20 Oct 2022

The E-team: Parliament and cyber security

From The House, 6:55 pm on 20 October 2022

Parliament takes security seriously. Getting into the precinct is similar to going through an airport. 

But it’s not just physical security they focus on, because the biggest threats can come in through the smallest holes.

Parliament has its own Cyber Security team headed by Derek Robson. They manage a wide range of risks, from phishy or threatening emails through to preventing electronic spying or other state-sanctioned e-naughtiness.


For example, Derek Robson’s team provides travelling MPs with burner phones and laptops if they are heading somewhere problematic.

“We’ll hook them up with a cellphone that’s blank: fresh phone number, no contacts, no data. They can use it while they’re travelling. When it comes back we can clean it, wipe it, or potentially shred it.”

Yes he did actually include “shred it” as one of the options.

The world has moved on since the days of le Carré, as Robson makes clear. “You don’t need to get a spy into the embassy if you can get a USB stick into the embassy.”

Bread and butter emails

But most of us are not potential targets for professional spies. For most people at Parliament, cyber security involves emails, and they get baskets of dodgy ones.

Every MP’s email is publicly available, so constituents can contact them. But this public face also opens them up to more spam and threats than most of us need to worry about. Especially as Parliament keeps its email filtering light so as not to prevent freedom of (irate) expression.

So what sort of dodgy emails do MPs and their staff get thrown at them? Mostly they get the usual spammy emails. 

Fake appeals to donate money on behalf of, say, “the Armed Forces of Ukraine”. Exciting news that they are owed millions from a fake estate. Convincing-looking alerts to pay for an incoming parcel. Fake log-ins and requests to “confirm their account details”.

But they also get much nastier scams.

Sophisticated fake blackmail threats claiming to have accessed their computers and stolen data and demanding... payment. Bomb threats demanding... payment. Sextortion threats…demanding payment.

“Before you consider sharing this with an accomplice or that IT guy, consider that you will be exposing your little secret to a third party with many eyebrows raised in disgust… .” I think they mistranslated ‘accomplice’ for ‘colleague’ but you get the idea.

Some even come with instructions for purchasing the bitcoin they want sent.


Going Pro

As always with scam emails some of the language is accidentally charming and tell-tale.

“No dilly-dally and I will go straight to the point… .”

But some of these emails are well written: they use correct names, and they are garnished with real or real-looking letterheads and logos. They may even include a correct password found on the dark web as proof they have access to your system (odds are they don’t).

But the most impressive and disturbing are those that appear to come from your own boss or someone else in authority. They usually need a quick favour - transferring some cash or buying some iTunes gift cards and sending the codes.

That might sound silly, but how would you respond if you got a personally addressed email from your boss (imagine even that it was the Prime Minister) and it really appeared to come from her email?

“Got a moment? I need you to complete a task for me….”

Scary. “The ‘bad guys’ know that they can use social media to figure out who is in charge around an organisation,” says Derek Robson. “So if you an email from the Chief Executive to the E.A. of the Chief Financial Officer saying ‘we need to move some money in a hurry’ often the E.A. will say ‘Yes boss, no problem’.”

Tactics and advice on avoiding cyber nasties

So how does Derek Robson protect Parliament from nefarious cyber crooks?

“A lot of it is: we make it as easy as possible to do the right thing. So we have a button within our email system that says ‘report scam email’. That comes through to my team and then we can look at it with: ‘is this malicious, can we update the filters, is there a problem, do we need the police involved?’”

And what advice does he have for the rest of us?

“If it seems too good to be true - stop and have another think.”

“If it’s an email you’re either not expecting, or from someone you’ve never spoken to before, that should be a bit of a red flag.”

And if it comes from an organisation you do business with and looks potentially legit, phone them to check. (Not with a phone number provided in the email though.)
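The scam patterns described under “Going Pro” and the advice just given can be turned into a simple triage rule. The following is an added illustration written for this article, not code from Parliament’s team or its email system; the internal domain, staff directory and sample emails are all constructed placeholders.

```python
import re
from email.utils import parseaddr

# Assumed internal domain and staff directory: constructed placeholders, not Parliament's real ones.
INTERNAL_DOMAIN = "parliament.example"
INTERNAL_STAFF = {"chief executive", "prime minister", "chief financial officer"}

# Body indicators drawn from the scam types the article describes.
BODY_RULES = [
    ("urgent_favour", re.compile(r"\b(quick favou?r|got a moment|in a hurry)\b")),
    ("gift_cards", re.compile(r"\b(itunes|gift card)s?\b")),
    ("money_transfer", re.compile(r"\b(move some money|transfer(ring)? (some )?cash)\b")),
    ("crypto_payment", re.compile(r"\bbit-?coin\b")),
    ("blackmail", re.compile(r"\b(accomplice|little secret|stolen data|bomb)\b")),
    ("too_good", re.compile(r"\b(owed millions|estate)\b")),
    ("credential_bait", re.compile(r"confirm (your|their) account")),
]

def sender_flags(from_header, reply_to=None):
    """Identity checks: a known insider's name on an outside address, or a diverted reply path."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    if name.strip().lower() in INTERNAL_STAFF and domain != INTERNAL_DOMAIN:
        flags.append("impersonated_insider")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != addr.lower():
            flags.append("reply_to_mismatch")
    return flags

def score_email(msg):
    """Return every red flag found in the headers and body of a message dict."""
    flags = sender_flags(msg["from"], msg.get("reply_to"))
    body = msg["body"].lower()
    return flags + [name for name, pat in BODY_RULES if pat.search(body)]

def recommend(msg):
    """Map the flags to the action the article's advice suggests: verify identity out of band, or report."""
    flags = score_email(msg)
    if "impersonated_insider" in flags or "reply_to_mismatch" in flags:
        return "verify by phone on a known number, then report"
    return "report" if flags else "ok"

# Constructed samples, modelled on the emails the article quotes.
SAMPLES = {
    "bec": {"from": "Chief Executive <ce.office@mail-example.net>",
            "body": "Got a moment? I need you to complete a task for me. "
                    "Buy some iTunes gift cards and send me the codes, in a hurry."},
    "minutes": {"from": "Chief Executive <ce@parliament.example>",
                "body": "Minutes from this morning's meeting are attached."},
    "sextortion": {"from": "noreply@random-host.example",
                   "body": "No dilly-dally. I have your little secret. Send 0.5 bitcoin today."},
}
```

A real filter would sit behind the ‘report scam email’ button and feed these flags to the team rather than act on them automatically; keyword rules like these catch the clumsy mail, and the out-of-band phone check is what catches the well-written kind.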

CERT NZ: your own personal cyber security unit

CERT NZ is the Computer Emergency Response Team. They are part of the government business ministry known as MBIE. Derek Robson describes them like this.

“They’re almost a cyber-security help-desk for all of New Zealand. Anyone in New Zealand can contact CERT with ‘I don’t know what to do’, ‘I’ve got this phishing email’, ‘I’ve got this weird message’, ‘what should I do?’. …When an organisation’s been hit by ransomware CERT New Zealand can deal with that.”