GCSB admits need for improvement over foreign hacking threats against MPs

Author: Thomas Coughlan
Publish Date: Mon, 15 Jul 2024, 2:30pm
Former MP Simon O'Connor was among those hacked. Photo / Mark Mitchell

A report into the way the GCSB handled a cyber attack on New Zealand MPs and a prominent academic has found that processes could be improved and that, in some circumstances, it should contact people affected by cyber attacks.

The review began earlier this year when the spy agency confirmed it had been aware of a 2021 China-backed cyber attack on two MPs who were part of the Inter-Parliamentary Alliance on China (IPAC), Simon O’Connor and Louisa Wall, as well as Canterbury University professor Anne-Marie Brady.

The victims of the attack were frustrated that the GCSB and its cyber-security arm, the National Cyber Security Centre (NCSC), had not informed them that they had been targeted by APT 31, a state-backed Chinese hacking group.

The internal review, published today, recommended that “where appropriate, the NCSC should consider some form of engagement with individuals” when it discovered they had been targeted by “state-sponsored actors”.

Currently, the NCSC does not have procedures for how to respond to reports indicating foreign actors might be targeting New Zealanders. The report also recommended that the NCSC not only focus on the “technical” response to cyber-security incidents, but broaden focus to their “wider implications”.

The review also said the agencies should do better at identifying incidents on which the minister should be briefed. Currently, only the “no surprises” rule applies, meaning a large volume of important incidents might pass the minister by. The report included the caveat that it would not be “possible to prescribe all of the circumstances in which it may be appropriate for the NCSC to brief the minister”.

Brady said the NCSC “need to have a better understanding of foreign interference”.

“China is both the main source of cyber attacks on New Zealand, and the main source of foreign interference and espionage in New Zealand. New Zealand’s national cyber agency needs to understand China’s foreign interference activities in order to better mitigate against the ongoing cyber attacks,” Brady said.

O’Connor told the Herald that while he was pleased the agencies had finally “taken the matter seriously”, he was still “disappointed as to how this was handled”.

He said the recommendations were “good and appropriate” but that he hoped that the changes will see “a better and more robust response in the future”.

Lisa Fong, the GCSB’s deputy director-general cyber security, said the report “did not identify any information to indicate the activity resulted in a successful cyber-security compromise but did identify a number of phishing emails sent to parliamentary email addresses”.

Brady said that the report was effectively looking in the wrong direction by focusing on emails.

“The FBI reports say the hack attempt was a progressive hack aimed at getting IP addresses. The NCSC report wrongly focuses on whether emails were compromised,” she said.

The review said the NCSC is aware of a “large volume” of potential malicious cyber activity. The agency conducts “preliminary analysis” of these threats and if the threat is determined to reach a certain threshold, a “formal incident” is created and the threat investigated. Each “incident” is given a rating from C1, “National Cyber Emergency”, to C6, “Minor Incident”.

Last year, the NCSC recorded 316 incidents. The report found that most incidents are not escalated to this threshold and would best be categorised as random, phishing-style exercises.

Canterbury University professor Anne-Marie Brady was a target of the attack. Photo / Michael Craig

“A significant amount of malicious cyber activity affecting New Zealand is not targeted, and is instead part of opportunistic exploitation of vulnerable systems and often global in nature,” the report said.

“This includes most email-based phishing campaigns. The NCSC’s staff prioritise escalation of activity judged most likely to cause significant harm to New Zealand’s nationally significant organisations or cause a high national harm.”

The report gave a timeline of when it became aware of hacking.

In June 2021, the Parliamentary Service advised the NCSC that an MP who was a member of IPAC had raised concerns about possible malicious cyber activity against IPAC members. The NCSC opened an “incident” in relation to that complaint and coded it C5 or a “routine incident”, as it “related to scanning, reconnaissance or a potential threat”.

The NCSC engaged with the New Zealand Security Intelligence Service (NZSIS), who provided the NCSC with “classified intelligence” from another international partner agency, which was not named in the report but is often assumed to be the United States.

The “incident” was closed in mid-July 2021 after the NCSC advised Parliamentary Service that it did not have any material information to update and the Parliamentary Service confirmed it was not expecting any further assistance from the NCSC.

In April 2022, the NZSIS provided the NCSC with a classified intelligence report from an international partner agency related to possible malicious cyber activity against IPAC members. It did not explicitly reference any targeting of New Zealand individuals and the NCSC did not open an incident on it.

In June 2022, an unnamed international partner agency informed police and the NZSIS about possible foreign state cyber activity that may have affected New Zealand members of IPAC. The NZSIS passed that information to the NCSC to lead the incident response. This time, the NCSC did open an “incident”, tagging it C5 or a “routine incident”.

As a result of this investigation, the NCSC “considered taking actions in relation to... [one individual] who may have been affected by the reported cyber activity”, likely O’Connor or Wall, but the NCSC assumed they were likely aware of the risk of targeting by foreign state-sponsored actors and would already be taking appropriate security measures.

This particularly irked O’Connor.

“For any agency to just ‘assume’ that we would be prepared seems quite lax, no matter how well prepared we are by our own resources. I note that Parliamentary Services systems failed to prevent this phishing attempt in the first instance and they also failed to identify the issue, even when told,” he said.

That incident was closed in August 2022, the international partner agency “corrected” the information it had provided the NZSIS, but the NCSC did not reopen the incident.

The report mentions the engagement the NCSC had with Parliament, but it does not mention any engagement with Brady’s employer, the University of Canterbury.

Brady told the Herald the University of Canterbury is a “customer” of the NCSC along with other “research institutions”, which meant it should have been informed of the attack.

“They informed the Parliamentary Service, but they did not inform the University of Canterbury of the cyber attack, even though they are required to,” she said.

In May 2024, following news of the attack breaking publicly, the NCSC finally engaged with people caught up in the attack.

O’Connor remained unhappy with what the NCSC had uncovered during the review.

“Good intelligence should always rely on context as well as technical data. It remains concerning to me that no one thought beyond the technical details,” he said.

“At day’s end, this was not a random cyber activity. A foreign state actor [China] specifically targeted three New Zealanders in public roles and who have been outspoken in their criticism of the CCP [Chinese Communist Party]. I remain unimpressed that this was not apparently considered at the time,” he said.

O’Connor said Chinese proxies “sought to surgically target outspoken individuals who hold significant information and contacts relating to CCP activities both in New Zealand and abroad”. He was particularly critical of the finding that NCSC staff assumed that he and the other targets were taking precautions with cyber security, and did not think to contact them personally.

“All of this highlights the need for greater vigilance and a more proactive approach to those targeted. Had any of these agencies engaged with IPAC members, we would have been able to source the emails in question and eliminate the threat,” he said.

Thomas Coughlan is Deputy Political Editor and covers politics from Parliament. He has worked for the Herald since 2021 and has worked in the press gallery since 2018.
