- There is one likely culprit as the foreign power who used the GCSB as a launch pad for spying;
- The spying programme was aimed at metadata and it appears huge quantities were obtained through the GCSB;
- Metadata is often used to profile targets of military strikes by building “pattern of life” profiles;
- Funding for the GCSB has massively increased since serious faults were identified.
ANALYSIS
It’s been more than a decade since our country’s highly-secretive electronic spy agency disgraced itself so publicly.
This current instance is solidly a part of those bad old days but begs serious questions as to how an echo of the past took so very long to be heard.
The Inspector General of Intelligence and Security, Brendan Horsley, issued the most startling report of his nearly four-year tenure when he disclosed the Government Communications Security Bureau had been used by a foreign partner in our sphere of responsibility.
The foreign partner - no country disclosed but probably the United States - had organised to have the GCSB use a particular bit of kit to extract intelligence in our sphere. That “signals intelligence system” was part of a “wider intelligence programme related to this capability”.
Discussions around this piece of kit began in 2010 until an agreement in 2012 for the GCSB to host the “signals intelligence system” and to “take part in a wider intelligence programme related to this capability”.
It required the GCSB to install hardware provided by the partner agency from where certain signals would be selected and sent to the partner agency. Those signals would then be analysed - with other information - to locate remote targets.
The system then operated from 2013 to 2020, largely without anyone aware of its ongoing existence, until “equipment failure” led to its existence being “discovered” by senior spies who immediately told the minister at the time, Andrew Little, and the Inspector General.
Horsley has now reported on what happened with a damning verdict. GCSB leaders should have known, as should its ministers, as controls and systems in a newly-revamped GCSB failed to catch a foreign partner’s technology that was likely used to kill people.
Timing is everything
There are factors relating to the time this was discussed and then implemented that suggest how it sank out of sight but also beg belief as to how it could stay hidden.
In 2010, when the new technology was first floated, the GCSB had been led for five years by Air Marshal Sir Bruce Ferguson. He left and was replaced by two acting directors who filled the role in three shifts over 18 months.
Then Ian Fletcher took on the role running the bureau in January 2012 which could have introduced a period of stability. He had barely got his feet under the desk when the agency experienced the greatest crisis of its existence with discovery of its unlawful blundering when spying on Kim Dotcom and others in the Megaupload affair.
The incident set in train an excoriating review of the GCSB by Rebecca Kitteridge who was Cabinet secretary at the time and is currently acting chief executive of the Department of Prime Minister and Cabinet.
Kitteridge’s 2013 review found no sign of GCSB staff trying to be clever with the law under which it operated at the time. Rather, Kitteridge wrote, “they have been let down by aspects of the organisation that they have relied upon”. This is important to remember - those who do this work do so in a genuine and sincere fashion, for the benefit of New Zealand.
Part of the GCSB’s failure was an internal “bible” that misconstrued the legal position providing GCSB signals intelligence staff a misinterpretation of the law.
This failure was compounded by aspects of GCSB culture at the time. That included the perception that legal requirements were not subject to interrogation - if it appeared that boxes were ticked, staff didn’t go further in seeking evidence and asking questions. There was a lack of “thoughtful judgment”, although that changed in the years ahead.
Other key factors were those that created bunkers inside the GCSB. Some of that compartmentalisation was seen as necessary at the time while some was a consequence of the culture. It led to silos of “people, ideas and technology” with a poor understanding across the agency of what it did, who was doing it and how. This was a result, partly, of the high level of specialisation required for some tasks and the “need to know”.
But Kitteridge wrote how specialisation in places often trumped other important requirements and, as a result, it meant “blind spots are not addressed”.
Another issue at the time was the lack of an appropriate framework to ensure the GCSB was compliant with the law and processes. There was also a weak risk assessment process to properly sound out dangers posed by operations or technologies.
Also absent was a structured auditing process. The GCSB’s audit committee did not meet between June 2010 and March 2013 - the entire chunk of time this spying operation for a foreign partner was devised, discussed and then implemented.
Those searching for legal guidance would have also been frustrated at the “lack of an accessible, centralised and comprehensive repository of legal advice”. The inability to access a bank of institutional knowledge was a risk for the GCSB made worse when the legal director at the time went on “gardening leave” in the midst of the Dotcom debacle.
