What we know and don't know about the Budget 'hack'
Source: https://www.stuff.co.nz/news/113091085/-

2019-05-29 08:48:47

EXPLAINER: Just over 24 hours ago the National Party revealed it was in possession of a huge list of seemingly accurate Budget figures.

Since then the story has taken several wild twists and turns, with Treasury referring a matter to the police and National leader Simon Bridges alleging a massive smear on the behalf of Finance Minister Grant Robertson.

Here's an explanation of how we got here.

HOW IT ALL STARTED

On Tuesday morning, just as the prime minister was heading into caucus, National put out a press release claiming to be in possession of a large batch of budget figures.

To prove this they attached what they said were the figures for several different "votes" for the financial year 2019/20. This information was matched with the estimates for 2018/19 which are publicly available.

This was not the entire Budget or anything close to it. It was a very specific slice of information about existing initiatives presented in a single year - budgets generally cover the next four years of spending for brand new initiatives.

Nevertheless it was incredibly embarrassing for the Government. The release focused on gains for two NZ First ministers at the implied expense of other goals, with Bridges saying the Government were spending money on "tanks not teachers".

Bridges followed this with two further releases throughout the day that he said came into his possession following the original documents, which he said he had obtained on Monday. He refused to say how he had got the documents, or even describe them as a "leak".

HOW THE GOVERNMENT RESPONDED

Prime Minister Jacinda Ardern was immediately put on the spot with the numbers but was unable to respond in any real detail.

A few hours later Robertson told media that some of the information was correct and some of it was not. (Deputy Prime Minister Winston Peters was more than happy to say it was all incorrect).

He later told media that Treasury had told him the information had not been uploaded onto the website, but some placeholder content had been.

WHEN IT BECAME 'HACKING'

The really interesting response came not from a minister but from Treasury itself later in the evening.

At 8.02pm Treasury Secretary Gabriel Makhlouf put out a bombshell statement saying: "Following this morning's media reports of a potential leak of Budget information, the Treasury has gathered sufficient evidence to indicate that its systems have been deliberately and systematically hacked."

"The Treasury has referred the matter to the police on the advice of the National Cyber Security Centre."

Makhlouf did not directly say the National party had hacked its website or even that it was in receipt of stolen material - he just said that the evidence of the supposed hack came "following the morning's media reports of a potential leak of Budget information".

Robertson followed that statement immediately and drew a clearer link between the National party material and the alleged hack.

"We have contacted the National party tonight to request that they do not release any further material, given that the Treasury said they have sufficient evidence that indicates the material is a result of a systematic hack and is now subject to a police investigation," Robertson said.

On Tuesday morning Makhlouf made clear he had contacted the police before going to Robertson, at around 6pm.

In a series of interviews on Wednesday morning Makhlouf did little to clear much else up.

He told RNZ that Treasury "identified multiple and persistent attempts to gain unauthorised access to our systems, specifically budget-related information, and that's when I decided to refer this to the police."

Using a metaphor he seemed to say those attempts had been successful.

"Imagine you've got a room in which you have placed important documents that you feel are secure, are bolted down with a lock and key, but unknown to you one of those bolts has a weakness, and someone who attacks that bolt deliberately, persistently and repeatedly finds that it breaks and they can enter and access those papers. That's what's happened here."

"It wasn't an instance of someone stumbling into the room accidentally, it wasn't an instance of someone attacking the bolt and finding it broke immediately."

But Makhlouf was careful to say he had no evidence to link this hacking attempt to National itself, other than that the documents targeted appeared to be the same ones. He did also not clearly state that the attacks were successful or go into any detail about what exactly the "attacks" involved.

Robertson made clear on Tuesday that this correlation between the targeted area and the documents in the public domain was the "evidence" he was referring to linking the National documents and the alleged hack.

HOW DID BRIDGES RESPOND?

Bridges has hit back at the hacking line, saying Robertson was smearing the opposition and attempting to gag them.

In a press conference on Wednesday morning Bridges again declined to discuss how the information got into his hands.

But he said that the party had done absolutely nothing illegal or wrong.

"There has been no hacking under any definition of that word. There has been nothing illegal or even approaching that at any time from the National Party," Bridges said.

He also declined to make clear whether National accessed the information directly or had got it through a third party.

Bridges said Robertson was lying to smear him and should resign, implying heavily that Labour had engineered the police complaint. He was more sanguine about Treasury itself, saying it had made multiple false statements over the last 24 hours.

