Obligatory hacking stock photograph

Budget hacking scandal: About time Treasury told us what actually happened

A brief technical explanation about what the ‘hack’ amounted to would be a lot more useful than all the bluster and nebulous waffle we’ve heard so far, writes Danyl Mclauchlan.

Treasury’s budget documents are – potentially – very valuable information. They might affect currency valuations, or bond prices, or company share prices, or any number of financial market transactions. So if someone hacks Treasury’s IT systems and obtains unreleased budget data that’s huge deal, and if it was done with the knowledge or approval of opposition leader Simon Bridges, then that’s the end of his political career. He’s done.

This feels rather unlikely, though: Bridges is a former Crown prosecutor and he’s come out very strongly against the allegation that the information he obtained was hacked. Bridges knows how the information was obtained, he told media this morning, and he knows there wasn’t any hacking.

Which is hard to square against Treasury Secretary Gabriel Makhlouf’s announcement that Treasury has been hacked. He’s referred to “more than 2000 hack attempts” to access Treasury’s budget documents, and admitted that Treasury had “a weakness”. But it’s still very unclear exactly where those documents were, and how they were obtained, or even if any information was actually downloaded.

Treasury seem to have uploaded a number of documents relating to the 2019 budget to their public web server, where they’ve been indexed by Google, but the nature of what’s been uploaded and what was accessible to the public is also unclear. Makhlouf has said that some budget information was “online” but that it was in an area the public couldn’t access. And when Makhlouf talked to Radio New Zealand he said:

Imagine you’ve got a room in which you’ve placed important documents that you feel are secure, that are bolted down under lock and key. But unknown to you one of those bolts has a weakness and someone who attacks that bolt, deliberately, persistently, repeatedly, and finds that it breaks and they can enter and access the papers. It wasn’t a case of someone stumbling into the room accidentally, it wasn’t an instance of someone attacking the bolt and finding it broke immediately.

This is all incredibly vague and unhelpful. National Party pollster David Farrar has suggested that the Treasury documents were obtained by guessing URLs – that is, by iterating through file names and locations of the documents on the public web server, or the right sequence of commands to send to the database serving up the web pages, and although his language gives the impression of a highly sophisticated hack, nothing Makhlouf has said quite rules this out.

Your definition of whether this constitutes “hacking” probably depends on how much you like Simon Bridges and the National Party, and how good National’s lawyers are (if it ever comes to that). If that’s what happened then National will insist that nothing was hacked because Treasury published the information online; while Treasury and the government will insist National – or whoever – had to manipulate the server to access information that wasn’t supposed to be public, ie they hacked it.

But I want to suggest that if this is what’s happened then the real issue is with Treasury placing highly sensitive information in an accessible place, regardless of the legality of that access, and not figuring out it was being downloaded until they heard about it on the news. If that’s the scenario then we’ll be talking about the resignation of the Treasury Secretary, rather than National Party leader.

And there’s yet another scenario, suggested by Bridges in his stand-up this morning, that Treasury’s network comes under attack on a routine basis, that the 2000 attempted hacks over the weekend is just business as usual and has nothing to do with the documents leaked to the National Party, which were obtained by other means entirely.

The stakes here are very high. The police might be investigating the Leader of the Opposition! Who might be involved in a criminal conspiracy! Treasury might have committed a massive security breach! Or none of it might mean anything! The public deserves more than very, very vague metaphors about locked rooms and attacking bolts. Treasury has a Chief Information Officer, and a brief technical explanation from them about what’s actually happened here would be a lot more useful than all the bluster and nebulous waffle we’ve heard from Simon Bridges and Gabriel Makhlouf, respectively.


This content is funded entirely by Flick, the electricity retailer giving New Zealanders power over their power. With both spot price and fixed price plans available, you can be sure you’re getting true cost and real choice when you join Flick. Support us by making the switch today.

Related:


The Spinoff is made possible by the generous support of the following organisations.
Please help us by supporting them.