Media hacks criticised for obsession with Treasury non-hack story

Is there no other political stuff worth reporting on? Or is the prospect of a high-level resignation or sacking too attractive to let go of?

This all happened a week and a half ago, but the story is still prominent. However, criticism of the obsession with the story is starting to emerge: “It’s ridiculous that pundits are calling for heads to roll. At the end of the day, it wasn’t a big deal.”

These sorts of stories continue:

Derek Cheng (NZH) – Jacinda Ardern: Finance Minister’s job is safe

Prime Minister Jacinda Ardern is not saying when she found out about an urgent attempt from the Government Communications Security Bureau to stop Treasury boss Gabriel Makhlouf from saying his department had been hacked.

But Ardern said this morning that Finance Minister Grant Robertson’s job was safe.

The National Party is calling for senior ministers to come clean over when they knew about the GCSB’s concerns, and why Makhlouf’s “hacking” description – and Robertson’s subsequent “hacking” description – wasn’t corrected earlier, or stopped in the first place.

Derek Cheng (NZH) – Budget Bungle: the Govt was told there was no hacking but kept tight-lipped

The Government did not correct or clarify the description that the Treasury’s computer system had been “hacked” for an entire day despite being told by its cybersecurity experts that no hacking had taken place.

On the same day – Wednesday last week, the day before Budget day – the National Party also refused to reveal how it had obtained confidential Budget information, instead accusing the Treasury and Finance Minister Grant Robertson of unfairly smearing National.

Robertson said yesterday that the Government was being tight-lipped because the Treasury had called in the police, but he was also unlikely to want any further distractions on the eve of the Government’s much-hyped Wellbeing Budget.

Instead Prime Minister Jacinda Ardern and Robertson spent that Wednesday answering questions about hacking from National MPs in the House, while changing the language to say that the Treasury had been “attacked”.

National is demanding answers after the Herald revealed that Andrew Hampton, head of the Government Communications Security Bureau, made an urgent call to GCSB Minister Andrew Little in an attempt to stop Treasury Secretary Gabriel Makhlouf from publicly saying that his department had been hacked.

National deputy leader Paula Bennett said it was inconceivable that Little didn’t pass that information on to Robertson and Ardern straight away, and they should have immediately revealed the advice that there had been no hacking.

“If Mr Robertson received the information from Andrew Little after he released his statement, he should have immediately corrected it,” Bennett said.

Zane Small (Newshub) – Budget 2019 scandal: Beehive allegedly warned Treasury wasn’t hacked

But others are seeing things differently.

Alexander Stronach (The Spinoff) – Where you’re getting the Treasury budget data breach story all wrong

The Treasury data breach has been a shitshow. I don’t think I’ve ever seen a bigger disconnect between the experts and the pundits, and I don’t say that lightly. I’m not a security guy, for what it’s worth: I’m a writer at a tech firm, but I’m fascinated by security and over the last few days I’ve been talking to people who actually know their stuff. Almost unanimously they’re calling this a breach. Almost unanimously, the pundits are off shouting that it’s “not a hack!”.

Right from the start, I’m setting a rule: we’re not going to talk about “hacking”. It means totally different things to the IT sector (anything from coding at all to randomly kludged spaghetti code that really shouldn’t work) and the public (a man in a trenchcoat saying “I’m in!”), and most InfoSec types shy away from it anyway. I’m not going to bore you with the whole hacking vs cracking debate, but we’re going to call this thing what it is: a data breach.

I’m not gonna lie, it’s bad. Somebody dropped the ball, and somebody else put a knife into it.

Still, I don’t believe Simon Bridges has committed a crime, nor has he committed breach of confidence. He has violated his CERT obligations, which at worst means he’ll get a strongly-worded nonbinding letter from MBIE telling him not to do it again. He did a bad thing, but not all bad things result in him being removed from parliament in a paddy wagon. To quote one of my anonymous sources: “he’s an asshole, not a criminal.”

