Paykel Appliances, The University of Auckland, University of Otago, Garmin, Canon, Honda, BlueScope Steel, Lion, transport giant Toll Group (twice within months), Twitter, MetService and of course the NZX are just some of those hit by cyber-criminals so far this year.
None of those attacks has ended up costing customers money, but they have cost their targets hundreds of millions through lost business, workarounds, and recreating lost data from scratch.
Is there a rise in cyber attacks?
It's notoriously difficult to get a close handle on the number of cyber attacks or the cost of the damage they cause, because many organisations are sheepish about admitting they were a victim at all, let alone the full scale of their losses.
This will change on December 1 when an update to the Privacy Act comes into force, requiring organisations to tell the Privacy Commissioner, and affected parties, if they lose data through negligence or theft in a situation that has caused or could cause harm (the Privacy Commissioner's website will feature an interactive tool to help organisations decide whether a breach meets the "harm" threshold).
Still, it seems certain the online world is getting scarier.
The first half of this year saw a 42 per cent increase in cyber-attack incident reports to the Crown agency, the Computer Emergency Response Team, or Cert NZ.
Cert NZ director Rob Pope - best known to most Kiwis for his time heading the Scott Watson investigation - won't comment on recent high-profile cases, or the financial hit taken by various specific corporates, saying it would inhibit other targets from coming forward.
His agency's figures show reported attacks for the first half of this year topped 3000, with collective losses of $7.8 million, compared to $16.5m lost to cyber crooks in the first six months of 2019. NZ-based security company Emsisoft, however, put the cost at a minimum of $36m for the first half.
Why now and why NZ? The soft touch
Experts say New Zealand is seen as a bit of a soft touch - in part, simply because we haven't kept up with other countries' efforts.
"We're seeing hacker behaviour evolve," says Hilary Walton - a one-time operative for MI5 in the UK, who returned home to New Zealand to become the first chief information security officer for state-owned Kordia this year.
"The US has been flooded with attacks and become more cyber-savvy. So now attacks are getting closer to home."
AUT computer science professor Dave Parry says "Australia is hardening itself a great deal against these cyber-attacks, partly because of [its] China dispute."
By comparison, New Zealand has come to seem "a small, soft touch", Parry says.
And although we are small, and it's unlikely a foreign power would want to steal the blueprints for the NZDF's combat tractors, we are part of the high-powered Five Eyes network, and state hackers could see us as its weak link.
The pandemic could well be another factor, especially when we look beyond bad "state actors".
With arrests few and far between at home (who are you, Rawshark), let alone for offshore attacks, we know little about criminal cyber-gangs, other than that they seem to usually work out of Eastern Europe, and that they are often also engaged in other activities such as drugs, human trafficking and prostitution.
Parry speculates that as virus-lockdowns put a crimp on their offline illegal activities, criminal enterprises decided to up their cyber-attacks to compensate.
At the same time, many in the West were heading to work from home - where they often use older devices on poorly-protected Wi-Fi, making them an easy conduit into the companies they worked for.
But even last November, we had Cert NZ issuing an alert that a gang of cyber-criminals, thought to be aping a Russian outfit often going by the name of Cozy Bear, was targeting NZ financial institutions (some pundits see this very group behind the NZX attacks, and behind others on banks and payment companies around the Asia-Pacific region in the months since the warning).
Why does Russia keep coming up? Parry says that although a cybercriminal could be anywhere, there are several factors behind Eastern Europe and the former Soviet Union's hotbed status, including "a weaker legal framework, lots of very good mathematicians and large-scale organised crime".
It's the people, stupid
Lastly, there is plain human error, which has more room to do damage as we move into the cloud, with data often stored in a data centre many countries away and accessed over the internet.
July saw the revelation that the data of about 30,000 Wellington renters had been publicly accessible online for months - including photos of IDs like passports and driver's licences - because a Wellington property management company had a storage "bucket" on Amazon Web Services mistakenly configured for public viewing.
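The Wellington case above is a configuration failure that can be checked mechanically rather than discovered by whoever stumbles on the URL. Three things decide whether an S3 bucket is world-readable: its ACL, its bucket policy, and the Block Public Access switches. The following is an added example, not code from the original article or from the property management company involved; the bucket name, role ARN and the sample ACL, policy and Block Public Access documents are constructed, shaped like the responses boto3 returns for get_bucket_acl, get_bucket_policy and get_public_access_block.

```python
"""Check an S3 bucket for world-readable exposure using the three settings that
govern it: the bucket ACL, the bucket policy and the Block Public Access
configuration. Sample documents below are constructed for this example; the
bucket name and role ARN are made up."""
import json

# Predefined S3 groups meaning "anyone on the internet" (AllUsers) or
# "anyone with any AWS account" (AuthenticatedUsers), which is public in practice.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_permissions(acl):
    """Permissions the ACL hands to a public group, e.g. ['READ']."""
    perms = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            perms.append(grant.get("Permission"))
    return perms


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_document):
    """Sids (or positional labels) of Allow statements open to any principal.
    Statements with a Condition are still reported: aws:SourceIp and friends may
    narrow the audience, but that is for a human to confirm, not to be assumed."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without the list
        statements = [statements]
    return [
        s.get("Sid", f"Statement[{i}]")
        for i, s in enumerate(statements)
        if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
    ]


def block_public_access_complete(config):
    """All four switches must be on to neutralise a stray public ACL or policy."""
    switches = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in switches)


def assess_bucket(acl, policy_document, public_access_block):
    """Return a list of findings; an empty list means no public exposure was found."""
    findings = []
    perms = acl_public_permissions(acl)
    if perms:
        findings.append("ACL grants " + ", ".join(perms) + " to a public group")
    sids = policy_public_statements(policy_document)
    if sids:
        findings.append("bucket policy allows anonymous access in " + ", ".join(sids))
    if not block_public_access_complete(public_access_block):
        findings.append("Block Public Access is not fully enabled")
    return findings


# Constructed sample: a tenant-document bucket left readable by everyone.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::tenant-documents/*"}]})
EXPOSED_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# The same bucket hardened: owner-only ACL, access limited to one named role, all four switches on.
HARDENED_ACL = {"Grants": [EXPOSED_ACL["Grants"][0]]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PortalRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/tenant-portal"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::tenant-documents/*"}]})
HARDENED_PAB = {k: True for k in EXPOSED_PAB}

if __name__ == "__main__":
    for label, args in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_PAB)),
                        ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))):
        print(label, assess_bucket(*args) or ["no public exposure found"])
```

Run against real buckets, the three inputs come from the bucket's owner account; the point of checking all three is that a private ACL alone proves nothing if the policy says Principal "*", and that enabling Block Public Access is the control that keeps the next mistaken click from becoming the next headline.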
Another human factor is the malicious insider.
It's never been disclosed how Toll Group managed to get hit by ransomware twice within months this year.
But its chairman, John Mullen, has also dropped a heavy hint that the first attack was the result of human rather than technical frailty.
Mullen told the AFR, "It is an element of human behaviour that creates these entry points or the chink in the armour, it is rarely the actual firewall that didn't work.
"People somehow get access to a master password, whether it's via guile or whether it's through criminal activity or bribing. They will use human weaknesses to get around the system."
Similarly, the mass breach of verified Twitter accounts in July was a case of "social engineering".
The incident saw the accounts for Elon Musk, Bill Gates, Kanye West, Joe Biden and former President Barack Obama hijacked, and used to post a link to a Bitcoin scam.
A rare arrest of 17-year-old Florida high school graduate Graham Ivan Clark uncovered the low-tech plot.
Clark convinced one of the social network's staff that he was a co-worker in the technology department who needed the employee's credentials to access the customer service portal.
Experts say one lesson from the Twitter incident is to keep a close eye on access to sensitive tools and data. It can start tight, but then - as apparently was the case with Twitter - gradually spread to many employees over time.
Kordia's Walton says part of the answer is screening staff when they are hired, if they are going to have high-level security access, then watching for behavioural changes once they're on staff.
Every organisation should also have an ongoing education campaign to keep rank-and-file staff alert to the sort of scams that can open the door. In November last year, for example, Herald publisher NZME won an iSANZ award for a campaign that encouraged staff to report "phishing emails" (bogus messages used to harvest the likes of logons and passwords), using posters, videos and a custom reporting button on Outlook.
A fragmented response
A former GCSB staffer, who is still in close touch with the security agency, met with the Herald to highlight what he saw as several issues with the Government's approach to cybercrime - and especially the security community's.
He stressed that the GCSB, and its National Cyber Security Centre unit, were by no means ineffective.
And the agency has thwarted various attacks. In its most recent report to MPs, delivered in February, the GCSB said, "We have continued to improve and advance our Cortex cyber-defence capabilities, which we calculate have prevented almost $100m of harm to nationally significant organisations since June 2016."
It said $27.7m in harm was prevented by Cortex in 2019 as the GCSB assisted or advised around 800 organisations. The agency reported there were 339 cyber attacks on NZ "organisations of national significance" in 2019. Of those, 131 had "links to state-sponsored actors - the same proportion as the previous year", when there were 347 attacks.
But the insider also saw a number of problems. One was New Zealand's relatively small cyber-crime budget spread across a number of agencies, some of which he saw as duplicating effort.
A recent example is Cert NZ and the NCSC both circulating advice for businesses about DDoS (distributed denial of service) attacks. The Department of Internal Affairs can also weigh in, given its chief executive, Paul James, is also the Government's chief digital officer (CDO), a position that trumps GCSB director-general Andrew Hampton's dual role as government chief information security officer (GCISO).
In 2018, Communications Minister Clare Curran sought to cut across the alphabet soup of digital titles and agencies in security and other IT areas by appointing a digital czar or chief technology officer with sweeping powers to shape strategy.
That effort fell on its face as appointee Derek Handley was handed a $107,500 payout as the Government had a last-minute rethink. After Curran was shuffled off stage left, it was ultimately decided that the CTO role should be replaced by a "Digital Council" of lowish-profile IT industry figures who were appointed in February 2020 by Communications Minister Kris Faafoi and Statistics Minister James Shaw, without fanfare. So far, the council has had a couple of low-key meetings on topics like the "digital divide" as it finds its feet.
Another of the insider's gripes was that one of the GCSB's core tools to deflect cyber attacks, the aforementioned Cortex suite of defences, was first launched in 2012 and is now, despite upgrades, getting "a bit long in the tooth". It was also designed to prevent cyber break-ins rather than repel the sort of DDoS attack that was designed to simply overwhelm the NZX with connection requests last week.
Cortex matters because it's not just used to protect government agencies, but various private sector operations, including the NZX, and various key exporters, who are deemed "organisations of national significance" (there are around 600 in all).
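The distinction drawn above, between a tool built to stop break-ins and an attack that simply floods a site with connection requests, shows up plainly in a web server's own logs. The following is an added example, not code from the original article or from the GCSB, NZX or Cortex; the Common Log Format lines are constructed here (a quiet baseline followed by a three-second burst from sixty throwaway addresses), and the thresholds are assumptions a practitioner would tune to their own traffic.

```python
"""Tell a distributed connection flood apart from ordinary load in web-server
access logs: compare each second's request count with a quiet baseline, then
look at how many distinct sources carry the spike. Log lines are Common Log
Format and are constructed for this example, not captured from any real site."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _log_line(ip, when, request, status):
    return f'{ip} - - [{when.strftime(TS_FMT)}] "{request}" {status} 512'


def make_sample_log():
    """Constructed traffic: 20 s of quiet browsing from five addresses, then
    3 s in which 60 throwaway addresses together fire 150 requests per second."""
    start = datetime(2020, 8, 25, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(20):
        for n in range(2):
            ip = f"203.0.113.{(sec + n) % 5 + 1}"
            lines.append(_log_line(ip, start + timedelta(seconds=sec),
                                   "GET /announcements HTTP/1.1", 200))
    for sec in range(20, 23):
        for n in range(150):
            ip = f"198.51.100.{n % 60 + 1}"
            lines.append(_log_line(ip, start + timedelta(seconds=sec), "GET / HTTP/1.1", 503))
    return lines


def requests_per_second(lines):
    """Map epoch second -> Counter of requests by source address; unparseable lines are skipped."""
    per_sec = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], TS_FMT)
        per_sec[int(when.timestamp())][m["ip"]] += 1
    return per_sec


def flood_seconds(per_sec, baseline_window=10, factor=10, floor=50):
    """Seconds whose request count is at least `factor` times the median of the
    first `baseline_window` seconds, and at least `floor` (so a tiny site whose
    baseline is 1 req/s does not turn 10 req/s into an 'attack')."""
    secs = sorted(per_sec)
    rates = sorted(sum(per_sec[s].values()) for s in secs[:baseline_window])
    median = rates[len(rates) // 2] if rates else 0
    threshold = max(floor, factor * median)
    return [s for s in secs if sum(per_sec[s].values()) >= threshold]


def summarise(lines):
    """Headline numbers for whoever is on call: how long, how hard, and how spread out."""
    per_sec = requests_per_second(lines)
    hits = flood_seconds(per_sec)
    if not hits:
        return {"flood_seconds": 0}
    combined = Counter()
    for s in hits:
        combined.update(per_sec[s])
    total = sum(combined.values())
    top_ip, top_count = combined.most_common(1)[0]
    return {
        "flood_seconds": len(hits),
        "peak_rps": max(sum(per_sec[s].values()) for s in hits),
        "distinct_sources": len(combined),
        "top_source": top_ip,
        # A share near zero means the load is spread across many addresses,
        # so blocking individual IPs at the firewall will not bring the site back.
        "top_source_share": top_count / total,
    }


if __name__ == "__main__":
    print(summarise(make_sample_log()))
```

The output's last two numbers are the ones that matter for the response: sixty sources each contributing about two per cent of the flood is a distributed attack, which is why the fix is upstream filtering or scrubbing capacity rather than a perimeter rule, and why a capability built to spot intrusions has little to say about it.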
He also fretted that the hacking boom had fuelled a hiring boom in the private sector. Some experienced GCSB staff were leaving for better-paying corporate security gigs.
But his chief concern was that Australia was taking the new cybersecurity threats much more seriously.
In June, Australian Prime Minister Scott Morrison announced a A$1.35 billion ($1.4b) boost for efforts to defend the country's public and private networks against hackers - such as the unnamed "sophisticated state actor" that launched a massive attack on government agencies and private businesses that month.
Some pundits fingered China as the state actor. Morrison did not name any specific country.
His 10-year funding plan includes A$470m that will be used to create more than 500 new jobs within the Australian Signals Directorate, the agency responsible for repelling cyber attacks. That will take the agency's total staff to around 2500.
Asked about NZ cybersecurity spending, Faafoi pointed to the creation of Cert NZ, which was set up in 2016 (under the National-led Government of the time) with a $22.2m budget. Faafoi said the agency's budget was increased by $9.3m over four years in Budget 2019.
"Also in Budget 2019, the Government allocated $8m over the next four years to help implement Cyber Security Strategy," he said.
What has that $8m yielded so far?
"Initiatives making use of these funds will be announced as they are being implemented," Faafoi said.
Cert, headed by director Rob Pope, is a public-facing agency.
Faafoi added that the GCSB's NCSC unit is "in the process of scaling up the availability of one of those defence capabilities, Malware Free Networks, to a much broader range of organisations."
The NCSC's staff are all within the GCSB's total headcount of around 500.
Budget 2020 included $146m over four years for the intelligence agencies, that is, the domestic-focused NZSIS and the GCSB. That works out to $36.5m per year.
An NZ intelligence community spokesman would not say how much of that annual budget is devoted to cybersecurity.
"To give specific amounts allocated to particular functions may give adversaries an indication of our capability in any one area," he said.
A wakeup call
The five-day attack on the New Zealand Stock Exchange - which saw trading suspended at times and the bourse's website and information sharing platform forced offline at various points - was not a good look for New Zealand on many levels.
Commentator Paul Brislen said the slow response would harm New Zealand's image as a tech innovator, undermining investment and its general appeal as a job destination.
But Parry saw a silver lining.
Historically, "These attacks have not been seen as such a high priority to defend against. The likes of earthquakes were seen as a greater risk, so cybersecurity was a relatively lower priority in NZ than in many other Western countries.
"But the Government's advice has become more forceful now."
The question, though, is whether it will make like Morrison and put its money where its mouth is.
Postscript: Should you pay a ransom?
Today's hackers often want money to give you back your files (after they've stolen or encrypted them in a "ransomware" attack) or to cease a DDoS attack (a distributed denial-of-service attack, where an army of bots tries to connect to your site at once, rendering it inaccessible to regular punters).
NortonLifeLock security expert Mark Gorrie saw the recent DDoS attack on the NZX as a "profit-driven" attack. (The exchange would not comment on whether a ransom had been demanded).
Crown agency Cert NZ has clear advice. "Don't pay." Its deputy director Declan Ingram says paying up will only encourage another attack on you or another organisation. It's also no guarantee you get your files back or that a DDoS attack will stop if you do stump up, and you'll likely be giving money to an organised crime outfit that's also involved in the likes of drugs and human trafficking.
Nevertheless, Kordia chief information security officer Hilary Walton says research indicates around 20 per cent of victims do pay up. There are indications that fitness-tracker and avionics maker Garmin recently paid $14m to rid itself of an attack.
And the University of Auckland recently disclosed that it had alumni and donor data stored with Blackbaud, a listed US company that publicly disclosed it had paid a ransom after its systems were compromised earlier this year. Otago University also had data with Blackbaud. Both NZ universities said they were not party to the decision to pay off the hackers.
If an organisation doesn't pay up, the latest tactic is blackmail: slowly leaking small batches of sensitive files on to the public internet to pressure the victim into paying.
Fisher & Paykel Appliances suffered that fate earlier this year as it had highly-detailed budgets and planning documents posted online.
But the whiteware maker gritted its teeth and did not pay up.
It was a tough outcome, but Cert's Ingram says even if you do pay, and your files are returned, your attacker could keep copies and use them to blackmail you in the future.
Yet Wellington lawyer and IT specialist Michael Wigley says he can understand why some organisations pay up. In some cases it can be a pragmatic decision. In others, an argument can be made that a company's duty of care extends to retrieving lost client data.
Herald columnist Juha Saarinen says the government should make it illegal to pay a ransom.