The review began earlier this year when the spy agency confirmed it had been aware of a 2021 China-backed cyber attack on two MPs who were part of the Inter-Parliamentary Alliance on China (IPAC), Simon O’Connor and Louisa Wall, as well as Canterbury University professor Anne-Marie Brady.
The victims of the attack were frustrated the GCSB and its cyber-security arm, the National Cyber Security Centre (NCSC), were not informed by the agency that they had been targeted by APT 31, a state-backed Chinese hacking group.
The internal review, published today, recommended that “where appropriate, the NCSC should consider some form of engagement with individuals” when it discovered they had been targeted by “state-sponsored actors”. It found that the attack, which was mainly phishing emails, did not succeed in compromising email accounts.
Currently, the NCSC does not have procedures for how to respond to reports indicating foreign actors might be targeting New Zealanders. The report also recommended that the NCSC not only focus on the “technical” response to cyber-security incidents, but broaden focus to their “wider implications”.
The review also said the agencies should do better at identifying incidents on which the minister should be briefed. Currently, only the “no surprises” rule applies, meaning a large volume of important incidents might pass the minister by. The report included the caveat that it would not be “possible to prescribe all of the circumstances in which it may be appropriate for the NCSC to brief the minister”.
Brady said the NCSC “need to have a better understanding of foreign interference”.
“China is both the main source of cyber attacks on New Zealand, and the main source of foreign interference and espionage in New Zealand. New Zealand’s national cyber agency needs to understand China’s foreign interference activities in order to better mitigate against the ongoing cyber attacks,” Brady said.
O’Connor told the Herald that while he was pleased the agencies had finally “taken the matter seriously”, he was still “disappointed as to how this was handled”.
He said the recommendations were “good and appropriate” but that he hoped that the changes will see “a better and more robust response in the future”.
Lisa Fong, the GCSB’s deputy director-general cyber security, said the report “did not identify any information to indicate the activity resulted in a successful cyber-security compromise but did identify a number of phishing emails sent to parliamentary email addresses”.
Brady said that the report was effectively looking in the wrong direction by focusing on emails.
“The FBI reports say the hack attempt was a progressive hack aimed at getting IP addresses. The NCSC report wrongly focuses on whether emails were compromised,” she said.
The review said the NCSC is aware of a “large volume” of potential malicious cyber activity. The agency conducts “preliminary analysis” of these threats and if the threat is determined to reach a certain threshold, a “formal incident” is created and the threat investigated. Each “incident” is given a rating from C1, “National Cyber Emergency”, to C6, “Minor Incident”.
Last year, the NCSC recorded 316 incidents. The report found that most incidents are not escalated to this threshold and would best be categorised as random, phishing-style exercises.
“A significant amount of malicious cyber activity affecting New Zealand is not targeted, and is instead part of opportunistic exploitation of vulnerable systems and often global in nature,” the report said.
“This includes most email-based phishing campaigns. The NCSC’s staff prioritise escalation of activity judged most likely to cause significant harm to New Zealand’s nationally significant organisations or cause a high national harm.”
The report gave a timeline of when it became aware of hacking.
In June 2021, the Parliamentary Service advised the NCSC that an MP who was a member of IPAC had raised concerns about possible malicious cyber activity against IPAC members. The NCSC opened an “incident” in relation to that complaint and coded it C5 or a “routine incident”, as it “related to scanning, reconnaissance or a potential threat”.
The NCSC engaged with the New Zealand Security Intelligence Service (NZSIS), who provided the NCSC with “classified intelligence” from another international partner agency, which was not named in the report but is often assumed to be the United States.
The “incident” was closed in mid-July 2021 after the NCSC advised Parliamentary Service that it did not have any material information to update and the Parliamentary Service confirmed it was not expecting any further assistance from the NCSC.
In April 2022, the NZSIS provided the NCSC with a classified intelligence report from an international partner agency related to possible malicious cyber activity against IPAC members. It did not explicitly reference any targeting of New Zealand individuals and the NCSC did not open an incident on it.
In June 2022, an unnamed international partner agency informed police and the NZSIS about possible foreign state cyber activity that may have affected New Zealand members of IPAC. The NZSIS passed that information to the NCSC to lead the incident response. This time, the NCSC did open an “incident”, tagging it C5 or a “routine incident”.
As a result of this investigation, the NCSC “considered taking actions in relation to... [one individual] who may have been affected by the reported cyber activity”, likely O’Connor or Wall, but the NCSC assumed they were likely aware of the risk of targeting by foreign state-sponsored actors and would already be taking appropriate security measures.
“For any agency to just ‘assume’ that we would be prepared seems quite lax, no matter how well prepared we are by our own resources. I note that Parliamentary Services systems failed to prevent this phishing attempt in the first instance and they also failed to identify the issue, even when told.,” he said.
That incident was closed in August 2022, the international partner agency “corrected” the information it had provided the NZSIS, but the NCSC did not reopen the incident.
The report mentions the engagement the NCSC had with Parliament, but it does not mention any engagement with Brady’s employer, the University of Canterbury.
Brady told the Herald the University of Canterbury is a “customer” of the NCSC along with other “research institutions”, which meant it should have been informed of the attack.
“They informed the Parliamentary Service, but they did not inform the University of Canterbury of the cyber attack, even though they are required to,” she said.
In May 2024, following news of the attack breaking publicly, the NCSC finally engaged with people caught up in the attack.
O’Connor remained unhappy with what the NCSC had uncovered during the review.
“Good intelligence should always rely on context as well as technical data. It remains concerning to me that no one thought beyond the technical details,” he said.
“At day’s end, this was not a random cyber activity. A foreign state actor [China] specifically targeted three New Zealanders in public roles and who have been outspoken in their criticism of the CCP [Chinese Communist Party]. I remain unimpressed that this was not apparently considered at the time,” he said.
O’Connor said Chinese proxies “sought to surgically target outspoken individuals who hold significant information and contacts relating to CCP activities both in New Zealand and abroad”. He was particularly critical of the finding that NCSC staff assumed that he and the other targets were taking precautions with cyber security, and did not think to contact them personally.
“All of this highlights the need for greater vigilance and a more proactive approach to those targeted. Had any of these agencies engaged with IPAC members, we would have been able to source the emails in question and eliminate the threat,” he said.
The current IPAC co-chairs Labour’s Ingrid Leary and National’s Joseph Mooney said they were “pleased the matter has been taken seriously and a review undertaken. It finds that no parliamentary emails were accessed, but does make recommendations for improvements which IPAC supports being implemented”.
The Inspector-General of Intelligence and Security, Brendan Horsley, who monitors the GCSB, said no further review was necessary.
“I have reviewed the classified and public reports prepared by the NCSC. I am satisfied that the NCSC review: fully and fairly covers what happened: the public report discloses the important facts; and the NCSC has properly recognised where it can improve. I have decided that a separate IGIS inquiry is not needed. However, I will monitor NCSC’s action on the recommendations,” he said.
Thomas Coughlan is Deputy Political Editor and covers politics from Parliament. He has worked for the Herald since 2021 and has worked in the press gallery since 2018.