Annual Report 2024

Ko Wai Mātou, ā, he Aha Hoki ā Mātou Mahi

Tirohanga Whānui

The Government Communications Security Bureau (GCSB) is New Zealand’s lead agency for signals intelligence (SIGINT) and provides intelligence to government customer agencies. It is also the lead operational agency for cyber security, through the National Cyber Security Centre (NCSC). 

Our mission is to provide our customers with intelligence advantage and cyber resilience to successfully navigate an unpredictable world. The GCSB is a crucial part of how our country makes sense of the world and manages national security threats.

Who We Are – Whakapapa

The GCSB is a public service department, comprised of staff from across New Zealand’s society working in a variety of roles. As at 30 June 2024, we have 596.7 full-time equivalent staff, made up from 605 staff. We strongly value the diversity that each person brings to our mission. Our close connection to the New Zealand Security Intelligence Service (NZSIS) is recognised through our people, with roles in shared functions supporting both the GCSB and the NZSIS. Our whakapapa is built on respect for what has come before and pride in the unique things only we can do for New Zealand.

The GCSB was established in 1977 as an agency under the Ministry of Defence, becoming a stand-alone government agency in 1989, and a statutory agency in April 2003. As a SIGINT agency, whose intelligence is derived from electronic communications, our work continues to evolve alongside technological developments. We continually assess and update our capabilities to ensure they fully contribute to the New Zealand Government’s priorities.

The evolution of technology led to our role in New Zealand’s cyber security. This role originally focussed on support to nationally significant organisations and the public sector. Following the integration of CERT NZ with the NCSC in August 2023, this mandate was expanded to a whole-of-economy remit. We continue to respond to rapidly evolving technology and the security threats New Zealand faces.

Values

Respect

We respect the role that each individual plays in the organisation. We value diversity in all its forms. We treat each other with dignity.

Integrity

We act lawfully and ethically. We are accountable for our actions – both personally and organisationally. We act professionally and with respect.

Commitment

We are committed to our purpose. We are committed to excellence – recognising the contribution of our tradecraft to national security. We are committed to our customers – recognising that our success is measured in their terms. We are committed to our stakeholders – the Government and people of New Zealand.

Courage

We face facts, tell it how it is and are prepared to test our assumptions. We have the courage to make the right decisions at the right time, even in the face of adversity. We are prepared to try new things while managing the risk of failure. We perform at pace and are flexible and responsive to change. 

Ko Wai Mātou

Functions

We use our intelligence collection capabilities, supplemented by intelligence received from partners, to support government agencies in their operations and decision making, and to carry out their legislatively mandated functions. Under the Intelligence and Security Act 2017 (ISA), the GCSB has four core functions:

• Intelligence collection and analysis
• Protective security advice and assistance, including Information assurance and cyber security activities
• Co-operation with other public authorities to facilitate their function, and
• Co-operation with other entities to respond to imminent threat.

Our NCSC works to strengthen New Zealand’s cyber security resilience. This includes ongoing work across Government and critical infrastructure organisations to ensure the data and online services that New Zealand relies on are protected against all hazards and risks. We host the Government Chief Information Security Officer (GCISO) function and provide system stewardship of information security for the public sector.

We are also responsible for providing cyber security advice and education to all New Zealanders, offering support to New Zealanders who have been the target of malicious cyber activity, and for helping to support cyber security resilience in the Pacific.

Funding

We are funded through Vote Communications Security and Intelligence. The Minister Responsible for the GCSB is responsible for the single appropriation within this Vote.

The GCSB’s Statement of Expenses and Capital Expenditure Against Appropriation is on page 64. Unlike other departments, we only provide a total in our annual reports. This is because the ISA provides for intelligence and security agencies to protect certain information, in order to discharge their national security responsibilities effectively.

Public sector agencies were asked to identify savings through the Budget 2024 process. The GCSB will be making savings of $7.62 million per year from 2024/25, through efficiencies in areas such as contractor and consultant spending, training and development, and travel.

In addition, funding of $5.742 million over four years that had been set aside in a tagged contingency for the GCSB in Budget 2023 to expand the mandate of the GCISO to Crown Agents was returned. The GCISO mandate, refreshed by Cabinet in 2023, will not change. This function will continue to be delivered in support of existing mandated agencies.

