SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
The rise of cybercrime and NZ's fragmented response
Tue, 15th Jun 2021

Cybercrime is on the rise but New Zealand's response to it is fragmented and victims rarely get justice. In the wake of the Waikato District Health Board ransomware attack, Anusha Bradley asks how we can better help and protect cybercrime victims.

Paul Hay realised his social media accounts had been hacked when his friends started shunning him.

"There were these really disturbing sexual messages," he says.

The hacker had sent one to Hay's heavily pregnant friend, and Hay later discovered messages had gone to nearly all of his female friends.

But worse, his mates didn't believe his explanation. "They couldn't understand that people could steal your identity or that I couldn't take control of my Facebook," Hay says.

But that's exactly what had happened to the Hawke's Bay farmer in 2014. He suspected a person he knew was behind it, but couldn't prove it was them, even as the messages turned increasingly nasty.

"It got to the point where the police turned up at my house with folders thick of evidence against me."

Hay was never charged, but the damage was done. "It was horrific. Pretty much all my friends I've known for 10 years just didn't want to talk to me anymore. I was literally really cut off from everyone. I fell into a huge depressive cycle of just essentially being alone and sad."

Adding to his misery, it was two-and-a-half years before Facebook believed he was the real Paul Hay and finally deleted his hacked profile page.

That wasn't enough for Hay. He wanted to prove to police and his friends that he was a victim. So he came up with a plan and went to great lengths to transform himself from the hunted to the hunter.

Online impersonation and identity theft are among the many types of cybercrime that are on the rise. But despite its rapid growth, our response to cybercrime is fragmented - and, some say, underfunded. Thirteen government agencies and four ministers - if you include police - oversee different aspects of cybercrime reporting, fighting and security. There are also several non-governmental organisations providing education, advice and reporting services for cybercrimes and incidents. This fragmentation often leaves victims struggling to know where to turn.

With such a plethora of agencies involved, it is difficult to even establish the extent of cybercrime. Just how bad the problem is depends on who you ask. The Computer Emergency Response Team (CERT NZ), which is the central government agency to which all cybercrimes and incidents should be reported, recorded a 25 percent rise in incidents in the past 12 months. During 2020, when COVID-19 prompted people to work from home away from their higher workplace security, instances of malware - which includes ransomware attacks like the one Waikato DHB recently experienced - rose 2008 percent. Overall, there has been a seven-fold increase in the number of cyber security incidents reported by businesses and individuals in the last three years, costing victims a whopping $53 million.

But other organisations give different statistics. The charity Netsafe received 6063 incident reports between October and December 2020, slightly fewer than the previous quarter. It saw a 22 percent decrease in personal harm reports, a 23 percent increase in scam reports and a 16 percent decrease in objectionable material reports. However, the number of reported romance scams - in which victims are tricked into sending money to people they believe they are in an online relationship with - grew 39 percent last year. Romance scam victims lost on average more than $18,000 each, though Netsafe believes that's a fraction of the real losses as people can be too embarrassed to report what's happened to them.

The charity IDCARE, which helps up to 1000 victims of scams, data breaches and identity theft a month, has seen about an 8 percent decrease in romance scams since 2018, but a 40 percent increase in people seeking help for identity theft in the first five months of this year. It has also seen a 38 percent increase in remote access scams since 2018. In these scams, offenders trick victims into giving them access to their device, allowing them to obtain personal information. More than half of remote access scam victims have their online bank accounts accessed, with victims losing an average of $5000 each.

Sandra couldn't access any of her files, but it was the box bouncing up and down on her laptop screen that sent a shiver down her spine. "It was saying I'd been hacked and if we paid $800 we'd get a code to unlock it."

With all her files frozen and unsure what else to do, the Whakatāne business owner took her laptop to a computer specialist who told her the attackers had probably gained access through a malicious email she'd unwittingly opened. "They couldn't do much to help us," she recalls.

Sandra and her husband refused to pay the ransom out of fear the criminals would demand even more money. "But it cost us dearly in the end," she says.

The computer held a month's worth of business accounts that hadn't been backed up, but, more importantly, treasured photos and videos of Sandra's late father. "Nobody else had those videos, so I couldn't replace them. It just really guts you."

