Speech: Understanding Intelligence

Address by Rebecca Kitteridge, Director-General of Security to the Institute of Public Administration New Zealand

18 September 2019 

Introduction

Just over six months ago on Friday the 15th of March, New Zealand suffered a terrorist attack that was unprecedented in this country and sent shock waves around the world. The senseless killing of innocent people praying peacefully in the Masjid al-Noor and Linwood Mosques – those beautiful places of worship – devastated scores of lives and caused a profound outpouring of grief.

In the immediate aftermath of the attacks, the obvious questions were “How could this happen? Could it have been stopped? Did anybody know about the attacker?”

A Royal Commission of Inquiry has been established to ensure that those important questions are answered fully and independently.  I was one of the agency heads who requested such an inquiry.  I knew that it was the only way that the families and the public would be assured that all the hard questions would be asked and that light would be shone into every corner. Such independent scrutiny matters hugely to an agency like ours, because we depend on public confidence, understanding and support to do our work.

Except for the information that is already in the public domain I will not be saying anything today about work of the New Zealand Security Intelligence Service before the mosque attacks, or what we knew or could have known about the alleged attacker. Those matters are squarely within the Terms of Reference of the Royal Commission of Inquiry, and the information is largely classified in any event.

There are, though, some things I can say today.

  • I can tell you a bit about the New Zealand Security Intelligence Service – or NZSIS as it is known.
  • I can explain in general terms how intelligence agencies conduct their security intelligence investigations and some of the challenges we face in countering threats in a challenging technological landscape.
  • I can talk at a high level about NZSIS’s role in the aftermath of the Christchurch terrorist attacks, and some of the challenges we have faced. (I note that our response post-attacks does not fall within the ambit of the Royal Commission.)
  • I can describe the challenges and opportunities with which intelligence agencies in western liberal democracies are grappling, particularly in the area of emerging technologies.
  • And I will touch on some things that all New Zealanders can do to help keep our country safer and more secure.

What is NZSIS?

First, by way of context, let me tell you a bit about NZSIS.

  • NZSIS is a “human intelligence” agency, which means we work primarily through people. By way of contrast, the Government Communications Security Bureau is a “signals intelligence” agency, and works primarily in the electronic sphere.
  • Like GCSB, our statutory objectives are to contribute to the protection of New Zealand’s national security, the international relations and well-being of New Zealand, and the economic well-being of New Zealand.
  • NZSIS’s functions include investigating, collecting and reporting on issues relating to New Zealand’s national security, such as counter-terrorism, espionage, and foreign interference. We provide this intelligence to a range of customers who need it to inform their decisions or actions, including Ministers, New Zealand Police, the New Zealand border agencies, the Ministry of Foreign Affairs and Trade, and the New Zealand Defence Force.
  • NZSIS also hosts and manages CTAG, the Combined Threat Assessment Group. This multi-agency group constantly scans classified and open source information from both domestic and international sources to produce assessments about the threats of terrorism around the world. Its assessments provide the basis for setting the New Zealand national terrorism threat level. As you know, the national threat level was raised from LOW to HIGH following the Christchurch attacks, and now stands at MEDIUM.
  • NZSIS provides protective security services, advice and assistance to government and key decision makers, with the goal of lifting the overall security culture and capability across government. 
  • We provide security clearance vetting services across government, to ensure the suitability of government employees to access classified information. We completed 6,150 clearance recommendations last year.
  • NZSIS, with GCSB, also conducts national security risk assessments for activities under the Outer Space and High Altitude Activities Act 2017.
  • We also share intelligence with other intelligence agencies around the world; primarily our Five Eyes partners (Australia, Canada, the United Kingdom and the United States), but many others as well. Intelligence agencies help one another by providing valuable intelligence, perhaps, for example, along the following lines:
  • An intelligence officer from a hostile intelligence agency is booked to fly to your country; or
  • A suspected terrorist in our country has been communicating with one of your citizens. 

