15 September 2014
Despite being labelled a “fizzer” by some National-aligned critics, and a media expecting ‘fireworks’, the “Moment of Truth” event presented information that raised the public’s awareness of state surveillance and data collection in this country;
…that the Government Communications Security Bureau was involved in the mass surveillance of New Zealand citizens, and that the National government and Prime Minister John Key were aware of it […] NSA leaker Edward Snowden accused Prime Minister John Key of misleading the public over the country’s spying activities…
One mass-surveillance system referred to was XKEYSCORE, which investigative journalists on The Intercept described as;
The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.
These servers store “full-take data” at the collection sites — meaning that they captured all of the traffic collected — and, as of 2009, stored content for 3 to 5 days and metadata for 30 to 45 days. NSA documents indicate that tens of billions of records are stored in its database. “It is a fully distributed processing and query system that runs on machines around the world,” an NSA briefing on XKEYSCORE says. “At field sites, XKEYSCORE can run on multiple computers that gives it the ability to scale in both processing power and storage.”
Our esteemed Dear Leader, John Key, has consistently refused to confirm or deny whether or not the GCSB uses XKEYSCORE. Equally critically, Key refused to confirm or deny whether or not the spy bureau obtains information from the American NSA, which does employ XKEYSCORE.
However, seven months ago, investigative journalists Nicky Hager and Ryan Gallagher, working with the Herald on Sunday, released a damning report which presented clear evidence that the New Zealand government was indeed collecting private information using XKEYSCORE;
For the first time, New Zealanders can learn about people their government has targeted as part of its role in Five Eyes, a surveillance alliance that includes New Zealand, the United States, the United Kingdom, Canada, and Australia.
The secret document, dated from January 2013, shows some of the names and other search terms that the Government Communications Security Bureau (GCSB) entered into the internet spying system XKeyscore. XKeyscore is run by the US National Security Agency and is used to analyse vast amounts of email, internet browsing sessions and online chats that are intercepted from some 150 different locations worldwide.
GCSB has gained access to XKeyscore through its partnership in Five Eyes, and contributes data to the system that is swept up in bulk from a surveillance base in Waihopai Valley.
John Key’s assurances that New Zealanders are not under mass surveillance, and that mass data-collection is not being used, are also questionable after a recent interview on TV3’s The Nation with the GCSB’s acting director, Una Jagose.
As well as XKEYSCORE, there is another programme that Key confirmed was being used by the GCSB – “Cortex”;
“We’ve never undertaken mass surveillance, we have got a programme called Cortex running over specific entities providing cyber protection.”
However, there are indications that Cortex is not merely the benign “cyber protection system” as has been made out.
It may well be a cleverly disguised ‘Trojan Horse’ – a possibility recently raised by fellow blogger, Martyn Bradbury.
On 3 October, the GCSB’s acting director, Una Jagose, was interviewed by Patrick Gower.
Whether by clever persistence or sheer dumb luck, Gower managed to elicit some intriguing responses from Jagose on the ‘Cortex’ programme.
Gower first asked who is under attack by “cyber threats from overseas”. Jagose responded;
“We focus our attention on New Zealand companies that are holders of information, assets of importance to New Zealand, so nationally important infrastructure companies and some key government departments. So, yes, we’re definitely seeing attacks there.”
Gower then pointedly asked; “So what you’re talking about – banks, telecom companies, those kinds of things?”
“Well, those parts of the infrastructure, the nationally important, those sorts of things. We actually don’t talk about who they are or specifically what types of organisations they are, because revealing that also reveals to an adversary where we might have our best and richest sources of data that they might be interested.”
Which is interesting, as foreign cyber attackers would already be aware who their targets are in this country. Jagose would not be revealing anything that foreign cyber attackers would not already know.
The only people kept in the dark – us.
As Gower continued to interview Jagose, it soon became apparent why she was reticent in revealing who was being targeted by so-called “foreign cyber attacks”.
Gower followed up by asking a natural-enough question; “who is trying to get this information? Is it individual criminal organisations, or is it countries?”
“…At best it’s criminals. It’s often foreign-sourced sophisticated malware that we’re seeing…
… it could be industrial espionage. It could be IP theft. It could be just having an in to important sovereign communications or discussions by government agencies, policies, positions governments might take, positions companies might take.”
Then, she made this startling admission;
“We don’t spend too much of our time trying to track down who did that, because, in fact, we want to use our time and our technology protecting networks and systems.”
