New Zealand Government’s response to cyber security breach.

by The REJIGIT Blog

31 May 2021

On 25th May it was reported that the Waikato District Health Board (DHB) has been the victim of a cyber ransomware attack which has crippled the organisation. The New Zealand health minister commented it could take weeks to restore six hundred and eighty computer servers.

The hackers have stolen digital data relating to hospital staff names and numbers, financial records, hospital contracts, hospital complaints and sensitive patient information. Some of the data has been made available to media by the hackers.

New Zealand Privacy Commissioner, John Edwards said if any District Health Board was found not to have taken adequate security measures to protect its information systems, it could be liable to any staff member, contractor or patient who suffers harm as a result. He also said "If we find that any DHB does not have adequate security, we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions”.

It is reasonable to argue that the DHB has failed dismally to protect its computer systems but the Privacy Commissioner’s primary response was bizarre. All New Zealand Hospital Boards are essentially government entities and the Privacy Commissioner is a government statutory appointment. The Commissioner’s threat to prosecute the DHB is about as nonsensical as suggesting the DHB could potentially be prosecuted for failing to heal patients.

Andrew Little (Minister of Health & Minister for the Government Communications Security Bureau and the New Zealand Security Intelligence Service) said a meeting, involving the Officials' Committee for Domestic and External Security Co-ordination (ODESC), was scheduled for 26 May in Wellington. ODESC is the primary committee of New Zealand’s national security system and sits in the event of events which are deemed to pose a threat to New Zealand's security, sovereignty or economy.

Given that the Waikato District Health Board is currently effectively under direct Government control via Commissioner Dame Karen Poutasi, if the Privacy Commissioner's threats were to be implemented, it would be akin to the Government prosecuting its own employees.


A possible solution for the DHB

Darktrace Plc is a high-flying, Cambrige, England based cyber security specialist with a current Market Cap of £2.4 billion (NZ$4.7 billion).

It is an AI company which specialises in cyber defence. The company was established in 2013 by a grouping of specialist mathematicians from the University of Cambridge, artificial intelligence experts and cybersecurity specialists from the GCHQ and now has more than fourty four offices across Europe, North America, the Middle East, Asia and Latin America with 1528 employees. The company listed on the London Stock Exchange on 30 April this year.

One of the founders of the company is Poppy Gustafsson and she remains a co-CEO. In 2019 she was awarded an OBE for her contribution to cybersecurity. In the words of Gustafsson, the stereotypical hooded hacker in their bedroom certainly still exists but cybercrime has become a big business as virtually every organisation now runs on software and internet connectivity. More often than not organisations are up against full-blown professional cybercrime companies that employ everyone from customer service reps to graphic designers. And that means cyber-attacks are becoming more sophisticated, effective and greater in number and more increasingly, attacks move far too quickly for human teams to contain. That’s why we’ve seen adoption of AI defences soar over the years because attacks that move at computer speed necessitate a machine speed response, and this is rapidly becoming the de facto way to fend off hackers.

The company provides cybersecurity by way of AI autonomous response technology. The company describes its product as an enterprise immune system which can self-learn and self-heal and has an autonomous response capability to deal with cyber threats without instruction as they are detected

Darktrace products learn the rhythms of how companies usually operate via AI and utilise the data to detect anomalies which could indicate clients have been hacked, a scammer has targeted an employee or that someone is stealing information.

Darktrace clients number more than four thousand and extends to governments, corporations and banks etc including HSBC, England’s NHS, British Telecom, McLaren Racing, Coca-Cola...