Public Service Commissioner Peter Hughes

State Services Commissioner Peter Hughes yesterday confirmed that he was worried that the National Party breach of Treasury’s security was part of a wider attack on the Government IT network.

Hughes said that was why the Government’s Chief Digital Officer and the head of the Government Communications Bureau met with Hughes; the head of the Prime Minister’s Department, Brook Barrington; and the Secretary of Treasury, Gabriel Makhlouf, at 1.15 the day after National produced what it said was leaked material.

Speaking in Parliament, the Minister in Charge of the GCSB, Andrew Little, said that the GCSB had not been able to do a fulsome assessment of what had happened at Treasury, and that did not happen until the following day.

“I am aware that the GCSB did not provide personnel to assist Treasury to understand what had happened until the following day—that is, the Wednesday,” said Little.

The report from those personnel presumably provided the basis for what Hughes said was a written report provided by the GCSB Director, Andrew Hampton, to a further meeting of the group of officials at 4.30 p.m. on the Wednesday.

That finally was able to confirm that there was no threat to the security of New Zealand from whatever had happened at Treasury.

But it is now clear that that meeting begged two questions.

The first was why National continued to say nothing about how they had acquired their Budget leaks while the country’s public service was under a serious security alert.

And the second, which was pressed home by National’s Deputy Leader, Paula Bennett, at a meeting of the Government Administration Committee, was why it had taken 12 and a half hours after the GCSB worked out what had happened for that to be made public.

National have tried to deflect attention from their own role in this saga by attacking the public servants involved, particularly Hughes and Makhlouf.


It is an odd situation since both were appointed by the previous National Government.

But Makhlouf made himself an easy target yesterday simply by failing to turn up for the annual examination of the Budget at the Finance and Expenditure Committee.

It is usual for the Treasury Secretary to accompany the Finance Minister to this meeting, but Makhlouf’s name was never on the list of witnesses from Treasury to appear.

National’s Finance spokesperson, Amy Adams, complained about this.

“It is utterly unacceptable that the Secretary who is still on the payroll is not here for his role in the Budget that he was in charge of preparing,” she said.

“You yourself (to Finance Minister, Grant Robertson) have made reference to your confidence in his work preparing the Budget.

“He should be here sitting beside you answering questions.”

However, Adams’ first question was one that she and her fellow National MP colleagues knew as much about as anybody.

“Why was Budget information freely available through a search function on the Treasury website?” she asked.

National is maintaining that it did nothing wrong after it stumbled onto Budget 2019 documents by undertaking a search on a part of the Treasury website which had not been secured with a login and password lock.

But it may not be as easy as that to prove its innocence.

The Police cybercrime website differentiates between two types of cybercrime: computer intrusion and attacks on a computer system.

It says computer intrusion “commonly referred to as hacking is gaining unauthorised access directly or indirectly to a computer system” and can be achieved by “poor password management”.

It says this fits the definition of a cybercrime.

It is therefore easy to see how Makhlouf could conclude on the Tuesday night that Treasury had been hacked.

The use of the word “hack” became the subject of an intense series of questions from Bennett to Hughes.

Hughes said he only found out from Barrington, late on Tuesday night, that there was a difference between Makhlouf and Hampton over what wording to use.

“The National Party was not in the frame at that stage,” he said.

“I was told by Mr Makhlouf, and he sounded very confident, in his view was that the Treasury systems had been, he used the term hacked, systematically broken into, his term hacked.

“He said that there were, I think he said three IP addresses, one of which was linked to the Parliamentary Services and that he had referred the matter to Police, but he told his Minister, and he was putting a press statement out.”

This is the most explicit statement in the saga so far suggesting that it was Makhlouf who first used the word “hack”.

POLITIK understands from sources close to Makhlouf that he may have done so based on the advice on the Police Cyber Crime website.

However, GCSB Director, Andrew Hampton, contested the use of the word.

Hughes said that in the late-night phone calls he had, there was a difference about how what had happened had been characterised by the word hack.

“So it was a difference of view,” he said.

“I advised my Minister Chris Hipkins of it, and I left it there until the following morning when I contacted Mr Hampton to try and get to the bottom of the matter.”

However, what Hughes confirmed yesterday was that on Wednesday morning, there was a widespread concern that the whole of the public service IT systems could be in danger.

That was only resolved by the GCSB investigation of the Treasury system that day, which was ultimately reported at 4.30 p.m. to a meeting involving Hughes, Barrington, Hampton, Makhlouf and Paul James, the Government Chief Digital Officer.

So what has now been confirmed by multiple sources is that for most of Wednesday, May 20, the most senior managers of the Government’s security and digital services were unsure whether the state’s computer networks were subject to a hostile intrusion.

That they were not was only confirmed at that meeting on the Wednesday afternoon, some 30 hours after the first media advisory from National saying they could reveal details of the upcoming Budget.

But then, though the matter had been sorted out, it took another 12 and a half hours before the news was made public.

Hughes said Treasury made that decision after the 4.30 meeting.

“They went away to prepare a media statement to put in the public arena what we knew about what had happened,” he said.

“It took until 9.30 that night for that statement to be finalised.

“My statement was finalised before it.

“I made a judgment that my statement would go out on the back of that.

“A judgment was made in the Treasury that it would go out the following morning rather than the last thing at night.”

However, Hughes himself came under attack from Bennett because he spoke at Makhlouf’s farewell in Parliament last Thursday.

“I was one of two speakers asked to speak at his farewell event hosted by Minister Robertson,” he said.

“I chose to speak.”

Hughes said that he had scripted the speech and had it double checked within the State Services Commission, which was unusual for him.

“Look, this man has given eight years of loyal service.

“There are a variety of views as to the things he has prioritised and emphasised, but he has worked across administrations and delivered loyal service to the nation and Government, and I felt it would be churlish and dishonest to discount that in any way.”

Hughes said he expects the first report on the whole matter, from Deputy State Services Commissioner, John Ombler, to be ready before the end of this week.

That report is tasked with establishing the facts in relation to Makhlouf’s public statements about the causes of the unauthorised access; the advice he provided to his Minister at the time; his basis for making those statements and providing that advice; and the decision to refer the matter to the Police.

A more comprehensive report is to be conducted by former Deloitte CEO Murray Jack and is not expected to report for another three months.