A small but growing number of government tenders specify a preference for Microsoft or Amazon Web Services systems, products or services. Photo: 123RF
A China-linked hack of US government cloud email accounts is raising questions about the New Zealand government's growing reliance on American data firms.
A small but growing number of government tenders here specify a preference for Microsoft or Amazon Web Services (AWS) systems, products or services. Only those two US firms have special memorandum of understanding (MOU) deals with the government, and ministers have all but ordered all their agencies to use such off-site cloud computing from private firms.
In the US, officials and Microsoft recently revealed that hackers secretly accessed email accounts at two dozen organisations, including at least two US government agencies.
The New York Times quoted a "person briefed on the intrusion" saying "the attack showed a significant cybersecurity gap in Microsoft's defences and raised serious questions about the security of cloud computing".
Microsoft was one of the New Zealand government's two go-to cloud providers, the other was Amazon.
But now the US Department of Homeland is investigating Microsoft, which a senator accused of having lax cybersecurity, stating that it had deployed systems that "violated ... basic cybersecurity principles" and that should have been caught by audits.
'"Organisations of all kinds are increasingly reliant on cloud computing ... which makes it imperative that we understand the vulnerabilities of that technology," the Homeland Department said this week.
RNZ approached Microsoft for comment.
The Government Communications Security Bureau's (GCSB) National Cyber Security Centre said it had an established and well-practiced approach for responding to threats of this type.
"We have highlighted the incident to our customers in the public and private sector as part of regular information-sharing efforts," it said.
"We continue to work with New Zealand organisations and our international partners to maintain visibility of any developments."
Organisations concerned about the hacking techniques used could review the incident reporting released by Microsoft and the US government's Cybersecurity and Infrastructure Security Agency, it added.
Allyn Robins of the Brainbox Institute said such a hack could happen in New Zealand, and it was interesting the US Department of State had detected it.
The Government Communications Security Bureau (GCSB)'s spy base at Waihopai, near Blenheim. Photo: Supplied
"That's what shut it down," he said.
"So while moving onto the cloud can give some security benefits from the cloud provider, it doesn't mean that you shouldn't also have your own security systems ... that's what prevented this attack from being much worse than it otherwise could have been."
Being part of the intelligence grouping Five Eyes could mean New Zealand got the benefit of warnings from other governments, Robins agreed.
More than 180 New Zealand public agencies have transferred masses of data to Microsoft cloud computing servers in Australia for storage and processing since 2019. Sensitive courts data could be headed that way.
The government's revised 'cloud-first' policy in May put even more stress on using the cloud - and not storing data inside agencies as before - especially once Microsoft and rivals like Amazon finish building mega-data centres in Auckland in the next two to three years.
Two-thirds of public data is still not on the cloud; the hold-up in shifting it revolved around cash-strapped agencies struggling with how to afford the shift, documents released under the Official Information Act (OIA) showed.
The government has promoted cloud computing as being more flexible and more secure. One ministry, Culture and Heritage, played up the security angle in a recent tender: "Manatū Taonga has a preference for the service to be hosted on infrastructure services provided by Microsoft Azure," it said.
"Amazon Web Services is also acceptable. Manatū Taonga has completed a risk-based assessment that the infrastructure services provided by Microsoft and Amazon Web Services have acceptable security controls to host the services."
A local firm - that declined to be named - told RNZ this penalised it, when its own security had a proven track record, and it was less of a visible target for offshore hackers than the massive US companies.
The company stood to lose business because of the gathering momentum of government preference for the big US tech firms, it said.
The preference also can benefit New Zealand companies that resell the offshore products and services; this often creates an ongoing cost of licensing to the US firm for the buyer.
Records released to RNZ show 18 government tenders for cloud services or products in the last four years have specified a preference for Microsoft or AWS - a third of them this year.
It is a small number but growing, despite tenders watchdog MBIE warning against stating such preferences.
Internal Affairs has urged public service chief executives to come up with novel projects for Microsoft.
In the US hack, Microsoft said the Chinese group forged digital authentication tokens to access webmail accounts running on Outlook. Its main cloud service is called Azure.
Microsoft recently said a Chinese hacking group forged digital authentication tokens to access webmail accounts running on Outlook. Photo: 123rf
China labelled this "disinformation" and called the US "the world's biggest hacking empire and global cyber thief".
"Azure looks like a house of cards collapsing under the weight of exploits and vulnerabilities," said US tech commentator Dan Goodin.
A spokesperson of the Chinese Embassy in New Zealand said "making accusations without proof is a malicious smear and a spread of disinformation".
China had suffered cyber attacks and so was a staunch defender of cyber security, it said, and firmly opposed and fought all forms of cyber attacks and crimes in accordance with the law.
"Given the virtual nature of cyberspace, one must have clear evidence. As cyber security is a challenge faced by all countries, China always advocates countries to strengthen dialogue and cooperation on the basis of mutual respect, equality, and mutual benefit to address this challenge together."
Warnings
Some cyber-security analysts warned about the breadth of the threat.
"Organisations using Microsoft and Azure services should take steps to assess potential impact," said Wiz, based on its own research. "We discovered that it may be difficult for customers to detect the use of forged tokens."
Other firms' security keys to the cloud could also be stolen, Wiz said.
Allyn Robins said the likes of Microsoft had strength in size and expertise beyond what governments could match, but their size and the sensitivity of the data they held was "very appealing" for hackers.
"They're ... a far bigger target, so any vulnerabilities that exist will be more likely to be detected and exploited."
Microsoft's revenue in New Zealand has skyrocketed above $1 billion as the government has led the cheerleading of cloud computing. It was "very easy for costs to increase" unless a close eye was kept on licensing fees and storage, NZ Trade and Enterprise said in a July 2022 webinar released under the OIA.
MBIE recently updated its guidelines to warn that specifying a particular cloud supplier "limits the number of suppliers who can respond to the tender", "excludes some suppliers from the market" and "limits the ability to consider broader outcomes".
RNZ was aware of two local companies that have complained to MBIE about public tenders biased towards Microsoft or AWS, saying it was unfair and spreading.
MBIE has broken its own rules in four tenders since 2019, expressing a preference.
It told RNZ: "The four GETS tenders ... specified a preference for Microsoft Azure due to the solutions being procured needing to integrate with existing MBIE systems.
"MBIE always looks for ways to partner with businesses in Aotearoa New Zealand, to meet government procurement expectations, and to deliver on our mission to grow our country for all."
Out of 25 agencies approached, 11 had not specified any such preference since 2019, and four did not respond. Ten had: Six tenders this year, five in 2022, and two in each of the previous three years.
Many of these agencies gave RNZ the same reason as MBIE did: For instance, the Ministry for the Environment said it was "cloud infrastructure agnostic" but expressed a preference in two tenders as the solution had to "integrate" with what it already had from Microsoft or AWS.
"We don't feel that informing the market of existing architecture is denoting a preference, but rather enables suppliers to make more informed submissions," it said of a tender for a workflow tool.
The government is building its own $300m data centre to store high-security information such as from the spy agencies.
The third big cloud player globally, Google, did not feature much.