When considering what information we can share with the intelligence agencies of particular countries, we conduct human rights risk assessments as we are required to do under our legislation.

So you can see that NZSIS, which has about 350 full-time equivalent staff, is a busy and complex little organisation.

How intelligence agencies conduct security intelligence investigations

As I have said, investigating terrorism threats in New Zealand is a significant focus for NZSIS.  Our work involves trying to detect threats before they manifest as physical attacks, so that they can be disrupted by the Police.

So how do we undertake our security intelligence investigations? I guess the first thing to say is that we do not look for threats by monitoring every New Zealander’s internet usage.

In the weeks following the Christchurch attacks, I was surprised by how many people seemed to think that NZSIS or GCSB were, or should be, monitoring the entire internet. This expectation surprised me because, along with the Director-General of the GCSB, I have spent considerable time and effort in the last five years explaining in various forums that the New Zealand intelligence agencies do not monitor internet usage across the board.  There are several reasons for that, including legal constraints, technical issues (such as encryption) and resourcing.

Just on the resourcing point – even in relation to publicly available data, such as social media platforms, consider the volume. Twitter and Facebook, for example, each host hundreds of millions of posts per day. Even the smaller chatrooms, like 4Chan, host hundreds of thousands of posts per day. Those numbers are increasing exponentially.

Having said that, we do regularly become aware of concerning activity on the internet, through what we term a “lead.” Every security investigation starts with a lead.  A lead is the initial information that indicates a potential threat to national security.

Leads come from a range of sources, including:

  • from NZSIS’s authorised security and intelligence activities - both national security investigations and what we term ‘discovery’ work, where we look for indicators of violent extremist views or activities;
  • from overseas partners;
  • tips from members of the public; or
  • members of various communities speaking to us about their concerns.

Every lead is inquired into, and an assessment is made to determine whether it is a national security issue that needs investigating, and whether it is credible. 

First, any NZSIS investigation must be within the scope of the national security and intelligence priorities set by government.  The intelligence agencies do not decide our own areas of focus. NZSIS investigates matters in accordance with our legislation and the priorities set by Cabinet. The details of these priorities are classified, but longstanding focus areas include counter-terrorism, espionage, and foreign interference.

A lead that falls outside the national security and intelligence priorities (for example, something that appears to be purely criminal) might be referred to another agency, such as the Police.

A lead might be determined to be not credible, in which case we will not take it further.

A lead might, however, become an initial national security investigation, or a full national security investigation.

If a full national security investigation is required, we will conduct that investigation using the intelligence cycle.

The purpose of a security intelligence investigation is to understand what particular actors of concern are doing, and to provide intelligence about those actors to agencies (like the Police) that can take enforcement action to mitigate the threat. 

The investigator begins by considering a number of questions, or “intelligence requirements”, which in a counter-terrorism investigation will likely include intent, capability, access to weapons and credibility of information.  

An assessment will be made about the best and most efficient way to collect the intelligence that will answer the intelligence requirements. Intelligence collection can take various forms, including physical surveillance by specially trained staff, seeking information from human sources, engaging with communities, collecting publicly available information from the internet, obtaining information from partners (including New Zealand agencies and foreign intelligence agencies), and intrusive measures carried out under an intelligence warrant. We use the least intrusive investigative method necessary and proportionate to the threat we are investigating. Even where our collection activity is lawful (such as surveillance of a person in a public place) we are required to conduct that activity in accordance with our legislation, a range of Ministerial Policy Statements, and operational policies and procedures that are all subject to oversight.

If the only way to collect important intelligence means undertaking activity that would be unlawful (such as telecommunications interception or technical surveillance) we will first seek a warrant. The bar is set high; we do not seek warrants lightly.  The warrant application must satisfy the legal tests set out in our legislation, and show that the action we seek to take is both necessary and proportionate. 