It’s ridiculous that pundits are calling for heads to roll. At the end of the day, it wasn’t a big deal. Grant Robertson shrugged and moved on. The Treasury were right: what harm could somebody actually do by using that exploit? Release a half-complete version of the document a day early?

By the by, it’s not dodgy or extreme that anybody called it a ‘hack’. If there’s a problem with the word, it’s not that it doesn’t mean this, it’s that it does mean this because it’s a vague word that means wildly different things to different people.

What’s really happening is that the pundits smell blood in the water, and they don’t care what actually happened—they just want an excuse to sink their teeth in.

Same old #NZPol, I guess.

Richard Griffin (Stuff) – Blown Budget secrets shine light on overblown reactions

It is not difficult to understand the ministerial angst and aggravation generated by the political theatre that disrupted last week’s Budget announcement.

Understandably, the authors and interpreters of the ‘Budget Secret’ production still revel in the drama despite the overall predictability of the political imperatives.

A nightmare for the Treasury benches is an invasion of the stage by the clowns from the back row of the auditorium waving the script and stealing the lines, leaving the man in the top hat puce with anger. But, so it was for Grant Robertson.

Enter, stage-right, an over-excited Simon Bridges supported by loyal side-kick Paula Bennett. They proceeded to blow whistles, point fingers and range through a range of emotions from triumphant to outraged and back again.

From a distance it did all seem a tad over the top but maybe you had to be there.

The usually pragmatic Robertson rose to the bait. He over-reacted while bit players ran in circles claiming the sky was falling.

It may be a naive suggestion but surely a flexible, relatively young nation can do better than blindly follow the tenets of political behaviour originally constructed by a different Parliament on the other side of the world by politicians representing a very different constituency in very different circumstances.

Does the Opposition always have to find everything the Government puts in place the work of the Devil, and does the Government leadership always have to dismiss everything the Opposition does as trivial and without consequence?

And am I really asking myself this question?

He shouldn’t have to ask it. The Government and the Opposition should be asking themselves whether they are acting like representatives and leaders.

Zuckerberg apologises ahead of hearings, NZ data breaches

Mark Zuckerberg has apologised ahead of hearings in Congress over Facebook data breaches and possible effects on the 2016 US election. In the meantime it has been revealed that about 64,000 New Zealanders may have been involved in the data breaches.

More talk from Zuckerberg over ongoing Facebook data revelations, but Congress will be looking for more than apologies in two days of hearings.

Reuters: CEO Zuckerberg says Facebook could have done more to prevent misuse

Facebook Inc Chief Executive Mark Zuckerberg told Congress on Monday that the social media network should have done more to prevent itself and its members’ data being misused and offered a broad apology to lawmakers.

“We didn’t take a broad enough view of our responsibility, and that was a big mistake,” he said in remarks released by the U.S. House Energy and Commerce Committee on Monday. “It was my mistake, and I’m sorry. I started Facebook, I run it, and I’m responsible for what happens here.”

“It’s clear now that we didn’t do enough to prevent these tools from being used for harm. That goes for fake news, foreign interference in elections, and hate speech, as well as developers and data privacy.”

His conciliatory tone precedes two days of Congressional hearings where Zuckerberg is set to answer questions about Facebook user data being improperly appropriated by a political consultancy and the role the network played in the U.S. 2016 election.

Top of the agenda in the forthcoming hearings will be Facebook’s admission that the personal information of up to 87 million users, mostly in the United States, may have been improperly shared with political consultancy Cambridge Analytica.

But lawmakers are also expected to press him on a range of issues, including the 2016 election.

Meanwhile:

Facebook, which has 2.1 billion monthly active users worldwide, said on Sunday it plans to begin on Monday telling users whose data may have been shared with Cambridge Analytica.

