The spy agency took two years to implement a major shift in how it targeted threats, but once it did, the rewards were almost immediate.
The Security Intelligence Service (NZSIS) got 10 leads on right-wing extremists in the lead-up to the Christchurch mosque attacks.
This came within a few months of the SIS shifting from an overriding focus on Islamists and threats it knew about, to looking much harder at ones it did not, notably white supremacists.
Summaries of its strategies - newly released to RNZ under the OIA by the SIS - alongside the Royal Commission of Inquiry reports, show how that vital shift was a long time coming, held back by what the commission called "scarce" counterterrorism resources - though an internal review, the Arotake report, maintains the agency got its priorities and rebuilding right.
By early 2016, the SIS had already set as one of its top three priorities the need to get much better at spotting emerging threats - the sort of threats characterised by US Defence Secretary in 2002, Donald Rumsfeld, as the "known unknowns", in a soundbite so famous an acclaimed documentary is named after it.
The agency did not begin building a baseline picture of emerging threats until mid-2018.
By late 2019, emerging threats had become the SIS' first priority enshrined in a new organisational strategy called "Discover".
Meantime, 51 people had been shot dead at two mosques in Christchurch by a gunman who flew under the radar.
The SIS did not know and could not have been expected to know about what the terrorist was planning, the Royal Commission and the Arotake report concluded.
SIS director general Rebecca Kitteridge has called the targeting changes made since 2016 a "transformation" that enables agents to focus much more on identifying "previously unknown, new and emerging national security threats".
Asked to quantify the attention given to white extremism before the mosque attacks, Kitteridge would not say when she appeared at a parliamentary select committee in March.
'True north'
The shift to broaden target spotting began with Project Sterling, a 10-year organisational strategy introduced in early 2016.
This was the "true north" for deciding what to do, the SIS said in its OIA summaries.
The SIS had decided to set its own priorities after years of muddle about what the Government's national security priorities were, and what agencies should do about them, as outlined at length by the Royal Commission.
Three attempts were made to set priorities - in 2012, 2015 and 2018 - and the latest were so "high level" that they were "not helpful", the commission said.
Kitteridge would not release the SIS strategy documents to RNZ, arguing that was likely to prejudice the country's security or defence.
The Royal Commission has told the security agencies to be more transparent with the public.
One of Project Sterling's top three goals was to build up a picture of emerging threats.
"Never in our history have we been better positioned to achieve our mission," Kitteridge said in 2016.
"But equally, never have the threats New Zealand faces been greater.
"My vision is that the NZSIS is ahead of the curve: providing indispensable security and intelligence services underpinned by high public confidence and trust."
It was a clear vision but one that, it turned out, relied on shaky legs.
The agency got a big funding boost in 2016 after hitting a low ebb in 2014, but it took another two years to stand up work on the "baseline picture" of emerging threats.
"Baselining emerging terrorism threats was identified as the third goal ... but its ranking meant that work on it was deferred," the Royal Commission said.
The resources put in - money, jobs, training and liaison with other agencies - were divided up according to Project Sterling. Espionage threats to the state got about 60 per cent, with 40 per cent for counterterrorism, from investigation budgets.
"Sterling provided the framework for determining what mattered more and, consequently, what mattered less," the SIS OIA summary said.
The SIS "did not have enough counter-terrorism resources until May 2018 to start its baselining project", the Royal Commission said.
It had not written up an implementation plan for it until March of that year.
As a result the domestic terrorism threat picture was not fully filled in; two assessments by the inter-agency group hosted by the SIS - the Combined Threat Assessment Group - in 2015 and again in 2018, remained focused on Islamist threats.
Elsewhere, in the main operational arm of counterterrorism of the New Zealand Police, intelligence functions had degraded to the point no strategic assessments of domestic threats were being done, the commission found.
New discovery
In May 2018, the counterterrorism unit got new instructions: start spending 20 per cent of its time on the baseline picture and "discovery" of emerging threats, including a project on domestic right-wing extremism.
An online operations team also began looking at right-wing forums.
"The project generated 10 leads relevant to right-wing extremism, some of which remained open at 15 March, 2019," the Royal Commission said.
The SIS's eventual report on right-wing online activity in July 2019 did not identify any New Zealand-based groups advocating violence.
Around the same time, in July 2018, the counterterrorism unit came up with its own new strategy, "Discovery", which it updated in August 2019.
"The key objective ... is to identify previously unknown potential terrorism threats and leads ... via exploitation of information holdings and datasets based on identified indicators of terrorist activities and behaviour as well as discovery of links or connections to known (previous or current) individuals or groups of security concern," the OIA summary said, quoting the strategy document.
Discovery was a "basic but sufficient" strategy, said the independent expert who did the Arotake review.
It is not clear what would have happened if the SIS had switched resources earlier.
Perhaps it would have lost sight of faith-based extremist threats, the Royal Commission suggested.
"It is not possible to determine with confidence whether the overall risk of domestic terrorism would have been increased or decreased had counter-terrorism resources been allocated earlier to the threat of right-wing extremist terrorism.
"It is considered very unlikely that the earlier development of NZSIS' discovery and baseline programmes areas would have had a tangible impact on its ability to identify [the mosque attacks terrorist]."
The Arotake review concluded the resources were where they should be and that despite the gaps the agency was "alive to the possibility of non-Islamic extremist threat".
It was a reasonable decision to build up "enabling" functions first after 2016, and operational ones only after 2018.
"Although it arguably delayed the arrival of 'front-line' capabilities, the organisation was better placed to raise, train and sustain those capabilities when the time came," the Arotake report said in mid-2019.
"This work will take time to bear fruit."
A list of Discovery projects is blanked out in the Arotake report.
Known threats still got priority, the strategy said, "but there is also a realistic possibility an unknown lone actor could move from radicalisation to action, without intelligence forewarning, potentially in a short timeframe".
As at May 2018, two of the counterterrorism unit's three teams had been focused on what they saw as Islamist threats, with the third also looking at other types of threat.
These had a total of 16 investigators and three managers, in an agency of about 400 people.
The agency began hiring new investigators about this time, but most were inexperienced.
'Limited target discovery'
The counterterrorism unit had to wait until after the attacks, and the 2019-20 financial year, to get a real boost to emerging threat identification, the documents show.
It was "engaging in only limited target discovery activity" before the 15 March attacks due to lack of resources, the focus on Islamists, and the continued reliance on traditional investigative methods not well suited to identifying new threats, the Commission said.
In June 2019, the SIS brought in its sister agency, the Government Communications Security Bureau (GCSB) which does signals monitoring, to try to set up a shared database "combining lists of known behaviours and indicators of violent extremism". It's not clear if that database has been set up.
A few months later, Project Sterling was superseded by the SIS' current organisational strategy: Discovery.
The commission and Arotake report both said lawmakers had to pay attention to the thorny problem of how far the agencies can go with target discovery - say, when they action surveillance or search warrants - under the Intelligence and Security Act.