Still the 5 Eyes Achilles Heel?

The National Cyber Security Centre (NZSC), a unit in the Government Communications Security Bureau (GCSB) dedicated to cyber-security, has released a Review of its response to the 2021 email hacking of NZ members of the Inter-Parliamentary Alliance on China (IPAC, a global organization of parliamentarians) and Professor Anne-Marie Brady, the well known China expert and critic. A number of problems were identified, both operational and (yet again) with regard to accountability and transparency, so I thought I would briefly summarise them.

The Review states that too much focus was placed by the NCSC on “technical” solutions to the email phishing probes instead of considering the “wider” context in which the hacking occurred. In layman’s terms that is akin to saying that the NCSC got busy plugging holes in the parliamentary server firewalls after breaches were detected without considering who was being targeted and what purpose the hacking may have served. This is remarkable because the hacking came from ATP-31, a unit linked to PRC military intelligence well known for having engaged in that sort of activity previously, in NZ and elsewhere. Moreover, the NCSC had to be alerted by a foreign partner that the email phishing efforts were part of a progressive hacking strategy whereby the ultimate target was not the emails of MPs but of the IP addresses that were being used by those MPs. In fact, the NCSC currently does not have procedures for how to respond to reports that foreign, including state-sponsored, actors are targeting New Zealanders. The NCSC found out about the parliamentary email servers hacking from Parliamentary Services in the first instance, and then from foreign partner intelligence that was passed on to it by the NZSIS.

This is of concern for several reasons, not the least of which is that it took a foreign 5 Eyes partner to alert the NCSC to something that it should have been well aware of itself (progressive hacking), and because the NCSC initially assumed, for whatever reason, that the phishing was done by ordinary criminals rather than foreign intelligence units. It also assumed that MPs were already engaged in providing their own security, even after Parliamentary Services flagged potential breaches of its email servers to the NCSC. In fact MPs were apparently told more by Parliamentary Services than the NCSC about their being targeted (albeit after the fact), and the University of Canterbury, Professor Brady’s employer, apparently was never contacted about potential security breaches of their servers.

Since MPs may have sent and received emails from multiple IP addresses attached to their official and personal devices, the security breach implications of the email hacks could be considerable given the potential cross-over between personal and official MP communications. Put bluntly, it is incredible that a dedicated cyber-security unit that is an integral part of the GCSB and through it the Anglophone 5 Eyes signals/technical intelligence network did not consider the membership of the targeted MPs in IPAC and that the phishing occurred at the same time that Professor Brady’s emails were targeted (Brady is known to have close contacts with IPAC). This is basic 1+1 contextual stuff when it comes to operational security in cyberspace, so one gets the sense that the NCSC is made up of computer nerds who have little training in geopolitics, foreign policy, international relations or how the world works outside of WAN and LAN (hint: these are basic computer terms). They simply approached the hacking attacks as if they were plugging a leaking dike rather than consider what may be prompting the leaks and red-flagging them accordingly.

The advice given by the Review was for the NCSC to engage more with the targeted individuals in real time, who only found out about their exposure long after the fact. Moreover, the Minister of Intelligence and Security was not briefed on these intrusions, much like the targeted MPs and Professor Brady were not. Again, this defies the notion of democratic oversight, transparency and accountability within NZ intelligence agencies. Worse yet, it follows on the heels of revelations that for a few years a decade ago the GCSB hosted a foreign partner “asset,” presumably a signals or technical intelligence collection platform, at GCSB headquarters in Wellington without the knowledge of the then Minister or even the GCSB Director-General. Operational control of that platform, including specific taskings and targets, were done by the foreign partner. Imagine if one of the taskings was to geotrack a foreign human target in order to eliminate that target. If word was leaked about GCSB’s hosting of the tracking platform, it might cause some diplomatic tensions for NZ. At a minimum it is a violation of both NZ’s sovereignty as well as basic notions of intelligence agency accountability in a democracy. It seems that, almost a decade later, the much vaunted reforms designed to increase intelligence community accountability embedded the 2017 Security and Intelligence Act had not filtered down to the NCSC dike-plugging level.

This is a very bad look for the GCSB, both in the eyes of its domestic clients as well as those of its 5 Eyes partners. NZ already had a reputation for being the “Achilles heel” or “weak link” of the 5 Eyes network due to its lax security protocols and counter-intelligence capabilities. This may only confirm that belief in spite fo significant efforts to upgrade GCSB capabilities and toughen up its defences, including in cyberspace. And, judging from the reactions of the targeted MPs and Professor Brady, domestic clients of the NCSC, who are both private and public in nature, may not feel too reassured by the Review and its recommendations.