This potentially includes thousands of New Zealanders. RNZ:

Facebook today revealed it estimated nearly 64,000 New Zealanders were estimated to have had their data collected and used by Cambridge Analytica. The company is accused of using private data to personally target voters to manipulate elections.

A spokesperson for the social media giant said 87 million people were estimated to have been affected by the “Cambridge Analytica data misuse” worldwide, with more than 80 percent of those based in the US.

The data was apparently obtained via the “thisismydigitallife” personality test on Facebook and pulled in information about users’ friends liked without their explicit permission.

“For New Zealand, we estimate a total of 63,724 people may have been impacted – 10 are estimated to have downloaded the quiz app with 63,714 friends possibly impacted,” the company said.

The spokesperson said that from Tuesday the company would begin showing users which apps they connected to at the top of their Facebook feed, and an easy way to delete them.

“As part of this, we will let people know if their data might have been accessed by Cambridge Analytica,” the spokesperson said.

“We’re dramatically reducing the information people can share with apps. We’re shutting down other ways data was being shared through Groups, Events, Pages and Search.”

NetSafe chief executive Martin Cocker…

…said he did not think Facebook users needed to shut down their accounts following the revelation.

Mr Cocker said the breach was a reminder for Facebook users to take their privacy settings seriously, but not necessarily to quit the social media platform.

“Facebook has responded to this breach by setting up a series of tools and improving their management of apps and if anything the breach has led to a safer Facebook in the future.”

There is nothing obviously different on my Facebook this morning.

MSD deputy cops one for the team for data bungle

Murray Edridge, a deputy chief executive in the Ministry of Social Development, has resigned over an embarrassing data bungle, but the Public Service Association (PSA) says that responsibility went wider than that.

Stuff: MSD deputy quits after botch-up with client data security, despite having ‘no direct involvement’

A senior civil servant has quit after a privacy botch-up at the Ministry of Social Development – but a union says others are also responsible for the bungle.

Murray Edridge, a deputy chief executive at the ministry, will step aside, even though his boss, Brendan Boyle, said Edridge had “no direct involvement” in the client data controversy.

But responsibility went “wider than Mr Edridge and his colleagues”, PSA national secretary Glenn Barclay said.

The Public Service Association (PSA) said Edridge had taken the blame for security and privacy issues arising from client data collection.

Is one person falling on their sword sufficient?

The ministry’s poor handling of issues around the handling of sensitive and personal data in late March and early April triggered an independent inquiry.

Data sharing is a contentious issue and this was an embarrassing stuff up.

Former Deloitte consultant Murray Jack, who led the investigation, made it clear the ministry was asked to implement policy in an unworkable timeframe, and the security issues were a direct consequence of that, Barclay said.

“At a time of major organisational change, putting pressure on agencies to implement complex IT projects is unfair and unwise.

“We are very concerned about the pressure the Government can bring to bear on ministries when their pet policies are at stake.”

Political pressures in election year? Not a good reason to rush things.

Social Development Minister Anne Tolley announced details of the independent review into MSD’s individual client level data system last month.

Client level data included beneficiaries’ demographic information and vital statistics, such as client addresses, details of their dependants and details of MSD programmes clients were enrolled in.

No privacy breach occurred in the IT botch-up, but the review found the IT system gave organisations access to other groups’ folders, with the potential to reveal vulnerable clients’ personal data.

The botch-up infuriated Tolley, being revealed as she promoted policies forcing non-governmental organisations (NGOs) to hand over personalised client data if they wanted Government funding.

Was she poorly advised about reasonable timeframes, or did she push things too hard?

On Tuesday, Boyle said the investigation confirmed the ability of other organisations to see one uploaded folder stemmed from human error, relating to the incorrect granting of access permissions.

Human error is easy with things like that, especially if under time pressure and with inadequate systems and tests to check crucial things like data security.

“While we are satisfied that no breach of privacy occurred, it is concerning that there was the potential for this to occur.”

Very concerning.