The Inspector General of Intelligence and Security (IGIS) recently released a report in which he exposes the existence of a foreign intelligence partner-controlled technological “capability” inside the headquarters of the GCSB, NZ’s 5 Eyes-affiliated signals intelligence collection and analysis agency. The memorandum of understanding (MOU) governing the way in which this “capability” was used was negotiated from 2008 through to 2012, and the system went operational in early 2013. It continued to do so until 2020, when it supposedly suffered a systems failure and the equipment was removed.

The IGIS became aware of its existence while investigating an unrelated, different foreign partner-operated “capability” in the GCSB in recent years. What he found about the 2013-2020 “capability” was troublesome on several levels.

At a broad level, the IGIS appears to have indirectly confirmed what Edward Snowden revealed when he defected and leaked thousands of classified documents to investigative journalists in 2013. Those documents included descriptions of signals intercept programs such as XKeyscore, Speargun, Cortex and Prism, all of which were unknown to the public or most political leaders at the time and one of which may be the “capability” in question.

Negotiations over the MOU and entering into service of the “capability” occurred during the first two National-led Key governments. Key was the Minister for Intelligence and Security as well as PM at the time. The MOU assumed that the Minister of the day and perhaps cabinet would be informed of the “capability” following the “no surprises” policy in the Cabinet Manual regarding sensitive, controversial or security-related matters. The MOU specified that the GCSB would be informed of what the “capability” was doing in real time, what its end products/outputs were and to what purposes it was being used. The MOU was also supposed to be reviewed on a regular basis, but in fact it never was.

The “capability” was not a collection technology but an analytic mechanism to which the GCSB delivered collected inputs (intercepts) from a variety of sources. From time to time the foreign partner agency would send emails requesting “feed” settings changes on the “capability” that were done by GCSB personnel. The IGIS found evidence of 45 of these but believes there were more that went unrecorded due to faulty or patchy record keeping and, most troubling, the foreign partner agency unilaterally changing the “feed” settings on the “capability” from a remote location without notifying the GCSB.

That is just part of the problem. Whatever was intended to happen according to the MOU, in practice the Minister responsible for the GCSB–John Key in the first instance–was apparently never informed of the “capability’s” existence. Nor were any other members of the political leadership, even after the Intelligence and Security Ministerial position was divided into two (one responsible for day-to-day oversight and the other a a more general steering role). Worse yet, the senior GCSB leadership after 2013 were also kept in the dark about the “capability’s” existence. Some of that may have been due to the revolving door nature of the Director General’s (DGGCSB) position after the Kim Dotcom illegal spying fiasco of the early 2010s, where general “authorisations” were rubber-stamped by incoming DGGCSBs without paying attention to the details of what was being authorised. It is also possible that lower level technicians with hands-on roles regarding the “capability” assumed that middle management kept their superiors in the chain of command informed about the “capability” and its operational status when in fact no senior leader was the wiser about the system after in came on line. In addition, hosting of the foreign partner’s “capability” was within the law according to the 2003 GCSB Act regarding foreign intelligence sharing even if the GCSB leadership and political decision-makers were not informed about its presence. Everything was lawful and yet in violation of the MOU regarding the duty to keep Ministers and senior agency leaders informed.

Beyond that, problems remained. No legal framework or organisational protocols were developed regarding the “capability’s” usage. In fact, unlike another NZ intelligence partner country that had a similar technology installed on its soil, there was no institutional and legal frameworks developed by the GCSB and Crown Law to specifically govern the operation of the “capability.’ That meant that the “capability” was used without regard to NZ law and international legal commitments.

As an illustration of what could go wrong with this arrangement consider the following. The IGIS repeatedly mentions in his report the possibility of data from the “capability” being used for military purposes, targeting in particular. Even though “targeting” can refer to a number of intelligence-related activities beyond kinetic strikes against physical objects, the possibility remains that NZ hosted a technology that in fact may have been used to do so. Imagine a drone strike in Afghanistan using GCSB-collected data that was analysed and “packaged” by the foreign intelligence partner-operated capability located on NZ soil. Imagine that the drone strike wound up killing innocents as well as intended targets. That makes NZ culpable as an accomplice of war crimes because it was part of the kill chain even if it was not aware of being so.

That brings in the second troublesome aspect of the issue. Whatever the MOU intended, in practice the GCSB had no operational control over how the “capability” was used or what its end products were. Instead, it served as a type of maintenance engineer, maintaining the platform and changing “feed” settings on it upon request (and sometimes not even being aware that the settings were changed remotely). Evidence of the latter only became apparent when GCSB personnel noticed unexplained data outflows at odd times in which there were no setting change requests. Although this was discussed internally by those involved with the “capability,” it was never brought to the attention of the agency’s senior leadership, much less the Minister. It was only discovered by the IGIS during the course of his post-2020 investigations.

In effect, the problem with the arrangement governing the “capability” installed within GCSB headquarters in 2012 was two-fold: on an internal level there was no vertical accountability to their superiors inside and outside of the GCSB from those responsible for handling the technology. This is a gross violation of basic principles of democratic oversight of intelligence operations, where senior intelligence professionals and the decision-making politicians elected by the public are supposed to take responsibility for whatever choices are made regarding intelligence matters. In this instance both the political and civil service leaderships were ignored by their GCSB subordinates, who ran what could be called a type of “dark” operation within an already opaque agency when it comes to revealing or acknowledging its activities.

