Once operational, the Government Communications Security Bureau (GCSB) failed on multiple levels including a lack of due diligence, record-keeping and staff training. Nor did it have visibility of what the hosting was helping to enable, including any military targeting.
The scathing criticism is outlined in a report, released today, by independent watchdog and Inspector-General of Intelligence and Security Brendan Horsley, who said the lack of proper monitoring meant the use of the system may have even breached New Zealand laws.
"It was improper for the GCSB to decide to host the system without bringing it to the Minister’s attention. This undermined the ability for the Minister to exercise control of the agency," Horsley said.
That was despite concerns identified in 2010 and 2011 being raised at senior level within the GCSB.
Details of the foreign agency involved remain classified, including whether it was from one of New Zealand’s Five Eyes intelligence partners the US, the UK, Australia or Canada. An unclassified copy of the report has been given to GCSB Minister Judith Collins.
Horsley found further failings once the hosting was operational, which lasted from 2012/13 to 2020. It took place:
• without any due diligence by GCSB on tasking requests.
• without full visibility for GCSB of the tasking of the system, including "no apparent access for GCSB to the outcomes of the capability’s operation".
• with inadequate record-keeping including no auditing, and inadequate training, support or guidance for GCSB staff.
• with negligible awareness of the system at a senior level within the GCSB.
• without due attention to the possibility that support for the system could contribute to military targeting, and therefore no clarity about whether "data supplied by the GCSB to the capability did in fact support military action".
"The way in which the system operated meant that the GCSB could not be sure its tasking was always in accordance with Government intelligence requirements and New Zealand law," Horsley said.
Changes to the bureau’s policy and compliance systems have reduced the risk of the same thing happening today, he added.
"I also consider it is less likely that the Bureau would implement such an arrangement as poorly as it did in this case."
He made several recommendations, all of which the GCSB has adopted. These include internal guidance to reflect existing requirements where such agreements need to be consulted with the minister, a register of capabilities in New Zealand that are operated by foreign partners, and an audit of foreign partner capabilities.
GCSB Director-General Andrew Clark said in a statement there were failings in the decision-making processes, "particularly not informing the Minister responsible of the day, and the subsequent management of its operation.
"While this IGIS report examines what could be described as a historical issue, its recommendations will nonetheless help us further refine our current processes that ensure we act with propriety in everything we do."
He said the bureau was "a very different organisation today.
"Since I joined the bureau in late 2023/five months ago, I have looked carefully at how it fulfils its requirements in terms of compliance, relevant legislation, human rights and oversight.
"The GCSB exists to protect and enhance New Zealand’s national security, and our international partnerships play a significant part in how we fulfil our mission. It is important that we have effective processes in place that enable us to do our job in accordance with all our obligations."