By Paul Brislen*

Opinion - So Treasury has been hacked? What does that actually mean.

Photo: Pixabay

Typically, hacking (breaking into a computer network of some kind to access data) falls somewhere on a spectrum.

At one end we have "oops, I accidentally hit publish and now the Budget documents are live online please don't tell anyone" school of hacking. This really isn't hacking, it's just run of the mill bumbling and probably wouldn't have seen Treasury refer the matter to police.

It's still possible that is what happened, but given how Treasury secretary Gabriel Makhlouf phrased it on Morning Report today, we should assume it's more serious than that.

The next step up the ladder is probably someone guessing the right web address (known as a URL) for the Budget.

Photo: RNZ / Rebekah Parsons-King

Take last year's budget website's address: treasury.govt.nz/publications/glance/budget-glance-2018.

An obvious ploy would be to change the 2018 to 2019 to see what's there.

Currently it shows an error message but earlier, perhaps it could have shown all the documents that have been "hacked"? Treasury says not, that it simply puts up the headings for each section (health, education, police and so on) and the content of these sections remains unfilled until the day of the Budget itself.

So this probably isn't the source of the hack either.

Of course, the most common attack vector isn't by computer at all but via human error, by pretending to be someone you're not or by stealing someone's password (which is why you should never write your passwords down or reuse passwords across multiple sites) and the most common type of human attack is the "disgruntled former employee" attack where someone has had a guts full of the boss and decides to copy a stack of papers and take them as they leave.

I presume this would be serious enough to be referred to the police but the wording from Treasury would suggest it's not the case. There's no talk of a suspect and I strongly suspect Treasury's IT system doesn't allow random copying of files to memory sticks or printing without some kind of evidential chain being established, so let's rule that out.

Which brings us to the information we do have, and it's pretty scant I'm afraid.

Treasury's Makhlouf described the attack using an analogy. Since he's referred the matter to the police he has to be somewhat circumspect in how much information he gives away, so he told Morning Report's Susie Ferguson to imagine a locked room.

" room in which you have placed important documents that you feel are secure, they're bolted down under lock and key but unknown to you one of those bolts has a weakness, and someone who attacks that bolt deliberately, persistently, repeatedly, finds that it breaks and they can enter and access those papers.

"That's what's happened here."

That suggests more than an accidental publication and more than a disgruntled former employee. It suggest an active attempt to break into Treasury systems (it isn't clear from this whether he's referring to the website or more alarmingly to Treasury's IT system) that ultimately was successful. Someone was actively trying to break in to a system to secure Budget-related information.

He says the system was attacked more than 2000 times in 48 hours, which sounds exciting and could very well be, but IT systems are constantly attacked (probed, is the technical term) and 2000 in 48 hours breaks down to less than one per minute and in IT automation terms, that's a quiet stroll in the park. I can't imagine the team would call in the police over that amount of network probing.

Photo: RNZ / Dom Thomas

But what about old-fashioned actual hacking - someone sitting at a computer trying to break in by guessing passwords or the like? That could very well be what's going on here and takes us to the extreme other end of the spectrum: full-blown, Mission Impossible-style hacking.

State-level actors have been accused of trying to interfere with US elections, with the UK referendum on Brexit and plenty more besides. It would be foolish to think New Zealand is immune to such attacks, especially as the Government Communications Security Bureau (GCSB) has said it does happen here.

Is this the first public evidence of that level of attack? Who knows, at this point. The police, along with the GCSB will be investigating and nobody is saying quite what the state of play is yet.

Sadly that leaves a vacuum until we do get a briefing from those who are investigating and that means you're stuck with politicians and talking heads speculating on what might have happened.

Sorry about that.

* Paul Brislen is a technology commentator.