The GCSB was meant to be fixed
Even before Kitteridge’s report was made public in April 2013, there was a recognition across government that the GCSB was a shambles. In the immediate period after that, it was realised the NZSIS was in similar need of a serious shake-up.
What emerged, it was believed, was a degraded intelligence capability that had been created over years. There had been too little scrutiny of what it did and how it did it and so oversight would change.
Underfunding was driven, it seemed, by Prime Ministers briefed on the risks faced and successes enjoyed without the benefit of agency introspection. The “grey men” who would wait quietly to brief Prime Ministers over the years did not convey the growing culture problems, absence of systems, extent of foreign relationships and the technological advances that had changed the nature of signals intelligence from radio intercepts to “whole take” grabs of internet traffic.
Prime Ministers also found it unpalatable to increase funding at their own agencies at a time other ministers were being told to reign in spending.
The years that followed saw an extraordinary amount of change and funding to support that change.
The appointment of Kitteridge to run the NZSIS gave the government the ability to address the issues that existed in the GCSB without the catalyst of an external disaster such as Dotcom and the publicity that followed it.
The replacement of Ian Fletcher - whose appointment brought its own controversy - with Andrew Hampton, now NZSIS director, saw the bureau led by a quiet yet determined bright spark whose career thus far had been shaped by the public service framework.
There were significant structural changes, too. Since the establishment of the agencies, the Prime Minister had been the sole politician who would be briefed and could quiz spy bosses with expectation of a direct answer.
Sir John Key changed that with the establishment of a Minister for the NZSIS and GCSB, with the Prime Minister having overall responsibility for National Security. There was much sense to this - Prime Ministers always struggled to find the time to properly understand the agencies for which they were in charge. With Chris Finlayson appointed, the agencies were overseen by a fiercely intelligent minister who brooked no nonsense and demanded high performance from the directors-general.
In the period of a few years, our intelligence community was led by two no-nonsense individuals whose background was in the general public service rather than its previous leaders whose military backgrounds were part of what had created its inward-looking culture.
With leaders who could speak directly and a minister inclined to listen, the government was able to deal with the internal issues and the funding issues. That included significant law changes, most recently in 2017, which expanded the bureau’s powers but also its oversight and signoff requirements.
In 2010, when discussion started about the current spying programme, the GCSB was funded about $70m. In the 2023-2024 budget, this had risen to $400m. A similar funding boost has happened at the NZSIS.
Most likely the US harvesting metadata
It seems highly likely that the foreign intelligence partner in this instance is the United States and that the agency in question would be the National Security Agency.
The reason for this is that our primary intelligence relationship is the World War II-era Five Eyes partnership which includes the US, the United Kingdom, Australia, Canada and New Zealand. In that arrangement, in our modern world, there is really only one senior partner - and that is the United States.
Documents from the period show New Zealand very eager to meet the needs of the US, more so than other Five Eyes partners, partly because of its Five Eyes’ senior partner status and partly because we shared in the benefits of the US technical dominance across the Five Eyes network.
The system involved actual installation of hardware. In a sense, this is not unusual. New Zealand hosts other Five Eyes electronic spying programmes - such as XKeyscore - that had required NSA engineers to visit and install equipment.
In this instance, the hardware was installed at a GCSB facility in 2012 not long after it was signed off at deputy director level. We know it was operating in early 2013 because a GCSB officer referred to the overseas partner using the new capability.
In the years that followed, it appears to have sunk from sight internally. It was never audited, as recommended at the oversight, or reported to the director-general or ministerial level, even though the IGIS review says that should have happened. The systems meant to be in place - that the GCSB be told when it was used - were never followed through on.
When it was noticed was when it was being used, it seems, and not necessarily until after it had been used. The IGIS report says GCSB staff noticed “high volumes of data being sent” even though it had not received email requests from the foreign partner to alter or aim the technology.
The identification of “high volumes of data” is interesting given the MOI said “collection of communications would be strictly limited to collection of metadata”. Metadata consumes very small amounts of data suggesting the sort of capture involved was of vast quantities of personal information.
It is also interesting the system did not require the GCSB staff to flick a switch to allow the foreign partner access. It just took what it needed. There were records over the years of instances in which the GCSB was asking to make changes to tasking. That suggests there was a new target, or area of operations, or new “selectors” - personal identifiers that link emails, phones and other distinct points to individuals.
