The New Zealand Government has had a signals intelligence (SIGINT) capability since the Second World War. There was a long recognised need to ensure that the Government was protected from “bugging” (technical security, or TECSEC) and that its sensitive messages could not be read by third parties (communications security, or COMSEC). Until the establishment of the GCSB, these services were provided by bodies such as the New Zealand Defence Force and the New Zealand Security Intelligence Service (NZSIS). In 1977, Prime Minister Robert Muldoon approved the formation of the GCSB, but its functions and activities were kept secret.
In 1980 it was decided that the existence of the GCSB could be disclosed on a limited basis, leading to the first briefings of the Cabinet and the Leader of the Opposition. These briefings only acknowledged the GCSB’s TECSEC and COMSEC functions, but not its SIGINT functions. Prime Minister Muldoon publicly acknowledged the existence of the GCSB and its SIGINT function in 1984.
In early 2000, a legislative process to place GCSB on a statutory footing similar to that of the NZSIS began.
In 2001, the Centre for Critical Infrastructure Protection (CCIP) was established to work with the New Zealand Government and critical national infrastructure agencies to improve their awareness and understanding of cyber security in New Zealand, provide them with watch and warn advice in relation to cyber incidents, and investigate any such incidents that occurred against them.
On 1 April 2003, the GCSB Act took effect. In June 2003, Cabinet formalised the role of the GCSB as the national authority for signals intelligence and information systems security.
In June 2011, New Zealand’s Cyber Security Strategy (external link) (NZCSS) was published and allocated responsibility for cyber security to selected government agencies. As part of the NZCSS, a National Cyber Security Centre (external link) (NCSC) was established within the GCSB in September 2011, and absorbed the functions of the CCIP.
Following the September 2012 discovery of unlawful intercept, GCSB Director Ian Fletcher and Chief Executive of the Department of the Prime Minister and Cabinet Andrew Kibblewhite initiated a review of compliance at GCSB. Cabinet Secretary Rebecca Kitteridge was seconded to the GCSB as Associate Director to undertake the review, which took into account the GCSB’s activities, systems and processes since 1 April 2003 (the date the Government Communications Security Bureau Act 2003 came into force). Ms Kitteridge’s Review of Compliance Report [PDF, 923 KB] was released by the Government on 9 April 2013. The report made 80 recommendations, 76 of which the GCSB was directly responsible for implementing. This led to a significant internal change programme to strengthen legal and procedural compliance.
Externally, the same events led Government to conclude, as the Review of Compliance did, that the Government Communications Security Bureau Act 2003 as it then stood was fundamentally not fit for purpose. Amendments to the legislation (external link) took effect on 27 September 2013.