You don't have to believe the conspiracy theories to see that Treasury Secretary Gabriel Makhlouf is in serious trouble. A new inquiry will have to uncover something yet unknown to excuse the three strikes he committed last week.

National leader Simon Bridges laid it on pretty thick last week when he did his big reveal and showed that the supposed 'hack' of the Treasury website and early release of some Budget information was nothing more than some Google searches and good luck.

Amongst his claims of an "undemocratic outrage" and the accusations against him amounting to "the most contemptible moment in New Zealand politics", he insisted it was beyond belief that Treasury head Gabriel Makhlouf had not briefed Finance Minister Grant Robertson before he called in the police.

Bridges insisted he hadn't come down in the last shower and suggested Makhlouf was covering for his political masters, who must be pulling his strings. That version of events has gained little traction because there is no evidence for it and it would be a remarkably stupid political suicide attempt by Robertson, if true.

Robertson has his own questions to answer about the events of Tuesday May 28 and his handling of his ministry since, but he is on the record that he did not know that Makhlouf had brought in the police until after that call had been made.

National, as we now know, was doing its oppositional pre-Budget research, when it stumbled upon part of Budget 2019 on the Treasury website, hidden in plain site. Contrary to assumptions, it seemed to find the details right away and then had another 1999-odd goes at digging around to see what else Treasury had left hanging in the wind.

The thing about Bridges' more extreme allegations is that none of them have to be true for Makhlouf to be in serious trouble. The facts as reported thus far take us to the substantial concern that so serious and central an institution as Treasury could have left itself so exposed.

In this case the data revealed was not especially significant, but the fact is that data meant to be secret was not in fact secret at all. It has been found and copied. And Treasury had no idea. Imagine if it was more sensitive information or it had been stumbled upon by people with more nefarious motives.

That is why the investigation announced today by the State Services Commission is essential. As announced:

The investigation will establish the facts in relation to Mr Makhlouf’s public statements about the causes of the unauthorised access; the advice he provided to his Minister at the time; his basis for making those statements and providing that advice; and the decision to refer the matter to the Police.

While this is political minutiae, it's vital we understand not just what we do, but how we do it. As it stands, it will take something new, surely, to save Makhlouf from censure, because from what we know it already looks like 'three strikes and you're out'.

If, as Bridges claims, Makhlouf is covering for Robertson, then both are toast. But even assuming cock-up rather than conspiracy, it's remarkable Makhlouf hasn't already fallen on his sword. And it's hard to see how he can explain the chasm between his own statements and the facts.

Strike one: Makhlouf oversaw a ministry that allowed nothing less than part of the Budget to be accessed days before it was meant to be. It was only good fortune that it was another political party that sourced the information. What else on the site was or is insecure? Who else might have got access? While it may directly be the fault of whoever is responsible for Treasury's web security, the buck stops with the boss.

Strike two: He either failed to understand last Tuesday what had happened on his own site or willfully misled his minister and the public. (The third option is that, as Bridges and others claim, he was forced to lie by the government). Because he said Treasury had been hacked and called the police, when it was clear less than 24 hours later no such thing had happened. He said:

"...the Treasury has gathered sufficient evidence to indicate that its systems have been deliberately and systematically hacked..." 

He also told RNZ that the information had been under secure lock and key, continuing:

"But unknown to you one of those bolts has a weakness and someone who attacks that bolt, deliberately, persistently, repeatedly, and finds that it breaks and they can enter and access the papers.

"It wasn't a case of someone stumbling into the room accidentally, it wasn't an instance of someone attacking the bolt and finding it broke immediately."

In fact, it was exactly that. Whether Makhlouf was misinformed, didn't understand the technology or panicked and tried to make up excuses for Treasury's failings, he misled the public. And he misled his minister, which leads to...

Strike three: Makhlouf was careful not to say National had hacked Treasury to get the information, but he said the data that party had matched what had been taken. And he called in the police.

In calling the 'search' a 'hack' and calling police, he opened the door to the suggestion National staff or MPs had committed a crime. That is an incredibly serious thing to even imply.

Robertson blundered through the door Makhlouf opened in an ill-written statement that same night, relying on Treasury's advice to say that "the material [National has] is a result of a systematic hack". In doing so, Robertson went a step further than the Treasury Secretary in accusing the Opposition. 

So while Robertson misjudged, it seems he was led to that position by Makhlouf.

Any one of those three strikes could be considered a good reason to offer your resignation. All three make it hard to see why he has not yet done so and how he can survive the inquiry. 

If his defence, as the State Services Commission implies, is that he "acted in good faith" (presumably himself relying on the advice of Treasury's security advisors or the GCSB), that's unlikely to be enough to protect him. It may even be unfair if the tech people or spies got it terribly wrong, but such is the nature of big public sector roles.