Te Rautaki Whakahaere

Our organisational strategy came into effect from 1 July 2023. It sets out the contribution the GCSB strives to make to New Zealand’s national security and economic wellbeing, guiding our activities from 2023 to 2027. It has also informed our refreshed performance measures, reflecting our ongoing work to protect and build resilience, catalyse, and be a trusted organisation.

This strategy shaped our work over the reporting year, supporting us to deliver on our mission to equip our customers with the intelligence and cyber resilience necessary to forecast and successfully navigate New Zealand’s changing strategic environment.

Our organisational strategy is formed around six outcomes. Three focus on what we do to protect New Zealand; three focus on ensuring that we are a strong and resilient agency.

• Protect: Tiaki Tangata – We protect New Zealand; our people, infrastructure and information
• Build Resilience: Tiaki Oranga – We build resilience in others so that New Zealand can confidently navigate future security challenges
• Catalyse: Tiaki Hononga – Our products and services are based on customer partnerships and enable real-world outcomes that advance New Zealand’s values and interests
• Resilient – We invest in GCSB’s resilience so that we can better serve New Zealand
• Trusted – We are a trusted and confident organisation. We make a positive impact, and the value we bring to New Zealand is well understood, and
• Future focused – We will ensure we have the right relationships, co-ordination, and tradecraft to respond to and counter both existing and emerging threats.

These outcomes are underpinned by our six key shifts. Through pursuing our strategy these are the key shifts we will achieve for New Zealand.

Key Shifts

1. Deep insights on regional security – for New Zealand and for the Pacific. We will prioritise our work on 
   regional security to ensure the New Zealand Government has deeper insight and forewarning on the array of security challenges facing the Pacific. We will develop our role in building regional resilience by providing support to government agencies whose responsibilities include responding to security issues in our region.
2. Consolidate national cyber security leadership. We will establish the GCSB’s role as the lead agency for cyber security 
   operations in New Zealand. We will consolidate reporting pathways and response triage for cyber security incidents. 
3. Embed our responsibilities as a Treaty partner to advance cyber resilience with iwi, hapu and Māori organisations. We will work with partners to define and give effect to our role in lifting the cyber resilience of iwi, hapu and Māori organisations.
4. Lift New Zealand’s ability to keep pace with emerging technology risks and opportunities. We will employ a more structured 
   approach, which combines insight from all of the GCSB’s functions and capabilities, to assist the Government to keep pace with the risks and opportunities that emerging technologies present to New Zealand. 
5. Catalyse our customers’ use of intelligence. This strategy is designed to get the GCSB working in a cross-mission way, so that our customers benefit from the full range of what we have to offer. We will join the dots for our customers, including on how they can use our products, advice and services.
6. Positioning ourselves to effectively meet security challenges and increased demand. We have a focus on continuing to make the GCSB a great place to work, prioritising our recruitment and our physical work environment. We will modernise our workplace, enhancing how we connect and collaborate with our customers, partners and suppliers and build adaptability to short-term shocks and longer-term changes in our operational environment. As part of our commitment to improve public trust and understanding of the value we bring to New Zealand, this year we made our strategy publicly available on the GCSB website.

Te Whanaketanga o te Ao Māori

The GCSB and the NZSIS have a shared Te Ao Māori team, which played a pivotal role in the reset of our organisational strategy. This ensured that kaupapa Māori principles are woven into objectives and waypoints aimed at improving national security outcomes for iwi, hapū, Māori partners and organisations.

The GCSB has set three initial objectives for this kaupapa:

• Continue to build positive relationships with iwi at each of our locations
• Work with iwi and Māori organisations to support them in securing their digital information and systems, and
• Continue to build the GCSB’s own cultural competence.

Ō Mātau Rangapūtanga

Domestic Partnerships

As part of New Zealand’s national security community, we work together with a range of agencies and organisations to help enhance our national and regional security. The GCSB, along with the NZSIS and the National Assessments Bureau within DPMC, form the core national intelligence, assessment and protective security functions within the New Zealand Intelligence Community (NZIC).

We work most closely with the NZSIS, sharing a number of enablement functions including People and Capability, Technology Directorate, Financial and Commercial Services, as well as a Security Services Group. The majority of shared enablement staff are employed by the GCSB but work equally across both agencies. This is aided by our agencies’ co-location.

