Annual reports

GCSB Annual Report 2025

This is the annual report of the Government Communications Security Bureau (GCSB) for the year ended 30 June 2025.

Assessment of operations

Part A: Implementing the Government’s priorities

The GCSB works to the New Zealand Government’s National Security Intelligence Priorities – Whakaarotau Marumaru Aotearoa (NSIPs). These define key areas of national security interest, assisting agencies with related roles to make informed, joined-up decisions.

Baseline savings

The GCSB’s baseline was reduced by $7.62 million in 2024/25 through the Budget 2024 Initial Baseline Exercise. We achieved the savings targets through efficiency savings that could be managed without having a significant impact on operational activity, for example, by reducing spend on contractors and consultants, training and development, travel, and reduced financial contingencies. 

Part B: Assessment of operations

Intelligence advantage

As New Zealand’s signals intelligence (SIGINT) agency, our role involves collecting and analysing electronic communications of relevance to our objectives to produce intelligence. We also get great value from intelligence sourced through our international partnerships.

We provide a range of intelligence products across all NSIPs under our function to contribute to the protection of New Zealand’s national security, international relationships, economic wellbeing and the safety and security of New Zealanders.

Our legislation enables us to seek authorisation to carry out a range of activities to obtain intelligence including intercepting communications, receiving intelligence from our international partners, and accessing information infrastructures to retrieve digital information directly from where it is stored or processed. We can also seek assistance from telecommunications network operators and service providers to give effect to our authorisations.

Strategic competition

The GCSB works closely with the NZSIS and the wider national security system to understand how New Zealand’s people and sovereign structures are at risk from national security issues including the foreign interference activities of other states. The NZSIS leads the NZIC’s efforts to identify and understand foreign interference activity by other governments.

Regional Security

What happens in the Pacific has a fundamental impact on New Zealand’s own national security, prosperity and identity. The GCSB provides intelligence reporting in relation to New Zealand’s interests in the South Pacific. This focuses on providing support to other government agencies whose responsibilities include responding to security issues in the Pacific region.

Transnational Serious Organised Crime

The GCSB provides intelligence and technical assistance to the New Zealand Customs Service (Customs) and New Zealand Police (NZP) to help counter Transnational Serious Organised Crime (TSOC). 

This interagency work strongly aligns with the GCSB’s key objectives, which include contributing to the protection of New Zealand’s national security and wellbeing, and supporting the safety and security of New Zealanders at home and abroad. 

Counter-terrorism

The GCSB’s counter-terrorism effort has both a foreign and a domestic focus, aimed at ensuring New Zealand, New Zealanders, and our interests overseas are protected from violent extremism. Internationally, we continue to make a unique and highly valued contribution to global counter-terrorism efforts. 

Violent extremist attacks worldwide continue to be inspired by online extremist rhetoric. The spread of extremist content and ideologies online remains a threat to New Zealand’s security.

Support to the New Zealand Defence Force

We contribute to NZDF efforts to detect and counter threats to New Zealand military personnel deployed overseas.  

Cyber Resilience

One of our core functions is to provide cyber security advice and assistance for all New Zealanders, which is delivered through our National Cyber Security Centre (NCSC). The NCSC was established in 2011 to support nationally significant organisations to improve their cyber security and resilience.

In July 2023, Cabinet determined New Zealand’s Computer Emergency Response Team (CERT NZ) would be integrated with the NCSC, strengthening the GCSB’s role as the New Zealand Government’s lead operational cyber security agency.

The formal integration programme was completed by 30 June 2025. This programme has unified our functions to consolidate our view of the operating environment, create a unified cyber security incident response service, and offer an authoritative voice from the New Zealand Government on cyber security. This is a positive step for New Zealanders, as it simplifies the process of getting help in response to cyber security concerns.

We recorded 5,995 cyber security incidents this reporting year, of which 331 had the potential to cause high impact at the national level. Of these, at least 25 percent indicated links to state-sponsored actors, while at least 41 percent were likely criminal or financially motivated. The motivations of the remaining 34 percent remained unclear at time of reporting, but could also be state-sponsored, or criminally/financially motivated.

We help raise New Zealand’s collective cyber resilience against incidents through three main approaches:

  • we support New Zealanders and New Zealand organisations to act on informed decisions
  • we work with key players to build a resilient cyber security ecosystem, and
  • we use our mandate and specialist capabilities to counter the most serious harms.

Further information about our work under each of these approaches is outlined below.

