Comments to New Zealand Institute of International Affairs
Kia ora koutou
Thank you to the Institute for the opportunity to talk with you today about the role of the GCSB in global connectedness and cyber security. I acknowledge the important role my fellow panel members each play in ensuring New Zealanders are kept informed and connected and that the rights and freedoms we take for granted are protected.
In order to keep New Zealanders and their information safe, the GCSB exercises some intrusive powers, often in secret, on behalf of the State. It is important that we are as transparent as possible about the nature of the threats New Zealand faces, our role in countering them, and how we are held accountable.
Raising the profile of my work is not something I need to worry about at my 6 year old’s school. We recently held the Bureau’s first Family Day, so partners and children could see where their loved ones work and learn a little about what they do.
The following Monday, my daughter came home with a story she had read out for news. It went:
“My dad has a new job. It is an important job. It is important because he is the boss of all the spies”.
Our prosperity and our way of life is built on us being an open and democratic nation, with the free flow of people, trade and information across our border. Yet with that connectedness comes new threats, often as a consequence of the huge growth of the Internet which was never designed with security in mind.
Whereas in the past we could rely on our geographic remoteness to keep us and our information safe, our information and potentially our infrastructures are now open to threats in real time from anywhere in the world. Marginalised people in New Zealand are also subject to radicalisation remotely in ways not possible before.
The GCSB has three roles in managing these threats which are set out in legislation.
We collect and report on foreign intelligence in accordance with Government’s National Intelligence Priorities. By finding out about the interests, intentions and capabilities of foreign parties we help inform Ministers and government decisions.
Second, we assist Defence Forces, NZ Police and NZSIS to undertake their lawful functions. This includes counter terrorism, support to military operations, maritime surveillance and border protection.
Finally, we provide cyber security and information assurance services. This includes:
- the National Cyber Security Centre – located in the GCSB
- the Cortex programme, which uses cyber threat information – including inputs from our international partners - to help protect public and private sector organisations
- our regulatory role under the Telecommunications Interception Capability and Security Act to ensure national security risks are not introduced into telecommunications networks. All our cyber security services are provided with the consent of the organisations involved.
Everything we to do to deliver these functions needs to be in accordance with New Zealand Law and our international human rights obligations. It also has to be proportionate, necessary and reasonable. I would hazard that we, and the NZSIS are subject to more rigorous oversight than any other government agency. This includes:
- A dedicated parliamentary oversight committee
- An Inspector General of Intelligence and Security – with Commission of Inquiry powers
Our activities are subject to the Ombudsman, the Privacy Commissioner, and the Auditor General.
And, there is a strong authorising and warranting regime for our intelligence and cyber security functions.
There have been a couple of recent documentaries through which I have learned some new and fascinating things about the Bureau. Let me briefly deal with some of the most common of these “myths”.
First up, that the GCSB is part of a shadowy intelligence sharing partnership called the Five Eyes.
That’s actually true. It’s just not that shadowy. To be effective, intelligence agencies do need to undertake much of their activity in secret. However, the fact that New Zealand is part of the Five Eyes and derives significant benefit from it is on our website!
As the Cullen/Reddy report states, for each foreign intelligence report the GCSB produces we get ninety-nine from our partners. Where we share information with partners it is done in accordance with New Zealand law and international human rights obligations, and under ministerial authorisation.
That leads to the next common myth about the GCSB, that we are a law unto ourselves.
I have to say, it doesn’t feel like that when I am meeting with Ministers two or three times most weeks, seeking their authorisation and briefing them. I have been struck by the strong culture of legal compliance in the Bureau and the steps that are taken to ensure everything we do is properly authorised.
The Inspector General of Intelligence and Security has reported for the past two years that the GCSB has strong compliance systems and processes in place.
Another common myth is that the GCSB is staffed by “Cold War Warriors”, stuck in the past.
The average age of the GCSB senior team is in the mid 40’s. The Berlin Wall was long down before most of us started working. I’m also pleased to report that over 50 percent of our managers are women, a high proportion of our staff are from the private sector, and we attract some of the brightest new graduates in the country.
The most common myth is that the GCSB is engaging in the “mass surveillance” of New Zealanders; that we are actively monitoring the phone calls, the emails and the internet traffic of large sections of the population.
I can assure you, we aren’t. The GCSB does not have the legal authority, the capacity or the interest to undertake such activity. But don’t take just my word for it. Sir Michael Cullen, Dame Patsy Reddy, the Inspector General of Intelligence and Security, and the Privacy Commissioner have all independently concluded that the GCSB does not do this.
In reality, the datafication of all aspects of everyday life means that international corporations are the ones who collect large amounts of information about citizens and there is not always good visibility about what they do with it.
Let me finish up by talking briefly about the nature of the cyber threats to New Zealand, as we see them.
Not only is the level of threat increasing – our NCSC recorded 338 cyber incidents in the 2015/16 year, compared with 190 in the previous year, the nature of the threats are becoming more complex and the sources of them more diverse.
There is a growing range of international threat actors, targeting New Zealand organisations for financial gain or as a means of advancing their own position.
New Zealand organisations, both public and private, have a wealth of information which is attractive to others - whether intellectual property for a new technology innovation, customer data, business and pricing strategies or government positions on sensitive topics.
In part the increase in recorded incidents reflects increased detection of threat activity by our cyber defensive capabilities, particularly CORTEX. This will continue as we develop relationships with our CORTEX customers and make our cyber defensive capabilities available to them.
CORTEX is a project to counter cyber threats to organisations of national significance – e.g. to operators of critical national infrastructure.
It involves GCSB implementing capabilities to protect these organisations against advanced malicious software (‘malware’). In some cases malware is passively detected. In others it is actively disrupted or ‘blocked’.
In terms of the types of incidents we are seeing, phishing – often clever, socially engineered email intended to make the recipient open an attachment or visit a website which contains a malicious file, and ransomware are some of common types of harm being reported to us or being detected by our capabilities.
We will soon be announcing more details of the Pilot of a cyber defensive initiative called - Malware-Free Networks. This pilot involves GCSB trialling sharing of cyber threat information and technology with an Internet Service Provider (ISP) enabling the ISP to mitigate malware that is targeting a small subset of its customers.
Cyber threats are very real, and New Zealand’s relative geographic isolation offers no protection in our globally interconnected connected world.
Responding to the threats therefore requires strong collaboration between government, the private sector and internationally.
Thank you. I look forward to taking your questions.