State Services Commission to investigate Treasury head Gabriel Makhlouf's public statements, advice to the Finance Minister and decision to involve the Police in last week's Budget 'leak'

Treasury Secretary & CEO Gabriel Makhlouf. Illustration by Jacky Carpenter

The State Services Commission is investigating Treasury Secretary and CEO Gabriel Makhlouf after the National Party managed to retrieve Budget information from Treasury’s website ahead of its public release last Thursday.

The Commission announced on Budget day, following a request from Makhlouf, that it would investigate how the material was accessed. On Tuesday afternoon it said it would look into Makhlouf’s handling of the situation in a separate inquiry.

“The investigation will establish the facts in relation to Mr Makhlouf’s public statements about the causes of the unauthorised access; the advice he provided to his Minister at the time; his basis for making those statements and providing that advice; and the decision to refer the matter to the Police,” the Commission said.

“Mr Makhlouf believes that at all times he acted in good faith,” Commissioner Peter Hughes said.

“Nonetheless, he and I agree that it is in everyone’s interests that the facts are established before he leaves his role on 27 June if possible. Mr Makhlouf is happy to cooperate fully to achieve that. I ask people to step back and let this process be completed."

Deputy State Services Commissioner, John Ombler, will lead the investigation. Makhlouf will continue working as usual during this time.

"The investigation announced today is separate to the inquiry announced last week into the unauthorised access of Budget information. The Terms of Reference and who will lead this inquiry, which is expected to take some months, will be announced shortly," the Commission said. 

National last week accused Makhlouf of sitting on a lie that the party had "hacked" Treasury’s website to retrieve information about the Budget, when in fact a weakness in Treasury’s IT system meant the information could be found on its website if certain key words were typed into the search bar.

National last Tuesday morning started releasing Budget information. It refused at the time to say how it got the material.

Last Tuesday evening Treasury released a statement claiming it had been “deliberately and systemically hacked”, so further to the advice of the National Cyber Security Centre (which is part of the Government Communications Security Bureau), it had gone to the Police.

Finance Minister Grant Robertson shortly after, in a statement, said he had asked National to stop releasing information.

Then last Wednesday morning Makhlouf did an interview on RNZ, in which he elaborated on the “hack” by saying someone had made over 2000 attempts to get into Treasury’s website. He said the information accessed was similar to that National had drip-fed to the media.

In the evening, National said it would reveal at a press conference the following morning - Budget day - where it got the Budget information from.

But then at 5am Treasury released a statement saying the Police investigation had been dropped, as it turned out the information could be accessed by anyone who searched its website.  

Makhlouf conceded there was a weakness in Treasury’s systems that made it susceptible to “unacceptable behaviour” - “deliberate, systemic and persistent” searches of its website.

The State Services Commission released a statement around the same time, saying it would investigate.

Come 8.45am, National Leader Simon Bridges in his press conference detailed how National stumbled upon the information and called for both Makhlouf and Robertson to resign.

Robertson then distanced himself from Makhlouf, expressing his “disappointment” over Treasury not seeking further information about how the Budget material had been obtained, before getting the Police involved.

Hughes on Tuesday said the questions that had been raised about Makhlouf were of “considerable public interest”.  

“It’s my job to get to the bottom of this and that’s what I’m going to do,” he said.

Makhlouf is due to start a new job as the Governor of the Central Bank of Ireland on September 1. A spokesperson for Ireland's Finance Minister reportedly said the controversy wouldn't affect Makhlouf’s appointment.


35 Comments


How many neolib-trained ideologues still in the Public Service (now there's a label we should think upon more) could have set this up? It seems too incompetent to be just incompetence, and I don't see an awful lot of original initiative in the opposition benches...... Will be interesting to find out.

That means there are two Public Service CEOs under “suspicion” right now - Secretary of the Treasury & the Government Statistician (Liz MacPherson).

What’s the bet they’ll both be white-washed? In any case, the Treasury guy is leaving very soon.

TTP

Really? You think that some ideologue went on a crusade? The incompetence on display did nothing to discredit the budget, only the public service (the budget can discredit itself just fine). It is just incompetence and projecting it as a conspiracy is a bit misguided.

when one is an ideologue on a crusade it is inevitable he sees them everywhere ..

Ah, no. I monitor draw-down within a bounded system.

