NZX cyberattacks a wakeup call

Last week, the New Zealand stock exchange was hit by a wave of distributed denial-of-service (DDoS) cyberattacks.

Beginning on Tuesday, the NZX halted trading as the first of these attacks struck. Despite initial claims that the situation had been “mitigated”, it faced further cyberattacks on Wednesday, and remained down through Thursday and most of Friday.

DDoS attacks take place when a website is flooded with large amounts of traffic, overwhelming the site and preventing it from functioning as usual.

These cyberattacks on the NZX are believed to have come from an overseas source. American tech news site ZDNet claims it is also an extortion scheme emulating the Russian hacking group Fancy Bear, and demanding ransom payment in Bitcoin, although this remains unconfirmed.

Over the past week, the prominence of the NZX cyberattacks has brought conversations of cybersecurity to the forefront, with many rightfully concerned about the state of New Zealand’s cybersecurity. Cybersecurity is an emerging field, shrouded in uncertainty, but with potentially wide-reaching impacts.

New Zealand’s “geographic isolation is no defence from people with criminal, hostile or offensive intentions in cyberspace”, the Ministry of Foreign Affairs and Trade (MFAT) points out. The reality remains that New Zealand - its people and businesses - are susceptible to this ever-evolving global threat.

Just this year, New Zealand has seen cyberattacks on KiwiSaver provider Generate, resulting in the personal information of 26,000 customers being compromised, and Lion Breweries, where production of Speight’s beers was halted.

The very same domestic cybersecurity entities that will be responsible for investigating the NZX cyberattacks, have had lacklustre responses to these and other previous cybersecurity concerns.

CERT NZ, the government website that claims to “highlight current cyber security threats in New Zealand, and provide guidance on what to do if they affect you”, did not provide any updates on either the Generate or Lion Brewery cyberattacks, and have only logged two alerts on their website in 2020.

The Government Communications Security Bureau (GCSB) and its National Cyber Security Centre (NCSC) work to “supply advanced cyber threat detection” to the private sector through its CORTEX initiative. The GCSB’s website is unclear about the specifics of CORTEX, but says it is part of New Zealand’s cybersecurity strategy, hyperlinking to the outdated 2015 strategy, which was replaced in 2019.

Even the new 2019 cybersecurity strategy is ambiguous, lacking clear direction. It asserts that “New Zealand must stand up for responsible state behaviour in cyberspace” and “must stay toward the front of the pack so that it does not become a target of choice”. These vague statements provide no definitive details on how, or through what channels, New Zealand intends to broach cybersecurity concerns.

Last week’s cyberattacks represent an immense need to bolster domestic cybersecurity mechanisms, but it is also a prime opportunity to engage in global dialogues so that domestic cybersecurity mechanisms can be enhanced.

New Zealand is currently a participant in the United Nations’ open-ended working group (OEWG), aiming to create international norms for cybersecurity and responses to cyber incursions. However, the OEWG has been criticised as largely ineffective for being unable to reach any consensus or governing document on global cybersecurity.

Other compelling options exist outside of the UN, for example, the Cooperative Cyber Defence Centre of Excellence (CCDCoE), a NATO-accredited Estonia-based military think tank. It was established in 2008, in response to what was believed to be the first-ever cyberattack on a government in Estonia, notably a DDoS attack.

Since 2010, the CCDCoE has been host to Locked Shields, the world’s largest annual cyber defence simulation. In 2013, the CCDCoE and international group of cybersecurity experts authored the Tallinn Manual, which outlined how existing international law could be applied in cases of cyber incursions.

Canada has announced that it will be joining the CCDCoE; eight additional states, including Australia and Japan, are lined up to join. With the United States and United Kingdom already members, the other four members of the Five Eyes intelligence alliance are already participating or committed. It only makes sense for New Zealand to not be left behind, and benefit from the CCDCoE’s innovative cybersecurity research, simulations, and strategy.

Further global measures could include the signing of the Budapest Convention, one of the pre-eminent international documents on cybercrime, which is supported by almost every western democracy and all other members of the Five Eyes. In a 2017 briefing for the incoming minister responsible for cybersecurity policy, it was recommended that New Zealand become signatory, but this never occurred, even when the 2019 cybersecurity strategy was unveiled.

As signatory to the Budapest Convention, New Zealand would be part of global efforts to harmonise its national laws with international standards and improve investigative tactics into cyber incursions. Both would be highly beneficial and sorely needed.

These represent only a few examples in a massive toolkit of global options available to New Zealand. The NZX cyberattacks represent a wakeup call, but also a huge opportunity for New Zealand to be proactive, and take the necessary measures to ensure it is protected in the highly likely event of another, potentially worse, cyberattack.