Sandra didn't think to report the attack to police and says she wasn't aware there were any other organisations who might be able to help her. "To be honest, I didn't know who to ask. The first thing I thought of was to take it to somebody who knows about computers to try and fix it. I didn't even think to ask about any government agencies or anything."

Sandra's response is understandable. The myriad agencies dealing with cybercrimes and security issues are a complex network. CERT NZ, which sits within the Ministry for Business, Innovation and Employment, is the central agency responsible for collating incident reports and co-ordinating government agencies' responses to security issues. It also analyses threats and provides advice, mostly to businesses. In the upper echelons of government, the Department of the Prime Minister and Cabinet's National Cyber Policy Office oversees the Cyber Security Strategy developed in 2019. It is responsible for supporting critical infrastructure and nationally significant organisations, while the New Zealand Security Intelligence Services and the Government Security Communications Bureau deal with threats to national security.

At a consumer level, Netsafe provides education and advice to individuals caught out by online scams, and also reports offences under the Harmful Digital Communications Act. The Department of Internal Affairs deals with some aspects of identity theft, but also refers victims to IDCARE for support. Lastly, police investigate cybercrimes.

All these agencies work closely together, with CERT NZ acting as a clearing house with a "no wrong door policy", referring people to the organisation, or organisations, that are best placed to help.

But the complexity means it's difficult to tackle the problem, especially if there's no one looking at the big picture, IDCARE New Zealand operations manager Neil Hallett says. "Because we don't have a single source of truth in terms of the collation of scam information or data breach information, we can only make an educated guess."

One of those guesses is that New Zealanders are losing $500m a year to offshore scams, he says. Hallett, a former police detective inspector, established an identity crime intelligence unit at Police National Headquarters in 2004, and he believes cybercrime can't be tackled until we know just how big the issue is.

In order to get better data, there needs to be better co-ordination between all the different groups dealing with cybercrime and security in New Zealand, Hallett says.

"It's generally accepted that we do need a single source of truth, that there are too many disparate pockets of information, that if it was put together in one place we would have a better idea of what the overall picture looks like and a better idea of where the main threats are coming from."

Australia's scam co-ordination centre, Scamwatch, is a model New Zealand could follow and would be a "relatively easy fix", Hallett says.

Netsafe chief executive Martin Cocker says the complex web of agencies is needed to address different aspects of cyber security, but he agrees there needs to be better co-ordination of data collection.

"We will get somewhere between $20 and $30 million of scam losses reported to us each year and CERT NZ will get a similar amount, but we don't know how much of that overlaps because people can choose to report to both agencies. It could be $20 million reported twice, or it could be $40 million. There really is difficulty quantifying the problem and that then creates a problem for our political leaders to say: Here's the size of the problem, and here is a reasonable response in terms of investment."

The lack of investment in preventing and tackling cybercrimes in the public and private spheres is another issue, Cocker says. "I don't know of any country that spends enough, but I think New Zealand definitely is looking at cybercrime now and looking at the resources we're putting in and saying that doesn't match up."

And the risk is growing rapidly. "We're seeing serious cybercrime and cyber security breaches. And we've got these relatively small teams across a few agencies really struggling with the kind of volume that they're facing."

It's also a struggle for victims to know where they can turn for help, he says. "I think we've got the right agencies and they've got the right responsibilities split, but it's still really hard for consumers to connect with the agency when they need them."

There's an argument for having a single agency to help victims navigate the system, he says. "It's one thing to say to somebody, you've got to go to the police for this and you've got to get the DIA for that, you've got to go to Netsafe for this. But if your one cybercrime incident involves all of those things, you're really asking the person who is dealing with the fact they're a victim of a cybercrime to then also take on the responsibility to organise their whole response plan and connect with those agencies themselves."

Even if victims find their way through the maze of organisations to access help, they rarely get justice. Paul Hay knows that all too well. After the hacking, the sex messages and losing his friends, he felt helpless. That feeling only deepened when he couldn't get the support he needed. He felt so let down by the authorities, he took matters into his own hands.

There was an open day at the local polytech and Hay spotted an ad for a computer science course. "I remember the date vividly. It was 16 January 2015 and something suddenly sparked in me. I was like 'I need to go and teach myself about this'.

"I decided I needed to learn all I could about computers so I could understand how this happened. I had tried... but nobody believed it wasn't me. I had to go and get a degree in computer science to be able to prove myself."

