It became clear yesterday that the Government feared for nearly 24 hours after it learned secret Budget documents had leaked to National that the country faced a serious breach of national security.
The Department of Prime Minister and Cabinet removed sensitive material from its website as a precaution and the heads of several Government departments spent most of an afternoon meeting in an atmosphere of crisis.
The Head of the Department of Prime Minister and Cabinet, which oversees security, Brooke Barrington, told a Parliamentary Select Committee yesterday that the crisis ended only on the day after he learned of the breach, some 30 hours after National revealed that it had the secret documents, when the Government Communications Security Bureau worked out how National had obtained them.
But serious questions remain.
As it turned out there had been no breach.
In fact, National had simply found a part of the Treasury website which had no security login and password lock on it.
Barrington said the first formal information he got about the whole saga was at 7.37 p.m. on the night of Tuesday, May 28, just over nine hours after National had produced its leaked documents.
He was phoned at home by the Treasury Secretary, Gabriel Makhlouf, who told him that the Treasury systems had been breached.
“Hacked was his word,” said Barrington.
Makhlouf said a Police complaint had been made and he was about to issue a press statement.
“That was the first I heard of any of the events that were unfolding on May 28,” said Barrington.
“I informed the Prime Minister immediately thereafter.
“And I said to the Prime Minister that my primary concern as it was for the rest of that night and for much of the following day was the security of the Government’s information systems.
“My question to myself, and I conveyed this to the Prime Minister, was how was it possible that the firewall and cyber protections had been breached.
“So I was taking a national security lens to what I had heard from the Secretary of the Treasury.”
After he had called Barrington, Makhlouf issued a press statement saying that Treasury had gathered sufficient evidence to indicate that its systems “have been deliberately and systematically hacked.”
Presuming that was what Makhlouf also said to Barrington, it is understandable that the Head of the DPMC would regard the Treasury hack as a potential threat to all the Government IT systems with the myriad of top-secret and sensitive information that they contain.
Not surprisingly, Makhlouf’s statement also attracted attention from the international media, and three members of New Zealand’s Five Eyes intelligence-sharing group contacted the GCSB for more information.
The GCSB Director, Andrew Hampton, said that the contacts were “three routine information requests and/or offers for assistance from Five Eyes partners in response to media coverage of the Treasury incident”.
While Barrington had been having difficulty getting hold of Hampton, a staff member from the office of the Minister in Charge of the GCSB, Andrew Little, spoke to someone at the GCSB at 8.43 p.m. and then Little himself spoke to someone at the Bureau at 9.52 p.m.
Those conversations led to what the Prime Minister, Jacinda Ardern, has said was GCSB disputing the language that had been used in Makhlouf’s press statement and a subsequent and similar statement from Robertson.
Barrington finally spoke to Hampton at 8.45 p.m. “or shortly thereafter” and asked him what had happened and why the firewall had been breached.
“He said that it was not a cyber intrusion matter, but he could not tell me what it was,” said Barrington.
National Deputy leader, Paula Bennett, asked Barrington why, if that was the case, he had not convened a meeting of the top-level Government security committee, the Officials’ Committee for Domestic and External Security Coordination (ODESC).
The Chief Executive of DPMC is always the Chair of ODESC.
It does not have a fixed membership but the CEO of the DPMC “will invite colleagues to attend an ODESC meeting as s/he deems necessary, having regard to the issues in play” according to the Government’s “National Security System Handbook”.
But Barrington said that he had learned over the years that ODESC was not something that was convened at the drop of a hat.
“You try and get information that you consider in a measured way and an hour afterwards, and I had determined that it was not a cyber intrusion episode.
“It was just not clear to me what it was.
“Nor indeed was it clear to Mr Hampton.”
No one knows what has happened
Bennett argued that National had been linked to the intrusion and that surely senior public servants would be concerned about that.
“The who was secondary to the how,” said Barrington.
“The first question we needed to determine was whether and how there had been a cyber intrusion.
“In a sense, it doesn’t matter whether that intrusion has taken place domestically or whether it was an act of foreign interference — the who of it might have taken a very long time to consider.
“My primary task is to determine whether the government systems had been breached by a cyber intrusion.”
Bennett claimed that there had been a disagreement between Treasury and the GCSB over what to call what had happened.
Treasury wanted it called “unauthorised access”, and she said the GCSB wanted it called an “information management issue.”
The Treasury suggestion is important because if it was an unauthorised access issue, then that would bring it much closer to the Cyber Crime definition in Section 252 of the Crimes Act which carries a term of imprisonment of up to two years.
Furthermore, the Police Cyber Crime website describes “unauthorised access” as “hacking”.
Bennett: “Did you advise the Prime Minister of the two views?”
Barrington: “I didn’t know of those two views.
“In a sense, as I’ve said, I had a conversation with the director about 8.45 or thereabouts.
“The director said it was not a cyber intrusion.
“It was not a hack.
“I conveyed that to the Prime Minister.
“But I was unable to tell the Prime Minister, because the director was unable to tell me, precisely what had happened.
“I had a further conversation with the director one hour later, at around a quarter to 10, where he was still not able to tell me definitively what had happened.”
Barrington fears the worst
Barrington was so concerned that Government secrets might still be vulnerable that the next morning (Wednesday) he ordered that any sensitive material be taken off the DPMC website.
That fear prevailed through Wednesday morning and at 1.30 p.m. Barrington convened a meeting with the State Services Commissioner, Peter Hughes; Makhlouf; Hampton; and the Chief Executive of the Department of Internal Affairs, Paul James.
“The primary question of that meeting was whether we needed to send further advice out to departments to ensure that they were acting appropriately because we simply did not know what had happened,” he said.
The meeting reconvened at 4.30 p.m.
“It was at that meeting that Mr Hampton said that he was able definitively to advise what had occurred the night before.” (In fact, the intrusion had been on the Sunday and Monday beforehand. It was reported to Barrington the night before.)
But Bennett asked why it had then taken 12 hours for the full story to be made public at 5.00 a.m. the next morning.
(Though of course, her own party, National, could have cleared everything up at any stage.)
Barrington replied that as a diplomat, he had been trained to be cautious and methodical.
“I am trained to wait for the evidence to present itself; to breathe deeply and to take the time to consider the facts that have been laid before me.
“And frankly that would that was my advice to the ninth floor which was everybody just needs to look at the evidence.
“Give the Treasury time to consider and reflect on its options and to breathe deeply.”
And so the crisis ended; some 72 hours (at least) after National staff found the unsecured part of the Treasury website and 20 hours after the two controversial press statements.
This whole incident begs any number of questions, and some are very serious.
Why did Makhlouf and Robertson not withdraw their “hack” statements after Hampton advised it was not?
National will have to answer why it allowed the country’s security agencies to fear for nearly 24 hours that the Government’s overall cybersecurity had been breached.
And the agencies, in turn, will surely have to answer why it took them so long to find out exactly what had happened.