When the Waikato regional hospital’s IT systems collapsed under a ransomware attack in 2021, patients’ information became inaccessible and critical emergency services were heavily disrupted.
For several weeks, one of the country’s largest hospital networks operated in digital darkness. The hack revealed a harsh truth for New Zealanders: that a single cyber breach can bring a nation’s most critical infrastructure to a standstill. Four years later, that warning still looms.
New Zealand likes to think of itself as distant and isolatory, tucked away in a corner of the world geographically. In cyberspace, distance is meaningless. The cables that connect our homes and hospitals to the cloud also connect us to a global battlefield where lines of code can do the work of missiles.
According to the NZSIS annual threat assessment, this risk is only becoming more prevalent. Other experts have also explained how there is a growing threat of local governments being targeted by cyber-attacks.
In 2024, New Zealand’s Parliamentary Counsel Office and Parliamentary Service were hacked by APT40, a state-sponsored group linked to China. The GCSB’s National Cyber Security Centre contained the breach and removed the intruder. New Zealand joined the United Kingdom in condemning China’s broader cyber-espionage targeting democratic institutions worldwide.
New Zealand’s greatest cyber vulnerability is a strategic issue, not just technical — any attack on critical infrastructure (hospitals, Parliament) is a matter of national security. We are a near-perfect testing ground for hostile actors looking to attack Western systems without provoking retaliation.
As a small and open democracy, we have the digital profile of a developed Western state but the geopolitical weight of a small one. Thus, we are big enough to be useful in testing capabilities for hostile adversaries, but not big enough that they fear retaliation, given our limited budget and soft power diplomacy.
An additional layer of this problem lies in our place inside our alliances, particularly Five Eyes (the intelligence network that binds New Zealand, Australia, Canada, the UK, and the United States).
On one hand, it acts as a shield, from which we benefit immensely. We receive early-warning data and access to some of the world’s most sophisticated defensive tools.
On the other hand, it serves as a target. For adversaries such as China, targeting New Zealand’s digital networks offers a way to probe Western defences without striking the big states (e.g. Washington or London) directly. Breaching an allied system, albeit small, can expose software vulnerabilities and test political responses.
In short, New Zealand becomes a proxy battlefield that is protected by its alliances but also targeted because of them.
We are therefore faced with a dependency paradox. We rely on allies and foreign tech giants (Microsoft, Amazon Web Services) for much of our cyber defence architecture, but that very reliance limits our independence.
When the tools of protection and the targets of attack come from the same ecosystem, it becomes difficult to claim sovereignty over your own security.
The National Cyber Security Centre reported a notable rise in incidents throughout 2024, concentrated among small businesses and local authorities. These exemplify the soft targets that hackers use to perfect their methods before scaling up to banks or infrastructure providers overseas.
New Zealand has highly developed connectivity (some 97.5% of individuals connected to the internet as of 2024) but modest investment in cybersecurity. Some experts estimate the government’s total cybersecurity spend is only $30 million to $50m annually, which is considered insufficient compared to the increasing risks.
At the same time, the government has just approved an additional $12 billion of funding over the next four years for the NZDF.
Some reports indicate New Zealand is falling behind other countries, such as Australia, in its cyber defence capabilities. An estimated additional annual spend of $200m to $300m is suggested as necessary to match countries like Australia and the UK on a per-capita basis.
The National Cyber Security Centre, the central agency for incident response, is centrally funded but supposedly under-resourced and shows disconnect across our government agencies.
Public-sector IT systems are fragmented across ministries and councils, with little central co-ordination.
However, this vulnerability could also become an advantage, if the government chooses to treat it strategically and with high priority. New Zealand is unique in that its small size and manageable network landscape make it a potential example for resilience.
A nation of 5 million with a full democracy can, in theory, co-ordinate faster, test cybersecurity policies more effectively, as well as address security gaps more completely than larger bureaucracies elsewhere.
In fact, there is already work being done to upgrade New Zealand’s cyber resilience, the government releasing a three-year road map to support digital infrastructure.
Our existing strengths could act as a regional hub for cyber resilience building, particularly for smaller Pacific nations that face the same risks with even fewer resources.
This would effectively mean bolstering the narrative of cybersecurity as a central part of national resilience, not just an IT risk and as a way to address the centralisation issue. Hospitals, power grids, ports and assets under the jurisdiction of local governments should be treated as critical infrastructure with built-in and connected digital redundancies.
The private sector, which is often overlooked in these debates, (especially small and medium enterprises) also need incentives to invest in cyber protection mechanisms. It is estimated that nearly two-thirds of New Zealand business were hit by a cyber-attack last year.
Strategically, we must also redefine what partnership within Five Eyes means. Intelligence sharing should remain given its benefits, but so should investment in sovereign digital defence capabilities.
New Zealand thrives when it builds smart niches within global systems, and we have proven capability for relatively fast innovation. Centrally framed and thorough cybersecurity must be one of those niches.
Done right, our alliance could be strengthened and act as an example of small state sovereignty through world-leading cyber defence innovation.
— Josh Wynne is a University of Otago alumni now based in Wellington completing a master’s degree in strategic studies.