“We don’t spend too much of our time trying to track down who did that…”
Jagose repeated the statement in the next response she gave to Gower – though the TV3 reporter did not appear to comprehend the implications of her candid admission;
“Well, again, I say we don’t spend our energy looking at— attribution is really difficult. It is apparently a very technical and difficult thing to work out where did that come from, who’s doing it and why are they doing it? We spend our energy on defence.”
In effect, the GCSB’s “new role” has moved from intelligence gathering (ie, finding out who is supposedly – and I use that word deliberately – launching “cyber attacks” against us) – to one of being a State-funded-and-operated, quasi-Norton Anti-Virus agency?
Is this credible?
When did National decide to go into business to offer a rival service to McAfee, AVG, Norton, et al?
That is not a rhetorical question, as National released two Cabinet Minutes related to “Project Cortex”. The first, labelled “1”, is dated 28 July 2014, the other (labelled “4”) is simply dated “2014” (though Key refers to the document as having been written in July 2014). Both outlined a business case for “Cortex”, including costings and assessment by Treasury – though all dollar figures had been redacted.
Cabinet Minute 4 takes great pains to point out;
2. The proposal takes into account the amended GCSB Act and necessary warranting procedures, and will in all cases operate with the consent of the participating entities.
In fact, Cabinet Minute 4 refers to “consent” from organisations and entities no less than eight times. Someone was at pains to make the point to whoever was going to read the document. Which would be unusual, as normally Cabinet Minutes are almost never made public.
Cabinet Minute 4 also makes several curious statements;
27. There will be no ‘mass surveillance’, and data will be accessed by GCSB only with the consent of owners of relevant networks or systems.
By coincidence, a press statement from John Key dated 15 September, 2014 – two months after Cabinet Minute 4 was supposedly written, shortly after a Cabinet Meeting held that year – quoted Dear Leader as stating;
“I can assure New Zealanders that there is not, and never has been, mass surveillance by the GCSB.
“In stark contrast, the Bureau actually operates a sound, individually-based form of cyber protection only to entities which legally consent to it,” Mr Key says.
Paragraph 27 of that Cabinet Minute – supposedly written before the “Moment of Truth” on 15 September 2014 – sounds remarkably similar to Key’s 15 September 2015 press statement – a year after “Moment of Truth”.
It almost seems as if Cabinet Minute 4 was prepared at some later date, knowing that it would eventually be released to the media and the public to counter the “Moment of Truth”. Which is ridiculous… the author(s) of that Minute could not have known – in advance – that the Minute would eventually be released by National. That would mean that the document was written well after the Cabinet meeting, and was re-worded to take into account revelations by Edward Snowden on 15 September last year.
That would mean the document was a fraud.
Interestingly, Cabinet Minute 4 also makes this curious statement at two different points;
7. GCSB is not proposing to procure or develop bespoke systems. No material level of software development is required of GCSB or a second party. The proposal is to procure then integrate capability components already available and tested over several years [redacted],
41. GCSB is not proposing to procure or develop bespoke systems. No material level of software development is required of GCSB or a second party. The proposal is to procure then integrate capability components already available and tested, [redacted]. The hardware and software components range from widely available commercial-off-the-shelf (COTS) systems, through to single-source COTS, to systems only available through government-to-government agreement. All of the technology has been in use for some time, [redacted].
As The Intercept website asked,
The Cortex documents [Cabinet Minutes] refer to the use of technology that “has been in use for some time.” What technology is this?
What is the Cabinet Minute referring to when it states; “components already available and tested over several years” and “capability components already available and tested”?
“Tested” by whom?
“In use for some time” by who?
The document throws up more questions than answers. Unfortunately, despite Key’s claims to the contrary, this is not an open and transparent government that readily shares information.
So which “consenting organisations” will use Cortex? And will clients and staff be made aware that their electronic communications may be intercepted by the GCSB?
Cabinet Minute 4 states;
18. The foundation of the preferred option is a malware detection service delivered to [redacted] consenting organisations. [redacted] of the [redacted] organisations will be government agencies. The other [redacted] will be drawn from a list of approximately [redacted] organisations of national importance developed by DPMC’s National Cyber Policy Office (NCPO) and approved by ODESC on 7 June 2013. The list includes key economic generators, niche exporters, research institutions and operators of critical national infrastructure.
