If I hadn’t been away, and then come down with a very nasty cold (which will soon have me back on the sofa again), no doubt I’d have commented earlier on the Makhlouf affair. Whatever your view of how Gabs came to be appointed and reappointed, or of his overall stewardship of the office of Secretary to the Treasury, it is a sad business in many ways.
Human beings make mistakes. I don’t suppose anyone would be calling for Makhlouf’s head if it were only a matter of having been chief executive of a (not overly large) agency where the document/computer security was so weak that what happened early last week could happen. Not even when taken in the context of an organisation that didn’t seem to be quite as attuned to keeping secret what they were supposed to keep secret as we might have hoped (recall their policy on computers and lock-ups even after the RB OCR leak, or the episode last Thursday in which Treasury staffers were giving out copies of Budget documents to journalists outside the lockup, under the impression that the recipients were fellow Treasury staffers). It isn’t a good look – even recognising that Budget material is typically politically sensitive rather than market sensitive – and perhaps might have taken a bit of the gloss off the farewell functions in the next few weeks. But that would have been all. The chief executive would have been responsible, and in some sense accountable, but those actions – or failures – wouldn’t have been his personal ones.
But the focus now is on choices that Makhlouf himself personally made, words he himself chose to use (or not use) and so on. They are a rare case when the public gets a direct look at how a top public servant handles himself under pressure. Not well.
The whole business started on Tuesday, mid-morning when National released Budget material. By 12:20 pm that day there was an official statement from Makhlouf. It was fine. The heart of it was this
“Right now we’re conducting our own review of these reports and the information that has been published,” said Makhlouf.
As you’d expect. Presumably the office of the Minister of Finance and (perhaps) the Prime Minister’s office had already made it clear they wanted to be keep updated.
But it must have been a busy next few hours at The Treasury, and presumably Makhlouf was extensively involved, at least in reviewing whatever information and advice his staff were generating.
His next public statement was issued at 8:02 on Tuesday evening. And this was the one that started him down the perilous path
Following this morning’s media reports of a potential leak of Budget information, the Treasury has gathered sufficient evidence to indicate that its systems have been deliberately and systematically hacked.
The Treasury has referred the matter to the Police on the advice of the National Cyber Security Centre.
It sounded impressive and sobering at the time. No doubt it was supposed to. All reinforced by Makhlouf’s rash interview on Radio New Zealand the next morning, with his overblown bolt analogy and attempts to play up the “attack” and “penetration” language (using it and never once objecting when the interviewer used those words). I heard some of it at the time, but listening to it again this morning with the benefit of perspective it is all the more extraordinary given what Makhlouf clearly already knew. He ruled out any “sloppiness” or “incompetence” in his own staff or systems.
But, of course, what we now know – what Makhouf knew at the time – is that the National Cyber Security Centre had already made it clear to Treasury that, based presumably on what Treasury staff had told them, there was no sign that anything fitting the bill of a “hack” had happened. If they suggested – as Makhlouf claims – that it was a matter for the Police, it was probably only in a “nothing to do with us, but you could try Police” sense. The NCSC reference should never have appeared in Makhlouf’s statement at all – they were dragged in, it appears, to provide Makhouf with cover.
Even allowing for the fact that it was a busy day, you can be sure that every word in the Makhlouf statement would have been considered carefully. Presumably Treasury comms staff were involved, and at least a couple of his key deputy secretaries (including, one hopes, the one responsible IT and security). We don’t know if they ran a draft past the office of the Minister of Finance (on Makhlouf’s telling, the matter was referred to Police at about 6pm and the Minister informed at about 7pm). But in many respects it doesn’t matter: it was Makhlouf’s statement (personally) and even if someone else suggested things the words actually used are wholly his responsibility. Public service chief executives are supposed to operate at arms-length, and are personally accountable as such. At this point, the Minister had no leverage (after all, Makhlouf was leaving in four weeks time).
(The Minister’s own statement is another matter. It upped the ante further, in a way Makhouf never directly did, attempting to tie the National Party to criminal activity (“the material is a result of a systematic hack and is now subject to a Police investigation”). The fact that the Minister’s statement was released only 15 minutes after Makhlouf’s suggests that likelihood of close liaison between Treasury staff and staff in Robertson’s office. The statement looks unwise and opportunistic, but surely that is politics. Absent further evidence, I’m prepared to believe the Minister and his office – none of whom will have had a high degree of technical capability – were misled by Makhlouf and The Treasury.)
