Police have rebuffed the Treasury secretary’s complaint about purported hacking of Budget information. So what really happened, and has Simon Bridges been vindicated?
Metaphors abound when it comes to claims of hacking. Yesterday, following suspicions that the National Party had accessed parts of the Treasury website thought to be secure, the head of the most powerful government department considered his imagery options and chose a bolt.
Appearing across breakfast media, Gabriel Makhlouf announced there had been 2000 suspicious attempts to access the site, and it had been referred to Police. He explained the act this way:
Imagine you’ve got a room in which you’ve placed important documents that you feel are secure, that are bolted down under lock and key. But unknown to you one of those bolts has a weakness and someone who attacks that bolt, deliberately, persistently, repeatedly, and finds that it breaks and they can enter and access the papers. It wasn’t a case of someone stumbling into the room accidentally, it wasn’t an instance of someone attacking the bolt and finding it broke immediately.
Which does sound bad. But this morning came fresh news. The Police wouldn’t be taking the matter further, and the deliberate, persistent, repeated attacks on this purported bolt were – wait for it – putting some words into the Treasury site search form. There was no URL fiddling, let alone password guessing.
What happened was that someone – and it seems the searches were from a parliament computer, so it’s safe to assume they were from a National office – was able to generate snippets of preview text when they entered searches. They couldn’t access the documents themselves, but some Budget 2019 material had been left on a clone drive in preparation for today’s release, and the search engine served up those snippets of preview text. Sellotape all those snippets together, and you could get a pretty good idea, in a few areas, of the substance.
So much for the bolt-attack metaphor. A better metaphor: Treasury left the door very slightly ajar and chinks in the windows, and if you darted around looking from a bunch of different angles you could patch together a picture of parts of what was inside.
If National has by this definition hacked the Treasury website, then I have hacked, for example, the Australian newspaper or Google books. In both cases a paywalled, or unavailable, part of content can be generated via a search field, and if you’re desperate enough you can cobble together full passages by tweaking the precise words of the search.
Assuming that Simon Bridges confirms this version of events later this morning, does it completely vindicate him and National, who went hard on the counterattack yesterday, saying there was no definition of hacking, that Grant Robertson was a liar and they’d been grievously smeared?
Not completely – you could still mount an argument that they knew they were accessing information that was meant to be behind, ahem, a bolt. And there is no evidence that the finance minister was doing more than relaying information he’d been provided by Treasury. But the fact that Police have waved away any thought of charges so quickly is compelling.
It turns out there was a lot of hyperbole bandied around on Monday night and Tuesday morning, and the award for the Most Hyperbolic goes to the Treasury secretary, Gabriel Makhlouf. If he wasn’t about to finish up at Treasury anyway, he may have found it hard to stay bolted in.
The Treasury statement in full:
Following Tuesday’s referral, the Police have advised the Treasury that, on the available information, an unknown person or persons appear to have exploited a feature in the website search tool but that this does not appear to be unlawful. They are therefore not planning further action.
In the meantime, the Treasury and GCSB’s National Cyber Security Centre have been working on establishing the facts of this incident. While this work continues, the facts that have been established so far are:
– As part of its preparation for Budget 2019, the Treasury developed a clone of its website.
– Budget information was added to the clone website as and when each Budget document was finalised.
– On Budget Day, the Treasury intended to swap the clone website to the live website so that the Budget 2019 information was available online.
– The clone website was not publically accessible.
– As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase.
– The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.
– As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents.
– A large number (approx. 2,000) of search terms were placed into the search bar looking for specific information on the 2019 Budget.
– The searches used phrases from the 2018 Budget that were followed by the “Summary” of each Vote.
– This would return a few sentences – that included the headlines for each Vote paper – but the search would not return the whole document.
– At no point were any full 2019/20 documents accessible outside of the Treasury network.
The evidence shows deliberate, systematic and persistent searching of a website that was clearly not intended to be public. Evidence was found of searches that were clearly intended to produce results that would disclose embargoed Budget information. Three IP addresses were identified that performed (in the Treasury’s estimation) approximately 2,000 searches, over a period of 48 hours, which pieced together the small amount of content available via the search tool. The IP addresses involved belonged to the Parliamentary Service, 2degrees and Vocus.
The nature of these searches ultimately led to unauthorised access to small amounts of content from the 2019/20 Estimates documents, none of which were due to be available to Parliament and the public until Budget Day.
In light of this information, Secretary to the Treasury Gabriel Makhlouf said, “I want to thank the Police for their prompt consideration of this issue. In my view, there were deliberate, exhaustive and sustained attempts to gain unauthorised access to embargoed data. Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around Budget confidentiality, and we will undertake a review to make them more robust.”
The Treasury took immediate steps on Tuesday to increase the security of all Budget-related information. Mr Makhlouf has now asked the State Services Commissioner to conduct an inquiry in order to look at the facts and recommend steps to prevent such an incident being repeated.