When silence fails
What to make of being cyber-attacked by a foreign spy agency, and yet your own country's authorities don't think its worth telling you or others affected.
It is difficult to describe the experience of knowing you have been targeted by hackers from a foreign power. There is a novelty, but it is mostly disconcerting and unsettling.
In early 2021, agents of the Chinese Communist Party (CCP) initiated a cyber-attack on Members of Parliament who were also members of the Inter-Parliamentary Alliance on China (IPAC). This attack was global and included two of us in New Zealand. Despite this attack being subsequently known by authorities in New Zealand, they never thought it worthwhile to tell us.
What I can share with you today is due to work with colleagues in IPAC and discussions with agencies outside New Zealand. As I have already noted to a few journalists – the situation is a bit like having your home broken into, authorities knowing about it, but they decided not to tell you.
As readers will know, I have been long involved with IPAC. When it was formed, Louisa Wall (former Labour MP) and I set up the New Zealand chapter. Put briefly, IPAC focuses on how democracies relate to Communist China. We have called out CCP interference in New Zealand; spoke about the persecution of Uyghurs, Tibetans, and house Christians; and have sought to draw attention to what has happened in Hong Kong or the ongoing threats to Taiwan.
In January 2021, a CCP sponsored hacker group called APT 31 (APT stands for Advanced Persistent Threat) specifically targeted IPAC members across the globe. Obtaining public facing emails of MPs, Senators, and at least one of our academic advisors – this group then sent bogus emails to our addresses. Within these emails were images and within those, a single pixel which was designed to obtain data from the person opening the email. It is known as ‘pixel reconnaissance’. For those who opened the email, data was sent back to the hackers such as your IP address, type of computer system you are using and so forth. So fairly mild at one level but it is critical to understand that this was just the first step in a progressive campaign. Put another way, this was just the first step of many to seek access to our emails and documents. We know this because some IPAC colleagues were subsequently ‘fully’ hacked, with emails and information stolen.
As far as I understand things, this particular attack only focused on three New Zealanders (and others across the globe). Myself, Louisa Wall, and University of Canterbury academic Anne-Marie Brady. We can each confirm with confidence we were targeted; in my case, I have the known email sitting right in front of me as I write!!
In 2022, the FBI sent what is known as a ‘Foreign Dissemination Request’ (FDR) to governments around the globe, advising them of this particular attack. The FDR was quite fulsome in it’s detail. While we know it was sent to countries including New Zealand, we do not yet know which agency(s) it was sent to.
Then, as you may recall, in March this year the New Zealand government publicly confirmed news of a CCP sponsored cyber-attack on New Zealand in 2021. It is unclear whether what this announcement was about the attack on Anne-Marie, Louisa, and I or another attack. This announcement was made simultaneously with other nations such as the UK, Australia, and Canada and sparked IPAC’s work to find out more information.
In doing so, we have uncovered the information I am now sharing. Everything we know, is due to the work and research of IPAC. No one in New Zealand – government or its agencies – has been in touch with us at at any time. That such a cyber-threat was so specifically targeted at us, you would think we might be specifically approached.
It is this lack of information from our own side that has me so angry and frustrated. That I could be the target of cyber-interference is no surprise. However, with authorities knowing we had been targeted, they should have made contact with us. That the attack was intended as only the first move of many only reinforces this.
The key point is that New Zealand authorities were well-informed. Who and which agency(s) is something we need to know more about. What, if any, Ministers knew or other officers of Parliament?
Ultimately, this situation must now be more about the future. A few suggestions on what needs to happen:
Transparency. There needs to be clear reckoning of what happened here and why there was a failure to share the information appropriately;
Current MPs across the House need to demand that future cyber-attacks on them and Parliament will see people informed. There must be a public commitment to informing those impacted as soon as possible;
There should be a Privileges Committee review of this. This attack sought to undermine an aspect of our parliamentary democracy and to impact the work of members of parliament. Not telling sitting MPs (at the time) of such an attack is, in my opinion, a breach of privilege in the same way had someone come into my office and taken documents;
People should understand the psychological intention of these hacking attempts. As with other activities by the CCP, they are designed to intimidate and remind targets that they are not safe;
MPs such as Ingrid Leary are calling for a new select committee to focus on foreign interference. This is a good idea and should be pursued;
We also need the Magnitsky Sanction legislation I keep talking about. It would allow New Zealand to specifically sanction those hackers and officials we know were involved. Other countries have this law and have done so. New Zealand should do the same.
There is much work to be done and it is my hope that current MPs see the real need for improvement – not only to protect them but also our democratic structures.
It’s beyond my comprehension to understand why the affected MP’s and others in NZ who were hacked by the CCP were not informed by NZ authorities once they knew if this.
The train fie that needs independent investigation and the reason made known .
They also didn't tell us that there was an American mass surveillance system located in GCSB office in Wellington........the staff didn't even inform the management, nor the Minister...... until it all recently came to light after an IGI investigation......