After Makhlouf’s RNZ interview on Wednesday morning we hear nothing more of substance for most of the day. A non-partisan observer might reasonably have concluded that the Simon Bridges release/attack was backfiring (it was my take). But that was those of us not in the know. Makhlouf and his senior IT staff (and their bosses) must have known very well by this point what had actually happened (and if Makhlouf personally did not sufficiently understand the point, that too reflects poorly on him, for not having asked hard enough questions, or ensured he was on totally solid ground). They must have known that at any time National could reveal how they had actually obtained the information (the search bar on Treasury’s website). But they said nothing more all day, despite knowing that they had poured fuel directly into an intensely political controversy.
And then two awkward things must have happened. First, Police actually reacted fast (and around something where it might have been politically convenient for them to have acted slowly) and advised Treasury that was nothing unlawful for them to investigate, and then Simon Bridges indicated that he would hold a press conference the following morning to explain how National had actually obtained the information.
Thereupon, there must have been intense activity at Treasury, as they attempted to get ahead of the story again. This was the 5:05am statement. But it wasn’t just another Makhlouf statement, as he managed to get the State Services Commissioner to issue a parallel statement. One can only wonder how much consultation with ministers (Finance, State Services) or their offices went on through this period – but it is hard to believe that Peter Hughes would have put out such a statement, getting in the middle of a political controversy, with little or no notice, little or no consultation.
And what did Thursday morning’s (5:05am) statement say? There was a bit of unavoidable clearing the decks
Following Tuesday’s referral, the Police have advised the Treasury that, on the available information, an unknown person or persons appear to have exploited a feature in the website search tool but that this does not appear to be unlawful. They are therefore not planning further action.
But it was hardly a mea culpa by Makhlouf. Once again, he seeks to perpetuate the “hack” theme, invoking the idea that the NCSC were working with Treasury to identify what had gone on.
In the meantime, the Treasury and GCSB’s National Cyber Security Centre have been working on establishing the facts of this incident. While this work continues, the facts that have been established so far are:
(there follow 11 bullet points, the now-familiar material about clone websites, indexing documents, and the simple ability to use Treasury’s search bar.)
And pushes the notion that someone else had done something wrong
The evidence shows deliberate, systematic and persistent searching of a website that was clearly not intended to be public. Evidence was found of searches that were clearly intended to produce results that would disclose embargoed Budget information.
Rather than that his job had been to run an organisation keeping politically-sensitive government material secure until the government chose to release it. Something he had failed to do.
As he gets to the end of his statement Makhlouf does reluctantly concede the systems failure.
In light of this information, Secretary to the Treasury Gabriel Makhlouf said, “I want to thank the Police for their prompt consideration of this issue. In my view, there were deliberate, exhaustive and sustained attempts to gain unauthorised access to embargoed data. Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around Budget confidentiality, and we will undertake a review to make them more robust.”
But even then is keen to muddy the waters. Embargoes are irrelevant here – they only apply to people who accept information under embargo, on terms and conditions set by the person releasing it. There was no embargo here, simply insecure Treasury systems. And then there was the final sentence, again playing distraction. There is no “longstanding convention around Budget confidentiality”. There are obligations on public servants to keep “Budget secret” information secret, an obligation that applies especially to the Treasury Secretary, responsible for Treasury systems, and there are rules in the Budget lockup. But none of that applies to anyone else. A journalist who receives a leak about Budget material isn’t breaking the rules or any conventions in breaking the story – in fact, they’d be failing in their job if they chose not to run a newsworthy story.
And that was it. No apology for misleading the Minister, no apology to the public for misleading them (all that talk of “hacks”, attacks on iron bolts etc), just an attempt to get in ahead of the Bridges press conference – as if he himself were a political operator – and to keep on muddying the waters and minimising responsibility. Makhlouf has given not a single media interview since – despite that very lengthy one on Radio New Zealand when he was playing the “under systematic attack” card, and probably garnering quite a degree of public sympathy, for all it was worth.
It was an extraordinary couple of days, and an extraordinary display of poor judgement by one of our most senior public servants. He’d made a series of very bad calls, all his own personal responsibility, and in the full glare of the public spotlight.
A decent and honourable person might have taken a day and then announced his resignation. After all, human beings make mistakes, and when they are serious enough, and public enough, sustained enough, and committed by someone very senior (in whom the system reposes considerable trust), bad choices need to have consequences. Given that he is leaving shortly anyway, surely the decent thing to have done would have been to have issued a statement indicating that he’d made mistakes, regretted and apologised for that, but that it was best now to clear the air, and that accordingly he would be resigning with immediate effect. Had he done so, my regard for him would have risen considerably (I’d even toyed with words for a post I might have written had he done so).
