ITP Techblog

This week saw a continuation of the onslaught against banks and other institutions that were hit with a nasty distributed denial of service (DDoS) attack last week.

Efforts to mitigate the attack seemed to work with much less disruption to websites and apps. But the episode is yet another reminder of how disruptive an old-school DDoS campaign can be.

When online services at ANZ, Kiwibank, NZ Post and Metservice go down for customers as they did last week, even an outage of a few minutes let alone a few hours can have a major impact, given our increasingly digital way of doing business.

By now, New Zealand businesses and our government have a fairly good understanding of how DDoS attacks work. The question is, are we doing enough to fend them off? Writing in the Spinoff this week, Ben Gracewood, an experienced chief technology officer who just joined the publisher after holding senior positions in IT at Vend and Westpac, suggests the answer is no.

Common to many of the DDoS victims, he points out, is that they are running web application firewalls (WAFs) from RedShield, the Wellington-based cybersecurity company.

"It looks like one of two things is happening," Gracewood suggests. 

"Either there are a ton of different DDoS attempts happening across New Zealand and RedShield's customers are having a worse time than most, or more likely the baddies saw just how successful the NZX DDoS was last year, and are now working their way through RedShield's customer list to wreak havoc."

Red alert

RedShield was the cybersecurity partner for the NZX, so that may explain why other RedShield customers are on the attackers' hit list. 

"It's an unfortunate situation for a company whose raison d'être is web security, and an indicator that DDoS attacks have got to a point where only the very largest infrastructure providers can handle them," Gracewood continues.

On Twitter, Catalyst IT director Don Christie dismissed Gracewood's premise as a "cheap shot" against "a Kiwi company that provides global service very successfully".

RedShield founder Andy Prow is a Tech Blog contributor and we'll hopefully get some insights from him on the latest wave of attacks when he comes up for air. Reflecting in a Tech Blog post last week on the increased level of cyber attacks, Prow pointed out the trade-off each CEO and board has to weigh up in devoting resources to beefing up cybersecurity.

"I've been the CEO of five tech companies now, and I've always said 'every dollar has already been spent six ways'. Meaning for every dollar you have in the company there are many ways to spend it, all competing with each other for priority," he wrote. 

"Cybersecurity is one of them. Do you spend the money tightening your company's defences, or perhaps accept the risk of some system vulnerability?"

The elevated level of risk our major businesses and institutions face suggests more investment in tightening defences is in order. 

"Hoary old enterprise companies love WAFs because it means they don't have to upgrade their old systems with known security holes, they can just tell the WAF to block the particular requests that would exploit those holes," Gracewood points out.

"But to do this, WAFs have to inspect every single incoming request. You see where this is going? If you suddenly have millions of requests because of a DDoS, your WAF is almost certainly going to have a Bad Time."

The answer, to the DDoS problem anyway, may involve investing more in procuring the services of the cloud infrastructure giants who have the capacity to deal with large DDoS attacks, the likes of AWS, Microsoft Azure and Google Cloud. The idea that we need the multinational tech giants to keep us safe clearly doesn't sit well with Don Christie, a passionate advocate of buying local when it comes to IT services. But it may be the reality we face. 

"To defend against DDoS attacks, the victims can increase their capacity to deal with requests, but this is normally a losing battle as the attackers can increase the number of bots they use at virtually no cost to them," Auckland University of Technology cybersecurity expert  Dr Kenneth Johnson, told the Science Media Centre this week.

"More practically, websites and ISPs can identify and filter out these illegitimate requests as they are identified, and CERT and security companies are constantly improving these approaches."

The University of Auckland's Dr Rizwan Asghar added that the government needs to get on the front foot with awareness campaigns and proactive support of businesses. 

"Otherwise, a passive approach, by the New Zealand government and organisations, to dealing with cybersecurity issues would result in a huge loss to New Zealand's digital economy," he said.

Investment bump needed

Each organisation is ultimately responsible for its own cybersecurity and the potential fallout from a DDoS or ransomware attack is incentive enough to make the investments in preventing them. 

But most experts tend to agree that our cybersecurity investment as a nation is insufficient. Other countries are ramping up massively in terms of defensive and even offensive cybersecurity capability. 

The Australian Government followed up a nasty spate of cyber attacks by announcing a A$1.35 billion investment in cybersecurity initiatives in its 2020 federal budget. Our Government has many competing priorities as it tries to keep the pandemic response and recovery on track. In the IT space alone, so-called "technical debt" plagues our government agencies and district health boards.

But one thing is for sure - cyber attacks increasingly threaten to derail the digital economy and therefore our efforts to deal with the impacts of Covid-19. If there's any area of IT spend worthy of prioritising at an organisational or nation-state level, it surely has to be cybersecurity.