SO WAS IT A HACK OR A MISTAKE?

The word "hack" means many things to many people.

There has been sustained speculation on Tuesday night and Wednesday the information may have been accessed by guessing at the website addresses of documents updated early, using last year's Budget documents as a model.

Joerg Buss, technical director of Kiwi cybersecurity consultancy Darkscope, said he did not believe the Treasury had been "hacked" in the way people would normally think of the term.

"A more likely scenario is that someone used a spider or crawler program to find 'hidden' content in the Treasury website, which is not considered a cyber-attack, and may have found the Budget 2019 files which were not protected properly at that stage," he said.

What we do know is that a Treasury directory page at least temporarily held links to documents that match those released.

Google automatically "caches" millions of webpages - basically taking a snapshot of a website to store on their server so they can call it up quicker.

Through the cache you can get a look at what web pages looked like at different times. Thanks to the cache we can see that on Monday a Treasury directory page had links to pages labelled with every "vote" that National released figures for, save for the Serious Fraud Office. Clicking on those pages gives one a "403" error - often the result of a user not having authorisation.

So in other words we have evidence that the directory of pages that match the National release were easily publicly accessible - but not that the documents themselves were.

The form of the information released gives us some possible clues. National only released the figures for the next year, not the next four years as budget information is usually released. In last year's version of the Estimate Numbers the webpage itself gives figures in the form the National Party had, while the accompanying PDFs gave figures for the full four year period. This suggests that if National did access these figures in this way only the webpages were accessed, not the full PDFs.

In response to questions about this page, a spokeswoman for Treasury told Stuff "the documents weren't uploaded to a publicly available website and then removed", she said.

That "publicly available" may be very important. Makhlouf himself indicated on RNZ that there were some documents somewhere on the Treasury server that were not "ready for public release."

None of this explains whether or not a password was needed to access those documents behind the "bolt" illustrated in his room metaphor - or whether the bolt is just the fact that the website addresses shouldn't have been publicly available.

It certainly wouldn't be the first time that information meant to be "embargoed" and made public later on has accidentally made its way into the public domain. National's police spokesperson Chris Bishop found a report into Wally Haumaha's behaviour early after it was accidentally uploaded onto the IPCA website.

Treasury and the IPCA both have different websites built in different ways however.

WHERE TO NEXT?

Police have now indicated they are "assessing" the complaint but not said they will investigate it fully.

Treasury themselves are reviewing their own systems and will likely provide updates as that review continues.

Serious legal ramifications are unlikely - simply because politicians are almost never prosecuted by the police, who are naturally cautious about interfering in political matters.

But some argue that Bridges' commitment to no one having done anything illegal is problematic.

The section of the Crimes Act which deals with hacking is not particularly limited and does not require someone to spoof a password. It instead hinges on whether a person knowingly accesses a computer system without authorisation, knowingly that they are not authorised to access that system or being "reckless" with knowing whether or not they can access it.

And it isn't just that law. Victoria University lawyer Steven Price argued in a blog post that technically disclosing any confidential information to the public when you know it is intended to be confidential is a "breach of confidence" - not a crime but a breach of civil law. The usual defence against this when journalists use leaked material is that the disclosure is in the public interest, a bar Price does not believe National has met.

"The information was to be publicly released in two days. The National Party could freely criticise it then. How are the public really made better off by learning of these criticisms two days in advance? Is there really any benefit to a matter of legitimate public concern that overrides the obvious – and perhaps even constitutional – confidentiality that attaches to budget papers?" Price wrote.

"Nor can National argue that it needed to release the information to hold the government to account for its bungling in allowing the leak. It could have made that case without actually releasing the data."

Proving a case using either of these laws would require establishing a lot of intent, which would be incredibly difficult - especially if we are just talking about guessing at publicly available web address.

In the mean time, Bridges has said he is not likely to release any other information prior to the Budget, and that he will comply with the police.

National MPs from every section of the party told media they will be completely vindicated when more is known. It's not clear when exactly that will be.

Politically, tensions are extremely high. Bridges has called on Robertson to resign for smearing him with a knowing lie. That isn't likely and Robertson has been careful to link all his statements to the Treasury on Wednesday - giving himself a way out if needed. Ardern herself has distanced herself further, saying the whole situation was "ultimately a matter for Treasury".

"They hold the information - they know ultimately what has happened here, we don't, they've made a decision on advice to refer it on to the police - that is entirely a matter for them and it has nothing to do with us."

Back to the top ^

Related Articles (30)