The alternative approach might have been to have announced that he had offered his resignation to the State Services Commissioner, and left to the Commissioner to decide whether or not to accept. But reports to date suggest there has no even been that offer.
Instead, after several days, we learn that SSC is to hold an inquiry. Unfortunately, their statement is not on their website, but according to media reports
The State Services Commissioner will conduct a new inquiry into statements and actions made by Treasury Secretary Gabriel Makhlouf concerning the Treasury “hack” last week.
I have little confidence in this inquiry. For one, the inquiry is supposed to look into Makhlouf’s handling of last week’s events, but recall that the SSC made themselves an active player in those events when they agreed to a coordinated statement with Treasury on Thursday morning. They are, at least in part, inquiring into themselves. And then there is line from yesterday’s statement
State Services Commissioner Peter Hughes said the questions that had been raised were of considerable public interest and should be addressed.
“It’s my job to get to the bottom of this and that’s what I’m going to do,” Hughes said.
“Mr Makhlouf believes that at all times he acted in good faith.”
“Nonetheless, he and I agree that it is in everyone’s interests that the facts are established before he leaves his role on 27 June if possible. Mr Makhlouf is happy to cooperate fully to achieve that. I ask people to step back and let this process be completed.”
What have Makhlouf’s preferences got to do with it? It all has a rather too-cosy feel to it, and the likelihood of this being wrapped up any time materially earlier than 27 June seems very low (any draft report will surely be given to Makhlouf and other affected parties to review, and perhaps have their lawyers comment on, before release).
Add to the cosy sense, the fact that Makhlouf hasn’t been suspended, but continues to work as normal – with the full support in that of the Prime Minister. This isn’t an inquiry into some obscure aspect of past administration, or even to details of how he was appointed, it is about his personal choices, words and judgements within the last week. If it is serious enough to have a serious inquiry, it is serious enough for Makhlouf to be stood aside until the report comes in. If it is a serious inquiry that is.
What of the authority under which Makhlouf is hired and fired? That is the State Sector Act. Government department chief executives are not standard employees, but hold a statutory office, appointed by the Cabinet on the recommendation of the State Services Commissioner. The Commissioner them becomes the employer. What of dismissal? Section 39 covers that.
On the face of it, it is as simple as that. So long as Cabinet agrees, a departmental chief executive can be removed. It isn’t the famed “at-will employment” of the US, but it isn’t standard employment law either. To a lay reader – and there probably isn’t any case law in this specific context – “just cause or excuse” really does look at though it should cover failings like misleading the Minister, repeatedly misleading the public, making flamboyant statements that the facts (known to him at the time) don’t support, (arguably perhaps) wasting Police time, and refusing to offer any contrition when those facts emerged.
In that earlier quote, Peter Hughes reports that
“Mr Makhlouf believes that at all times he acted in good faith.”
I’m happy to believe that, but what of it? That is no sort of standard – a 16 year old placed in charge of The Treasury probably would have acted in good faith too, but simply wouldn’t have been up to the demands of the job, and would have been exposed sooner or later. Makhlouf isn’t 16, but his conduct over the last week suggests that if he was acting in good faith, he simply didn’t display the judgement,temperament, and character that should be required to hold such office in New Zealand (let alone Ireland, but that is their problem).
Perhaps one can debate whether section 39 should be invoked to dismiss Makhlouf (although it is now clear that it won’t be). One reason to hesitate might be that provision should not be used lightly, and has not been used previously. I’m not in a position to know whether there have been more serious breaches of acceptable standards from departmental chief executives over the 30 years since the law was enacted – most of what departmental CEs do happens behind closed doors, away from the public eye. But of things that have come to public view, it is hard to think of any (departmental chief executive) episodes that plumb the low standards on display by Makhlouf in the last week (not just a single choice, word, or act but the accumulation of words, actions, choices over several days, each compounding the other, with no sign or act of any contrition). He should go, and if he won’t resign, he should have been dismissed (yesterday’s Cabinet would have been the opportunity).
Matthew Hooton has a sustained Twitter thread this morning that is worth reading. He is more focused on the political aspects, and the potential culpability of Grant Robertson (I’m ambivalent on that point, pending more evidence). But his bottom line is one I strongly agree with:
And the State Services Commissioner is fully part of that same self-protecting establishment – appointed by them, from among them, and now supposedly reporting independently on actions (of another member) that he himself was part of as recently as last Thursday morning.
This must not be the standard we settle for.