'Not secure': NZTA needs millions to update core IT systems

Several transport technology systems were old or unsupported by suppliers.
Several transport technology systems were old or unsupported by suppliers. Photo credit: Getty

By Phil Pennington of RNZ

The Transport Agency needs millions of dollars to update old IT systems that provide crucial road safety information.

Documents released to RNZ under the OIA say several core regulating systems "are not secure and/or are past end of life".

This comes on top of the 2018-19 annual report that warned: "We need to reduce critical technology risks ... A critical risk rating means that it is possible the Transport Agency's technology systems may stop performing, in part or whole, and may not be recoverable for extended periods (weeks or months), with extreme consequences."

The agency refused on security grounds to identify for RNZ just which systems are most at risk, and the office of Transport Minister Phil Twyford office refused, too, on the same grounds.

"Doing so would identify the systems used and maintained, and their vulnerable points ... someone could go looking to exploit these," his office said by email.

The alarm has been sounding for months, if not years.

The OIA documents from mid-2019 give a glimpse of a crisis around the back-up systems meant to make roads safer, at a time when the government has announced billions of dollars for road building.

Several systems in both corporate and transport technology areas were old, unsupported by suppliers, and untested when it came to standing up to a disaster like an earthquake, reports said.

If funding was not available "then the systems run the risk of failure with no ability to recover for extended periods and thereby increasing the risk related to safety on the network", a chief executive's report to the board said.

A regulatory review last October outlined old systems that could not talk to each other, to, for instance, raise an alert if someone who had lost their licence was trying to get a warrant

The documents said up to $120m was needed just to stabilise existing systems, but only $22m was available for the 2019-20 year.

This reflected "historical and long-term underfunding of maintenance and upgrades" that were now needed as a "matter of some urgency".

"The above investments in Corporate and Transport Technology are aimed at stabilising our existing technology and are not about building for the future."

The agency has not provided an update to the risk advice or the funding shortfall figures, as requested by RNZ.

A few of the vulnerable systems are named in reports just as acronyms, but the motor vehicle registers are also among them. These registers were described as "near collapse" when the MOT passed them to NZTA for $1 some years back; just last year reviewers concluded they "were and are a liability", contributing to TA's "lack of data integrity".

The reports summarised the twofold problems as, old technology poorly maintained, and expensive upgrades on hold.

This presented a two-prong chronic risk of failure or breakdown, and acute risk from disaster like a quake.

Minister's statement

The Transport Minister Phil Twyford did not provide funding figures, but said in a statement:

"The Transport Agency advises they have sufficient funding to continue critical maintenance for their technology applications, and they are working with the Ministry of Transport and Treasury to secure additional funding to make the needed upgrades."

He blamed underfunding on the previous government.

RNZ has requested from the minister the latest technology risk assessments. The agency would not release these. It also gave commercial sensitivity reasons for refusing to release information under the OIA.

Twyford said he had told the board to address the problems and it was.

The agency is now shifting to cloud-based services that don't face the same on-premises risks.

An independent inquiry last year found that TA's disgraced and now-defunct high-tech Connected Journeys Solutions unit railroaded through its selection of a cloud service provider, then implemented it poorly without proper security or cost controls.