By Phil Pennington of RNZ
Police computer systems have been ill-prepared to cope with a disaster like a major hack.
This has been at the same time they have been pushing for more powers to gather people’s data to keep in the systems.
An audit shows police did not know how much data they could afford to lose if their IT systems were hit. Read the first two pages of the audit here.
They needed a “disaster recovery” strategy to gauge “the acceptable amount of data loss NZ Police can handle after a disruption has occurred”, the audit said.
The 2019 audit identified a raft of deficiencies.
It found they had not done an assessment of the major threats to their cyber resilience.
There had been “insufficient investment” in cyber resilience for years, and confusion between two teams over who was in charge of IT disaster recovery.
Police say they have been addressing these gaps – this was “in flight”, they said.
‘Very high risk’
The ransomware attack that crippled Waikato District Health Board has prompted questions about the public sector’s ability to defend public data from online criminals.
Police held back from RNZ all but the first two pages of the 2019 audit by consultant KPMG of its information communication technology (ICT) resilience.
Police had mentioned to MPs about this audit in its latest annual review, prompting RNZ to ask for it.
Police said releasing more pages might dissuade staff from providing free and frank opinions in future; and that the first two pages fairly reflect what was in the rest of it.
The two pages show police regarded IT business continuity and disaster recovery as a “very high risk” area.
But KPMG concluded police were largely relying on staff to cope with disruptions.
Staff had proved capable and experienced so far, but this could not make up for the lack of:
Plans for backup and “failover” in a disaster
• Recovery strategies
• A business continuity plan
• An assurance plan to test IT vendors and partners are up to scratch
• Regular disaster recovery testing
• An overall framework for addressing cyber resilience requirements was also missing.
“Without a framework there is a high likelihood that key business processes may have ICT requirements that are not clearly understood or planned for in a disruption,” the report warned.
RNZ asked for details of which of these gaps have been fixed since 2019.
Police have not provided any, instead saying some had been fixed, while others had now been included in its Cyber Security Resilience Programme or CRSP that was aiming to come up with an operating model.
Other documents paint a very mixed picture.
Police’s own annual assessment of how they keep people’s personal information secure says in 2016 police controls were at the second-lowest rung, and now are close to the second highest rung on a five-rung quality ladder.
At the same time it says that all personal information is “robustly secured both physically and technically”.
It shows they are updating how they handle data breaches to match privacy law changes last year.
A 2020 internal review says police are within reach of a big step up in data quality, helped by “reviews of problematic business and ICT processes”.
But a 2020 internal review of intelligence capability says information handling “requires significant uplift”, yet is hampered by the need for annual bids for enough funding just to keep the fragmented storage and other systems maintained.
At the same time there is this push for greater powers to gather data, worldwide and in this country.
A separate OIA response shows police expect to develop policies to give them more access to evidence held anywhere in the world online.
In the late 2020 briefing to the police minister, police said: “There are important cyber policy gaps that need to be addressed”.
It shows police were working on a deal with Europol – the European Union’s law enforcement agency – to share data more easily.
They also aim to boost data sharing within this country with the likes of Immigration, Internal Affairs that runs passports, and the Waka Kotahi, the Transport Agency that runs driver licensing.
Immigration has its own information-gathering powers, but some are secret. For instance, it is understood to use a social media scanning tool from Cobwebs Technologies, a firm set up by ex-Israeli Defence Force tech experts.
Immigration has refused to release to RNZ any business case or privacy impact assessment it has had done on the Cobwebs tool, arguing this was “likely to prejudice the maintenance of the law”.
RNZ asked for details of what cyber policies are being developed to fill the “gaps”, but police have not provided this.
Instead, in a statement it said: “The cyber security environment is constantly changing, and changes significantly over time.
“Our Cyber Security and Resilience Programme addresses the rate of change to the global internet environment, in terms of keeping police systems safe.”
Management and governance included frequent auditing and reviewing of plans and capability, “and enhancing our response and recovery to cyber events”, they said.
Under the OIA, police totally withheld an assurance review into its use of contractors and consultants.