Others assume no bounds (economists) and still others cynically think they can win in a piddle-down arrangement (neolibs). They have to peddle the 'no bounds' message to keep the piddled-on under the shower, and maybe have to genuinely believe it themselves.

I'll stick with math and physics, thanks.

"Neoliberalism" - a modified form of liberalism tending to favour free-market capitalism.
"Capitalism" - an economic and political system in which a country's trade and industry are controlled by private owners for profit, rather than by the state.

Neither of these have anything to do with "no bounds" growth and were both around long before growth became the thing it is now. The infinite growth myth is a creation unto itself. I agree with you that it's a fallacy but blaming the wrong thing for it isn't furthering the cause.

I'm not blaming it. I see it as upper-deck passengers shafting steerage passengers, all in a sinking ship.

But the neoliberal cant holds sway at the moment - has done for some decades - and we cannot become sustainable without divesting ourselves of the mantra. Ultimately, I suspect a no-discount long view, with an eye to the commons and to arresting entropy, ends up with altruism. It's probably the only format which avoids endless re-runs of the Hunger Games

That’s where we disagree. Exponential growth is the sinking ship, not neo lib or capitalism.
I thought you might like capitalism without the growth obligation as it allows things to grow and contract naturally as dictated by our environment?

By the time you've stilled exponential growth, you're down to two billion at peasant levels of consumption. If you want to be a capitalist under that cap, it's fine with me.

ok by me, what kind of system would you prefer?

pdk,

With world population expected to reach circa 9Bn by mid century, can you just outline the conditions under which you believe it would fall by some 78% and to pre-industrial living conditions?

Daenerys Targaryen and Drogon?

linklater - have you not followed my links over the years?

Start by reading the Limits to Growth, the original, the 30 year update and the most recent. Add in Dr Graham Turner's peer review.

Then learn about energy, and the trend to entropy.

And about 'projections' foolishness thereof.

We achieved our temporary overshoot on a draw-down basis, and overshoot tends to crash to below statically-maintainable levels

some get the problem: http://limits2growth.org.uk/

Then you work it backwards - what is the population supportable without draw-down? And the answer depends on your consumption-rate.

pdk,

I am happy to accept that you are more knowledgeable than I am, but why do you assume that I know nothing about the trend to entropy? I do know something of the Second Law. I also know a little about population issues and I am looking at my copy of Countdown by Alan Weisman with which I have no doubt you are familiar. I have a small library on climate change (and on the deficiencies of classical economics and its misuse of mathematics).
Indeed, I am in general agreement with much of what you write, but I would welcome a degree of humility.
You write in your post; "And about 'projections' foolishness thereof". Indeed. Your projections are truly apocalyptic, so I think you need to acknowledge that your assumptions may not be correct.

The definitive treatise is Catton's 'Overshoot'.

But from the position of just-in-time-fed-via-supermarket comment, it is hard to imagine a post-financial-transaction world. The bland 'NZ could feed itself' raises questions of societal control, replacement food-systems, nutrient (phosphate for instance) replacement and infrastructure maintenance. My circle reckon the problem will be seeds, and seasonal lead-time. And that in this cohesive, ring-fenced country.

One fellow who did a lot of thinking was: https://phys.org/news/2010-06-humans-extinct-years-eminent-scientist.html

Another is this fellow: http://www.dieoff.com/ a good page is this: http://dieoff.com/page5.htm

By projections I mean the backcasting-to project nonsense - the kind that gives 9 or 10 billion by 2050. The graph in that last link is worth 10 minutes over a cuppa - as is remembering that we stop growing physically for good biological reasons.

As to humility, I've been watching this progress for 40 years, and can tell you that humility doesn't change things (mind you, I doubt I will change the dialogue in time either). It was just time someone stood up and stated things, figured I'd give it a go. Had to be someone....

I note in the precis of the book you mention, that he cites '1.5 billion at first-world levels' - that's pretty much where I put it.

Very strange.
- Treasury referred the matter to the police (which due to the highly sensitive nature of such an action could only be done with Makhlouf’s knowledge and approval) and could only infer that an illegal act on National’s part was considered to have occurred
- there has been no acknowledgement or apology from Treasury or Makhlouf that such a complaint to the police was groundless, and
- Makhlouf will be long gone before the inquiry process is complete.