Supporting New Zealanders and New Zealand organisations

We provide cyber security advice and education for all New Zealanders and New Zealand organisations. We focus on encouraging people to implement the most effective cyber security behaviours that would protect them from the vast majority of the cyber security threats they are likely to face. We also commission independent research to measure the uptake of these behaviours amongst individuals and small to medium enterprises, and we use this to tailor our engagement approach.

Our incident management function plays a vital role in safeguarding against cyber security threats that could impact our national security and wellbeing. We triage incidents according to their potential national impact, engage with victims to understand the scope of the activity, and provide targeted support throughout the incident’s lifecycle. For incidents with potential national level impact, this involves performing investigations and providing recommendations to support malicious activity containment, remediation, and recovery.

Key achievements

During 2024/25, we:

  • Responded to 5,995 cyber incidents
  • Ran a “Scamathon” campaign in this year’s annual Cyber Smart Week event (see page 17)
  • Launched BOSS – the Business Online Safety Series – to help small businesses start their cyber security journey
  • Published cyber security guidance for high-profile individuals [1], and
  • Joined the Anti-scam Alliance, a group of government agencies and private sector organisations working to improve New Zealand’s ability to prevent and respond to online financial scams [2]

[1] Producing this guidance for high-profile individuals was one of the recommendations of a review undertaken into our practices and procedures for our response to cyber security incidents, following phishing activity targeting members of the Inter-Parliamentary Alliance on China.

[2] As not all scams are cyber security issues, the GCSB’s work in relation to addressing online financial fraud is on cyber-dependent crime, rather than cyber-enabled crime. Our expertise and resources are focused on cyber security threats and vulnerabilities, as well as raising cyber security resilience in New Zealand. We continue to deliver a range of existing cyber security services that help individuals and organisations better protect themselves from cyber security threats.

Support to victims of cyber security incidents

This year we recorded 5,995 cyber incidents. To understand the impact of any one incident, we triage incidents into categories based on the severity of the compromise and the size of the impact, ranging from C1 (a national cyber emergency) to C6 (a minor incident). We did not record any C1 or C2 incidents this year, but did record eleven C3 incidents.

Our work in 2024/25
Case study

The Scamathon campaign

Context

Our annual Cyber Smart Week event took place in October 2024. For this year’s event, we created the “Scamathon” campaign.

While New Zealanders consider cyber security to be important, our research showed that many people are not proactively keeping themselves secure online. In particular, our research showed that New Zealanders are not implementing some of the most impactful cyber security behaviours:

  • Only 42 percent of New Zealanders feel vulnerable to cyber attacks
  • 32 percent do not use two-factor authentication
  • 30 percent admit to using weak passwords
  • 43 percent reuse passwords between different online accounts

What we did

To increase the uptake of these cyber security behaviours, we ran a “Scamathon” campaign to show New Zealanders that we are all vulnerable to cyber attacks and to highlight the importance of having strong, unique password practices, as well as two-factor authentication.

Our impact

Independent market research, commissioned by the NCSC, showed that 15 percent of New Zealanders saw the campaign within the first month, and that 62 percent of those people took action to improve their cyber security as a result of the campaign. Examples of actions were updating their passwords and enabling two-factor authentication. 

Over 1,300 businesses supported Cyber Smart Week – an increase from 1,200 last year. During the reporting period, research suggests the campaign reached a total of 1.97 million New Zealanders and had 9.2 million media impressions.

Building a resilient cyber security ecosystem

We work closely with key players in New Zealand’s IT and communications ecosystem to build the resilience of New Zealand’s cyber security ecosystem. These include government agencies, telecommunications network operators, critical infrastructure providers, and the digital supply chain. Decisions made by these key players have an outsized impact on the cyber security of all New Zealanders, and can also drive cyber security uplift in other areas of the economy.

Through our role as Government Chief Information Security Officer (GCISO), we provide system stewardship of information security for the public sector. We also provide national security advice to inform regulatory decision-making on technology investment in areas critical to New Zealand’s national security.

Through our Pacific Partnerships Team we work with Pacific states to help improve their cyber resilience. This reflects the importance of a secure and resilient Pacific, and the value of our partnerships with our Pacific neighbours. Our Pacific Partnership Programme supports institution building, workforce development and awareness raising and leads New Zealand’s engagement in regional cyber security. This includes co-chairing the workforce capability working group of the Pacific Cyber Security Operational Network (PACSON) and delivering its annual awareness raising campaign.

