State does not carry out cyber attacks
No known cyber attacks have been carried out by the New Zealand government.
State takes appropriate and effective measures to investigate actions by third parties, hold responsible persons to account and adopts measures to prevent recurrence
Cyber Security Policy
In July 2012 the government established a national cyber policy office in the Department of Prime Minister and Cabinet.44 Little is known about the office’s work. New Zealand has a national Cyber Security Strategy.45 The strategy notes that:46
- 70% of New Zealand adults have been the targets of some form of cyber crime, with the most common complaints being computer scams, fraud and viruses/malware.
- New Zealanders are frequently the targets of international scams and fraud attempts, losing up to $500 million due to scams annually.
- International data suggests 133,000 New Zealanders per annum are victims of identity fraud (the majority of cases having a cyber element), with around one third falling victim to identity theft and two thirds falling victim to credit or bank card fraud.
- A recent survey showed that 54% of New Zealanders feel they know little or nothing at all about computer security risks and solutions.
- 59% of New Zealanders do not secure their mobile phones, PDAs or smart phones by using, and regularly changing, a password or PIN.
The government is involved in multi-stakeholder processes which monitor cyber-attacks, for example, the New Zealand Internet Task Force (NZITF),47 a non-profit organisation with the mission of “improving the cyber security posture of New Zealand.” The NZITF is a forum “based on mutual trust for debate, networking, information sharing, and collaboration on matters relating to the cyber security of New Zealand.” NZITF participants include security professionals across government, law enforcement, academia, information security, and private sector industries including telecommunications, information technology, and banking. The extent of civil society participation is unclear.
There has been at least one known distributed denial of service (DDoS) incident against the New Zealand Parliamentary website. On 30 April 2011, an Anonymous statement48 was issued protesting the New Zealand government’s proposals for changes to copyright law which would introduce new penalties for copyright infringement and file sharing. Anonymous later claimed to have succeeded in temporarily making the website unavailable.49
In relation to network security and non-State actors, according to the Government of New Zealand Statistics Office, “Fifty percent of ISPs monitor the traffic in their customers’ accounts for signs of compromised security, including botnets, pharming, phishing, and trojans. Only 1 percent showed signs of compromised security, compared with 3 percent last year. One-third of the ISPs who monitored security threats reported that they most commonly monitored for botnets, followed closely by phishing and trojans equally.”50
There have been no Internet shutdowns affecting the general public.
However, network shutdowns, which are shutdowns implemented by a particular service provider or company on a specific network, usually in response to a specific security issue, have occurred. For example, the government has, on more than one occasion, shut down departmental networks in response to information security breaches. In March 2013, for example, an unprecedented privacy breach took place when the Earthquake Commission (EQC) accidentally leaked information by email about 98,000 claims from 83,000 people in relation to the Christchurch earthquakes. The government responded with an unprecedented order that the entire external email system of EQC be shut down51 as well as “business-to-business data exchanges and all systems that allow access to its systems by external parties.” The government’s Chief Information Officer was asked to investigate and report on the issues (see also below in relation to privacy). The shutdown thus affected third parties, including EQC claimants (victims of the earthquake) and businesses.
Another incident occurred just four months earlier in November 2012, when members of the public using the service kiosks in WINZ offices were able to access information on the Ministry of Social Development’s network, simply by clicking on files and folders. The incident caused a public outcry and the government responded by shutting down access to all kiosks and subsequently shutting them down indefinitely in light of an independent review.52 The shutdown adversely affected the public’s ability to access Ministry services and, the independent review found, could have been avoided if known security risks and risk mitigation strategies had been properly implemented.53 A further concern is the tenor of criticism by the government of the member of the public who told media of the security breach. In fact the Ministry had been warned of the security issue on previous occasions but had not responded adequately until media attention.54
While immediate responses to security incidents that compromise privacy are to be commended, the use of system shutdowns as a general response is a concern.
44 See: http://www.dpmc.govt.nz/ncpo
45 New Zealand Government New Zealand’s Cyber Security Strategy (Wellington, July 2011)
46 Ibid, at 6.
47 See: http://www.nzitf.org.nz/
48 The statement is available at: https://www.youtube.com/watch?v=FYaD4Qv9oWE
52 Deloitte Ministry of Social Development: Review of Information Systems Security: Circumstances and Causes of, and Response to, the “Kiosk” Security Breach (Wellington, November 2012).