It is known that the GCSB is made up of an assortment of engineers, translators and computing specialists. It has a remit that includes domestic as well as foreign signals and technical gathering and analysis, the former operating under the framework of NZ law under the 2017 Act (most often in a partnership with a domestic security agency).This brings up a question of note. If the staff are all of a “technical” persuasion as described above, then it follows that they simply adhere to directives from their managers and foreign partners, collect and assess signals and technical intelligence data as directed by others, and do not have an in-house capacity to provide geopolitical context to the data being analyzed. It is like plugging leaks without knowing about the hydraulics causing them.

In that light it just might do good to incorporate a few foreign policy and comparative political analysts into the GCSB/NCSC mix given that most of NZ’s threat environment is not only “intermestic” (domestic<–>international) but “glocal” (global and local) as well as hybrid (involving state and non-state actors) in nature. Threats are multidimensional and complex, so after the fact “plugging” solutions are temporary at best.

Given their diversity, complexity and sophistication, there are no “technical” solutions that can counter contemporary threats alone. Factoring in the broader context in which specific threats materialise will require broadening the knowledge base of those charged with defending against them or at a minimum better coordinating with other elements in the NZ intelligence community in order to get a better look at the bigger picture involved in NZ’s threat environment.

The NCSC in-house Review is silent on that.

Voting as a multi-order process of choice.

Recent elections around the world got me to thinking about voting. At a broad level, voting involves processes and choices. Embedded in both are the logics that go into “sincere” versus “tactical” voting. “Sincere” voting is usually a matter of preferred choice, specifically of a candidate or outcome. Simply put, a person votes for their preferred option. But what about “lesser evil” or “second best” choices? Are they “sincere”? Rather than a matter of genuine sincerity of choice, the general demarcation separating “sincere” voting from “tactical” voting is not so much the motive for choice or the specific choices involved but the all or nothing of the process–it is the final selection point before an elected entity or outcome is confirmed. In other words, sincere choices are end choices, regardless of the logics by which they are made.

This allows us to distinguish between elections as a process versus elections as choices between options. Until the last vote is counted in the final round of voting, everything is tactical even if choices for individuals are sincere in the moment.

Under Mixed Member Proportionate (MMP) electoral systems like that in NZ voters do tactical voting all of the time. They consider the relationship between party and candidate votes and choose accordingly. Sometimes voters go with a straight party-candidate vote but other times they split votes between party and candidates. That depends on how they view specific party chances in inter-party competition, the electorate candidate in relation to their party, that candidate in relation to the electorate voting history (does she stand a chance?), and the merits of other candidates in a given electorate. Much of this assessment is done unconsciously in the moment of choice but in any event the voter’s calculation is multi-level and relative in nature.

A vote is tactical when we vote for a candidate or party or coalition or ballot option with the shadow of the future in mind, as far as we can foresee it. We may do so for defensive as well as win-seeking reasons, like what happened in France this past week, where the Left removed competing candidates in a number of electorates in order to improve the chances of designated “unity” candidates defeating rightwing opponents in the second round of parliamentary elections. That was done in order to help defeat the serious possibility of a rightwing victory in the second round parliamentary elections after the first round saw the Right win a significant plurality of the vote. The tactic of limiting inter-Left competition was defensive in nature rather than a “go for the win” effort because all involved understood the costs of allowing a rightwing victory and put their immediate preferences (and differences) aside in order to confront the common threat.

When it comes to tactical voting people may also vote for lesser evils rather than preferred options because the context in which voting occurs may advise them to do so. Voters may simply have to choose between otherwise distasteful candidates or options. In multiple round voting it is the process as much as the immediate outcomes that motivate voters in the first instance, as they are seeking to do something now in order to set up a better sincere choice option in the future. Think of the US primary system, where party candidates are selected not just for their merits but also with an eye towards their “electability” in the general elections. A candidate with lesser ideological purity or Party credentials may win in the selection round because primary voters feel that s/he is more likely to be elected in a general election where sincere choices are made.

On the other side of the coin, as a campaign strategy, what Labour recently did in the UK when it flooded electorates with candidates, even in Tory strongholds where it traditionally had zero chance of competing, was a “throw it at the wall and see what sticks” first-order approach. Labour put up slates of candidates who in many cases have little to no experience in politics and who were in a number of instances sent as electoral cannon fodder into historically secure Conservative electorates. Labour strategists banked on the belief that public disgruntlement with the Conservatives would spill over into Labour winning at least some traditionally Tory seats, and in that they were successful. But this was just the first order outcome. The second order outcome is how these candidates-turned-MPs will perform given their lack of experience. Some will do well but if enough turn out to be incompetent or worse, then Labour runs the risk of incurring a voter backlash against it in just one electoral cycle. That is the second-order problem of the “throw at the wall” candidate selection tactic: good for the short-run, but a bit uncertain over the longer term.

