The GCSB does not undertake mass surveillance of New Zealanders. It was a message that the acting head of New Zealand’s foreign intelligence agency, Una Jagose, reiterated in Wellington this week, as well revealing details about the Bureau’s cyber-security work.

It was the second time Ms Jagose has publicly given this assurance in recent months. The first time was when she was two weeks into her current role, when she appeared before Parliament’s Intelligence Security Committee in March 2015.

She told the audience of about 120 people that mass surveillance was a term that created an image of random information collection – “collection without purpose, collection without control”. The GCSB did not “randomly hoover up information and rummage through it, hoping to find something useful”, and the image of mass surveillance was one of the biggest myths about the Bureau’s work.

The agency was prohibited by the GCSB Act from targeting New Zealanders’ private communications – unless the New Zealander was - as described in the Act - an agent of a foreign power or foreign organisation.

GCSB oversight

Ms Jagose described the oversight the GCSB was subject to. Reasons for accessing or intercepting communications must fit the government’s requirements and be justified. The Prime Minister must receive an application from the GCSB justifying why a particular warrant is sought and the controls that would be put in place around the use of that information. The Foreign Minister must also be consulted. If a New Zealander’s communications was to be targeted, the Commissioner of Security Warrants must also agree.

As GCSB director, Ms Jagose was required to keep a register of all intercept and access warrants and authorisations. Work conducted under those warrants and authorisations did not begin until a GCSB analyst had a customer requirement for the intelligence sought. That requirement was linked into an internal plan which also linked to the government’s foreign intelligence requirements. Before conducting work under authorisation, analysts must enter all this data into the database before they began. “All of these inputs into the system, all of the work done on the systems, are fully traceable and auditable.”

The Inspector General of Security and Intelligence (IGIS) had access to the register of warrants and authorisations and to all the supporting information. The IGIS conducted audits, reviews and regular inquiries, and reported to government ministers and the public. “All our work is available to her at any time and it must be fully auditable by her – she has direct access to the building, to the systems and to us.”

Ms Jagose said IGIS aside, the Privacy Commissioner, the Ombudsman and the Auditor-General also had oversight over the GCSB. And as happened earlier this year, Parliament’s Intelligence and Security Committee could also hold the Bureau to account for what it did.

“It seems to be forgotten that the GCSB is a government department, delivering on the government’s priorities, and answerable to ministers and subject to significantly more oversight than most agencies.”

She said there were legitimate questions to be asked about New Zealand’s intelligence activities but this needed to be weighed against the risk of doing harm to the country’s interests. New Zealand had interests it needed to protect and secrets that others wanted to steal. “Complete openness is also openness to adversaries; that weakens, rather than strengthens, the system.”

Ms Jagose admitted, without compromising national security, the Bureau had been slow in the past to be more transparent. The GCSB had to get better at doing this because there were benefits to increasing public understanding and the mandate for what it did in protecting New Zealand’s interests.

How CORTEX works

Ms Jagose also talked about the Bureau’s role in providing cyber-security and the use of its CORTEX project. The existence of CORTEX was revealed by the government last year. It is a cyber-security defence system for organisations of national significance, including some non-government organisations.

She couldn’t reveal what organisations received CORTEX protection but all those that did held sensitive and nationally significant information. To reveal the names of the organisations would disclose where sensitive information was held and potentially create more unwanted focused attention from cyber attackers. The list included government departments, research institutions, operators of critical national infrastructure, economically important organisations and niche exporters.

Ms Jagose said CORTEX was a developing capability that helped to identify and protect against malicious computer software. It involved a layered set of technical capabilities. Layering provided better coverage and was more likely to detect foreign-sourced malware. Organisations under the CORTEX umbrella might receive just one or several layers of capability.

Before CORTEX was adopted as part of an organisation’s cyber defence capabilities, it needed to be authorised by the Prime Minister and the Commissioner of Security Warrants. The organisation obtaining CORTEX protection must also consent to receiving it and agree to a number of conditions. For example, the organisation must carry out the highest level of “cyber-hygiene” and maintain confidentiality about the services it was receiving.

Ms Jagose said the system detected cyber threats to particular organisations and told them about those threats so they could respond to them. The GCSB had experts who gave advice about preventing and mitigating these advanced cyber threats. The Bureau shared what it learned from specific instances to the wider pool of organisations. CORTEX also had the ability to identify vulnerabilities in computer systems and networks that advance malware threats might attempt to exploit. One measure of CORTEX’s capability was that it dealt with types of malware that could not be tackled by commercially available tools.

CORTEX authorisation

Ms Jagose said there were specific terms of authorisation to ensure the CORTEX system was being used for its authorised purpose and nothing else. Technology enabled the independent oversight of the use of CORTEX. A complete log of what occurs was viewable by the IGIS with the data categorised according to how it should be handled, as well as rules about what could or could not be done with it.

The rules limited the number of people who could access the data. “As I’ve said, CORTEX is designed and used for a specific purpose. We cannot and do not use that capability for any other purpose. It is not used for countering terrorism or any other law enforcement purpose. It’s all about cyber-security. And it’s going really well.”

She gave examples of how it had been effective, including the detection and mitigation of a plot to target several key government agency officials by phishing emails to gain access to personal information and potentially compromise that agency’s computer network.

In another case, the detection of a malware package sourced from the ‘Dark Web’ to target six significant domestic organisations. There was also identifying and tracing the source of a new cyber-attack method from a “known major foreign threat source” which targeted several CORTEX protected organisations.

Ms Jagose said the Bureau had conducted a privacy impact assessment on the CORTEX project. Following the Office of the Privacy Commissioner’s advice on best practice, her agency considered all of the Privacy Act’s 12 privacy principles. While some of the principles did not work under CORTEX, the controls on storage, use and retention of data were keys to dealing with any privacy implications. The privacy impact assessment report would be publicly available on the GCSB’s website in the near future.   

You can find the text of Una Jagose’s speech here or watch the video.

Image credit: Who listens to the listeners? Poster by Simon Gray (Vincents Art Workshop, Wellington)

surveillance, security, cybersecurity, intelligence