Guest Post: The Digital Frontier is in Danger: Why Labour is failing New Zealand on Cybersecurity

A guest post by Melissa Lee:

As I write this, we are entering the second week of the terrifying cyberattack involving ransomware on the Waikato District Health Board’s IT Infrastructure. To put this in perspective the deeply sensitive, private (let alone potentially humiliating) and personal medical records, data and patient files hacked in this malevolent assault on the people of New Zealand, on over 430 thousand New Zealanders, is at risk of being monetised, exploited and marketed on the dark net.

This Government has let this happen.

If you tuned into Parliament TV for the General Debate in the last month you may have noticed I’ve been talking extensively about my concerns for our digital borders and the impact that cyber-attacks, malware, scams and spam have had on our country already in the past year. We saw the confidence shock in our financial institutions with the incidents at the NZX and the Reserve Bank and we’ve had a near unprecedented incident of a Crown Entity, the Health Research Council of New Zealand, being unable to adhere to their democratically mandated duty to report to the House for their Annual Review scrutiny due to the loss of data that took place.

I’ve begged the Government to uplift cybersecurity spending to proportionately match Australia’s $1.6 billion investment into cyber resilience and give Parliament greater insight into the sector.

They haven’t listened.

In Budget 2021 cyber spending is scattered across portfolios. In particular, Vote Business, Science and Innovation, Vote Internal Affairs and Vote Prime Minister and Cabinet (Some may also sit within the Communications Security &  Intelligence (GCSB) Vote but we don’t get to know what publicly). When I looked at these votes and the funding being provided I saw no uplifts and, if anything, a significant decrease in support for Government Digital Services and cyber support. In particular the reduction from $55million to $44 million for Government Digital Services on the basis their ‘payroll’ systems were now sorted was ludicrous particularly when I saw Waikato DHB staff were having strife with their pay. There is no true ‘All of Government’ approach to cybersecurity and that needs to change.

The reason I am so concerned about our cyber education is simple; the Internet is our new border and we are at a growing risk of malicious damage to our nation through online actors then we are now through our airports, particularly during COVID times. Millions upon millions is lost out of our economy due to the damage that one email with a virus can contain and we must do more. The State has to take far more responsibility as our democracy, our health and ultimately, our lives are now at risk. It is not hyperbole to say that when clinics and hospitals across the Central North Island are facing one of the greatest crisis our nation has seen.

At the start of this Parliament I called for a Briefing on Cybersecurity to be instated before our Select Committees. It took several months but it finally began a few days ago, I’m hoping in light of the ongoing situation in the Waikato I will get this Briefing extended to more widely address the ramifications of this assault on the health of the Central North Island and I hope my Committee colleagues will support me on this.

Where is the Ministerial accountability? David Clark, the former Health Minister turned Minister for the Digital Economy and Communications, who was asleep at the wheel during COVID-19 is clearly also asleep at the wheel despite being the Minister in charge of cyber security policy. David Clark confirmed to me in Parliamentary Questions neither he nor his officials, which cover cyber security matters, have given any advice towards Cybersecurity or ICT Operations to the DHBs.  Here it is again unedited:

As Minister for the Digital Economy and Communications, neither I, nor my officials, have given any advice to District Health Boards regarding cyber security.

As Minister for the Digital Economy and Communications, neither I, nor my officials, have given any advice to District Health Boards regarding ICT operations.

What an outrage. Either something is fundamentally wrong in the answer given or his team hasn’t even sent some posters for the offices of our DHBs . I’ve been asking the questions, about 900 cybersecurity specific ones of the 3572 I’ve lodged as of Tuesday. Apparently I’m the most prolific MP so far of this Parliament and that’s not a good thing; it’s ridiculous I have to ask so many questions when this Government is failing to deliver and now our digital borders are being breached near constantly.

Ultimately, this situation goes beyond the Labour Government not doing their job. It is seeing individual New Zealanders being harmed at their most vulnerable being forced to travel the length of the country for medical treatment and with growing anxiety about what unknown hackers know about their personal lives.

My thoughts and the thoughts of the entire National Caucus are with affected families and members of the Waikato Community. We will hold the Government to account for this unacceptable situation.

Our digital frontier is in jeopardy. It’s not good enough. It’s just not good enough.

MELISSA LEE MP
National Member of Parliament
National Spokesperson for – Broadcasting & Media| Digital Economy and Communications | Ethnic Communities

DPF Comment:

I was listening to a podcast a couple of weeks ago about the hack of the US pipeline by a cyber hacking team. The former global head of security for Facebook was on it. He said that these gangs or teams are incredibly ruthless and what they do is encrypt both the current system and the backups.

I’ve heard that this may have happened with Waikato DHB – that the backups are also compromised, which is why after nine days the system is still down. Also the fact the gang has started releasing private patient info to media shows how complete their attack was.

I understand a DHB staffer opened an attachment which lead to the attack. I would have though most corporate IT systems, especially DHBs, should have cybersecurity software that prevents strange attachments from being opened. There are definite questions to be answered.

Comments (98)

Login to comment or vote

Add a Comment