China is being accused of sponsoring a cyber attack into New Zealand Parliament systems in 2021. Photo / 123rf

'Very low': Former security minister on the risk of MPs' personal information being stolen in China-sponsored cyberattack

Author: Derek Cheng,
Publish Date: Tue, 26 Mar 2024, 3:14PM

The China-sponsored hack into New Zealand parliamentary systems is unlikely to have yielded any personal information of MPs or ministers, according to the Minister for the Government Communications Security Bureau (GCSB) at the time of the cyber attack.

Andrew Little was informed of the cyber attack in 2021, when he was the minister, but investigations were ongoing into who was behind it.

“The attack ended up being mainly on the Parliamentary Counsel Office (PCO) - they’ve got draft legislation and instructions, that sort of thing,” he told the Herald.

“But in terms of, personal information about MPs and ministers, that sort of stuff, I think the risk in relation to that was assessed as very low.”

He agreed with comments today by GCSB director-general Andrew Clark that nothing sensitive or strategic was accessed.

GCSB minister Judith Collins revealed the hack this morning in a statement that also condemned China for its “malicious cyber activity” aimed at the UK’s Electoral Commission and members of its Parliament.

It follows reports of United States, British and Australian officials filing charges, imposing sanctions or calling out Beijing over a sweeping cyber-espionage campaign that allegedly hit millions of people, including lawmakers, academics and journalists.

The Chinese ambassador to New Zealand, Wang Xiaolong, has also been spoken to late this morning by senior foreign affairs officials, who urged him to convey to China New Zealand’s request to refrain from such activity in the future.

He later said on X: “We reject outright the groundless and irresponsible accusations against China on cyber attacks or intrusions, and have lodged serious démarches to New Zealand’s relevant authorities, expressing strong dissatisfaction and resolute opposition.”

Little released a statement in 2021 condemning China for sponsoring malicious cyber activity in New Zealand and around the world, but with investigations still ongoing, it was not known at the time that the hack into parliamentary systems was China-backed.

The same Chinese state-sponsored actor - known as APT 40 (Advanced Persistent Threat) - that hacked into the PCO and Parliamentary Service had earlier in 2021 exploited Microsoft Exchange vulnerabilities in New Zealand.

The impact of the Microsoft Exchange activity was also assessed as low, Little said, even though the use of such software is widespread.

“Any harm was pretty minimal. But the fact it had been discovered, and that attempts to exploit it by state actors had also been discovered, it was a big deal because the potential for vulnerability was significant.”

Andrew Little was GCSB Minister at the time of the China-sponsored hack into New Zealand parliamentary systems. Photo / Marty Melville

He said there were close to 400 cybersecurity breaches every year, with close to a quarter of them backed by state actors.

“I think we responded well when it becomes known, but I think the point that Andrew Clark was making today is that’s not the best protection. The best protection of the preventive measures, and that’s for every organisation, public and private, to make sure vulnerabilities aren’t exploited,” Little said.

“That’s as simple as making sure passwords are strong and secure, that software protections are actually implemented, and that basic maintenance is done on systems.

“In my time [as minister], some of the breaches that were brought to my attention related to just poor IT hygiene.”

It wasn’t necessarily a failure that APT 40 had accessed the PCO system in the first place, he said.

“There’s a reason why they’re called Advanced Persistent Threat. They are constantly trawling around systems for vulnerabilities, and they won’t be going after them once or twice. It’ll be many times, all the time, trying to find vulnerability.”

Security expert Paul Buchanan, a former intelligence and defense policy analyst, told the Herald that it won’t be the last time China targets New Zealand parliamentary systems.

“That is what they do as a matter of course because New Zealand is often seen as the Achilles heel of the Five Eyes network due to traditionally poor cyber security practices.”

But Little dismissed this characterisation.

“In my time as minister, I met with the heads of most of the agencies who are counterparts of ours in the Five Eyes Partnership. The overwhelming message I got was a message of appreciation for the contribution that we make, and the standards that we operate to.”

Little said he didn’t think China would hit New Zealand with trade sanctions.

“In the end, China understands that our relationship with them is multidimensional. I think that the prospects of retaliatory action are very low.”

GCSB Minister Judith Collins condemned the state-sponsored hack into New Zealand parliamentary systems in 2021. Photo / Mark Mitchell

‘Ingenious, well-resourced and persistent’

Buchanan noted the response from other Five Eyes partners including the US, UK and Australia, which served as a warning that “the times of easy access to critical data infrastructure, even if indirectly and even in New Zealand, are over.

“That remains to be seen because, if nothing else, the PRC hacking community is ingenious, well-resourced and persistent.

“This is part of the PRC’s ascent to having a multi-dimensional, multi-domain (air, land, sea, space, cyber) warfare capability on its way to achieving superpower status. And as part of Five Eyes, NZ is standing in the (albeit small) way of that goal.”

Waikato University Law Professor Alex Gillespie said China had plausible deniability, given the cyberattack was done through an agent.

“To the minds of many, this is only a paper-wall and it would not be plausible to suggest they are separate,” Gilliespie said.

“The breach itself is significant. Targeting the institutions that allow our democracy to flourish is not the action of a friend. It is not surprising. These breaches are becoming more common. What is surprising is the timing of it being called out, in unison, with like-minded friends.”

He said New Zealand could explore imposing travel sanctions as a more severe message to China.

“The challenge is that the Government does not want to get into any type of penalty against the Chinese government or its citizens. That could provoke any number of responses, none of which would be positive, hence the approach of just ‘shining light’ on to the problem.”

This would be hoped to be a sufficient deterrent, he said, though whether that is the case is “a question of debate”.

Little, also a former Immigration Minister, added that imposing travel sanctions would be difficult because immigration laws mean that individuals have to be known, and the grounds for banning their travel have to be justified.

Derek Cheng is a senior journalist who started at the Herald in 2004. He has worked several stints in the press gallery team and is a former deputy political editor.