[Check against delivery]
This is my first time addressing the Committee for the Government Communications Security Bureau’s Financial Review, having taken on the role of Director in April this year.
I am conscious that in reviewing our performance, the Committee also has the perspectives of two of our oversight entitles: the Auditor General and the Inspector General of Intelligence and Security.
The key points for me from those oversight bodies are that our financial management is sound; there is a strong culture of commitment to legal compliance; and our systems and processes have been certified as compliant again.
While we continue to make improvements in how we conduct our business, we will be doing that from a sound platform. The current state is pleasing and reassuring.
The GCSB has three roles, which are set out in legislation.
First, we collect and report foreign intelligence in accordance with the Government’s intelligence requirements. By finding out about the activities, intentions and capabilities of foreign parties we help inform government decisions.
Second, we provide cyber security and information assurance advice and assistance to a wide range of organisations in New Zealand. This includes:
Finally, we assist the New Zealand Defence Force, New Zealand Police and NZSIS to undertake their lawful functions. This includes counter terrorism and support to military operations.
Everything we do to deliver our functions needs to be in accordance with New Zealand law, including our human rights obligations.
Our powers are only exercised with an applicable interception warrant or access authorisation.
Before issuing an interception warrant or access authorisation, the Minister Responsible for the GCSB must be satisfied not only that it is for the purposes of either cyber security or the collection of foreign intelligence (or both), but also that the activities contemplated are proportionate, necessary and reasonable.
Interception warrants, access authorisations, and the activities under them are all subject to oversight by the IGIS.
During the 15/16 year, there were a total of 22 interception warrants in force, and 15 were issued during the year. There were 46 access authorisations in force during the year, and 30 were issued during the year.
Some of the interception warrants or access authorisations may have been in force at the start of the year, and expired, and some may have been renewed.
In the year under review, we also provided assistance, under section 8C of the GCSB Act – seven times to NZSIS, and twice to NZDF.
I would like to take this opportunity to draw attention to some of the Bureau’s activities and achievements in the year under review.
In summary, GCSB has:
Now, I’d like to briefly outline to the Committee what we are seeing in terms of the cyber threatscape to New Zealand.
The primary focus of GCSB’s cyber security role is advanced and persistent cyber threats – usually foreign sourced – to nationally significant organisations.
These threats are becoming more complex, and their sources more diverse.
There is a growing range of international threat actors targeting New Zealand organisations for financial gain or as a means of advancing their own positions.
New Zealand organisations – both public and private – have a wealth of information which is attractive to others. This includes intellectual property for new technology innovations, customer data, business and pricing strategies or government positions on sensitive topics.
The types of incidents we are seeing include phishing attacks – socially engineered email intended to make the recipient open an attachment or visit a website which contains a malicious file; and ransomware, which involves an actor locking down a system until money is paid.
The level of threat is also increasing – 338 cyber security incident were recorded by the National Cyber Security Centre during the year. This is an average of 28 incidents per month. In the previous year there were 190 cyber security incidents.
In part the increase in recorded incidents reflects increased detection of threat activity by our cyber defensive capabilities, particularly CORTEX. This will continue as we develop relationships with our CORTEX customers and make our cyber defensive capabilities available to them.
Turning now to the investment government made in our community in the 2014/15 year and even more significantly in this year’s Budget.
The investment comes with clear expectations about the outcomes sought from the security agencies and recognition of the capability required to deliver.
To this end, we have continued to build capability in the areas of cyber defence, intelligence collection, and information technology.
Because of the interdependencies between the Bureau and NZSIS’s strategic directions, we have established a Joint Leadership Team with senior representatives from both agencies to govern shared work programmes.
This investment, coupled with the systems and processes that have been beefed up or introduced means the Bureau is well positioned to deliver improved results for government and all New Zealanders.
The Bureau now employs around 370 people – an increase of around 70 on the previous year. This is a tangible consequence of the Government’s increased investment, and we will continue to grow in coming years.
Our staff are GCSB’s greatest asset and my top priority as Director. They bring diverse expertise including foreign language experts, cryptographic specialists, IT professionals, engineers, technicians, technical analysts and corporate staff.
The gender split is 37 percent female and 63 percent male. This is representative of the male-dominated IT profession. That said, the Senior Leadership Team is 55 percent female, and 53 percent of the wider senior management positions are filled by women.
Achieving greater ethnic diversity remains a challenge, and is a real priority for GCSB. Given GCSB is growing we have the opportunity to shape our future workforce through initiatives underway such as our very successful graduate programme and the recently launched Beyond Ordinary recruitment website.
In the past year we have moved all staff to a standard remuneration framework and performance management system. We have also supported better career paths through career boards. All these factors assist us to attract and retain talented individuals.
Overall, the people who do work for us are of the highest integrity and calibre, which is appropriate because they are dealing with some of New Zealand’s most sensitive and valuable information.
As members of the Committee will know, the New Zealand Intelligence and Security Bill is currently before the Foreign Affairs, Defence and Trade Committee.
We are continuing to work closely with the DPMC National Security Policy team which is leading the policy work on the legislation and advising the select committee, to ensure that the Bureau’s operational context is well understood.
While Parliament is yet to decide on the final shape and detail of the legislation, we are preparing to implement any change that is decided and this is a high priority for the current financial year.
I would like to conclude by saying I am committed to continuing to build public trust and confidence in the Bureau and the New Zealand Intelligence Community.
Our engagements with this committee; the briefings we provide to Ministers and the Leader of the Opposition; the other agencies we support; and how we interact with the oversight bodies who report on our performance all contribute to trust and confidence.
We have provided more and greater detail to the public in this year’s annual report, and I am continuing to talk publicly about the threats New Zealand faces, our role and how we are held accountable.
Thank you and I am happy to take questions.