Dr Andrew Colarik, a senior lecturer with the Centre for Defence and Security Studies, says New Zealand has not invested sufficiently in infrastructure to make the country resilient against denial-of-service attacks or to keep data safe, and that a large DDoS attack could shut down communications to the whole country.
Addressing the Massey University Future NZ Forum on Cybersecurity, Colarik said: “Everything we do in this country is now so dependent on the free flow of information and the connections that we maintain. Any disruption to that will have huge, cascading effects… If targeted for competitive or political reasons, there are very few organisations that would be resilient to [a large DDoS] attack.”
The problem, he said, was that the infrastructure had been scaled for New Zealand’s population, but connected the country to the rest of the world.
He claimed that New Zealand’s economic livelihood faced real threats from competitors with the technology to compromise New Zealand businesses and the unscrupulousness to use it. “New competitors are emerging all the time – and some will have the know-how and motivation to extract information for competitive advantage,” he said.
“What happens when an organisation’s own information is used against it? Customer details, costing and pricing structures, and other intellectual properties are all there for the taking if not properly protected.”
As well as additional investment, Colarik said: “What we really need is a cultural shift to strike the right balance between user features and security, and data usage and privacy. You can’t have your cake and eat it too.
“This needs to be done at a whole-of-society level. We all need to take responsibility for the level to which we share our personal data, and we need more education and greater discussion about who owns and controls our information. A genuine public/private partnership is essential for ensuring everyone’s prosperity in our digital future.”
Colarik’s warnings come just weeks after a series of DDoS attacks mounted from compromised IoT devices — video surveillance cameras — dwarfed all previous DDoS attacks and temporarily took down some of the largest global players.
First came one on the web site of security blogger Brian Krebs. At over 660Gbps it was twice the size of the previous record. That was followed shortly afterwards by a 1Tbps attack on French data centre operator OVH, and then one on domain name service provider Dyn that briefly took the likes of Twitter and Facebook off the air in the US.