The New Zealand Government has had a signals intelligence (SIGINT) capability since the Second World War. There was a long recognised need to ensure that the Government was protected from “bugging” (technical security, or TECSEC) and that its sensitive messages could not be read by third parties (communications security, or COMSEC). Until the establishment of the GCSB, these services were provided by bodies such as the New Zealand Defence Force and the New Zealand Security Intelligence Service (NZSIS). In 1977, Prime Minister Robert Muldoon approved the formation of the GCSB, but its functions and activities were kept secret.

In 1980 it was decided that the existence of the GCSB could be disclosed on a limited basis, leading to the first briefings of the Cabinet and the Leader of the Opposition. These briefings only acknowledged the GCSB’s TECSEC and COMSEC functions, but not its SIGINT functions. Prime Minister Muldoon publicly acknowledged the existence of the GCSB and its SIGINT function in 1984.

In early 2000, a legislative process to place GCSB on a statutory footing similar to that of the NZSIS began.

In 2001, the Centre for Critical Infrastructure Protection (CCIP) was established to work with the New Zealand Government and critical national infrastructure agencies to improve their awareness and understanding of cyber security in New Zealand, provide them with watch and warn advice in relation to cyber incidents, and investigate any such incidents that occurred against them.

On 1 April 2003, the GCSB Act took effect. In June 2003, Cabinet formalised the role of the GCSB as the national authority for signals intelligence and information systems security.

In 2010, the GCSB began advertising for geospatial and imagery foreign intelligence (GEOINT) analysts to join a new area of analytic discipline for the GCSB, complementing its SIGINT mission.  The GEOINT area is closely aligned with similar units within the New Zealand Defence Force.  In 2012, the New Zealand Defence Force became the national authority for geospatial intelligence and formed GEOINT NZ.

In June 2011, New Zealand’s Cyber Security Strategy (external link) (NZCSS) was published and allocated responsibility for cyber security to selected government agencies. As part of the NZCSS, a National Cyber Security Centre (external link) (NCSC) was established within the GCSB in September 2011, and absorbed the functions of the CCIP.

Following the September 2012 discovery of unlawful intercept, Cabinet Secretary Rebecca Kitteridge was seconded to the GCSB as Associate Director to undertake a review of compliance, which took into account the GCSB’s activities, systems and processes since 1 April 2003 (the date the Government Communications Security Bureau Act 2003 came into force). Ms Kitteridge’s Review of Compliance Report [PDF, 923 KB] (external link)  was released by the Government on 9 April 2013. This led to a significant internal change programme to strengthen legal and procedural compliance, which has since been completed.

Externally, the same events led Government to conclude, as the Review of Compliance did, that the Government Communications Security Bureau Act 2003 as it then stood was fundamentally not fit for purpose. Amendments to the legislation (external link) took effect on 27 September 2013.

In March 2016, Sir Michael Cullen and Dame Patsy Reddy presented their findings from the First Independent Review of Intelligence and Security in New Zealand to Parliament.

On 28 March 2017 the Intelligence and Security Act 2017 (external link) gained Royal Assent. On 1 April 2017, the first provisions under the Act took effect. On 28 September 2017 further provisions under the ISA came into force.

The Intelligence and Security Act implements the Government response to the Report of the First Independent Review of Intelligence and Security in New Zealand: Intelligence and Security in a Free Society (external link) , and replaces the four Acts that previous applied to the GCSB, the NZSIS, and their oversight mechanisms.