For his part, French President Macron has ruled out working with the largest of the Left parties (“France Unbowed”) in the coalition that came first in the second round of the French parliamentary elections thanks to the defensive unity candidate first order manoeuvres, so is now trying to carve away smaller Left parties from the Left coalition so they can form a majority coalition with his Centrists. He apparently has promised the Prime Minister’s job to a Left candidate if they agree to his terms (in France the president selects the PM). But if he cannot do this, then France will be in political gridlock through and beyond the Olympics. So his first order tactical gambit of calling snap elections and forming a defensive alliance against the Rightists worked, but now the second order consequences embedded in the process must be confronted and resolved less the otherwise unwelcome triumph of the Right become reality.

In Iran the reformist Pezeshkian won the run-off election against a conservative hard-liner. The latter could be seen as a “continuist” following the approach of his dead predecessor (recently killed in a helicopter crash), whereas Pezeshkian seeks a thaw in Iran’s foreign relations with the West and a relaxation of restrictions on social freedoms at home. But since the Council of Elders and the Ayatollah Khamenei are the real power brokers in Iran, perhaps they allowed Pezeshkian to run (they did not allow any other reformist to do so) in order to gauge public sentiment and/or use the elections as an escape value that eases social pressures on the regime by allowing the electorate to institutionally vent its views. Think of it as an Iranian political pressure cooker, with the electorate permitted to let off pent-up steam during the election process.

The first round of that vote only brought 40 percent of the electorate to the polls, but the second round brought in 53 percent. Beyond the narrowing of the field of candidates in the second round, the turnout and strong majority vote for Pezeshkian demonstrates the apparent need for some reform-mongering when it comes to policy making. This is a strong signal that the Elders must consider if they are to keep a lid on things. They have been sent a message about what the public wants in public policy, especially (judging from field reports) about social mores and behaviours. But what about the hard-liners? They have the guns, are not going away and are ill-disposed towards Pezeshkian’s proposals.. So the second order question is to reform monger or not and if so, how much is too much? Again, it is a process, and the choice of Pezeshkian is a first-order means towards a perhaps necessary but uncertain end.

In the US the Biden question is not only should he stay or should he go, but also how and when? Sooner or later? At the convention or before? Does he designate an heir if he goes (presumably Vice President Harris) or does he throw it open to a short-list of previously vetted candidates? The James Carville opinion piece in the New York Times was an interesting proposition, with its geographically organized Town Halls acting as an extended job interview process for designated candidates. And the George Clooney op-ed in the same newspaper pretty much spells out why Biden has moved from being an asset to a liability for the Democrats. Here too there is a process as well as the individual to consider, something that must converge into an electable platform that can defeat Trump. So the first order choice is about Biden staying or going, the second order choice is about when and how to replace him and the third order choice is about the agenda and team needed to defeat Trump. With those three parts of the process resolved, a sincere choice can be presented to the electorate in November.

This is about more than Joe Biden. In a democracy people serve their party in the first instance, the party serves the country in the second instance and the country serves the nation in the last instance (“country” being a political entity with territorial boundaries codified in the notion of “State” and “nation” being a political society or culture legally represented by a country). For the Democrats the issue is not just about choice of a presidential candidate in light of Biden’s perceived limitations (age, fragility, cognitive decline), but about the institutional process by which their candidate choice is made. The process is time-sensitive given the upcoming Election date, so the choices must be soon and facilitated by the institutional process. It remains to be seen if Biden and other Democrats fully understand the difference between his fortunes and those of the party–and the country itself, but if they do, then the process of candidate selection is as important as the candidates themselves.

Again, I am no voting behaviour expert (too much bean-counting and tea leaf-reading for me), so please take this very incomplete and shallow sketch as a a preliminary rumination about choice and process in voting. I will leave for another day discussion of certain hard realities about voting in practice–things like voter suppression, gerrymandering, redistricting, incumbent advantage, campaign finance laws and loopholes, polling, etc.–as well as the use of game theoretic and AI models as predictive tools in voting analysis. That is best left to those who focus on such things. But having said that I do think that recent elections offer an opportunity to ponder the process as well as the choices that democratic elections involve. Hence this note.

Author’s Postscript: This essay serves as the basis of my remarks for the “A View from Afar” podcast of July 14, 2024.