Government data being held by ‘unvetted third parties’ – Treasury report


Source: Radio New Zealand

Government Communications Security Bureau director-general Andrew Clark. RNZ / Samuel Rillstone

The Government Communications Security Bureau (GCSB) spy agency has taken six times longer than it should have to address questions about lax cyber security identified in a Treasury report.

The report last year mentioned that government data was “being managed or held by unvetted third parties”.

It gave no details, so RNZ sought them.

Director-general Andrew Clark apologised for taking 120 working days to respond, instead of the statutory 20 under the Official Information Act (OIA).

He then refused to answer virtually all of the dozen questions.

Clark said they had to keep incidents and vulnerabilities confidential or people would not share with them, and they needed that information to counter threats.

The Treasury report said government agencies had continued to raise concerns about the security of third-party vendors’ products and services, including poor security controls and unpatched software.

“Some agencies reported that vendors had offshored some services without their prior approval, meaning government data was being managed or held by unvetted third parties,” said the quarterly investment report for the three months to December 2024. Such reports are released publicly many months after they are done.

New Zealand’s small size as a market was biting it, the report suggested.

“Agencies assess that poor service delivery is likely driven by lower competition and less resourcing for comparably smaller contracts in New Zealand versus larger markets,” it said, under the title ‘Other emerging … issues’.

“Low competition, coupled with poor service delivery from some vendors, has also led to high reliance by many Government agencies on the same few vendors, which creates risk to service delivery across the public sector should those vendors suffer a cyber security incident or event.”

Many government agencies had become increasingly reliant on cloud-computing services from US Big Tech companies.

RNZ asked the GCSB, National Cyber Security Centre and Internal Affairs who the problem vendors were. Clark in his response would not name them or say anything about them.

“Providing this information would likely have commercial implications for these vendors” so that was refused on the grounds of unreasonably prejudicing someone’s position.

What about the government agencies that had raised the alarm?

“I am refusing those parts of your request where you have asked for information that has been provided to the GCSB in confidence by agencies,” was the reply; releasing it might otherwise prejudice the supply of such information in future.

The unvetted third parties were not disclosed, and neither were the risks to service delivery that Treasury had told ministers were in play.

The information about those risks was refused on the grounds the GCSB “does not hold this information in the manner or format you have requested”.

Work was underway on digital investment and procurement, Clark said.

Asked what measures were taken, he said the National Cyber Security Centre provided a range of advice, and they had recently developed “minimum cyber security standards” to focus on the basics and encourage good practices.

The subsequent three quarterly reports after this one did not mention the threat again.

But other weaknesses did come up in them, and in one case Treasury itself was called out for them, in the latest quarterly report, covering the three months to September 2025.

It said many data and digital projects did not include information relating to cyber security management or improvement.

It went on to fault the Treasury’s investment management system because it did not recognise the ongoing cost of cyber security, “making it difficult” to upgrade old systems and move away from on-site hardware to ‘as-a-service’ tech “which we know deliver better security results”.

“The current financing rules and settings around capital and operating expenditure are preventing agencies from modernising and improving their cyber security.”

Agencies’ approach to procuring IT systems or services was called “outdated and fragmented” by the government chief digital officer in the September quarterly report, six years after Treasury told the public sector to take an all-of-government approach to try to cut the IT upgrade bill of multi-billions of dollars.

The long wait for the response to the OIA request was put down by the GCSB to consultation and the “volume of information requested” by RNZ.

Most of Clark’s three-page response was taken up outlining the grounds for refusing the information.

RNZ asked for any report that focused on the threat, but did not get one.

Clark apologised for the wait.

“Our response … did not meet the statutory deadline and I do apologise for that. Thank you for your patience while we completed our response.”


– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand
