NZX and Reserve Bank cyberattacks expose lax cybersecurity approach, Mega execs say

Monday, 26 April 2021

Mega executives Bram van der Kolk and Mathias Ortmann’s passports are still being held at the High Court as part of the Kim Dotcom saga.

ANALYSIS: New Zealand is too small and interconnected for people to speak too negatively about the country’s institutions, which is why it’s hard to get anybody to say anything bad about the NZX or Reserve Bank cyberattacks last year.

At some point you’re probably going to have to deal with the person or institution you slag off in public. Worse, you might even need to tender for a contract from them.

This attitude is the glue that stops us from descending into a pit of angry recriminations in our public sphere, but it’s also how Reserve Bank Chairman Neil Quigley was able to stand up in front of an audience at an event in Auckland earlier this year and heap a lot of blame for the Reserve Bank hack onto a foreign IT vendor.

“We had no warning to avoid the attack which began in late December.

“[The vendor] failed to notify us for five days that an attack was occurring against its customers and a patch was available.”

Mega co-founders Bram van der Kolk and Mathias Ortmann.

A reluctance to criticise is also how the NZX was able to get away with only releasing a press release about a report into its cybersecurity issues and not the report itself.

The NZX still has not even released a redacted version of this report to the public. For what it’s worth, the NZX claims the InPhySec report proves the organisation came under an unprecedented attack which, naturally, could not have been reasonably predicted by its staff or board.

Mega executives Bram van der Kolk, a co-founder, and Mathias Ortmann, the chief technology officer, have no such qualms about offending people.

When Kim Dotcom was at the helm, the file-sharing and hosting service seemed to almost embrace controversy, first with Dotcom’s verbal sparring with John Key’s Government and then with his launch of the Internet Party. On top of this, both van der Kolk’s and Ortmann’s passports are still being held by the courts as extradition proceedings drag on against them.

Which is probably why Ortmann seems to have no issue criticising the Reserve Bank’s approach of blaming the vendor for not letting it know a patch was available.

“That is a very, very unrealistic expectation,” says the bespectacled Ortmann, leaning forward in his chair.

“If you wait until the vendor tells you, and you do not actively monitor for vulnerabilities, the vulnerability might actually be published [to other hackers] before the vendor finds out about it – which is an everyday occurrence.”

Ortmann’s sentence is finished by van der Kolk, who sits directly opposite him in their shared corner office at Mega. Their computer screens are almost back to back, and as one starts a sentence the other finishes it in something akin to a verbal ping-pong match.

Keeping vulnerable pieces of software off computers connected to the internet is a basic design feature that you don’t need to be a particularly sophisticated computer genius to understand. Especially if the piece of software is so old that it’s not properly supported by the vendor, as appeared to be the case here.

“Anything you run on the open internet, you must be very vigilant about it,” van der Kolk says.

Then Ortmann jumps in:

The Reserve Bank has been hiking interest rates aggressively to combat inflation.

“The first question to ask is: does this service need to be running on the open internet or not?”

Ortmann raises some interesting questions. The software Quigley and the Reserve Bank were talking about was “legacy” software not properly supported by the vendor. If you had to use such a thing, was it really necessary to keep it exposed to every hacker on the internet?

Employees could have accessed this tool through a virtual private network (VPN) instead, he suggests. This would allow people to access the tool while removing it from the company’s network and the internet at the same time. It would also block any future unknown vulnerability from being exploited.

A spokesperson for Reserve Bank says the bank will comment further on the incident “as and when it is appropriate to do so”. It does not want to undermine a review by KPMG or criminal and forensic investigations currently under way.

However, the advice to remove legacy systems from exposure to the open internet is so basic it’s even parroted by the Government’s own cybersecurity organisation CERT NZ.

“By definition, legacy systems are vulnerable, and present a risk to your organisation. The safest option is to stop using them and remove them from your network,” CERT’s website says.

Mega is no stranger to cyberattacks and security issues. It almost invited them with promises of complete anonymity and encryption.

In van der Kolk and Ortmann’s view, we are nowhere near as worried about these attacks as we should be. The issue isn’t just the vulnerabilities that were exposed, but that these two important financial institutions didn’t have anybody on staff who recognised them before they were exploited.

Or, in NZX’s case, it didn’t even have staff who recognised how to fix the problem while it was happening, which left the exchange offline for four days as it came under wave after wave of attacks. The attack affected the NZX’s ability to publish market announcements to the public. A decision was made to halt trading so that public traders were not disadvantaged by a lack of information.

Van der Kolk says the attacks could have been easily combated by ramping up bandwidth so the system wouldn’t be overwhelmed by cyberattackers. The NZX could have purchased plenty of services to do this. As he talks about this, Ortmann scouts Google and finds that other stockmarkets, like the NASDAQ, have used these kinds of services for years.

The government has pulled in the heavyweights to investigate attacks on the NZX. The stock exchange has been the victim of attacks for four days in a row.

Their point is, if NZX was not paying for basic safety precautions, or did not know it needed them, what hope is there for other smaller organisations?

“When you’re operating a stockmarket and you’re part of the financial system that’s a big responsibility. You need to live up to a certain standard. You cannot have ‘script kiddies’ come along and ruin the party, that’s not allowed,” van der Kolk says.

Van der Kolk and Ortmann aren’t alone in thinking our companies and the boards that govern them aren’t taking cybersecurity as seriously as they should be.

Cybersecurity experts like deriskme.com’s Paula Gair say it is hard to elevate these cybersecurity issues to the boardroom level.

Health and safety issues are discussed all the time, but cybersecurity ones not so much.

“In this case I think cybersecurity is often lumped in with IT in general, and it’s just seen as a cost centre.

She suggests it might stay that way until boards and their directors are made personally liable for serious cybersecurity breaches in the same way they are for health and safety ones.

“Unfortunately until something goes wrong it’s really difficult to get it high enough up the list.

“If you think about how we deal with health and safety and the fact that we’ve actually made directors liable for serious health and safety breaches then that gets that right up to the top table.”

Institute of Directors chief executive Kirsten Patterson argues directors are already liable.

Kirsten Patterson, chief executive of the Institute of Directors, sees regulatory bodies taking legal action in future over cybersecurity issues.

“It’s no longer a nice to have on the agenda. There’s been some pretty clear direction from some of our regulatory authorities like the Reserve Bank and the FMA [Financial Markets Authority] who have made it really clear that boards need to take responsibility for overseeing cybersecurity.”

She says boards are taking these issues very seriously, but acknowledges the Institute’s own director sentiment survey shows a huge chunk of companies don’t regularly discuss cybersecurity issues at all.

“Only 54 per cent of the boards that we surveyed in there indicated that it was being regularly discussed and felt they had capacity to respond to a cyberattack or incident.”

Fifty-four per cent is a small number considering cybersecurity is something she believes should be on all company risk registers, and an issue consistently named by directors as one of the top five risks their companies face.

In Australia the Australian Securities and Investments Commission (Asic) took legal action against a company for not taking enough cybersecurity precautions to prevent a brute-force cyberattack.

The New Zealand sharemarket was subjected to trading halts and disruptions over a four-day period as the result of a sustained cyberattack from overseas.

Last year Asic started federal court proceedings alleging the RI Advice Group failed to implement “adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience”.

Patterson thinks we aren’t far off from seeing similar action taken here.

“I think all directors are upskilling and upskilling really fast.

“We’re all responsible. Same way that everyone’s responsible for finance, we’re all responsible for health and safety, and we’re all responsible for cyber.”

Van der Kolk and Ortmann say New Zealand is more of a target for cyberattacks these days than we think.

Our relative isolation used to mean we were off the radar for many, but now it makes us a target. We’re a developed country with many systems open to the internet, but without enough experienced personnel here to advise companies on what they should do.

Bram van der Kolk is in favour of cybersecurity education being taught in schools as a basic life skill.

Which is Ortmann’s theory around how the NZX ended up being targeted in a cyberattack.

In a statement an NZX spokesman says Wellington-based cyber experts InPhySec concluded the attacks on the NZX went “well beyond anything previously seen that could have been reasonably forecast”.

Then it quotes InPhySec’s unreleased report which it claims says: “the volume, sophistication and persistence of the attacks were unprecedented in a New Zealand context, and are amongst the most severe we are aware of to have been experienced internationally”.

Ortmann says a lot of other stock markets in the developed world had taken precautions; the NZX was likely targeted because it hadn’t.

In other words, the attack was unprecedented because “script kiddies” knew if they’d tried it on the same scale elsewhere they wouldn’t have been successful.

Yet despite all of this, Ortmann doesn’t really see a role for the “nanny state” in preventing this, beyond perhaps educating school children on basic cybersecurity.

This last part is something van der Kolk is in favour of. Most of the cybersecurity breaches over here come about because people are committing basic mistakes like using the same password across multiple services.

“I’ve lost hope for the older generation, but that problem will solve itself. We need to solve this problem at the root,” van der Kolk says.

“I can even see with my own son how sloppy he is. I teach him myself, but why are we not having some economies of scale?”

Passwords are being hacked and distributed over the internet on a regular basis. So if you use the same password on more than one service, a breach of one opens you up to being hacked on the others.

Computer systems are now advanced enough for hackers to run these leaked password and username combinations across all services at scale until they get lucky.
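The pattern described in the two paragraphs above, leaked username and password pairs being tried against a service at scale until one works, leaves a recognisable trace in authentication logs. The Python below is an added defensive example, not code from the article, from Mega or from any of the organisations named: run over constructed log lines, it flags source addresses that try many different usernames in a short window with mostly failures, and lists the accounts where the attacker “got lucky” so they can be reset. The log format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not from any real system):
# "<ISO timestamp> <source IP> <username> <result>"
SAMPLE_LOG = """\
2021-04-26T09:00:01 203.0.113.7 alice FAIL
2021-04-26T09:00:02 203.0.113.7 bob FAIL
2021-04-26T09:00:02 203.0.113.7 carol FAIL
2021-04-26T09:00:03 203.0.113.7 dave FAIL
2021-04-26T09:00:03 203.0.113.7 erin OK
2021-04-26T09:00:04 203.0.113.7 frank FAIL
2021-04-26T09:00:05 203.0.113.7 grace FAIL
2021-04-26T09:00:10 198.51.100.2 alice FAIL
2021-04-26T09:00:40 198.51.100.2 alice FAIL
2021-04-26T09:01:05 198.51.100.2 alice OK
2021-04-26T09:30:00 192.0.2.9 bob OK
"""

def parse(log):
    """Yield (timestamp, ip, user, result) tuples from the constructed format."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs whose activity in any sliding window looks like credential
    stuffing: many *distinct* usernames tried, most of them failing; a single
    user retrying their own password (198.51.100.2 above) does not match.
    Returns {ip: {"users", "attempts", "failures", "hits"}}; "hits" are accounts
    that logged in successfully inside the flagged window (thresholds are assumed)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # shrink window
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = {
                    "users": len(users), "attempts": len(span), "failures": fails,
                    "hits": sorted(u for _, u, r in span if r == "OK"),
                }
    return flagged
```

On the sample, only 203.0.113.7 is flagged, and its one successful login (erin) is the account a defender would force to reset.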

Government solutions to the problem seem to be having varied levels of success. The Government Communications and Security Bureau says its CORTEX system, which protects critical infrastructure from cyberattack, prevented $100m worth of cyber-disruption since 2016.

A Government request for proposal (RFP) for a cyber credential scheme targeted at smaller businesses was awarded to EY and Capella Consulting in January 2018, but the most prominence it ever gained was after Capella complained the Government was doing little to promote its use.

A spokesperson for the Department of Prime Minister and Cabinet said “following the conclusion of government involvement in the [cyber credential] scheme, the primary channel for cyber security advice and support to small business is via CERT NZ”.

Ortmann suggests companies and individuals are capable of solving this problem without Government help.

Small to medium-sized enterprises could sort themselves out independently of the Government by banding together in groups of 10 or so and sharing resources.

Van der Kolk says it also might just be about everyone sticking to some basic principles.

“Just like you have a lock on your door, you wouldn’t share the key with other people, you would have different keys for different things.

“If you just apply some very basic principles it's not very hard to be more resilient.”