All warrants are issued by the Minister Responsible for NZSIS, and dependent on the type of warrant may have to be jointly issued by a Commissioner of Intelligence Warrants, who is a former High Court Judge.  After each warrant is issued, it is reviewed retrospectively by the Inspector-General of Intelligence and Security.

As the intelligence is collected, it is compiled to create as accurate and comprehensive a picture of the threat as possible. This part of the intelligence cycle involves integrating, evaluating and analysing strands of available information, and distilling them down to the key issues and risks.  This process can be very challenging, because usually our targets are actively keeping their activities secret. Through this process we often find that more information is required, in which case the investigator will develop further intelligence requirements for collection. At various points we will take the distilled information and write it up into an intelligence report.

Our intelligence reports are rigorously reviewed, classified and given to cleared individuals within agencies who need the information to inform their decision making or their actions, such as law enforcement actions.  Of course, if the intelligence raises immediate issues about public safety we connect with the Police straight away so they can determine the next steps.

Sometimes the agencies that receive our intelligence reporting come back with more questions.  These questions may require further intelligence collection, so it is very much a cycle of intelligence collection, analysis, and reporting.

What I have described to you is the basic security intelligence cycle, which is aimed at ensuring that we can detect national security threats, and work with enforcement agencies to disrupt them. 

For completeness, I should add that as well as investigating “known knowns” in accordance with the intelligence cycle, we also work to understand “known unknowns.” That seems a strange turn of phrase – but what it means is there are areas where we know we don’t have any information to fill in the blank.

This work involves proactively assessing and understanding any areas of threat that may be trending internationally or emerging domestically. 

As has been said publicly, we had been conducting this kind of assessment in relation to violent right wing extremism, as well as other threat areas, over a nine month period before the Christchurch mosque attacks. That work will, of course, be scrutinised by the Royal Commission of Inquiry.

NZSIS’s role in the aftermath of the Christchurch terrorist attacks

The investigative work that I have been describing is designed to get ahead of threats, and to ensure as far as possible that they do not succeed.  But when the thing we dread the most has happened, and an attack has occurred, what then is the role of a security intelligence agency?

I will answer that question in the context of the Christchurch attacks.

On the afternoon of the 15th of March, I received an urgent call from Mike Bush, the Commissioner of Police.  The call from Commissioner Bush was brief but extremely concerning. He described an unfolding shooting situation with multiple fatalities at two Christchurch mosques. 

I knew straight away that this was an event of horrific magnitude. And when I saw, a short time later, the attacker’s so-called “manifesto,” I knew we were dealing with a terrorist attack.

The “manifesto” was significant because of the first step in the intelligence cycle – determining whether NZSIS has a mandate to involve itself under its legislation and the government’s security and intelligence priorities.

A mass shooting within New Zealand will not always be a legitimate focus of investigation for NZSIS.  NZSIS will only have a role if the shooting is, or appears to be, an act of terrorism or violent extremism.  Both require an intention to advance an ideological, political, or religious cause. Note, incidentally, that “intention” is ideology-neutral.

You will recall the massacre of 13 people committed by David Gray in Aramoana in 1990.  David Gray committed horrible acts of violence, but he did not kill people in order to advance an ideology.  Accordingly the Aramoana massacre was not a terrorist attack and was solely a law enforcement matter.

The killings in Christchurch were different. It was almost immediately apparent that there was the intent to advance an ideological cause, with the intent of creating terror in the populace.  It was a terrorist act.

The situation in Christchurch was one in which terrible crimes had been committed, and there were ongoing issues of public safety.  The Police, therefore, were the lead agency.  But because the attacks fulfilled the definition of terrorism, NZSIS had a role to play.  Our job in this situation was to provide as much intelligence as possible to support the Police and to detect any further attacks.

The immediate intelligence requirements were:

  • What do we know about the alleged attacker?
  • Is he working alone, or is he part of a group?
  • Is this one of a number of planned attacks?
  • Will this attack inspire or provoke other attacks?

