The National Cyber Security Centre (NCSC), a unit in the Government Communications Security Bureau (GCSB) dedicated to cyber-security, has released a Review of its response to the 2021 email hacking of NZ members of the Inter-Parliamentary Alliance on China (IPAC, a global organization of parliamentarians) and Professor Anne-Marie Brady, the well-known China expert and critic. A number of problems were identified, both operational and (yet again) with regard to accountability and transparency, so I thought I would briefly summarise them.
The Review states that too much focus was placed by the NCSC on “technical” solutions to the email phishing probes instead of considering the “wider” context in which the hacking occurred. In layman’s terms that is akin to saying that the NCSC got busy plugging holes in the parliamentary server firewalls after breaches were detected without considering who was being targeted and what purpose the hacking may have served. This is remarkable because the hacking came from APT-31, a unit linked to PRC military intelligence well known for having engaged in that sort of activity previously, in NZ and elsewhere. Moreover, the NCSC had to be alerted by a foreign partner that the email phishing efforts were part of a progressive hacking strategy whereby the ultimate target was not the emails of MPs but the IP addresses that were being used by those MPs. In fact, the NCSC currently does not have procedures for how to respond to reports that foreign, including state-sponsored, actors are targeting New Zealanders. The NCSC found out about the parliamentary email server hacking from Parliamentary Services in the first instance, and then from foreign partner intelligence that was passed on to it by the NZSIS.
This is of concern for several reasons, not the least of which is that it took a foreign 5 Eyes partner to alert the NCSC to something that it should have been well aware of itself (progressive hacking), and because the NCSC initially assumed, for whatever reason, that the phishing was done by ordinary criminals rather than foreign intelligence units. It also assumed that MPs were already engaged in providing their own security, even after Parliamentary Services flagged potential breaches of its email servers to the NCSC. In fact MPs were apparently told more by Parliamentary Services than the NCSC about their being targeted (albeit after the fact), and the University of Canterbury, Professor Brady’s employer, apparently was never contacted about potential security breaches of their servers.
Since MPs may have sent and received emails from multiple IP addresses attached to their official and personal devices, the security breach implications of the email hacks could be considerable given the potential cross-over between personal and official MP communications. Put bluntly, it is incredible that a dedicated cyber-security unit that is an integral part of the GCSB and through it the Anglophone 5 Eyes signals/technical intelligence network did not consider the membership of the targeted MPs in IPAC and that the phishing occurred at the same time that Professor Brady’s emails were targeted (Brady is known to have close contacts with IPAC). This is basic 1+1 contextual stuff when it comes to operational security in cyberspace, so one gets the sense that the NCSC is made up of computer nerds who have little training in geopolitics, foreign policy, international relations or how the world works outside of WAN and LAN (hint: these are basic computer terms). They simply approached the hacking attacks as if they were plugging a leaking dike rather than considering what may be prompting the leaks and red-flagging them accordingly.
The advice given by the Review was for the NCSC to engage more with the targeted individuals in real time, who only found out about their exposure long after the fact. Moreover, the Minister of Intelligence and Security was not briefed on these intrusions, much like the targeted MPs and Professor Brady were not. Again, this defies the notion of democratic oversight, transparency and accountability within NZ intelligence agencies. Worse yet, it follows on the heels of revelations that for a few years a decade ago the GCSB hosted a foreign partner “asset,” presumably a signals or technical intelligence collection platform, at GCSB headquarters in Wellington without the knowledge of the then Minister or even the GCSB Director-General. Operational control of that platform, including specific taskings and targets, was exercised by the foreign partner. Imagine if one of the taskings was to geotrack a foreign human target in order to eliminate that target. If word was leaked about GCSB’s hosting of the tracking platform, it might cause some diplomatic tensions for NZ. At a minimum it is a violation of both NZ’s sovereignty as well as basic notions of intelligence agency accountability in a democracy. It seems that, almost a decade later, the much vaunted reforms designed to increase intelligence community accountability embedded in the 2017 Security and Intelligence Act had not filtered down to the NCSC dike-plugging level.
This is a very bad look for the GCSB, both in the eyes of its domestic clients as well as those of its 5 Eyes partners. NZ already had a reputation for being the “Achilles heel” or “weak link” of the 5 Eyes network due to its lax security protocols and counter-intelligence capabilities. This may only confirm that belief in spite of significant efforts to upgrade GCSB capabilities and toughen up its defences, including in cyberspace. And, judging from the reactions of the targeted MPs and Professor Brady, domestic clients of the NCSC, who are both private and public in nature, may not feel too reassured by the Review and its recommendations.
It is known that the GCSB is made up of an assortment of engineers, translators and computing specialists. It has a remit that includes domestic as well as foreign signals and technical gathering and analysis, the former operating under the framework of NZ law under the 2017 Act (most often in a partnership with a domestic security agency). This brings up a question of note. If the staff are all of a “technical” persuasion as described above, then it follows that they simply adhere to directives from their managers and foreign partners, collect and assess signals and technical intelligence data as directed by others, and do not have an in-house capacity to provide geopolitical context to the data being analyzed. It is like plugging leaks without knowing about the hydraulics causing them.
In that light it just might do some good to incorporate a few foreign policy and comparative political analysts into the GCSB/NCSC mix, given that most of NZ’s threat environment is not only “intermestic” (domestic<–>international) but “glocal” (global and local) as well as hybrid (involving state and non-state actors) in nature. Threats are multidimensional and complex, so after-the-fact “plugging” solutions are temporary at best.
Given their diversity, complexity and sophistication, there are no “technical” solutions that can counter contemporary threats alone. Factoring in the broader context in which specific threats materialise will require broadening the knowledge base of those charged with defending against them or at a minimum better coordinating with other elements in the NZ intelligence community in order to get a better look at the bigger picture involved in NZ’s threat environment.
The NCSC in-house Review is silent on that.
This is very alarming, Pablo. I assumed that there would be suitably qualified people (such as foreign policy experts) integrated into our security services as a necessity. I suspect we Kiwis are simply rather naive and trust that having the people with the right sort of computer literacy & others with expertise in foreign languages is enough to cover these sorts of threats when it most clearly is not. I’m gobsmacked – and very concerned.
We really need to up our game!
Di:
“Siloing” is a common problem in intelligence communities, but when it trickles down into intelligence agencies themselves, where staff are isolated into their own “technical” silos with little cross-department communication or consultation, then it impedes the efficiency of the agency in question. I participated in weekly inter-departmental net assessment meetings when in US govt service, and that is just one way to cross-pollinate and educate at the analyst level, which is a degree of separation from the operational coalface of intelligence agencies (and hence where broader context is needed most).
It sounds as if the agencies concerned could use some of your wisdom, Pablo.
I do understand how silos work – it was a predominant feature of the local government I worked at, at the end of a very long working life. The CEO of that time did her best to combat it, but some people (mostly with very long tenure) had their own little fiefdoms & resisted it strongly. I hope the problems with our security agencies can be fixed, and fast. A lot depends upon it.