Wellington, New Zealand — Following a hiatus last year over possible abuses by New Zealand’s foreign intelligence agency, a review of the Government Communications Security Bureau’s (GCSB) compliance with the law has noted problems with its structure and internal operations.
The review, by Cabinet Secretary Rebecca Kitteridge, stressed that the GCSB’s 300 staff plays a vital role in national security by obtaining, providing and protecting sensitive information and that “New Zealand needs this organization now more than ever.”
However, the review noted underlying problems within GCSB, concerning its structure, management of its information, capability and capacity, and concluded that “legislative clarification would be desirable.”
Recommendations include reorganizing GCSB “in a simpler, less fragmented way,” reducing the number of small units, centralizing some key roles and giving them bureau-wide reach, and appointing a “professional Information Manager.”
The lawfulness of some of the bureau’s past assistance to other agencies, especially to the New Zealand Security Intelligence Service (NZSIS), is now called into question, says the review, noting that such assistance ceased last September.
The person who for some years was the bureau’s sole legal adviser was not well connected with the public law community and “therefore not well placed to keep in touch with legal developments.”
No less disturbing, the decade-old legislation governing the GCSB has “not kept pace with developments, especially in relation to information assurance and cyber security,” according to the report.
It appears the bureau has not even kept pace with its own paperwork because even with the assistance of GCSB staff, Ketteridge could not locate all the documents she expected to “find easily.”
GCSB staff expressed a wish for a centralized database to access compliance precedents, examples and frequently asked questions. Such detail, the review found, is scattered throughout the bureau.
Similarly, the review found there was no uniform process by which domestic agencies, such as the NZSIS and the New Zealand police, could request information or assistance from GCSB, although a new system is being tested.
Acknowledging that a lack of perfect information is “inherent” to intelligence work, the review says that does not mean “that one is entitled to make assumptions without applying one’s mind and judgment to the issue.”
Several new organizations have been created to assist with the bureau’s cyber security role, including the National Cyber Security Centre (NCSC) and, last year, the National Cyber Policy Office (NCPO).
There is no mention of the NCPO in the review, which states that the NCSC “does not seem to have made the process more systematic, and in some ways appears to have added to the difficulties.”
With regard to the Inspector-General of Intelligence and Security (IGIS), the review notes that IGIS has lacked staff, has “waited for complaints to which to respond.” and notes that GCSB’s supposedly quarterly reports to IGIS have not always been provided, “although nobody asked where the missing quarterly reports were.”
The review estimates this process will take a year.