You may recall that the situation was very confusing in the immediate aftermath of the attacks. There were reports of multiple attackers. A number of people were taken into custody by the Police, although all except the alleged attacker were later released. 

There were also reports of multiple attack sites, including reports of a gunman at Christchurch Hospital as well as a bomb scare at Britomart train station in Auckland.

NZSIS went into full-scale response mode - immediately.  One of the most humbling and gratifying aspects of my role is the quality and commitment of the people who choose to work for NZSIS. They are highly motivated by the spirit of service to New Zealand, and the mission of keeping New Zealand and New Zealanders safe and secure.

The moment we learned of the attacks, NZSIS stood up a response team that worked shifts 24/7 starting that night.  The investigations fell naturally into three areas:

  • First, getting a complete picture of the alleged attacker, finding out everything possible about him and his plans, with an immediate focus on whether he was part of a group and whether any other attacks were planned.
  • Second, reviewing everything we knew about extreme right-wing groups in New Zealand, to detect any “copycat attacks” inspired by the Christchurch attacks.
  • And third, detecting any suggestion of a revenge attack either in New Zealand or against New Zealand interests offshore – and you may recall that ISIS quickly called for such revenge attacks.

In all of these areas, we have worked, and continue to work, extremely closely with our Police colleagues. We were supported in our work by GCSB, which assisted us through its technical capabilities and links with foreign intelligence partners. 

NZSIS too engaged with international counterparts around the world, partly because the alleged attacker was an Australian who had travelled extremely widely before the attacks, and partly because the possibility of copycat or revenge attacks is an international issue. We were overwhelmed by the response we received from those intelligence agencies. Even those agencies with whom we do not have regular engagement reached out to us, offering whatever intelligence they had that might be relevant to the investigation.

Even though the alleged attacker was not a New Zealander, the Christchurch attacks prompted many New Zealanders to contact either the Police or NZSIS to report concerns about people who had expressed racist, Nazi, identitarian, or white supremacist views.  In the days following the attacks NZSIS received hundreds and hundreds of calls and messages, as did Police.

Each call was a lead that needed to be investigated, deconflicted with Police, and triaged into high, medium or low priority depending on the information to hand – a very challenging task given the level of public alarm and the sketchy nature of much of the information provided.

I can’t speak highly enough of the selfless dedication of my staff, as they worked through this process day and night. It is stressful work to assess the significance of incomplete information. As they do every day, my staff bore the weight of potentially terrible consequences if they missed something or made a line call that turned out to be incorrect. But they are intelligent, conscientious people who are well trained and follow proper systems. They kept working through the leads.

At the same time as all of this was going on, there was an understandable demand for information from the public and news media about what NZSIS knew or did not know about the alleged attacker, and what work we had been doing in the area of violent right wing extremism before the attacks. The country was in agony. It is understandable that people were looking for certainty and answers.

We were able to release some basic information – that the alleged attacker was not known as a person of national security concern to us, or to NZ Police, or our Australian counterparts; and that NZSIS had been looking specifically at violent right wing extremism for about nine months before the attacks.  Anything further than that immediately took us into the realm of classified intelligence, which we could not disclose publicly.

Public commentary assuming that there had been an intelligence failure was tough for me and my staff.  I am a person whose default setting is openness, so it was frustrating to me that in these circumstances we could not put all the relevant intelligence into the public domain.  Unfortunately, revealing information about our work would make us less effective in the future. 

It is understandable that the information vacuum has tended to be filled with a range of speculative conclusions. But often those conclusions have been inaccurate, and dealing with that has not been easy for me or my staff.

Please don’t get me wrong. I am not saying there was or was not a failure on the part of the Service or any other agency – that is for the Royal Commission to determine. But until the Commission issues its report it is not fair to make any assumptions.

