The Law of the Jungle – How can New Zealand navigate Global Disruption?
Speech delivered to New Zealand Institute of International Affairs, Wellington.
Thank you for the opportunity to talk with you again.
I recently saw a blog about a talk I gave to Transparency International last year. The author, who wasn’t actually there, reported that participants found me to be reasonable and reassuring. However, she cautioned people not to be ‘taken in’ as I would have had significant media training and, even worse, I may have convinced myself that what I was saying was actually true! I’ll leave you to decide.
As you have already heard today, the international environment is currently undergoing significant changes, which presents both threats and opportunities for New Zealand.
Today, I want to talk about:
The role the Bureau plays in helping New Zealand respond to these threats and maximise these opportunities, particularly our intelligence collection role;
How the recent Intelligence and Security Act makes us more effective, more accountable and more transparent; and
The trends we’re seeing in how external parties are using cyber means to advance their objectives.
What is the GCSB?
The GCSB is a ‘SIGINT’, or signals intelligence agency meaning we specialise in intelligence derived from electronic communications. We also have a statutory role in cyber security and information assurance.
We are a government department, and as such we are accountable to the Government of New Zealand and required to act in the interests of New Zealand and New Zealanders.
The new Intelligence and Security Act 2017
Everything the GCSB does needs to be in accordance with the objectives in the Intelligence and Security Act 2017, which has been in force since September.
The Act specifies three objectives for the GCSB. We contribute to:
The protection of New Zealand’s national security;
The international relations and wellbeing of New Zealand; and
The economic well-being of New Zealand.
The GCSB does this by:
Collecting and reporting on intelligence – primarily foreign intelligence – in accordance with government priorities in order to inform government decision-making.
Providing cyber security and information assurance services to organisations of national significance, from both the public and private sector.
Our priorities are set by the Government
The Government’s intelligence priorities, which guide all our work, are reviewed periodically. The detail of the intelligence priorities are not made public for obvious reasons.
However, as stated in the joint NZSIS and GCSB Briefing to the Incoming Minister, our ongoing focus areas include cyber threats, counter terrorism, foreign espionage and stability and governance in our region.
If you’re interested there is an unclassified version of the Briefing on our website.
The new Act provides a clearer authorising framework for our intelligence activities. It states more clearly what we do under a warrant, and makes it easier to understand the different warrants we use and the approvals that are required.
Type 1 warrants relate to New Zealand citizens or permanent residents. Type 1 national security warrants can only be issued if they will enable the Bureau to investigate or protect against harms such as terrorism, violent extremism, espionage against New Zealand, sabotage, proliferation of weapons of mass destruction, or transnational crime.
Type 1 Warrants are issued by the Minister Responsible for the GCSB and a Commissioner of Intelligence Warrants (a previous High Court Judge). The warrants are also subject to review by the Inspector-General of Intelligence and Security.
Type 2 warrants cover foreign citizens. These warrants are issued by the Minister alone, and are reviewed by the Inspector General after being issued.
The new legislation confirms the GCSB’s ability to obtain a “class-based” warrant. These are useful in situations where we are interested in a group - such as a terrorist organisation - and we would otherwise need to get separate warrants for different people in the group. The scope of the warrant needs to be necessary for a function and proportionate to the purpose it is intended to achieve.
The independent oversight provided by the Inspector General of Intelligence and Security was also strengthened under the Intelligence and Security Act. For example, Parliament’s Intelligence and Security Committee can now ask her to conduct an inquiry.
I am pleased to report that for the third year in a row, the Inspector-General has found GCSB’s systems and processes to be fully compliant and that our staff have a strong culture of legal compliance.
How does the GCSB undertake its intelligence function?
We collect intelligence by electronic means, which includes the ability under the Intelligence and Security Act to intercept communications and to seize electronic information.
Dame Patsy Reddy and Sir Michael Cullen in their 2015 review made the point that modern communications mean it is often not possible to identity and copy a specific communication of interest in isolation. We often need to collect a larger set of communications – they describe it as the “haystack” in which our analysts then find the “needle”.
Even then, the extra information we draw together to form the haystack is a tiny proportion of the abundance of communications zooming around every day. As has now been well established, we do not undertake “mass surveillance”.
What is key is that we have robust policies and process in place to manage and discard all the irrelevant information that makes up the “haystack”, retaining only that information – or the “needle” - that is relevant to the intelligence we produce.
Our role in the Five Eyes Partnership
While the GCSB has its own intelligence collection capabilities, most of the intelligence we obtain for government comes from our partners.
It’s well documented that New Zealand is one of the five countries which makes up the Five Eyes intelligence partnership. The others are Australia, Canada, the UK and US.
This partnership affords New Zealand a greater level of protection and intelligence than we could ever achieve alone.
Under the Intelligence and Security Act the GCSB must satisfy the Minister that sharing intelligence with foreign agencies, including our Five Eyes partners, accords with all human rights obligations recognised by New Zealand law.
Our cyber security role
Let me finish by talking about our cyber security role for nationally significant organisations and the threats we are seeing.
Under the new legislation we now can provide cyber security services with the consent of the organisations involved without the need for individual warrants.
A key way we protect organisations of national significance is through a system we call CORTEX. It’s focused on detecting and disrupting complex and persistent foreign-sourced malware that is typically beyond the capabilities of commercially available tools.
A recent independent assessment found CORTEX helped avoid damage of around $40 million, in the year to June 2016. We are now working with the Government on how to scale this capability to protect more New Zealand organisations.
New Zealand’s cyber threat-scape
In November we released our second annual unclassified cyber threat summary, which is on our National Cyber Security Centre website.
It noted a 15 per cent increase in serious incidents, nearly a third of which had indicators of connection to foreign intelligence agencies.
New Zealand organisations were subject to both direct and indirect threats, and are being used as staging points by threat actors to target systems in other countries.
Motivation varies from espionage to revenue generation and seeking to secure political outcomes. Cyber-attacks are relatively cheap and effective, and to date the implications of getting caught have not been great.
Earlier in the month I added New Zealand’s voice to the international condemnation of the NotPetya cyber-attack which international partners have now attributed to the Russian Government. It targeted Ukraine, but had a global impact.
In December I also joined international partners to express concern about international reports which link North Korea to the major WannaCry ransomware campaign.
While New Zealand was not significantly impacted by NotPetya or WannaCry, we are not immune from this type of threat. That’s why New Zealand called out of these instances of reckless and malicious cyber activity.
In the current “jungle” of an international environment New Zealand needs to be well informed about the interests, intentions and capabilities of others. We need to work in cooperation with like-minded partners, and we need to call out bad behaviour that doesn’t conform with the international norms we rely on.
Before I take my seat I should say that if you want to hear the classified version of this speech you should head to our recruitment site Beyond Ordinary. We’re always on the lookout for talent.
Thank you for your time.