Treasury secretary Gabriel Makhlouf is facing renewed calls for his resignation following the leak of budget information after an investigation revealed that Treasury had inadvertently made the information accessible, disproving Makhlouf’s claims that Treasury had been victim of a sustained and targeted cyber attack.
Immediately after the National Party stole the government’s thunder by revealing the details of the budget, Makhlouf claimed Treasury had identified “multiple and persistent attempts to gain unauthorised access to our systems, and specifically budget related information.”
However, following a police investigation into the leak Treasury admitted that the information had been gathered using standard search procedures, because budget information had been stored on a clone of its main site that was not hidden from searches.
It said approximately 2,000 search terms had been placed into the search bar looking for specific information on the 2019 budget over a 48 hour period, and these had come from IP addresses owned by Parliamentary Service, 2degrees and Vocus.
In a statement Makhlouf said: “Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around budget confidentiality, and we will undertake a review to make them more robust."
However the revelations have led the New Zealand Taxpayers’ Union to call for his scalp. "Gabriel Makhlouf’s accusation of ‘hacking’ and his engagement of the Police during a case of simple Treasury incompetence is truly destructive. The incompetence alone warrants a resignation, but what looks like a cover-up is the greater sin,” the organisation said in a statement.
It also accused him of being “the most political secretary of the Treasury in living memory,” saying that, under his leadership, “Treasury’s reputation as a world-leading, objective economic advisory agency has been destroyed."
Makhlouf’s initial explanation had been questioned as soon as he made it. Bruce Armstrong, Wellington-based founder of cybersecurity company Darkscope described the 2000 attacks in 48 hours as simply “white noise”, and “clearly shows [Treasury’s] lack of cyber security awareness.”
“There are nearly one billion website breach attempts blocked every day across the world – it is far more common than most people expect. The 1000 attempts per day is simply ‘white noise’ on the Treasury site,” he said.
“Darkscope’s baseline scan of cyber-attack activity in the New Zealand government sector shows that government agencies are always ‘under attack’ by mainly foreign attackers. An attack rate of 1000 attempts in a day is at the very light end of the spectrum.”
And while it is possible that access to the budget info was discovered by serendipity, Darkscope’s technical director Joerg Buss suggested it might have been discovered by an exercise aimed to do so.
“A more likely scenario [than hacking] is that someone used a spider or crawler program to find ‘hidden’ content in the Treasury website (which is not considered a cyber-attack) and may have found the Budget 2019 files which were not protected properly at that stage,” he said.