By Logan Carmichael
On Tuesday and Wednesday of this week, the New Zealand Stock Exchange (NZX) halted trading as a result of Distributed Denial of Service (DDoS) cyberattacks. As most media outlets have explained, a DDoS attack takes place when a site is overwhelmed with (often artificially created) traffic, rendering the site inoperable. What this reportage has failed to explain, however, is why these DDoS attacks are so concerning, not only for the NZX, but also for the broader landscape of New Zealand’s cybersecurity.
The NZX confirmed on Tuesday that this cyberattack came from an overseas source. This should be cause for concern, given that a foreign entity is targeting NZ’s stock exchange. Foreign interference via cyberattack is not uncommon globally; in prominent examples, the Russian hacking group Fancy Bear has interfered in both Ukrainian and American elections, while in 2007, a DDoS attack shut down the government, banking, and news media sites of Estonia. However, this is a space in which New Zealand has not traditionally been targeted.
This is also not the first cyberattack that New Zealand has faced this year. In January, it was revealed that an unauthorised third party had gained access to the personal information of 26,000 customers of KiwiSaver provider Generate. In June, a cyberattack on Lion Breweries halted production of beers including Speight’s. These cyber incursions, coupled with the current attack on the NZX, should heighten concern that the wider financial services industry, and Kiwi businesses are presently vulnerable.
The government website, CERTNZ, meant to provide updates on cyberthreats to New Zealand businesses and individuals, has reported on none of these cyberattacks. In fact, the site has only provided two alerts in all of 2020.
The government’s 2019 cybersecurity strategy was ambiguous, with only two pages devoted to cybersecurity challenges and responses. It notes that “New Zealand must stand up for responsible state behaviour in cyberspace” and “must stay toward the front of the pack so that it does not become a target of choice.” Such statements are extremely vague and provide little clear direction on New Zealand’s cybersecurity strategy, both domestically and internationally.
New Zealand’s place as a geographically isolated island nation doesn’t matter much in the digital world. Boundaries become very blurred, very quickly, in cyberspace; this is an inherently global issue. However, as an ever-emerging field, international norms on cybersecurity are ambiguous. Cybersecurity scholar Ilina Georgieva points out that different countries have different ideas of how these norms should be applied. Major powers like Russia and China advocate for cybersecurity as a domestic concern that should be governed inside their own borders. Most Western democracies disagree.
It is crucial that New Zealand remains engaged in cybersecurity conversations at home, and internationally. Yet it has not signed onto the Budapest Convention, one of the pre-eminent international documents on cybercrime, despite it being recommended in a 2017 briefing for the incoming minister responsible for cybersecurity policy.
At both the domestic and international levels, New Zealand’s cybersecurity protocols are unclear and weak; they have failed to stop recent cyberattacks. In the bigger picture, these attacks on New Zealand businesses are not even close to the worst that cyberattacks can occur.
Cyberwarfare researcher Andy Greenberg says, “On the spectrum of cyberattack sophistication, distributed denial-of-service attacks were largely crude and blunt…They could cause costly downtime but not the serious data breaches inflicted by more penetrating hacking techniques.”
On the NZX cyberattacks specifically, Tom Pullar-Strecker echoes that this is “one of the oldest and crudest forms of cybercrime,” akin to “turning up to a bank with a baseball bat and a handwritten demand.” Given that DDoS attacks have been around for more than a decade, and are often relatively unsophisticated, there are services and software available for purchase to protect against them. A brief Google search uncovers a multitude of these. In other words, other forms of cyberattacks could do far more damage than notably rudimentary ones that we have been seeing in New Zealand.
Cyberattacks are taking place with increasing frequency, and with increasing capability to do widespread damage. As far as the DDoS attacks on the NZX, or Lion Breweries, or any other Kiwi business goes, it’s not even close to the worst-case scenario. It’s unlikely a matter of ‘if’ another cyberattack will happen, but ‘when.’ It only makes sense for New Zealand to be proactive and far more prepared than it currently is, both internationally and at home.
Logan Carmichael is a Profesional Teaching Assistant in the European Studies department at the University of Auckland. She is a graduate of the Masters of Conflict and Terrorism Studies programme, with a research focus on politics, military and cybersecurity in Estonia and the wider Eastern Europe.