Have said before and will say again our civil service, at all levels, national and local, not all of them, but more than enough, are much about exercising authority and little about taking responsibility. And for this particular identity, you can obviously add a big dollop of hubris into the mix.

DP

Apologies everyone - I had reported that the investigation into Makhlouf would take some months. This is incorrect. The investigation into how the Budget material was accessed will take some months. The Commission hopes to conclude the inquiry into Makhlouf before he leaves at the end of June. The story has been corrected. 

No need to apologise, Jenée,

Certain others have sinned far more than you.

TTP

To be clear, Jenée is no sinner

You could have said that you were hacked, then called the Police and blamed Simon Bridges. I see you took the high road instead.

Or we could show some tolerance. After a brief bout of it after CHC, it has saddened me to see the brutality out for these public servants, by politicians on both sides, for political gain, and the media. By all means if either was lying or duplicitous, and the facts will come out on investigation. But if they were doing their job in trying times, well, s*** sometimes happens to all of us. But in both these cases it might be even less than that. I would not be at all surprised if it was found that Liz M (Stats) was given an impossible task for political reasons and no resources to do it, and Gabriel M (Treasury) was responding to what he understood at the time.

Even if it was what Treasury’s Mr M understood at the time, any decent corp comm person would have advised caution. It was a fluid event, changing by the hour and so some discretionary words of caution were called for in any media statement. Just to cover yourself. But there were none! Stupid fail. Basic stuff. What were he and Treasury thinking? Are they above it all, or do they think the public is so stupid as to treat them with contempt? My god if u were ceo of a private company u would be facing some difficult questions from aggrieved directors and shareholders. And then, later, when the ‘hacking’ turned out to be able to include any joe public with half a clue accessing the search function, there should have been some sort of gesture of acknowledgement of a mistaken claim in the heat of the moment. And assurance that due process would be observed to identify the cause and solution. Some sort of reassurance to stop the public now understandably assuming that anything coming from the Treasurer’s mouth is now unreliable or worse, misinformation. That there is not something rotten in the so-called ‘public servant’ milieu.

Sorry Ron Pol......

But I haven’t got too much “tolerance” for a Government Statistician who becomes perilously close to Contempt of Parliament.

I’d prefer a safer pair of hands running a government department as important as Statistics New Zealand.

TTP

Life would be better if we never heard of this again

Complete amateur hour from beginning to end, time for someone better.

It is general practice when making a new web page/site to temporarily publish it in the public domain and test from an external source other than on the same network.
This involves simply turning off your mobile phone wireless and viewing it on your mobile network... and doing the same on a computer at several resolutions.
This picks up little things like an incorrect font size, things like that.
Correct and re-check...
And yes it may take quite a few views.. though 2000 is more appropriate for someone in basic training on creating web pages.
For something that is confidential, and to be published at a later date, any such information and links are not added.... unless the person creating those pages has not been instructed well, and are simply total newbies that can't see beyond their nose.
There is no doubt Google, MSN, Yandex search engine bots would pick up any changes to the overall web site very quickly, and cache them.. in other words recognise them as newly published. These bots will be crawling every few seconds.
They are very easily identified from ac server logs.
Then there are numerous bots from Eastern bloc countries, China and Asian countries, Brazil also crawling every few seconds looking for new stuff.
These, a good server administrator I assume would have continuously monitored and blocked access.
If they have not then certainly 2000 hits in just the short time the pages were published to just those pages would certainly happen.
Bottom line China, Russia, and a doz other countries would have all the information also.

End of the day, nah it's not the heads at the top that are the issue.. they would have no idea of the mechanics of these things.. it's those who admin the web servers and web sites, who train, give instructions how to to those ppl right at the bottom.

This brings back memories of the email 'hacking' a few yrs back.. basically came down to email server admins who were plain lazy and who knew better than to be so damn slack with main server admin passwords confidentiality.

The issue isn't that it happened, no reasonable person would expect the Head of Treasury to be in this level of detail. The issue is his management of the incident, in particular going public on police involvement and insinuating the opposition were responsible.

Gabby Hakoops, esteemed slack-key guitarist to the King of Diamonds, stood before the Witchsmeller Pursuivant, accused of playing Gabby Faure's 'After the Dream' instead of the programmed 'Ride of the Valkyries' at a recent State Banquet for the Queen of Hearts.

