Bryce Edwards: Intense speculation on Budget leaking and hacking

Bryce Edwards: Intense speculation on Budget leaking and hacking

The problem with scandals involving so much mystery is they naturally lead to plenty of speculation, some of which might be useful and some which might be completely wrong, or even highly-damaging. And while we are still in the midst of it all, it’s extremely difficult to sort out the useful from the damaging.

For the best overall guide to what has happened in the Budget leak/hack scandal, see the just-published article by Henry Cooke: What we know and don’t know about the Budget ‘hack’. Amongst his rundown on the background to the scandal and the theories offered so far, Cooke points out that, rather than being hacked, the Treasury website might simply have been scanned by Google, allowing a cache of pages to become available to someone who has handed them on to the National Party.

Another leading explanation for how the Treasury’s Budget information was released early to National comes down to a simple but obvious idea that parliamentary staffers looked for and found the information on the Treasury website. This would also explain how National leader Simon Bridges could be so categorical in his insistence that his scoops weren’t based on hacking or illegality.

According to this theory, National had one of its Parliamentary staffers monitoring the Treasury website in the days leading up to Budget Day, constantly using the frontpage search bar on the site to look for “Budget 2019”. The hope being that at some stage some Budget documents would be loaded onto the site momentarily, in anticipation of Thursday’s publication, before they were then locked away for safety.

The story goes that by searching every five minutes or so, the National staffer eventually hit the jackpot when documents or pages turned up with the goods. It might have taken hundreds or even thousands of searches over a couple of days.

In fact, National Party pollster and blogger David Farrar has outlined a similar scenario based on his previous experience as a parliamentary staffer: “when I worked for the Opposition in 2000 or 2001, I recall waiting for the Government to release the Police crime stats. They always put a positive spin on it. I went to the Police website and looked at last year’s stats. I also looked at the previous year. They had the same URL format. I changed the year to the current one, and hey presto I had the official crime states four hours before the Government was due to release them” – see: My guess as to what happened.

Farrar argues that something similar may have happened, and it therefore wouldn’t constitute hacking: “So my guess is something similar has happened. That possibly the material was put up on a website of some sort and someone found it. Treasury are calling it hacking because they didn’t think it was open to the public. But there is a difference between hacking a secure computer system, and locating information that is on the Internet (even if hidden). Was there any cracking of passwords for example?”

But do such explanations fit with what Treasury are saying when they claim that their site has been “deliberately and systematically hacked”? It’s arguable either way. Certainly, some tech-specialists seem to think that something much more sophisticated must have happened – especially based on the fact that Treasury has called in the Police. For one of the most in-depth discussions of the potential hacking, see John Anthony’s Budget 2019: ‘They’ll remember it as the budget that got hacked’.

Despite some tech specialists believing that a sophisticated hack has occurred, one expert believes a software application might have simply found the material on the Treasury website: “Kiwi cyber security consultancy Darkscope technical director Joerg Buss said a likely scenario was that someone used a ‘spider or crawler’ program to find hidden content in the Treasury website. Such software may have uncovered Budget 2019 files which had not been protected properly, he said.”

It could also be as simple as using Google to search for the material, which is covered by Juha Saarinen in his article, Conspiracy or cock-up? Strong evidence Treasury published Budget accidentally – rather than a hack. He says that “screenshots of the results from a Google search for ‘estimates of appropriation 2019/2020’ are circulating on Twitter suggest that the data was published accidentally.”

Of course, the fact that Treasury has called in the Police would suggest that the government department believes that something much more sinister or malevolent has occurred. However, care needs to be taken in reading too much into this – especially since the Police haven’t even confirmed that they have agreed to investigate, except to say that they are assessing Treasury’s request.

Furthermore, whenever governments and officials call in the police or make claims that criminal actions have occurred in the political sphere, we should always be very sceptical. It’s the oldest trick in the bureaucratic book – to divert attention or to impugn an opponent with charges that they are mixed up in criminal activity. That’s not necessarily the case over the controversial budget leaks – it’s still far too early to tell what has happened.