Key achievements
  • In October 2024, we launched the Vulnerability Insights Programme: a service that proactively scans for and notifies customers in the public sector about cyber security vulnerabilities affecting their systems. Since launch, we have expanded coverage to scan over 200,000 devices across 122 organisations. In addition to monthly vulnerability reports for these organisations, we issued 92 alerts for high-impact vulnerabilities within 24 hours of identification. We have observed organisations patching or disabling vulnerable services after receiving reports, with positive feedback from customers relating to the discovery of vulnerabilities previously unknown to their organisations.
  • We began consultation with government agencies on Minimum Cyber Security Standards, ahead of future publication. These standards will provide greater clarity for GCISO-mandated agencies about where to prioritise cyber security efforts. The standards are designed to focus on the basics, to create visibility of cyber security practices, and to drive an uplift. Reporting on the standards will provide system level insights; we will use this to improve our products and services.
  • We co-chair Security Information Exchanges to share cyber security insights and best practice specific to different sectors. This year, we established two new groups and co-chaired 29 such exchanges across eight sectors: energy, finance, government, network providers, universities, transport and logistics, water, and health.
  • We published 15 advisories with our international partners to raise awareness of cyber security threats and provide information of value to cyber defenders to mitigate malicious cyber activity. This included co-publishing advice with the Australian Signals Directorate to help organisations prepare for and respond to denial-of-service attacks, after we observed New Zealand organisations being increasingly targeted by such attacks last year.
  • We continued to provide national security advice and risk assessments this year to inform regulatory decision-making on technology investment.

Our work in 2024/25

| Activity | 2020/21 | 2021/22 | 2022/23 | 2023/24 | 2024/25 |
|---|---|---|---|---|---|
| Number of network change proposal notifications received and processed under Telecommunications (Interception Capability and Security) Act 2013 | 141 | 179 | 159 | 143 | 122 |
| Number of assessments of regulated space activities under the Outer Space and High-altitude Activities Act 2017 | 29 | 19 | 20 | 21 | 25 |
| Number of assessments of regulated radio spectrum activities under the Radiocommunications Act 1989 | Not recorded | 55 | 45 | 74 | 65 |
| Number of proposals for overseas investment that we provided advice on under the Overseas Investment Amendment Act 2021 | 69 | 42 | 42 | 39 | 46 |

Countering serious harms

We have the mandate, relationships and capability to understand and counter the most serious potential cyber security harms New Zealand faces. Where we have visibility, we can identify threats to New Zealand systems, and can block or remediate these threats before they can cause an impact. We also work with other government agencies to ensure that New Zealand’s classified information is protected.

Key achievements
  • Our cyber defence capabilities – including our CORTEX suite of detection services and flagship Malware Free Networks® (MFN®) threat detection and disruption service – continued to prevent harm to New Zealanders this year.
  • Our CORTEX suite of services prevented approximately NZ$47.9 million worth of harm to New Zealanders in 2024/25.
  • A combined total of 473.4 million malicious cyber incidents have now been disrupted through MFN. This is a significant increase from last year’s cumulative 10 million disruptions, and 390,000 cumulative disruptions the year before. MFN helps New Zealanders avoid costly security incidents and makes a real difference to everyday New Zealanders’ lives. These figures reflect our efforts to automate the disruption of malicious cyber activities through MFN that have been detected through CORTEX. 
  • We help ensure New Zealand’s most sensitive communications are not intercepted or compromised. We carry out accreditation services to check that highly classified information systems and sites are safe and secure for use, and undertake inspections to counter the potential for hostile actors to intercept information through eavesdropping, video surveillance, or the collection of unintentional emanations signals from ICT equipment. 

Part C: Year-end performance information on appropriations

How we measure performance

Reporting entity

The GCSB is a New Zealand government department as defined by section 5 of the Public Service Act 2020. The relevant legislation governing our operations includes the Public Finance Act 1989, Public Service Act 2020 and Intelligence and Security Act 2017.

The GCSB is New Zealand’s lead agency for signals intelligence (SIGINT) and lead operational agency for cyber security. We do not operate to make a financial return, and we are a Public Benefit Entity (PBE) for performance reporting purposes.

Our performance framework (see page 10) sets out how we measure, track, and report on our strategic intentions and outcomes. We measure the services we provide to the Government, our customers, and the public that support us to achieve these outcomes. We measure our outputs across these outcomes.

