However, Inde Technology’s chief technology officer Rik Roberts said there was a “high possibility” it could have been the result of some form of automated attack.
“There is a high chance there could be a lot of fictitious submissions through bots,” he said.
“An attack is a strong word to use but this bill has got a lot of publicity and a lot of attention and it makes it an easy target to direct some bots against to influence or interfere with the process.”
Roberts couldn’t be conclusive about what went wrong on Tuesday but said it would be easy enough to overload Parliament’s website in a world of generative artificial intelligence.
“You can create a whole bunch of virtual machines all around the world and on those virtual machines you can instruct it to log on to the website, put in some details.
“It can randomly make up some names, randomly make up some submissions, and submit those as if it was a human and each of those virtual machines can do 1000 of those a minute.”
This type of scenario is called a Distributed Denial-of-Service (DDoS) Attack, where a website is made unavailable to users by overwhelming its ability to process requests.
Tech expert Louisa Taylor said she observed several error messages on the website on Tuesday that suggested it was overloaded.
She thought it could be a DDoS Attack, given she did not see any prevention technologies, like puzzles that require people to prove they’re not a robot, on Parliament’s website.
But another expert Sam Sehnert has since checked the now re-opened Treaty Principles Bill submission form and said the submission forms appeared to be protected from bots.
“That doesn’t necessarily completely rule out DDoS being a factor but does mean that the Treaty submissions themselves are most likely legit.
“There are still ways around captcha but they require a lot more resources to pull off, which makes the cyberattack scenario a lot less likely and would be more of a state actor level attack.”
RNZ has asked the Clerk of the House, David Wilson’s office if Parliament’s website has protections against DDoS attacks.
Wilson has already said the website issues were caused by an unprecedented volume of submissions coming in at the same time and wasn’t aware they were the result of anything untoward.
“To my knowledge, there is no evidence that issues were due to nefarious activity,” he said.
The country’s cyber watchdog, the National Cyber Security Centre, which is part of the GCSB, said it has no information to believe this was a cyber security incident.
Sehnert said digital forensics could be used to detect any sort of pattern or cadence in the submissions, like feedback coming in at regular intervals, to rule out nefarious behaviour.
Roberts said small countries like New Zealand were generally inexperienced when it came to handling high levels of traffic and preventative measures were a must.
“Any website these days has to have DDoS protection in front. We live in an age where it’s all too easy to fire up bots to take down a website so anything that’s going to have high publicity needs to have those prevention tools in place.”
- RNZ