This is certainly the argument made today by leftwing blogger No Right Turn, who suggests that government officials have a tendency, when they’ve made mistakes, to try to point the finger elsewhere, often using rather draconian measures to do so – see: Treasury, “hacking”, and incentives.

Here’s his main point about how politicians and officials are inclined to bring the police into politics: “Unfortunately the natural instincts of power in New Zealand are to double down rather than admit a mistake, and to call in the police when embarrassed – just look at the tea tape, or Dirty Politics. With those, we saw police raiding newsrooms and journalist’s homes. I’m wondering if we’re going to see police raiding the opposition this time. Which would be highly damaging to our democracy.”

The blogger says that “the bureaucratic incentive towards arse-covering and blame-avoidance pushes that to be reclassified as nefarious ‘hacking’, and that incentive gets stronger the higher up the chain (and the further away from IT knowledge) you get.”

Here’s his own explanation for the release of the information: “The most likely scenario is that Treasury f**ked up and left them lying around on their web-server for anyone to read, and National or one of its proxies noticed this and exploited it. Accessing unprotected data on a public web-server isn’t ‘hacking’ in any sense of the word – it’s just browsing.”

The onus is therefore on the Treasury to be much more transparent about what has happened writes Danyl Mclauchlan, saying a “brief technical explanation about what the ‘hack’ amounted to would be a lot more useful than all the bluster and nebulous waffle we’ve heard so far” – see: Budget hacking scandal: About time Treasury told us what actually happened.

Mclauchlan says that if it turns out that the leak has simply come from information on the Treasury website, “then we’ll be talking about the resignation of the Treasury Secretary, rather than National Party leader.”

The No Right Turn blogger doesn’t see the Government delivering such transparency any time soon: “neither Treasury nor their Minister has any interest in that (Ministers are rarely interested in incompetence in their own agencies, because it makes them look bad for allowing it). As for us, the public, we’re the loser, stuck with an incompetent, arse-covering public agency which has just failed on one of its most important tasks” – see: Treasury owes us answers.

He argues that the decision to go to the Police means that Treasury can now sidestep such accountability: “conveniently, by referring the matter to the police Treasury has ensured that they can never do that. It might prejudice the police investigation, you see. OIA requests can be refused to avoid prejudice to the maintenance of the law, and anyone who actually tells anyone anything can be prosecuted. Accountability of course goes out the window”.

That doesn’t get National off the hook, however, if the party has done something illegal in the way they have procured or used the Budget information. One lawyer who knows a lot about hacks is Steven Price, and he argues that the release by National of the information was not in “the public interest”, and that it appears to have “broken the law relating to Breach of Confidence” – see: Budget leak: Nats’ behaviour “entirely appropriate”?

Price says that he is “irritated at the sanctimoniousness of Simon Bridges’ denial that the Nats had done ‘anything approaching’ illegality.” He does admit however, that if National have obtained the Budget information “through some area of Treasury’s (or some other government) website that was technically publicly accessible, then that would at least raise arguments that it wasn’t confidential in the first place, because it was in the public domain.”

Herald political editor Audrey Young is also less than impressed with how Bridges has dealt with the matter today, saying: “Simon Bridges needed to do two things today when he fronted the news media about allegations of hacking Treasury and he did neither. He needed to say, at least in general terms, how he received the leak of Budget of documents. And he needed to say he had contacted the police to offer them any assistance they needed in their investigation” – see: Simon Bridges needed to do two things today and he did neither.

But for another view on the politics of it all, and an explanation of why Bridges’ manoeuvres have been smart, see Brigitte Morten’s National plays strong hand over politics jackpot. She argues that it’s in the public interest for National to be able to dispute the Government’s narrative over Budget spending, and to be able to point out the “lower than expected spending” in areas such as health “that the government doesn’t want you to reflect on.”

Finally, for a recent minor – but extremely colourful – Treasury controversy, involving the use of a transformative wellbeing experiment for staff, see Danyl Mclauchlan’s must-read investigation: Peace, Rest and the Monkey Emoji Moon: playing Heartwork cards at Treasury.