Together with the NZSIS, we published a Joint Statement of Common Purpose this reporting year. While the GCSB and NZSIS each has its own strategic focus and unique identity, the nature of our work and the complex threat environment we face create a strong partnership between us. Our joint statement speaks to the functions we share and our commitment to aligning with each other for greater national security outcomes.

We also work alongside other agencies, such as New Zealand Police, New Zealand Customs Service, and Immigration New Zealand, to contribute to our national security and the wellbeing of New Zealanders.

The NCSC engages with organisations in the public sector, to help build understanding of their cyber security risk and provide guidance. We partner with other system leaders such as the Government Chief Digital Officer and the Government Chief Data Steward to facilitate public service digital transformation. We partner with the private sector to deliver our cyber defence capabilities at scale. We also engage with the digital supply chain to increase cyber resilience for New Zealand users.

As the government lead for information security, we partnered with the NZDF for the construction of the all-of-government data centre at RNZAF Base Auckland (Whenuapai). Once completed, this data centre will house protected information for a broad range of government agencies.

The NZIC has a crucial role to play in understanding the threats New Zealand faces and how to guard against those threats. By providing unique intelligence insights to policy and decision makers, the NZIC contributes to building a safer and more prosperous New Zealand.

To support the objective of enhancing national security, the NZIC strives to advance New Zealand’s international interests and reputation. We articulate New Zealand’s national security priorities and interests on a global stage in our work with international partners.

International Partnerships

The reporting year has seen the beginning of a foreign policy reset by the New Zealand Government, reflecting the changing geostrategic landscape and the role New Zealand plays in this. Any cooperation and intelligence sharing with international partners is subject to New Zealand’s laws, including human rights obligations, and to the laws of partner countries that share information or other support with us.

We value the international partnerships we have with like-minded states. Our relationships with a range of regional and international security and intelligence partners are significant to New Zealand. This includes the international intelligence and security partnership known as the Five Eyes, which is comprised of New Zealand, Australia, Canada, the United Kingdom, and the United States of America.

The Five Eyes partnership has been an instrumental part of New Zealand’s intelligence and security activities since World War II. The partnership began as a cryptologic venture to share efforts and results in code breaking (and code making) during the war. The Five Eyes partnership remains fundamental to the GCSB’s work to support New Zealand’s national security interests and ensure the wellbeing of New Zealanders both at home and abroad. We could not deliver our current level of intelligence and security activity alone.

While New Zealand receives great benefit from the Five Eyes intelligence partnership, it also makes a unique and valued contribution to global efforts.

Our engagement with international partners aligns with New Zealand’s foreign policy and the New Zealand Government-set National Security Intelligence Priorities. These are enduring priorities across successive governments, subject to rigorous oversight.

National Security Intelligence Priorities

Whakaarotau Marumaru Aotearoa

We work to the New Zealand Government’s National Security Intelligence Priorities – Whakaarotau Marumaru Aotearoa (NSIPs). These define key areas of national security interest, assisting agencies with related roles to make informed, joined-up decisions. These NSIPs were agreed by Cabinet in June 2023. Further information about the NSIPs is available on the Department of the Prime Minister and Cabinet (DPMC)’s website.

Our work is guided by, and contributes to, all of the NSIPs:

1. Economic Security
2. Emerging, critical and sensitive technology
3. Foreign interference and espionage
4. Malicious cyber activity
5. Maritime and border security
6. National security implications of climate change
7. National security implications of disinformation
8. New Zealand’s strategic interests in the Indo-Pacific region
9. Pacific resilience and security
10. Space security
11. Strategic competition and the rules-based international system
12. Terrorism and violent extremism
13. Threats to New Zealanders overseas
14. Transnational serious and organised crime.

Te Rarapa i te Tau

• 10,334,448 Cyber threats disrupted by Malware Free Networks®.
• 343 Cyber security incidents triaged for specialist technical support because of the potential to cause high impact at the national level.
• 6,779 Cyber security incidents handled through general triage process, often affecting individual New Zealanders or small to medium businesses. 
• 30 Vulnerability alerts published.
• $38.8m Approximate harm prevented through CORTEX.
• 143 Network change proposal notifications.
• 21 Assessments of regulated space activities.
• 74 Assessments of regulated radio spectrum activities.
• 27 Intelligence warrants.