GCSB is a public service department with its head office in Wellington, a regional office in Auckland, a station at Tangimoana, near Palmerston North, and another station at Waihopai, near Blenheim. The Director-General of the GCSB, since April 2016, is Andrew Hampton. The Director-General reports directly to the Minister responsible for the GCSB, Hon Christopher Finlayson.
GCSB employs staff in a wide range of disciplines, including foreign language experts, communications and cryptography specialists, engineers, technicians, legal, policy, and support staff.
GCSB contributes to:
- The protection of New Zealand’s national security
- The international relations and well-being of New Zealand
- The economic well-being of New Zealand.
GCSB do this by:
- Providing protective security services, advice and assistance, including information assurance and cybersecurity activities
- Collecting and analysing intelligence in accordance with the Government’s priorities
- Co-operating with NZSIS and co-operating and providing advice and assistance to New Zealand Defence Force and New Zealand Police.
The National Cyber Security Centre (NCSC) has been located within the GCSB since its establishment in 2011. The NCSC provides enhanced services and advice to government agencies and critical infrastructure providers to help them to defend against cyber-borne threats.
The New Zealand Government has had a signals intelligence (SIGINT) capability since the Second World War. It has also long recognised the need to ensure that government agencies were protected from “bugging” (technical security, or TECSEC) and that its sensitive messages could not be read by third parties (communications security, or COMSEC). Until the establishment of the GCSB, these services were provided by bodies such as the New Zealand Defence Force and the NZSIS. In 1977, the then Prime Minister, Robert Muldoon, approved the formation of the GCSB, but its functions and activities were secret.
In 1980 it was decided that the existence of the GCSB could be disclosed on a limited basis, leading to the first briefings of the Cabinet and the Leader of the Opposition. These briefings only acknowledged the GCSB’s TECSEC and COMSEC functions, but not its SIGINT functions. Prime Minister Muldoon publicly acknowledged the existence of the GCSB and its SIGINT function in 1984.
In early 2000, it was decided that the GCSB should be placed on a statutory footing similar to that of the NZSIS and a legislative process, including public consultation, began.
Meanwhile, in 2001, the Centre for Critical Infrastructure Protection (CCIP) was established to work with the New Zealand Government and critical national infrastructure agencies to improve their awareness and understanding of cyber security in New Zealand, provide them with watch and warn advice in relation to cyber incidents, and investigate any such incidents that occurred against them.
On 2 April 2003, the GCSB Act took effect. In June 2003, Cabinet formalised the role of the GCSB as the national authority for signals intelligence and information systems security.
In 2010, the GCSB began advertising for geospatial and imagery foreign intelligence (GEOINT) analysts to join a new area of analytic discipline for the GCSB, complementing its SIGINT mission. The GEOINT area is closely aligned with similar units within the New Zealand Defence Force. In 2012, the NZDF became the national authority for geospatial intelligence and formed GEOINT NZ.
In June 2011, New Zealand’s Cyber Security Strategy was published and allocated responsibility for cyber security. As part of the NZCSS, a National Cyber Security Centre (NCSC) was established within the GCSB in September 2011, and absorbed the functions of the CCIP.
Following the September 2012 discovery of unlawful intercept, Cabinet Secretary Rebecca Kitteridge was seconded to the GCSB as Associate Director to undertake a review of compliance, which took into account the GCSB’s activities, systems and processes since 1 April 2003 (the date the Government Communications Security Bureau Act 2003 came into force). Ms Kitteridge’s Review of Compliance Report was released by the Government on 9 April 2013. This led to a significant internal change programme to strengthen legal and procedural compliance which has since been completed
Externally, the same events led Government to conclude, as the Review of Compliance did, that the Government Communications Security Bureau Act 2003 as it then stood was fundamentally not fit for purpose. Amendments to the legislation (external link) took effect on 27 September 2013 and required periodic reviews of the intelligence and security agencies, the legislation governing them, and their oversight legislation.
In March 2016, Sir Michael Cullen and Dame Patsy Reddy presented their findings from the First Independent Review of Intelligence and Security in New Zealand to Parliament.
On the 28 March 2017 the Intelligence and Security Act 2017 gained Royal Assent. On 1 April 2017, the first provisions under the Act took effect. On 28 September 2017 further provisions under the ISA came into force.
The Intelligence and Security Act implements the Government response to the Report of the First Independent Review of Intelligence and Security in New Zealand: Intelligence and Security in a Free Society, and replaces the four Acts that previously applied to the GCSB, the NZSIS, and their oversight mechanisms.