Politics

GCSB practices 'could be improved', review of IPAC hacking response finds

13:42 pm on 15 July 2024

(file photo). Photo: RNZ / Samuel Rillstone

The Government Communications Security Bureau's cyber security centre should consider wider implications of cyber attacks, and whether to contact the people targeted, a review has found.

The review of National Cyber Security Centre's procedures was carried out by senior staff after current former MPs from the cross-party Inter-Parliamentary Alliance on China (IPAC) group said they should have been told of attacks targeting members of the group.

The NZ Herald reported the GCSB had found out about the attacks from the United States' Federal Bureau of Investigation in 2022, but had not told the people who were targeted.

They included former Labour MP Louisa Wall, former National MP Simon O'Connor, and academic Anne-Marie Brady.

IPAC chair Ingrid Leary (Labour) in May said it was "absolutely critical" that all MPs and public figures targeted by such attacks should in future be told.

Prof Brady said it was embarrassing for the government the attack had been known about for so long, without people being told.

GCSB deputy director-general Lisa Fong said the review went wider than that specific attack, and there was no indication the hack had been successful.

"The NCSC did not identify any information to indicate the activity resulted in a successful cyber security compromise but did identify a number of phishing emails sent to parliamentary email addresses," Fong said in a statement.

However, the review found the cyber security centre's processes could be better, including by considering the implications of such attacks and whether to contact the people targeted.

"The review recommended that the NCSC's response to incidents needs to ensure it considers the wider implications of cyber security incidents, and not focus solely on the technical response to such incidents.

"It also recommended that the NCSC consider engagement with individuals targeted by foreign state-sponsored actors, and that it reconfirms its approach to briefing incidents to the Minister Responsible for the GCSB and the Minister's office."

An unclassified version of the review report noted that information exchange and co-ordination with other agencies "typically occurs because of the initiative, experience and judgement of NCSC staff, rather than because they are required as a part of clear procedures or practice".

It also found the centre's focus - before it merged with New Zealand's Computer Emergency Response Team (CERT NZ) in August last year - was on the effects on nationally significant organisations' networks.

This meant "the consequences for any individual targeted have not been prominent considerations in the incident triage and response process" and the centre should ensure it considered the wider implications for affected individuals.

It recommended the centre should develop new guidance for staff to bring cyber attacks to the attention of other agencies, and consider "some form of engagement with individuals who may have been targeted by foreign state-sponsored malicious cyber actors".

"This does not mean the NCSC or another agency should directly engage with all affected individuals on every occasion ... the decision on whether or not to engage with an individual needs to be made on a case-by-case basis, weighing the reasons for engagement against the NCSC's capacity and capability to undertake direct individual engagement."

The review also noted there may be classified information or other practical constraints to sharing information.