The second problem is one of sovereignty. The GCSB hosted a foreign espionage platform operated by an intelligence partner country without any meaningful level of scrutiny or control, legal or practical, over what that platform did. The GCSB knew about its technological attributes but little more, and certainly knew nothing about its uses and end products until, at best, after the fact (in just one instance as far as the IGIS could determine). Although the IGIS report does not mention the possibility, it is known that US personnel are regularly stationed at GCSB facilities and, according to the report, were involved in training GCSB personnel in the operation and maintenance of the “capability.” If US (presumably NSA) officers were inside the GCSB and involved in running the “capability” without the knowledge of GCSB leaders and the Intelligence and Security Minister, then the infringement on NZ sovereignty was great.

Think of it this way. Imagine that the CIA sent an undercover officer to work from within the SIS on a project tasked by the CIA. Although the MOU governing his/her work stated that the SIS would know about his/her activities and regularly review them, the SIS had no idea what the CIA officer did although it regularly provided him/her with various spycraft tools of the trade. The CIA officer answered and provided human intelligence to the CIA, which did not share with the SIS how the intelligence was used or what its end product or output was. The SIS “handlers” of the CIA officer did not inform their superiors about his/her presence and no one told the responsible Minister that s/he was even in NZ. How would people react to such news? Well, that is what has been revealed about the GCSB foreign “capability” program from 2013-20.

The irony is that had the “capability” been revealed to the responsible Ministers and GCSB leadership it would have most likely been approved given the nature of the NZ governments during that period and importance of NZ’s relationship with its 5 Eyes partners. Or, given how he governed, perhaps John Key told the GCSB that he did not want to know about sensitive operational matters because it gave him plausible deniability when asked about them. Maybe there was a bit of truth in both possibilities. Who knows?

Another interesting aspect to this story is that it is very possible that the “capability” was installed at the GCSB headquarters in Wellington because NZ’s looser intelligence and security laws at the time made it easier for the foreign intelligence partner to circumvent its own laws regarding certain types of signals intercept collection and analysis. The Snowden leaks detail instances of “bulk collection” and other types of whole-scale metadata gathering that much like some types of mass surveillance violate the right to privacy and presumption of innocence in most democracies. The IGIS report actually mentions metadata collection, albeit without specifics. It is therefore possible that the foreign intelligence partner took advantage of NZ’s looser oversight and legal control regime in order to do what it could not do at home.

One positive discovery by the ISIG was that as far as he could tell the “capability” was not used on NZ citizens or permanent residents. That reinforces the notion that the targets of the “capability” were foreign as well, military or not. Again, Snowden’s leaks alluded to this.

When the 2017 Intelligence and Security Act was promulgated, which superseded previous legislation like the 2003 GCSB Act and brought various legal artefacts into one body of legislation, things appear to have begun to tighten when it comes to internal oversight mechanisms within the GCSB and the SIS. Former GCSB Acting Associate Director General (and later SIS Director General) Rebecca Kitteridge and former Inspector General of Intelligence and Security Cheryl Gwynn were instrumental in this regard and met concerted resistance from the “old boys” ranks within both agencies. Although they resisted so-called “bureaucratic capture” by spy agency “old boys” institutional inertia was great and it ran against them. They made significant inroads when it came to reforming institutional culture and practices, but much more remains to be done.

Here the troubling aspect is also double-sided. One the one hand the culture of impunity within these agencies continues to exist, even if in diluted form. The IGIS had great difficulty obtaining records, documents and truthful statements about and from those involved with the 2013-20 “capability.” Even after leaving the GCSB, some claimed to not recall its existence even though they were directly involved with it. This indicates that they are more loyal to each other and their foreign partners than to the governments of the day and the people who paid their salaries when in government service. Wellington, there is a problem.

The second difficulty is that for all the tightening of internal oversight mechanisms, there still is no effective external oversight of the NZ intelligence community, and particularly of operational agencies like the GCSB and SIS. The parliamentary committee on Intelligence and Security remains a toothless gab-fest with no powers of compulsion under oath or any other other form of disciplinary enforcement powers levied on intelligence agencies for a lack of institutional candor or cooperation. Legal punishments for these agencies for breaking the law are limited to small fines and no personal punishments. That means that the bureaucratic culture of impunity within some elements of the intelligence community is rewarded rather than constrained because, quite frankly, agency personnel can get way with things that the rest of us cannot because they are the so-called “keepers of the secrets.”

As things stand, as far as the IGIS report mentions none of those responsible for managing the “capability” have been held to account or disciplined in any way. The suggested agency reforms proposed by the IGIS, all accepted by the GCSB, do not address the issue of individuals discipline or accountability. It seems that impunity is its own reward.

This extends to their incompetence. One of the provisions of the Royal Commission on the Christchurch terrorist attacks was that no one within the intelligence and security communities would be held responsible for failures of a personal or institutional nature. This was supposedly done to encourage people to talk freely about what was and was not known in the lead-up to the attacks, but instead what resulted was a highly sanitised whitewash of bureaucratic and personal responsibility for the intelligence failures that facilitated the carrying out of one of NZ’s worse mass killings in modern times.

In effect, the story about this foreign intelligence “capability” secretly operated from within the GCSB is one about violation of basic principles of democratic oversight of intelligence agencies, of an abdication of sovereignty to a foreign power when it comes to intelligence collection and analysis, and above all, of an ongoing culture of impunity within NZ intelligence agencies that do not appear to have learned the right lessons from the Zaoui, Dotcom or March 15 cases when it comes to behaving ethically and taking responsibility for the actions or inactions taken on their watch.

Which begs the question: in spite of all the post 2017 tightening of internal oversight mechanisms, will it be a matter of when not if before history repeats when it comes to an intelligence agency scandal?