The origins of the 2019 Budget "hack" appear go back to failures in Treasury's website procurement starting in 2014 that led to a "rushed, sub-optimal solution", a report released today found.
State services commissioner Peter Hughes released the report into the early leakage of secret Budget information last year, saying the Treasury’s failure to keep the information secure was not acceptable.
Sensitive Budget information was accessed via Treasury's own website search function two days before the 2019 Budget was to be announced on 30 May.
“This should not have happened,” said Hughes. “Some things are so critical that they can never be allowed to fail. Security of the Budget is one of these.”
An inquiry found a series of technical decisions led to a design in the Treasury website search function, which allowed access to Budget 2019 information.
The design also existed in the 2018 Budget, though there were no security breaches.
Essentially that centred on a "vaulted clone"' of the Treasury website, set up to switch into action when the Budget was announced, was prematurely linked to the live site's search function allowing some details of the Budget to be seen.
Former Treasury secretary Gabriel Makhlouf was widely criticised after the exposure for saying the site had been "deliberately and systemically hacked".
However, the origins of that failure appear go a lot further back to failures in the procurement of the website starting in 2014 that led to a "rushed, sub-optimal solution" for production of the 2018 and 2019 Budget.
In June 2014 the Treasury-owned and operated Central Agencies Shared Services (CASS) function initiated a procurement process for a new web hosting platform for the CASS group of agencies to replace the existing, and near end-of-life Plone platform.
The scope of the request for proposal (RFP) was both the replacement of the platform and subsequent development of 5 or 6 agency websites. A key requirement was increased content management and search functionality.
The initial RFP was unsuccessful with none of the tender pricing being acceptable to CASS.
A second RFP was issued in November of that year with a slightly modified scope that removed a "Budget Day Scenario (BDS)" from the core scope of works negotiated with the vendor.
This was “parked” by CASS for later consideration.
"Excluding the BDS scope from the Treasury website project meant the Treasury Website Project team (subsequently renamed the Treasury Website Migration Project team) was not required to consider how the Treasury’s web and publishing function could deliver against its obligations to publish the Budget on Budget Day on the new website," the report says.
"Since there were existing challenges in engaging the wider organisation in the website project, it is unclear what information was provided to other Treasury teams regarding the now 'orphaned' BDS business requirements."
In the weeks leading up to the launch of the new Treasury website in 2018, it became apparent to the Treasury web and publishing team that the way the Treasury had previously published Budget information and content would not work on the new website,
The Budget Day Scenario (BDS) scope of works was required to enable the Treasury to securely upload and publish Budget Information on Budget Day 2018.
Hence the workaround with the "vaulted clone" website.
"Despite it being a core function of the Treasury to produce annual Budget documents on its website, the Treasury repeatedly excluded consideration of the Budget Day Scenario, initially from the Drupal Hosting Platform implementation, the Treasury Website Project and subsequently the Treasury Website Migration Project," the report concluded.
"This exclusion from scope contributed to the Treasury needing to implement a rushed, sub-optimal solution for production of the 2018 Budget which was then applied to Budget 2019."
The report found governance and oversight at the Treasury’s executive level fell short and risk management processes around Budget 2019 were not good enough.
Concerns about security risks existed but were not escalated.
“But sometimes doing your best is not enough,” said Hughes.
“Some things you just need to get right. Each and every time. For these you need to check, check and check again and that didn’t happen with security around Budget 2019."
Senior leadership at the Treasury were rightly focused on the big economic and fiscal issues which are important to New Zealanders and the Government, he said.
"That is what I expect. But they got the balance wrong. The Treasury’s core business is also delivering the Budget and I’m disappointed the senior leadership were not hands-on enough in that task."
The Treasury, under new secretary Dr Caralee McLiesh, has already implemented a number of changes that address many of the issues raised or findings from the inquiry, he said.
McLiesh has appointed one of her executive leadership team members to personally oversee the security of the Budget and implemented new quality assurance measures around all aspects of the process.
New security and testing policies are in place.
McLiesh said the Budget production process for Budget 2020 was robust and secure, and in line with best practice and the appropriate guidance and standards.
“The Budget is a core priority of the Treasury and what happened should never happen again,” she said.