We are funded through one appropriation, Vote Communications Security and Intelligence. The appropriation contains a group of output performance measures and standards to assess how well we deliver our services and activities.

The majority of our performance information is classified and cannot be released publicly. Where performance information is unclassified and can be released, it is set out in the following pages (pages 20-25).

Statement of Compliance

Our performance information is prepared in accordance with Tier 1 PBE accounting standards, which have been applied consistently throughout the 2024/25 financial year.

This includes compliance with the new PBE FRS 48 Service Performance Reporting standard. The standard sets principle-based requirements around the selection and presentation of performance information that is appropriate and meaningful to readers.

Critical reporting judgements, estimates, and assumptions

We use a framework of performance measures to help us achieve outcomes for New Zealand, contribute to Government priorities, improve outcomes for customers and deliver high-quality services. The measures included this year help assess our progress and results.

Our performance measures are reviewed each year. Performance measures are selected through consultation with subject matter experts with consideration for measures that best demonstrate performance against our key functions and activities, the availability of data and relevance to the result or outcome we are trying to achieve. We have discretion to select our measures and targets.

For comparability and consistency, we maintain a core set of performance measures each year. This allows us to compare performance from prior years and maintain visibility of critical performance areas over time.

Contextual information

We have included comparison of our 2024/25 performance measures against the results for 2023/24. The 2024/25 actual results in this section are audited. The 2023/24 comparative results are unaudited.

We provide additional information to explain any significant changes in performance or where standards have not been met.

Minister satisfaction surveys

In keeping with the Policy Quality Framework provided by the Department of the Prime Minister and Cabinet (DPMC) we survey our Minister each year to assess their satisfaction with the policy advice and ministerial servicing we provide (page 23). The survey measures our Minister’s satisfaction across four areas on a five-point scale. The survey is amended slightly from DPMC’s Ministerial Policy Satisfaction Survey to reflect the Minister’s role in signing intelligence warrants. The survey was completed by the Minister Responsible for the GCSB in July 2025.

How we performed against our output measures

| Impact | Standard | 2025 Results | 2024 Results |
|---|---|---|---|
| New Zealanders' ability to secure their information technology systems and infrastructures continuously improves | There is a year-on-year increase in consumption of NCSC’s content and services (measured by web traffic, social media engagement, and advisory subscribers) | Achieved | Not achieved |

Assessment of achievement

On average, there was a 4.47 percent increase in the consumption of NCSC’s content and services this year. This considers the following statistics:

  • Website visits increased by 15.10 percent
  • Twitter followers went down by 13.87 percent
  • Subscribers to four CERT NZ channels went up 12 percent.

In 2024, our content consumption was 86 percent, which was 7 percent lower than the previous year (93 percent). This was due to:

  • Heightened traffic in 2022/23 caused by national and international cybersecurity events that were not repeated in 2023/24
  • An increased cost in advertising, reducing the potential reach of our advertising, and
  • The reduced popularity of X (formerly Twitter) as a social media platform this year.

| Impact | Standard | 2025 Results | 2024 Results |
|---|---|---|---|
| Nationally Significant Organisations embrace technology responsibly and securely | Regulatory responsibilities fulfilled in accordance with service agreements 95 percent of time. | | |
| | 95% of responses made to notifications made under section 48 of the Telecommunications (Interception Capability and Security) Act 2013 provided in 20 days or less | 95% | 99% |
| | Percentage of national security risk assessments completed within 30 days of receiving an application under the Outer Space and High-altitude Activities Act 2017 | 100% | 100% |
| | Percentage of national security risk assessments completed within 50 days of receiving an application under the Outer Space and High-altitude Activities Act 2017 | 100% | 100% |
| | Percentage of advice provided to the Overseas Investment Office within 10 working days of receiving notification of the transaction | 98% | 97% |

Notes:

The purpose of the Telecommunications (Interception Capability and Security) Act 2013 (TICSA) in relation to network security is to prevent, mitigate, or remove security risks arising from the design, build, and operation of public telecommunications networks, or from the interconnection of public telecommunications networks to networks in New Zealand or overseas.

The TICSA established obligations for New Zealand’s telecommunications network operators regarding network security. The Director-General of the GCSB has a regulatory role for network security under Part 3 of the TICSA. Part 3 of the TICSA also established a framework under which telecommunications network operators are required to engage with the GCSB about network changes or developments to their networks in areas of security interest. Many of these changes are currently driven by cloud adoption, increased demand for remote working, the rollout and expanded capacity of fibre optic cabling, and the transition to 5G services.