But in between those times it seems that the foreign partner was able to lean into the existing settings and suck up vast quantities of information.
As to who was being targeted? In 2015, the NZ Herald reported that the GCSB had responsibility for collection from more than 20 countries including China, Iran, India, South Pacific nations and the Antarctic. Other targets were diplomatic communications between Japan, North Korea and South American nations.
Some of these were simply a divide up of work but some were geographical location, which appears to be the reason New Zealand was needed for the system that has just emerged.
Metadata used to develop target profiles
It’s highly likely that the intelligence operation run through the GCSB was used by the foreign partner - highly likely the US - to kill people.
The IGIS report found “it is clear” the data “was used to support military operations”. Horsley did not find evidence that specific capability was used in relation to a military action. He did say it “clearly had the potential to be used, in conjunction with other intelligence sources, to support military action against targets”.
Over a period in which the US exploited every potential to identify and kill targets, it seems very likely this equipment would have assisted in that aim, in some small or large way. We don’t know. The record-keeping wasn’t good enough.
This is not unusual territory for New Zealand. We have been involved in the War on Terror throughout with NZSIS and GCSB capabilities used to support the “coalition” aims. There remain stories told that GCSB staff were involved in tracking down Osama Bin Laden.
In this immediate instance, we don’t know exactly what spying programme was used. Brendan Horsley was, appropriately, careful to remove classified information from the report issued this week.
However, there is some grounded speculation into what sort of system was being used.
If, as it is stated, it is a data-based collection tool that operates on metadata then there is a tool which fits broadly with those requirements that was installed in New Zealand at the time.
There are a number of such systems that were disclosed when NSA whistleblower Edward Snowden walked out of work with a treasure trove of classified information in 2013. In Snowden’s trove was information about tools with names such as Prism, Trafficthief, Pinwale and Marina.
We know New Zealand’s GCSB has incorporated some or all of these tools as part of its Five Eyes partnership. The Herald has previously reported on the visiting NSA engineer in February 2013 who came to take part in “technical discussions” around a future “Special Source Operations” site at the GCSB’s Waihopai base near Blenheim.
The SSO is a part of the NSA that specialises in capturing massive amounts of internet content and electronic communication which is then applied to the agency’s various tools.
The hardware installed at the GCSB in 2012 could have been Marina, which mined metadata to build “pattern of life” profiles of intelligence targets. Those profiles were the sort of information that was used by the US military to carry out kill missions on adversaries.
Were we played as fools?
The most striking element is how this was missed after years of reviews and substantial restructuring. It was noticed because it stopped working. If it had carried on, we could be years down the track before anybody noticed.
It raises the question as to what else was missed. That should have been the first question GCSB minister Judith Collins asked. And an assurance to her that there was nothing else should not be enough - the bureau needs to review everything it is doing and to report to the minister and then publicly.
It should also mean some tough questions for that foreign partner. New Zealand appears to have been played as fools. It appears as if the greatest level of involvement with the system - from installation to training to use - was carried out by that foreign partner as we became increasingly oblivious.
If one were to be cynical about what has happened, it could be seen as a successful intelligence operation on New Zealand by a friendly partner power that subverted our spies’ national interest in the furtherance of another’s.
And that leads to another astonishing fact to emerge from this. Even though very few knew this capability existed, its operation was still within the “intelligence sharing relationship” New Zealand has with the foreign partner. “That authorisation was broad and unqualified,” Horsely said.
As a result, “it permitted the GCSB to share intelligence with the foreign partner without qualification as to content or means”.
That shows just how broad those authorisations currently are. If you can drive a bus through it, one would rather we held the keys. That needs explaining from the minister to the public because it makes it seem as if the controls that currently exist are effectively meaningless.
Who could argue those authorisations are too broad if the people who sign them off have no idea they cover New Zealand’s unwittingly provision of a platform for a foreign power to prosecute its military objectives?
Information - intelligence - is an instrument of national power. It is a means through which to exert force, seize advantage or construct defences. It should be New Zealand’s to control.
David Fisher is based in Northland and has worked as a journalist for more than 30 years, winning multiple journalism awards including being twice named Reporter of the Year and being selected as one of a small number of Wolfson Press Fellows to Wolfson College, Cambridge. He first joined the Herald in 2004. From 2018-2020, he was a member of the Reference Group for the Inspector General of Intelligence and Security.
