Opening statement to the Intelligence and Security Committee
Kia ora koutou.
Thank you for the opportunity to address the Committee. I have now been in the role of Director/Director-General for two years. During that time I have observed improvements in the capability, effectiveness, compliance and transparency of the Bureau. I have also seen changes in the cyber threats New Zealand faces.
Cyber threat scape
The Bureau’s second annual cyber threat summary, released in November 2017, noted a 15 per cent increase in serious incidents affecting New Zealand. Nearly a third of which had indicators of connection to foreign intelligence agencies.
New Zealand organisations were subject to both direct and indirect threats, and New Zealand infrastructure is being used as staging points by threat actors to target systems in other countries. Motivation varies from espionage to revenue generation and seeking to secure political outcomes.
Last month, I added New Zealand’s voice to the international condemnation of the NotPetya cyber-attack which international partners have now attributed to the Russian Government. It targeted Ukraine, but had a global impact – including affecting supply chains in New Zealand.
In December I also joined international partners to express concern about international reports which link North Korea to the major WannaCry ransomware campaign.
While New Zealand was not significantly impacted by NotPetya or WannaCry, we are not immune from this type of threat, which is why New Zealand called out these instances of reckless and malicious cyber activity.
A key means through which the GCSB helps protect New Zealand organisations from these threats is the CORTEX programme which I will return to shortly.
The world continues to be a challenging and ever changing place in which the Government needs timely, relevant and actionable intelligence in order to protect and promote the national interest.
During 2016/17 the Bureau provided intelligence to 19 Ministers and agencies against 14 Government intelligence requirements, in line with priorities set by the Government.
Along with NZSIS and DPMC, we are also part way through a significant change process to improve the value and usability of our foreign intelligence products for our customers.
Like NZSIS, the Bureau received a significant funding increase in 2016 in order to build our capability to deliver on our cyber security and intelligence outcomes. I am pleased to report that notwithstanding the considerable market competition for the technical skills we require, we have increased our head count by 73 since 30 June 2016 and we are on track to come close to our target for June 2018.
A particular focus has been to encourage more women to think about careers in science, technology, engineering and maths (STEM) and to come and work for the Bureau. Across the country there are significantly fewer women than men taking these subjects at a tertiary level, which flows through to the proportion of women applying for technical roles at GCSB. As a way to start addressing this issue we introduced a very successful Women in STEM Scholarship.
We have also worked hard to reduce our gender pay gap from over 11 per cent in 2016 to five per cent today. This work is an important plank of our joint Diversity and Inclusion Strategy with the NZSIS, which we were pleased to launch earlier today.
Delivering Key Projects
The investment in the Bureau has also included significant technology programmes.
The CORTEX cyber security programme to protect our nationally significant organisations from advanced cyber threats was completed in 2017, on time and on budget.
A review using analysis from an international professional services firm assessed that in the 12 months to June 2017, CORTEX led to the avoidance of $40 million of harm to public and private sector organisations.
The multi-million dollar Cryptographic Products Management Infrastructure (CPMI) project to upgrade the New Zealand Government’s cryptographic infrastructure is on budget, although its implementation timeline has been extended due to a delay in the delivery of third party components.
Intelligence and Security Act 2017
The Intelligence and Security Act was passed in March 2017, and came fully into force last September. Working in close collaboration with NZSIS, we contributed to the development of the new legislation and then ensured the necessary policy, processes and training were in place to be fully compliant for the 28 September 2017 enactment date.
As an agency that receives much of its intelligence from our Five Eyes partners, a particularly important feature of the new legislation is the strengthened provisions around cooperation with foreign intelligence services. This includes embedding the requirement for a human rights assessment into the legislation.
Another key focus for the Bureau continues to be legal compliance.
As you hopefully heard from the Inspector-General of Intelligence and Security, she has found our systems and processes to be compliant for the third year in a row and that our staff have a strong culture of legal compliance. Last year her report into GCSB’s process for determining its foreign intelligence activity also found the Bureau acted legally and appropriately.
The IGIS has been looking into complaints about alleged surveillance activities in the Pacific. I welcome the IGIS’ investigation of this issue and we have been engaging with her office to provide information and any other support required.
Just as legal compliance is key to public trust and confidence, so too is openness and transparency.
A priority for me as Director-General has been to talk regularly in public about the nature of the threats New Zealand faces, the role of the Bureau, and importantly, the mechanisms that are in place to ensure we are accountable and act within the law.
I also take the opportunity to bust some of the common myths about the Bureau, such as that we do “mass surveillance” or ask partners to circumvent the law on our behalf. Let me re-iterate here, we do not do these things!
In addition, we are making more information available to the public through the publication of documents. Together with the NZSIS, we proactively published an unclassified version of our Briefing to the Incoming Ministers, our most recent Annual Report includes much more information than previously on the nature of our activities, and in November the Bureau published its second unclassified cyber threat summary.
I welcome any questions from the Committee. Kia ora.