We work closely with the NZSIS to conduct national security risk assessments for the growing space industry under the Outer Space and High-altitude Activities Act 2017 (OSHAA), and Radiocommunications Act 1989. This national security risk assessment advice is used to inform Ministers.

Foreign direct investment is regulated by the Overseas Investment Office within Land Information New Zealand. Overseas investments are broadly considered to provide positive outcomes for New Zealand. However, foreign investment occasionally involves risks, including national security risks.

Both the GCSB and NZSIS support the Overseas Investment Office by providing national security advice on transactions which have been referred or notified under the Overseas Investment Amendment Act 2021. We work with the NZSIS to provide assurance to decision makers, as well as ensuring that investment into some of New Zealand’s most important and sensitive assets is done in a way that considers national security.

Assessment of achievement

  • The GCSB received 122 notifications under TICSA. We responded to 95% within 20 working days or less.
  • The GCSB received 25 notifications under OSHAA. We responded to 100% within 30 working days and 100% within 50 working days.
  • The GCSB received 46 notifications from the Overseas Investment Office. We responded to 98% within 10 working days.

| Impact | Standard | 2025 Results | 2024 Results |
|---|---|---|---|
| The Minister responsible for the GCSB receives best possible advice | The Minister Responsible for the GCSB rates GCSB’s advice at least 3.5 (average) on a 5-point scale. | Achieved (4.46) | Achieved (4.6) |

We survey our Portfolio Minister each year to assess their satisfaction with the advice we provide. The survey measures Ministerial satisfaction across four areas: general satisfaction, quality of advice, warrants, and overall performance.

Outcome: Social licence from New Zealand’s public allows GCSB to operate effectively

| Impact | Standard | 2025 Results | 2024 Results |
|---|---|---|---|
| Oversight agencies are confident in GCSB's legal compliance | The Inspector-General of Intelligence and Security (IGIS) rates GCSB's compliance performance at or above the well-developed level in at least four of the five headings in the IGIS Annual Report certification of compliance systems. | Achieved | Achieved |

Notes

The IGIS rates the GCSB’s compliance across five categories, with a rating assigned from a four-level scale: strong, well-developed, under-developed, inadequate. 

To achieve this measure, the GCSB must be well-developed or strong in four of the five categories. 

Assessment of achievement

As at 30 June 2025, the IGIS provided the following ratings for the GCSB’s compliance performance. 

  • Operational policy and procedure: Under-developed
  • Internal compliance programmes: Well-developed 
  • Self-reporting and investigation of compliance incidents: Well-developed 
  • Training: Well-developed
  • Responsiveness to oversight: Well-developed

These ratings will be confirmed when the IGIS Annual Report is published following the Prime Minister’s presentation to the House. The IGIS notes the ratings are extremely unlikely to change.

| Impact | Standard | 2025 Results | 2024 Results |
|---|---|---|---|
| GCSB meets its legal obligations: Official Information Act 1982 | 100 percent of OIA requests are completed within the legislated timeframe | Not achieved | Achieved |
| | More than 50 percent of Ombudsman complaints are resolved or found in favour of the GCSB | Achieved | Achieved |

Assessment of achievement

The GCSB completed 68 OIA requests during the performance year, with a median response time of 20 working days. The GCSB responded to 98.5 percent of requests within the legislated timeframe, with one request responded to late.

The GCSB was notified of two complaints to the Office of the Ombudsman during the reporting period. Both complaints were resolved with the Ombudsman finding in the GCSB’s favour: one by 30 June 2025 and the other after 30 June 2025.

One complaint was resolved with the Ombudsman finding in the GCSB’s favour; the other was resolved in the GCSB’s favour outside of the reporting period.

| Impact | Standard | 2025 Results | 2024 Results |
|---|---|---|---|
| GCSB meets its legal obligations: Privacy Act 2020 | 100 percent of Privacy Act requests are completed within the legislated timeframe | Achieved | Achieved |
| | More than 50 percent of investigations by the Office of the Privacy Commissioner found that GCSB did not breach the Privacy Act and cause the complainant | Achieved | Achieved |

Assessment of achievement

The GCSB completed 34 Privacy Act requests during the performance year, with a median response time of 12 working days. All requests were responded to within the legislated timeframe.

The GCSB was not notified of any complaints to the Office of the Privacy Commissioner during this period.