Makhlouf is due to end his Treasury job on June 27, ahead of taking up the job as Governor of the Reserve Bank of Ireland. Perhaps that job too is on the line amidst all this, which may explain how this is being handled. (Though before today's inquiry was announced, the Irish had said not). But now, the inquiry must be dealt with quickly and with a full, open explanation at the end.

That explanation could yet leave Bridges with some explaining of his own to do. While he has railed against the serious accusations unfairly tossed at him, he is still repeating his own serious claims of deliberate lies and a political cover-up by Robertson and Makhlouf. If that is incorrect, and given his anger at his own treatment, he risks being hoisted by his own petard. That will raise questions about his political judgment.

As for the Opposition's handling of that not-so-secret (and not especially weighty) information, it has elicited a lot of debate amongst political observers. Some had said it was irresponsible to reveal the data and an indulgence in childish point-scoring; some that it successfully rattled the government on what should have been a marquee week. Some insisted there was no public interest in Bridges revealing the substance of the information.

But there's a reason the main party not in government is called the Opposition. In a parliamentary system, there's a public interest in non-government MPs (and indeed other institutions at times, such as the media and courts) making life difficult for the government, as a matter of principle. Government without opposition is tyranny, so while the few summaries revealed on the website hardly amounted in the end to anything much, it seems fair dues for National to have exploited its rare good fortune and come out swinging. Voters can judge for themselves what they make of that.

Comments (16)

by Ian MacKay on June 05, 2019

Was any of the information released by Bridges actually part of the 2019 Budget?

Was there any sentence from Bridges' publishing the same as text in the Budget?

It seems that underneath the fury the content was negligible. So since Bridges has several times called Robertson a "liar", should Bridges be held to account?

by Gregor W on June 05, 2019

I find it amazing that when first advised (I'm assuming this was before Makhlouf went to Police with his assertion, as I couldn't fathom a State CEO not informing his Minister of a potential breach of this magnitude), that Robertson didn't immediately seek an independent assessment from the GCSB.

Falling back on "this is an operational matter" doesn't really cut it.

At best it looks lazy / disinterested, at worst, shifty / incompetent.

by william blake on June 05, 2019

As Bridges was raving (he does rave), erroneously, about billions being spent on tanks, this gift dropped in his lap (so long as you accept the 'search' struck gold on the first hit and then the researchers hit return 1999 times). Bridges' oppositional strategy seems to be saying whatever it takes to curdle the ideas coming out of the government, Simon the spoiler, rather than backing good ideas and pointing out bad ones, and it is wearing pretty thin as the polls indicate.

by Tim Watkin on June 05, 2019

Ian, yes the information National got from Treasury's website and Bridges used was from the Budget. Summary headings, but still part of the Budget. 

It was minor, but as I said in the piece the principle is that Treasury did not have control over its own information, which is worrying indeed.

Gregor, it's been widely reported that Robertson says he was not informed of the 'hack' until after Makhlouf went to police. And that Makhlouf called in the GCSB. As I say in the post, they may have been who he was relying on for his claims of a hack.

 

by Lee Churchman on June 05, 2019

Why is it not a crime? They knew they shouldn’t have it and knew that they shouldn’t be accessing it. If I did that to the ACC, I would be prosecuted, I would think. 

by barry on June 05, 2019

They may not have broken the bolt, but they stumbled into the room, and then deliberately went back in another 1999 odd times looking for more stuff.

Yes Treasury stuffed up. But National discovered a vulnerability and then exploited it to access information they know they were not supposed to have. If it was me I would also have called in the police.

by Nick Gibbs on June 06, 2019

@Barry, and the police would have told you to stop wasting their time.

by Simon Connell on June 06, 2019

@Lee

Why is it not a crime? They knew they shouldn’t have it and knew that they shouldn’t be accessing it. If I did that to the ACC, I would be prosecuted, I would think.

This is one of the two main intuitive reactions people seem to have to the 'hack' here. It's also arguably the basic idea behind the tort of breach of confidence.

The other is something like this:

They were accessing publicly available information by using a search tool provided on the website, without using any special software - anyone could have done it - so clearly this isn't and shouldn't be a crime.

See, for example, this from Graeme Edgeler:

5. I am aware of legal disagreement over whether searching undertaken by a National Parliamentary researcher could have been criminal. I am firmly in the "no" camp.
6. If I am wrong however, there is also a great public interest in amending the law, so that such searching is lawful.

If you accessed about-to-be-released ACC financial information through a search tool on the ACC website, it's not clear to me that you would be prosecuted.

by Lee Churchman on June 06, 2019

They were accessing publicly available information by using a search tool provided on the website, without using any special software - anyone could have done it - so clearly this isn't and shouldn't be a crime.

I don't think this argument works, because they then went on to do it 2,000 times over, on purpose. The link you supplied seems correct to me–there is no public interest defence. 

