The State Services Commission is calling for further amendments to the Crimes Amendment Bill (number six) to make denial of services attacks (DOS) illegal.
DOS attacks are, “an increasing problem on the internet in New Zealand and overseas. There is a risk that New Zealand’s legislation will remain out of step with other countries ... if no attempt is made to make denial of service attacks a crime,” says the SSC’s report into so-called “cyber-threats”.
The report, which is dated December 2000 but was only released to the public last week, has prompted the State Services minister, Trevor Mallard, to order “a programme of work to improve protection for New Zealand’s critical infrastructure from cyber-crime and other IT-based threats” according to the minister’s office. That programme will include advising government on changes to the law and the possibility of the creation of a government unit to monitor IT security and risks and provide training and assistance on the issue.
The report looks at what the SSC considers to be critical infrastructure areas: finance and banking; transport; electric power; telecommunications; oil and gas; emergency and government services and water. While some are obviously less at risk from a hacker or some other form of cyber-threat, such as roads, oil and gas, there are clear areas of potential risk.
The problem the SSC faces is that most of New Zealand’s infrastructure is no longer in government’s hands and so it has problems gathering information for the report itself, let alone assessing risk or recommending a course of action. The electricity lines companies are singled out in this respect.
“The project team has been unable to gather any information about the protection of electricity lines companies’ infrastructure assets.”
The report does say there is “scope for industry co-operation” to ensure some degree of redundancy is achieved.
The banking sector is one are that does concern the SSC, in particular the decision to move processing offshore. Most New Zealand banks are owned by Australian banks and many are, according to the report, considering moving all retail processing to Australia. Alarmingly, the Reserve Bank is planning to move its “real time gross settlement system” to Australia as well as its “Austraclear computer systems”.
“There are two main risks in the movement of banking systems offshore. Firstly, adverse events in Australia ... would be outside any New Zealand control yet could have a highly adverse impact here,” says the report. The second problem it outlines is that of a telecommunications failure.
“Trans-Tasman telecommunication circuits or their local (Australian) links to the computer systems might fail, leaving New Zealand disconnected from its banking system.”
The report says while that might be fine for the Australian-owned retail banks, it “raises issues of sovereignty” if the Reserve Bank continues with this plan.
Telecom’s latest venture, the Southern Cross Cable, comes in for praise from the report — citing its built-in triple redundancy as a factor.
“As Southern Cross becomes fully commissioned through 2001 the risk of a major loss of offshore telecommunications will decrease significantly.”
Inter-island cables are less well thought of. The two Cook Strait cables are periodically damaged by fishing vessels and as they are reasonably close together and use the same landing facilities, their potential failure rate is much higher.
“Despite legislation to protect the cables, no one has ever been prosecuted for this damage.”
Inter-island telecommunication should be improved by the introduction of two separate high-capacity cables that should be commissioned this year.
Strangely, the report claims New Zealand’s internal telecommunications networks are diverse enough to offer “robust domestic voice and data networks” with a variety of carriers offering a number of services. Whether the SSC realises that most of New Zealand’s data and voice traffic is borne by Telecom’s network is another question.