‘I am convinced that there are only two types of companies: those that have been hacked and those that will be.’ – so said Robert Mueller, then director of the FBI, in 2012.
Fast forward to 19 July 2021, when Hon Andrew Little, the Minister in charge of New Zealand’s spy agencies, took a bold step by publicly attributing the cyber-chaos experienced by New Zealand businesses earlier this year to Chinese state-actor efforts.
So does this statement signal a sea change for New Zealand’s relationship with China? And are Chinese state-sponsored hacking groups a mere drop in the ocean of cyber warfare?
To understand what’s happening now, we need to go back to early March 2021. Microsoft triggered a ginormous emergency beacon, warning the public that it had detected bad actors exploiting vulnerabilities in its Microsoft Exchange Server software. Virtually anything accessed through Outlook flows through Exchange, so the ramifications of the vulnerabilities were immense. Once disclosed, the vulnerabilities ricocheted into hundreds of exploitation attempts against organisations worldwide, including businesses in New Zealand.
But while Microsoft directed primary blame to Chinese state actors, until now, the New Zealand Government did not publicly blame China for the attack.
The statement from the Government on Monday crossed the Rubicon: The Government condemned Advanced Persistent Threat 40 (APT40), Chinese state-sponsored actors, who are said to be behind ‘malicious activity’ in New Zealand and globally. The statement was a joint effort with our Five Eyes partners (the US, Canada, Australia and the UK) as well as the EU and Japan.
What does it mean?
Things are heating up. And the Government has serious cause for concern. The statement by the Government would not have been made lightly, not least due to the crucial trade relationship between New Zealand and China, our largest trade partner. Some analysts have already concluded that New Zealand is in a ‘state of vulnerability’ given the consequences of Chinese economic retaliation.
But the more intriguing part of the Government’s statement was what was left unsaid: We’re left to read between the lines on the nature and extent of the other ‘malicious cyber activity’ the Government is attributing to China as well as the plan for responding should such activity continue.
International reports indicate that the statement is stage one in a concerted and public effort to clamp down on Chinese cyber efforts, with purported plans to share intelligence on cyberthreats and ‘collaborate’ on network defences and security. New Zealand would not have wanted to be left in the lurch by failing to play its part.
A question bound to be causing restless nights is whether China is the big catch – or just one of many ‘phishes’ of concern. Russia is widely acknowledged as the likely culprit for the ransomware attack on Colonial Pipeline, which saw the shutdown of its nearly 10,000 km pipeline for almost a week.
The Beehive alluded to the global threat in its careful wording – attributing ‘around 30%’ of serious malicious cyber activity against New Zealand organisations to ‘various’ state actors.
Why does it matter?
While the threat is a global one, the impacts for New Zealand businesses are real. The victims of malicious cyber activity are frequently small and medium businesses, without the resources to clamp down on highly sophisticated exploit efforts. We have previously commented on the recent spate of ransomware attacks, affecting businesses both globally and in Aotearoa.
We have seen the consequences for New Zealand when it comes to exploits. But the attacks on the Waikato DHB are the tip of the iceberg when it comes to the destruction that a concerted effort targeting New Zealanders could wreak. This isn’t new, but the magnitude of a state-sponsored cyber threat is one our Government is yet to publicly and frankly acknowledge.
Our view is that the New Zealand public should expect change – both in terms of regulation and the Government’s approach to information security. Such change will be driven by the pressure to protect New Zealand businesses as well as increasing expectations by our allies to contribute to intelligence efforts. We’re likely to see increased legislative and policy efforts aimed at equipping New Zealand’s intelligence and surveillance agencies to contribute to global efforts.
And with change come trade-offs: the Director of the New Zealand Security Intelligence Service has urged the public to reflect on the tide of ‘state-sponsored espionage’ against businesses in New Zealand. In other words, if we want to stay ahead of the curve, that means allowing our Government – and potentially other governments – greater access to everyday New Zealanders’ private communications.
We’re already seeing movement in this space, with the Government co-signing an international statement urging platform providers to provide a ‘back-door’ for Governments to access encrypted content in a readable form. But policy in this space is tough stuff: a back-door designed to aid intelligence efforts could easily be the source of further exploitation.
In any case, the landscape has shifted. Businesses that deal with data need to be ready to respond to requests for access by the New Zealand Government and also to data breaches that could leave them in the lurch.
If we want to stay ahead of the curve, everyday New Zealanders may need to be prepared to allow the New Zealand Government – and potentially other governments – greater access to our private communications.