Hakoops averred that the sheet music was, in his words, 'Pukaroo', that it had been safely stored in a Music Shack with a locked, strong - albeit somewhat rusty yet still impressive - iron front door with many Big Bolts, that Dark Forces in the Land were to blame, and then referred the matter to the Grand Inquisitor.

The latter had returned after a fifteen-second Conflab with his minions, stated that no Dark Forces were involved, and that he 'does not appreciate Frivolous Litigation and can he please have another Inquisition Chamber, as he is perennially Under-Resourced'. He was also heard, sotto voce, to complain that he had not been invited to the State Banquet.

The MinionQuisitors have revealed that, after failing to open the Music Shack's front door despite many repeated attempts to hammer out the weakest-looking Rusty Bolt, they thought to try the Back door. This was not only wide open, but seemed never to have had locks or, indeed, Hinges. They concluded that Starveling Waifs, who may have included a noted Cellist in their number - or perhaps all were wearing Stilettos - to judge by the marks on the floor, may have conducted a rehearsal for a Symphony, which included Gabby Faure's piece, and had left behind the 'After the Dream' music. This was, in their summation, then picked up by the esteemed, but perhaps short-sighted, Hakoops, who then faithfully rendered it in mellifluous slack-key fingerings, to the assembled multitudes at the State Banquet.

As the theme of the Banquet was to have been 'Victory and Livery' - hence the Wagner on the playlist - the rendition of 'After the Dream' completely spoiled the occasion. Not only was the King of Diamonds mortified, but the Queen of Hearts had to endure a mild Inquisition after the Witchsmeller Pursuivant was summoned and immediately smelt Something Fishy. She, we are informed, was Not Amused.

Hakoops has been sentenced to a long gig in a Folk Band in a far-off land over the Edge of the Earth. He departs on the morrow. The Music Shack is currently the subject of demolition and re-build, hopefully, this time, with only one entry, and with code-compliant, non-rusty, Big Bolts. But, being as how it's being rebuilt by the very Minions who assembled the Last Shack, and despite including the very Latest Technology, we are reliably informed that Dark Forces, via the Afeared Five-Eyed Raven, are this very minute Watching and Waiting.....

Game of Drones. Can’t wait until HBO gets a hold of it.

I smell a rat.

The video National offered up as evidence doesn't hold water with me. It looked to have been automated using CodedUI or Selenium.

They, or someone aligned with them, in all likelihood did 'scrape' the site to reveal that content using burp or something, then came up with the video after the fact.

Yes, poorly indexed and shouldn't have been public, but I think there's still some nefarious behaviour by National that is going unquestioned by the media.

Indeed. "It's not our fault we repeatedly exploited a security flaw then leaked the data, it's all their fault for having the security hole!"

It would be very interesting to see that argument weighed by NZ's security laws.

A few (now late as I only just saw this article) comments if I may :-

1. The actual failure here was one of technical incompetence - the fact that the cloned (non-production) site's search crawler was still posting its results to the Production site - should have been anticipated or at the very least detected well before budget week.

2. The poor Treasury CEO was simply acting on information he was provided - he's not a techie. Some techie within Treasury reported that someone had done 2000 searches and in the Chinese whispers and ass covering bureaucracy throughout the levels - by the time it reached the CEO - it was a massive hacking attack - possibly the Russians or the Chinese!

3. It's likely that National were tipped off to the issue - this could have been someone inside Treasury or a member of the public that noticed it - but it's not normal practice to attempt to find upcoming budget details by searching the public Treasury site. Well, it wasn't, but probably is going forward ;)

4. Once tipped off, it's quite likely that a tool was used to pump in a bunch of search terms - at which point it's deliberate and systematic and intentional. Or a bunch of young Nats or students or whomever. Regardless it certainly wasn't Bridges tapping away on his computer and accidentally coming across it - which is the narrative they'd have us believe. So in that aspect there's potential conspiracy to access information that you know is meant to be private - so there may well be a case to answer.

But is that hacking in the New Zealand legal definition of the term? Maybe? I'll leave it to the lawyers to sort out.

I can say for sure, poor Makhlouf is being scapegoated - in his position, given what he was told by his ass-covering, non-techie public servant management team (several layers removed from anyone who understands this stuff) - he didn't really have a choice but to report it to the minister.