However, we do not know who those “consenting organisations” are. It is a secret. Remember Jagose’s first response to Gower during the 3 October interview;
“We actually don’t talk about who they are or specifically what types of organisations they are, because revealing that also reveals to an adversary where we might have our best and richest sources of data that they might be interested.”
Note that Paragraph 18 above refers to the “National Cyber Policy Office” (NCPO). The NCPO is an arm of the Security and Intelligence Group. That Group, in turn, is part of the Department of the Prime Minister and Cabinet (DPMC);
Note the address of the “National Cyber Policy Office”: Pipitea House, 1-15 Pipitea Street, Thorndon (arrow 1). Which happens to be the same building housing the GCSB.
Then note something called “Connect Smart” (arrow 2), which is described as;
Connect Smart is a new Government-led initiative, delivered in partnership with the private and NGO sectors, to raise awareness of cyber security issues and promote ways to protect yourself, your business and others online.
“Connect Smart” sounds remarkably like the supposedly top-secret list described by Cabinet Minute 4 as, “organisations of national importance developed by DPMC’s National Cyber Policy Office (NCPO) and … The list includes key economic generators, niche exporters, research institutions and operators of critical national infrastructure”.
“Connect Smart” was launched on 16 June 2014 (just prior to Cabinet Minute 1 supposedly written on 28 July 2014), by Communications and Information Technology Minister, Amy Adams.
Adams warned about;
“The common thread that unites cyber threats is their capacity to cause damage; ranging in scale from the distress experienced by an individual who has had their identity hacked, to the economic damage that sustained industrial cyber espionage can cause to a country.”
She further stated;
“A range of departments are involved – from those at the front end, such as Police, Department of Internal Affairs, and the National Cyber Security Centre, through to those grappling with the policy implications of cyber security, led by the National Cyber Policy Office.
This year, the NCPO will be working on a number of major policy initiatives:
A refreshed and comprehensive national Cyber Security Strategy to make sure we are coordinated and resourced across government to address this challenge;
A targeted inter-agency cybercrime plan;
An assessment of the economic balance of cyberspace for New Zealand;
Testing the Government’s response to a significant cyber incident; and
Consideration of the options for a national cyber mechanism to improve the coordination, effectiveness and efficiency of the Government’s response to cyber incidents.”
It sounds as if Adams is referring to… Cortex?
So who are the “Connect Smart” Partners? They are;
- Hewlett Packard
- Spark NZ (formerly Telecom)
- Dimension Data
- International Underwriting Agencies Ltd
- Internal Affairs
- Department of the Prime Minister and Cabinet
- Aura Information
- Mako Networks
- Ministry for Primary Industries
- NZ Post
- Inland Revenue
- Nga Pu Waea
- North Harbour Business Association
- NZ Police
- University of Auckland
- Yahoo NZ
- ZX Security
- IPENZ Engineers NZ
- Air New Zealand
- British High Commission
- Financial Markets Authority
- Institute of IT Professionals
- Internet NZ
- Massey University
- Privacy Commissioner
- Senior Net
- Dept of Conservation
- 1st Tuesday
- Journey Church
- Digital Journey
- Institute of Directors
- University of Waikato
- Scots College
- Greater East Tamaki Business Association
- Commission for Financial Literacy
- Delta Insurance
- Neighbourhood Support
- Ministry of Education
- Waikato District Health Board
- NZ Foreign Affairs & Trade
- Waitemata District Health Board
- Business NZ
- Longitude 174
- University of Canterbury
- Insurance Council of NZ
- Weta Digital
- High Tech Youth Network
- AJ Park
- Noel Leeming
- Our School
- NZ Transport Agency
- NZ Bankers Association
- University of Otago
- Chartered Accountants
- ARC Solutions
- Secure Safe
- Quantum Security
- NZ Customs Service
- Room 9
- NZ Trade & Enterprise
- SSS IT Security Specialists
- Statistics NZ
- NZ Health IT
- Crombie Lockwood
- Lock It
- Meredith Connell
- Network Box
- Stay Smart Online
- NZ Security Intelligence Service (SIS)
- Eagle Technology
- Plan B
- Naki Cloud
- Liverton Technology Group
- Price Me
- Mila XAG
- Need A Nerd
- KD Consult
- Senate SHJ
(I have listed all companies, in case the website suddenly disappears, or that particular page is taken down.)
“The list includes key economic generators, niche exporters, research institutions and operators of critical national infrastructure” – the DPMC’s National Cyber Policy Office’s description of their supposedly secret list of clients.
