In the last six months we’ve had three serious attacks on what could be considered critical infrastructure for our country.
In August, the NZX was hit with a distributed denial of service (DDoS) attack halting trading intermittently over a four-day period.
On Christmas Day last year, a file-sharing software system the Reserve Bank of New Zealand uses was hacked and sensitive data stolen.
Now, more than two weeks on from a ransomware attack taking down the IT systems of the Waikato District Health Board, doctors are still unable to access diagnostics equipment and have even resorted to an ancient Lamson chute system, often seen in old department stores, to send lab results around the building.
This is the most serious cyber attack so far, one that has endangered lives with patients experiencing delays in receiving treatment. We will have to wait for the full, independent investigation of the incident to see where everything went so wrong for the Waikato DHB.
But if the reports into the NZX and Reserve Bank attacks are anything to go by, it will reveal a woeful state of cybersecurity preparedness that should be giving the government serious cause for concern.
Bad report card
The Financial Markets Authority’s report on the DDoS attack on the NZX website was scathing.
“Many other exchanges worldwide have experienced significant volume increases and DDoS attacks but we have not seen any that were disrupted as often or for such a long period,” it concluded, also noting a worrying “lack of willingness to accept fault” among the stock exchange’s managers.
A public summary of the report into the Reserve Bank hack released this week by KPMG should be mandatory reading for any IT or data security manager. It found crucial cybersecurity alerts failed and our central bank was using a system for transferring files securely as an information repository and collaboration tool, outside of the bank’s own guidelines.
“Adherence would have significantly reduced the volume of information at risk,” wrote KPMG.
These examples are likely just the tip of the iceberg.
“There’s a reason why New Zealand is a very juicy target,” Jeremy Jones, head of cybersecurity at Auckland-based IT consultancy Theta, told Bloomberg in February.
“The country is highly digitized and so dependent on the internet and cloud services. But historically, we’re at least 10 years behind the UK and Europe on general cybersecurity measures in the commercial space.”
We simply haven’t invested in cybersecurity technology, expertise and employee training to address the growing cyber risks. The Reserve Bank was advised by its software provider to upgrade its file trading system in 2017, but it didn’t want to spend the money.
The Ministry of Health in 2019 abandoned a plan to upgrade cybersecurity systems across the DHBs because it didn’t have the budget to pay for it.
Counting the cost
CERT, the government agency that monitors cybersecurity incidents locally, says it received 1,431 incident reports in the first three months of 2021, up 25% on last year. Reported financial losses totalled $3 million, but the real cost is much greater.
Unless insurance covers it, Waikato will have to pick up the bill for sending patients to other hospitals for urgent treatment. Then there’s the so far unknown impact of patients’ stolen health data floating around on the dark web. There’s a lucrative business in extorting money from people who don’t want their medical diagnoses leaked for everyone to see.
The Waikato DHB is right in not giving in to ransomware hackers' demands for large payments to unlock hacked data and systems. But if we are going to take that hard line with hackers, we need to have better frontline defences to prevent them from getting in in the first place.
Most New Zealand businesses and government agencies are somewhere in the process of migrating their IT infrastructure from servers on their own premises to cloud computing platforms. While cloud providers aren’t immune from cyber attacks, they offer better security than the efforts to patch and protect sprawling and ageing IT systems. We need to accelerate the migration to the cloud.
Some argue the looming reorganisation of the health system, with the inevitable centralisation of technology systems as DHBs are disestablished, will pose an even larger cybersecurity threat. The opposite is true. We need more standardisation of IT systems and processes across government to allow a more uniform approach to cybersecurity.
We will also need to spend more on cybersecurity. The Australian government last year put aside A$1.35 billion to spend over the next decade on cybersecurity initiatives, including adding 500 staff to the Australian Signals Directorate. Some of those cyber experts will even develop offensive capabilities, joining the US in “disrupting cybercrime offshore, taking the fight to foreign criminals that seek to target Australians”.
Our own budget last month had nothing specifically for cybersecurity, despite the recent high-profile attacks. We can only hope that the $700 million allocated for health sector infrastructure projects will extend to improving cyber defences for our hospitals and clinics.
The New Yorker in February called out the “arrogant recklessness of the people who have been buying and selling the vulnerability of the rest of us” in carrying out ransomware attacks on covid-stressed hospitals worldwide.
Recovery is key
We are not alone in being targeted here. Until we can invest in plugging the gaps in our defences, we need to focus on improving our ability to recover from attacks. The fact that hospital IT equipment and patient data are still inaccessible at Waikato DHB suggests its disaster recovery plan is deficient.
Security experts hammer on about the need for robust data back-up systems and daily back-up schedules to ensure a hacked organisation can at least revert to a recent and malware-free version of its data, using fresh machines until the ransomware-infected ones can be cleaned and reformatted.
It is inevitable that more data will be held to ransom as gaps in our security are exploited. The least we can do is make sure that when we are hit by cyber attacks, we can get up off our knees quickly and get back to business.