Wednesday, May 29, 2019

Treasury, "hacking", and incentives

Overnight National's budget leak story exploded, with Treasury calling in police over allegations of computer crime. This morning Treasury doubled down on that, saying they had detected over 2000 attempts to access budget information in the last 48 hours. The implication is that this was 2000 hacking attempts (shock! panic!), but it could just as well be 2000 attempts to find budget documents at their usual URLs (like we all did last night after noticing that a cached version of Treasury's publication search showed 2019 budget documents).

National leader Simon Bridges is refusing to say how he got the documents, and quite sensibly too given the allegations that are being thrown around. The most likely scenario is that Treasury fucked up and left them lying around on their web-server for anyone to read, and National or one of its proxies noticed this and exploited it. Accessing unprotected data on a public web-server isn't "hacking" in any sense of the word - it's just browsing. But unless some low-level Treasury IT prole directly admitted that they fucked up and resigned immediately, the bureaucratic incentive towards arse-covering and blame-avoidance pushes that to be reclassified as nefarious "hacking", and that incentive gets stronger the higher up the chain (and the further away from IT knowledge) you get. And so "obscurity still isn't security" transforms into "our security was hacked" in the same way that "a crock of shit which stinks" becomes "a powerful growth-promoting plan".

Unfortunately the natural instincts of power in New Zealand are to double down rather than admit a mistake, and to call in the police when embarrassed - just look at the tea tape, or Dirty Politics. With those, we saw police raiding newsrooms and journalists' homes. I'm wondering if we're going to see police raiding the opposition this time. Which would be highly damaging to our democracy. To point out the obvious, that's the sort of shit done in Australia, and worse places. It's not something we should tolerate here, and I would hope that the Speaker would resist any attempt to do so.

(Meanwhile, Steven Price has some interesting thoughts on the ethics and legality of National using the information, which is a completely different question to how it was acquired. Personally, I take an expansive view of public interest around accountability, and I would be loath to see the courts deciding whether politics is in the public interest because that way lies China. If people are unhappy with National's ethics over this, we have a ballot box and should use it accordingly.)