Let's say an unknown quirk of the landscape allows someone to see their neighbour sunbathing naked in a pool enclosure. No problem at first. Let's then say that they watch for hours and hours and invite their friends, and then post pics online. That would seem to be criminal to me. 

by Simon Connell on June 06, 2019

@Lee basically we have two claims:

1. knowing acquisition of private information is wrong/criminal

2. accessing information which is publicly available on a website without use of specialised computer tools should not be penalised by the criminal law

Some people would normally be happy with both 1. and 2., but accept that in a case like the Treasury one, you have to pick one. For some people, the "publicly available" aspect of this case trumps the "private information" aspect. For others, it's the other way around.

Let's say an unknown quirk of the landscape allows someone to see their neighbour sunbathing naked in a pool enclosure. No problem at first. Let's then say that they watch for hours and hours and invite their friends, and then post pics online. That would seem to be criminal to me. 

Yeah, some of that sounds like it might be the offence of making an intimate visual recording. That we have that specific offence shows that our law treats some sorts of private information different from others.

 

by Gregor W on June 06, 2019

Tim - Yes, I understand the order of events as has been widely reported. What I'm suggesting is that it's highly unusual that the events occurred in this order and/or some context is missing (whether by omission or commission, I have no opinion).

Without going into too much detail regarding the procedures / workings of NZ security apparatus, I can confidently say that it's inconceivable that a potential security issue of this nature wouldn't be flagged to a Minister's political staff as an inform by the security services, irrespective of whether Treasury advised the Minister in a timely fashion or otherwise.

Secondly, it would also be highly unusual for the Treasury's internal security to contact the GCSB without advising the Minister's office.

Lastly, it's almost inconceivable that the GCSB would intimate that a malicious penetration was the likely culprit without going through a rigorous assessment process. They simply don't make that type of call off the cuff. At most, they would have provided a range of possibilities as a 'hot take' on the situation.

by Lee Churchman on June 06, 2019

For some people, the "publicly available" aspect of this case trumps the "private information" aspect

That argument trades on an equivocation. On the normative meaning of "publicly available", as in "public access is permitted" it cannot be private information by definition. Moreover, the descriptive meaning of "publicly available" can't trump the private information aspect because the former is not a normative claim. "Those people" are making a fallacious and/or sophistical inference.

As for:

accessing information which is publicly available on a website without use of specialised computer tools should not be penalised by the criminal law

The generally accepted moral principle is "ought implies can", not "can implies ought". We are owed an argument. 

by Megan Pledger on June 07, 2019

By definition a hack is to "gain unauthorized access to data in a system or computer".  National gained unauthorised access to data - they knew they were not meant to have it - and although it was simple to do (although tedious to put together into something meaningful) - that doesn't excuse them. 

Whether it was easy or hard to do/whether it needed specialised software or not - those shouldn't be the point on which the law turns - the turning point should be accessing data that you know is unauthorised - mens rea.  

Accessing unauthorised data by accident and not using the result for benefit should not be brought to prosecution (with the hope that people would inform the holder to prevent further loss e.g. Keith Ng's and Winz) but sustained mining of confidential information should not be acceptable.

As Keith Ng said: As an award-winning rubbish hacker, let me tell you: Hacking which is lacking in sophistication, even crude to the point of embarrassment, is still hacking.

https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=12236128

If someone got your tax return data from the IRD would you care whether they stole a paper copy off someone's desk, used a simple search engine to get at it or used sophisticated software? The blame attached to the IRD might be different ... But towards the person who stole the data?

 

 

 

by Ross on June 09, 2019

it seems fair dues for National to have exploited its rare good fortune and come out swinging

If I ever have the misfortune of leaving a $100 note in an unlocked car, I do hope you're not in the vicinity, Tim. 

 

by Simon Connell on June 10, 2019

@Lee

re: "we are owed an argument" - alternatively, the onus is with anyone arguing that conduct should be criminal to explain why that should be the case.

I haven't actually run into a really clear case where someone sets out why they think this conduct should not be criminal. That's why I suggested that it's triggering some intuitive response whereby people think it's so obvious why this sort of thing shouldn't be criminal so they don't spell out why.

Perhaps it's actually an unstated premise about what sort of conduct should receive a response from the criminal law? 

@Megan

By definition a hack is to "gain unauthorized access to data in a system or computer".

That's one way to define "hack", but it's potentially a very wide definition. Here's a slightly different take:

In the broadest sense “hacking” requires unauthorised access – that’s not just ignoring a red warning notice, but bypassing or overcoming security controls. If that hasn’t happened then we’re probably not talking about a “hack.”

I agree with the author of this piece, who argues that it's often not very useful to talk about whether or not something was a "hack", because there isn't a generally accepted meaning of the word. Some people would consider accessing someone's unlocked pc or cellphone a "hack", others not.

by Megan Pledger on June 12, 2019

How do you ignore a warning notice but not bypass security controls? A warning notice is a security control. 