The “Connect Smart” list certainly meets those criteria – including the Security Intelligence Service. And Amy Adams’ 16 June speech appears to confirm it.
So do the staff and clients of these companies, organisations, and government departments know that they are most likely part of the Cortex programme run by the GCSB?
Are they aware that their electronic communications may be collected and stored by the GCSB?
Are they aware their communications could be read, as Jagose confirmed to Patrick Gower;
Gower: What does the analyst do if there’s a personal email there?
Jagose: Well, the analyst is looking at it not for its content but for what the email and the traffic tells us about the fingerprint or the adverse attack that is occurring. So that’s what they do with it.
Gower: But the analyst can see the content if they want to?
Gower: Yeah, but I would be told, would I, by the company that they’ve now put Cortex on?
Jagose: You’ll be told that your communications will be screened or may be screened for cyber defence purposes.
Gower: Right. How do you get told that?
Jagose: In terms and conditions of use, for example.
I scrutinised the Terms and Conditions of Spark NZ – one of the country’s largest companies that deals with thousands of employees, contractors, and customers. Is there any reference to Cortex within Spark’s Terms and Conditions?
There is, however, this brief reference to handing over information to the government;
The Operator and Spark Digital reserve the right to disclose end user information that it believes, in good faith, is appropriate or necessary to take precautions against liability; to protect the Operator and Spark Digital and others from fraudulent, abusive, predatory, or unlawful uses or activity; to investigate and defend against any third party claims or allegations; to assist government enforcement agencies; or to protect the security or integrity of the Platform.
That paragraph is at the end of the Terms and Conditions statement, at the bottom of the page. How many people will have waded through the entire document to spot it? Who even bothers to read Terms and Conditions?
And by itself, just how informative is the brief statement, “to assist government enforcement agencies”?
It is a meaningless statement.
One cannot escape the conclusion that Una Jagose has attempted a ‘snow job’ of New Zealanders. If so, it remains to be seen how effective she has been.
Meanwhile, it is unclear what the true purpose of the ‘Cortex’ programme really is. Can we trust anything that we are told about it by National?
There is much more to this than meets the eye.
(Of goods, especially clothing) made to order.
(of a computer program) written or adapted for a specific user or purpose.
Questions posed by The Intercept on XKEYSCORE and Cortex;
We are currently researching a number of other stories related to GCSB, and I expect we are going to shine more light on the agency’s activities in this sphere in the near future. In the meantime, Key and the GCSB face a mounting number of important questions that they have until now managed to dodge.
Here’s a few for starters:
Why did you inform the public that the GCSB Amendment Bill would not lead to an expansion of powers when at the same time you were planning the Speargun mass surveillance initiative?
Why was phase one of the Speargun project completed if it was, as Prime Minister Key has claimed, something that never made it past the “business case”?
Why were New Zealanders not informed about the Cortex project until the government’s hand was forced by disclosures based on documents from Snowden?
How much data is collected on a daily basis by GCSB under the Cortex project, and how does the agency ensure this data does not “incidentally” include the content or metadata of citizens’ communications?
The Cortex documents refer to the use of technology that “has been in use for some time.” What technology is this?
Is any information collected by GCSB under Cortex — or any other program that accesses internet data — shared with the NSA and/or other Five Eyes agencies through systems such as XKEYSCORE?
Does GCSB have access to XKEYSCORE and, if so, for how long has this been the case?
Does GCSB use its access to internet data streams — under initiatives like Cortex or similar — to launch active/offensive cyber operations that involve hacking computer systems to collect information?
When will you declassify documents detailing the Speargun project and showing that it was not completed?
Radio NZ: ‘Moment of Truth’ on world stage
Radio NZ: Key silent on spy programme
NZ Herald on Sunday: Revealed – The names NZ targeted using NSA’s XKeyscore system
TV3 The Nation: Interview – GCSB Acting Director Una Jagose
TV3 The Nation: Interview – GCSB Acting Director Una Jagose (transcript)
Beehive: Cabinet Minute 1
Beehive: Cabinet Minute 4
Department of the Prime Minister and Cabinet: National Cyber Policy Office
Connect Smart: Partners
Spark NZ: Terms and Conditions
No Right Turn: The GCSB’s PR campaign
Public Address: Crowdsourcing Project Cortex
The Daily Blog: Martyn Bradbury – GCSB begin marketing campaign to con NZers
= fs =