A China-linked hack of US government cloud email accounts raise questions about the New Zealand government’s growing reliance on American data firms. This issue comes to light as it is revealed that hackers have gained access to email accounts at two dozen organisations, including at least two US government agencies.
As New Zealand is reliance on these systems, questions arose concerning the security and reliability of the system and whether the government and the private sector should continue to rely on a small but growing number of government tenders in this region, specifically request Microsoft or Amazon Web Services (AWS) systems, products, or services as precautions and steps against digital attacks, suggestions and changes in the guideline were made and adopted.
US system is compromised
Despite possessing sophisticated systems, officials in the United States and Microsoft have confirmed that hackers secretly accessed email accounts at two dozen organisations, including at least two US federal agencies compromising US cybersecurity at a high level. According to a designated individual briefed on the intrusion, the attack has revealed significant gaps in the cybersecurity defences implemented by Microsoft. Concerns have also been raised concerning the security of cloud servers.
Now an investigation is being held by the US Department of Homeland Security concerning Microsoft’s lax cybersecurity, and the investigation further stated that Microsoft deployed systems that “violated … basic cybersecurity principles”, and audits should have caught that.
New Zealand vulnerability
In connection with this problem, New Zealand digital systems are also possibly exposed to hackers due to Microsoft being the New Zealand Government’s two go-to cloud providers and the other was Amazon. Radio New Zealand (RNZ) approached Microsoft and the Government Communications Security Bureau (GCSB) on Tuesday if it was looking at the local implications.
Due to New Zealand’s reliance on American systems, Allyn Robins of the Brainbox Institute states that such a hack might have occurred in New Zealand, and it should be noted the US state department detected such a hack.
Robins emphasises the idea that although integration of cloud systems instead could function as a security from the cloud provider, this does not negate the user for independent use security measures. This is crucial in the anticipation of potential damage from such an attack. New Zealand’s Five Eyes Intelligence membership could also be an early warning to other member nations.
Nevertheless, New Zealand’s vulnerability is due to the migration of substantial data from 180 New Zealand public agencies to Microsoft’s Australian cloud servers since 2019. The government’s updated cloud-first policy further emphasises cloud adoption, especially with impending mega-data centres from Microsoft and Amazon in Auckland. Although, financial constraints have hindered the shift, with about two-thirds of public data still off the cloud, as per Official Information Act (OIA) documents.
Despite touted benefits of flexibility and security, preference for major US firms like Microsoft and Amazon has sparked concern, potentially disadvantaging local companies with solid security records. The recent US hack involving Microsoft’s Azure platform exposed security vulnerabilities, while China denies involvement and advocates evidence-based cybersecurity dialogue. The Chinese Embassy stresses China’s cybersecurity commitment and urges collaborative, evidence-driven approaches to global cybersecurity challenges.
Analyst warns cyber-security threat
Some cybersecurity analysts warned about the breadth of the threat and have urged organisations using Microsoft and Azure services should take steps to assess the potential impact, according to Wiz. According to Allyn Robins, companies like Microsoft have size and competence that governments cannot match. Yet, their size and the sensitivity of the data they hold are “very appealing” to hackers.
The Ministry of Business, Innovation and Employment (MBIE) recently made changes in anticipation of a hacking event. It updated its guidelines to warn that specifying a specific cloud supplier “limits the number of suppliers who can respond to the tender,” “excludes some suppliers from the market,” and “limits the ability to consider broader outcomes.”
Despite the risk, these changes have yet to be entirely accepted as issues concerning MBIE disregarding its regulations by expressing a preference for four tenders since 2019. RNZ further contacted other agencies, resulting in 11 of the 25 agencies that had yet to indicate any such desire since 2019, and four still needed to answer. Ten tenders were issued this year, five in 2022, and two each of the prior three years.
At the same time, the government is building its own $300 million data centre to store high-security information such as from spy agencies as an additional form of cyber-security.
In conclusion, despite implementing a sophisticated cybersecurity system, a China-linked hack occurred in the US digital systems, which was aimed against US government cloud email accounts.
This attack revealed that the New Zealand government’s digital systems are also vulnerable because they are based on US cloud servers. despite the vulnerability of the adopted system, the New Zealand government still has certain protocols and factors that allow the government to defend and detect attacks. Despite said protocols, still changes in regulations and guidelines are implemented in anticipation of a digital attack.
After four years in business school and working for multinational clients, Jomar believes he can improve the world through his writings via Public Spectrum, by informing the public on the latest news and updates happening around the government and society. Jomar has eight years experience as a writer and has a degree in Business Administration and Entrepreneurial Marketing.