Over the next few years, he learnt how to trace the malicious messages that had ruined his life. "I could prove without a shadow of a doubt the piece of hardware that every message came from." The computer belonged to the person Hay had suspected all along. But it wasn't enough. "When I went to the police with the evidence, all they said to me was: 'Can you prove who was on the end of that computer?'"

Prosecutions of cybercrimes are rare, admits Detective Inspector Stu Mills, who manages police's intercept and technology operation. It's because it's tricky to track down cybercrime offenders, most of whom are based overseas. "It makes it more difficult to identify them and have sufficient evidence for the local authorities where they're based to take any of the investigative or prosecuting action."

There have been some successes. Mills' team helped to convict the US-Israeli teenager who made bomb threats to New Zealand schools in 2018, and police have occasionally frozen the accounts of cybercriminals who have taken money from New Zealand victims. Netsafe's Cocker says he's never heard of anyone overseas being prosecuted for scamming or defrauding someone in New Zealand. Nor is he aware of anyone getting their money back. "In fact, if you ever get contacted and told we've recovered money from a scammer, we're going to give it back to you, that will be a scam," he warns.

Low numbers of cybercrime prosecutions, dissatisfaction with funding, data spread across organisations and victims struggling to know where to turn. What does Digital Economy and Communications Minister David Clark have to say?

He's unconvinced that a more centralised approach for data collection or service provision is needed, but he does say the government will "continue to look at the resourcing" for CERT NZ to ensure it has "the capacity across government to respond in an increasingly difficult world".

Some collaboration is on the cards too. One of the projects in the government's Cyber Security Strategy aims to improve links between government cyber security agencies by establishing a "cross-agency governance board and funding for inter-agency priorities" which Clark says is "work that is ongoing".

What about victims struggling with where to turn? "The system that we have at the moment, there's no doubt, does help people who get into difficulties - I've received positive feedback on it."

The real issue is that victims don't report crimes, he says. "There's a huge amount of under-reporting here. It's something that jurisdictions around the real world wrestle with. One of the big reasons it's hard to work out is because there's a lot of embarrassment associated with being a victim."

The government is doing "everything it can" to make sure people are aware that those services are available through CERT NZ. The organisation says it's also working on publishing a flowchart to help people figure out the agencies they need to contact for help.

Are Clark's plans ambitious enough? Darkscope founder Bruce Armstrong, who monitors the dark web for criminal activity, reckons New Zealand could do better. He favours Australia's more centralised approach, and says New Zealand could learn from it. The Australia Cyber Security Centre (ACSC) is a one-stop shop service, supporting national critical infrastructure, small and medium-sized enterprises and individuals. The country also has AusCert, a not-for-profit outfit based at the University of Queensland that provides a user-pays service for businesses and government agencies, providing technical help and advice.

University of Melbourne lecturer Suelette Dreyfus agrees the Australian system works reasonably well. Still, Dreyfus, an expert in computing and information systems, says no system is perfect. She believes the thing that would really help, globally, is transparency about cybercrimes. "A lot of companies are anxious about reporting incidents because they think it might cause that loss of reputation." But if these case studies were made public, we could learn from them, she says.

"A couple of years ago, Australian National University was hacked in a very sophisticated attack and to the enormous credit of that university its management decided to release the report about the hacking attack. I use that report in my teaching and it's very important because it provides a set of lessons for people who are going to go out into the workforce and defend organisations about what can go wrong and how you can prevent it."

When the global shipping company Maersk was immobilised by a ransomware attack in 2017, it did the same, Dreyfus says. "They did an analysis of what went wrong, how they were infected… they made that all public and that is incredibly valuable to the rest of the world to figure out how to do it right."

Paul Hay advocates speaking up too. It's why he shares it all - the sex messages, the friends who ditched him, the struggle for justice. He hopes others can learn from his experience, but also that it will make victims feel less alone.

That's not all he's doing to help others. He finished studying computer science and is now a case manager at IDCARE, where he works with victims of cybercrime. "I had a lady call me up the other day in the exact same position that I was five years ago. By the end of the conversation, she went from being in tears to saying 'Thank you, you've made me feel better about the whole situation' and it actually makes me feel good, because I can actually help somebody."