[Check against delivery.]
Good afternoon Chairman and Committee members.
Thank you for the opportunity to address you briefly today on the GCSB’s year under review, and to answer any questions you may have.
I have been the Acting Director of GCSB since the end of February this year and have been privileged to lead this organisation for the past 10 months. As you know, I will finish this acting role in February next year, so this will be my last appearance before the Intelligence and Security Committee (ISC).
The Bureau is an organisation that few people will ever know just how important a role it plays for the safety and security of New Zealand and New Zealanders. I have been impressed by the people at the Bureau who deliver on the mission. They get to do some incredible things in assisting Government to make high quality, intelligence-led decisions for the benefit of all New Zealand, and in protecting information that is of enormous value to our country.
They do it with humility and no expectation of recognition. They are smart, they care, they help others, and they enjoy testing themselves.
Turning to the year under review, 2014-15: it was a year of consolidation for the GCSB and also a significant step forward in openness and transparency about what we do.
We finished implementing the recommendations of the 2013 Review of Compliance, and bedded in amended legislation and the policies and processes associated with those amendments.
When the Inspector-General recently certified in her Annual Report for the year under review that GCSB’s compliance systems and processes are “sound”, that was a cue for the staff to be very proud of what we have achieved. This is a major achievement when you consider the Review of Compliance was completed a little over two years ago and found our compliance systems and processes wanting.
We have continued to drive organisational improvement through implementing the Performance Improvement Framework (PIF) Review findings. That includes greater cooperation within the New Zealand Intelligence Community (NZIC) to deliver better, coordinated, and more efficient outcomes for Government.
The last time I appeared before this Committee in March this year, I committed to GCSB being more open about what we do. We have delivered on that commitment.
We have delivered speeches to interest groups, at other organisations’ conferences open to the public, responded to media requests for information, and visited community organisations and education institutions.
We have heard, and are responding to, public calls for greater transparency. That remains a focus for both GCSB and the NZIC more broadly. We are changing our default mode to being generally open about things, unless we cannot be for operational and security reasons.
Transparency and openness are not entirely straightforward in the security environment, but we remain committed to them as concepts underpinning our work.
Our adversaries are increasingly “going dark”, using encryption and fast changing technology platforms to avoid detection. We have to ensure that we do not inadvertently increase our vulnerabilities to people who do not have New Zealand’s best interests at heart by revealing our sources, methods or targets. We don’t want people we are gathering foreign intelligence on, or defending computer networks from, to know that we are looking at them or how we are doing that. We don’t even want them to know what we are or are not capable of.
But we do want to be open – to the extent that is possible – with the New Zealand public about the important work we do, how the system is governed and overseen, and what they can expect from their intelligence agencies. That’s an important part of building informed public debate about the work we do.
Getting the balance between security – which can look like secrecy to some – and transparency right is not always easy. But the rigorous authorising regime in the Act and the independent oversight functions now embedded in the system are the answer to the tensions in that balance.
Where we cannot be open to the public about what we are doing, we are certainly open to significant, strong and independent oversight: by this committee, by the Inspector-General of Intelligence and Security, the Ombudsman, the Privacy Commissioner, the Commissioner of Security Warrants, and the Auditor-General. These systems of independence and/or oversight are important for the health and trustworthiness of the system, and we welcome them.
This year has seen considerable advances in understanding the cyber threatscape and defending New Zealand infrastructure networks from attacks.
These threats continue to evolve and challenge us – but implementation of the CORTEX cyber defence programme has been happening during the year and allows a strong platform from which to support and protect organisations of significant importance to New Zealand. The CORTEX programme is something I have been speaking about more publicly in this Financial Year (not the one under review). It was commenced in the year under review and is going very well.
CORTEX is a project to counter cyber threats to organisations of national significance. That is its sole purpose. The CORTEX cyber defence programme is making a significant contribution to protecting both New Zealand’s economy and security. GCSB implements technical capabilities to protect those organisations against advanced malicious software – here we are focusing on countering foreign-sourced malware that is particularly advanced in terms of technical sophistication and/or persistence. The capabilities allow advanced malware to be detected and/or disrupted.
All CORTEX capabilities are authorised by the warranting process – as set out in the Act – which requires the agreement of both the Minister and the Commissioner of Security Warrants. But, also – and importantly – the customer who is to receive the CORTEX capability must agree to receive the network protection capabilities. So both things must be in place before we can engage in CORTEX – warranted authorisation and the customer’s consent.
Also, we make sure we take what we are learning about these advanced and persistent cyber attacks and let people know so that they can take steps to protect themselves. Of course we may have to do some work to declassify the information, but once we have done that we issue public advisories (on our website) and also approach those sectors that might be affected by a new malware to alert them. We work closely with both the public and private sectors to share the information we obtain about cyber threats – and vice versa – to enable us all to better assist and protect our country’s networks. The National Cyber Security Centre (NCSC) is now conducting well attended ‘super briefs’ where we hold short, regular briefings for key Government information security partners on current operations, incidents, and what we are learning about cyber threats and mitigation options.
I have been doing a lot of engagement with the private sector this year on CORTEX; our customers tell me they value the support we provide, both in terms of technical cyber capabilities, and in terms of the information sharing we can conduct to ensure we all benefit from what we are learning about cyber threats and how to counter them.
CORTEX is going really well. We have recently posted on our website some detailed FAQs and a privacy impact assessment to let people see more detail about what CORTEX is, and (importantly) what it is not.
Also on the cyber security front, we have a role as regulator under the Telecommunications (Interception Capability and Security) Act 2013’s (TICSA) network security provisions, which is now well implemented. Under the Act network operators who wish to make a potentially significant change to their network configuration must notify the Bureau. We have to consider the proposal and advise on any security concerns we have with the proposal. Proposals that cannot adequately mitigate against the security concerns may not be made.
We have increased our capability and capacity – and our engagement with the sector – in this area. We have consulted with the sector over our approach to their notifications. We have set our service levels, which we are consistently meeting, or beating. According to the feedback we receive from the regulated network operators, we are delivering well to their expectations. Not always easy when you are the regulator, so a great outcome for the Bureau.
The changing cyber threatscape is not a problem for New Zealand alone – it is an international issue. We work closely with our Five Eyes partners to share technology, training, expertise and understanding of current threats.
The 2014/15 year has seen us working much more collaboratively with our NZIC colleagues in reviewing our delivery of foreign intelligence product. We are committed to ensuring we provide intelligence product to our customers that is high quality, given at the right time, to the right people in Government and in accordance with Government priorities, and relevant to our customers’ decision-making context. This focus on our customers, throughout the NZIC, is a significant response to the PIF report I have mentioned.
We have also provided timely and critical foreign intelligence reports to policy-makers and decision-makers, including on matters relating to security and stability in the South Pacific.
In the year ahead, we look forward to making further progress on our key strategic initiatives, as well as continuing to work on issues arising from the NZIC Performance Improvement Framework report. We will also continue to be focused on the review of legislation that is underway and any outcomes from that.
We know that this continued focus on customers, delivery to government priorities, and striving to deliver a sustainable, agile and collaborative NZIC will keep us well-positioned to protect and enhance New Zealand’s security and wellbeing.