I want to make a further point.  In the case of the Christchurch mosque attacks, the alleged attacker was not known to us. But even where an attacker is known to an intelligence agency, experience in other countries has shown that that fact alone does not necessarily indicate an intelligence failure.

Every day around the world security intelligence investigators are sifting through strands of intelligence to build a complete intelligence picture of thousands of people who would do us harm and who are doing everything they can to avoid detection.

This process is always challenging, but particularly so in the online world where lots of people espouse extreme ideologies. A surprising number of those people speak casually in favour of violence, but in almost every case it is just talk, or use of irony, or an unpleasant brand of humour – there is no indication of actual planning or preparation.

Some use their real names; most do not. In the online world, identities and geographical locations may be obscured. And many people hide their most extreme rhetoric in closed groups that are suspicious of outsiders and behind a wall of encryption. 

So even where an intelligence agency has a lead (such as an actual name or a user name) it can be very challenging to assess the extent to which a person is a national security threat.  These kinds of situations require fine judgements about intent and capability based on often imperfect intelligence.

It is entirely possible that an intelligence agency might assess a person who espouses extremist rhetoric, and determine on the basis of all the available intelligence that the person is not a terrorist threat.  Agencies cannot use their limited resources to monitor people who are just venting.  Ideological rhetoric may be disturbing but there is a very high bar before it will be a national security threat – that is, violent extremism or terrorism. 

Even where we have decided that a person justifies a full investigation, we are required for both legal and resourcing reasons to continuously assess whether the investigation is justified.  Over time, for example, subjects of investigation may moderate their rhetoric.  We may assess, on the basis of the available intelligence, that they no longer pose a threat that justifies our ongoing investigation.  At this point, an assessment to discontinue the investigation may be made.  That judgement is made on the basis of a risk methodology, which is properly documented.

This process is vital, because it allows us to focus our resources on people whom our intelligence indicates to be a higher threat. Closed investigations may, however, be periodically reviewed. 

Judgements to close investigations are made by intelligence professionals, but they are still made on the basis of imperfect information. That is the reality of intelligence.

A subsequent attack by an extremist who has been assessed in this way by an intelligence agency will not necessarily mean there was an intelligence failure.  Perhaps a person became inspired to commit violence after the investigation concluded, or perhaps the intelligence agency’s understanding of the person was imperfect because critical intelligence was hidden from the agency. There have been many such cases around the world.

In these circumstances the intelligence agency is highly unlikely to be able to explain publicly everything it did to obtain intelligence about the person, and why the attacker was assessed not to be a terrorist.  That kind of classified information would be invaluable to those who wish to evade detection. Instead there will generally need to be an independent review or inquiry, held in the classified domain, to assess the adequacy of the agency’s actions.

At this time an intelligence agency will feel acutely a sense of agony that an attack has succeeded, and a sense of determination to apply any lessons so that similar attacks can be prevented in the future, if that is possible.

Lessons, challenges and opportunities

The importance of learning from an attack is hugely important.  Attacks inevitably reveal vulnerabilities in our systems or societies.  How far we go to tackle those vulnerabilities is a matter for public debate.  The lessons to be learned from the Christchurch mosque attacks will form part of the report of the Royal Commission of Inquiry, and that will be invaluable. 

Some of the challenges are already obvious. Encryption of sites, chatrooms, apps and other platforms (including gaming) is a huge challenge for all security and law enforcement agencies.  The use of social media to spread extremist material and to recruit to terrorist causes is a worldwide issue.  The widespread use of anonymised identities online makes assessing the credibility of threats extremely difficult. Compelling or encouraging technology companies to cooperate with law enforcement and intelligence agencies is an ongoing challenge – particularly where they are located in a foreign jurisdiction.  And although it is sometimes possible to work constructively with larger providers in like-minded jurisdictions subject to the rule of law, that is not the case where content originates from less reputable locations.

These are global issues.  Many jurisdictions and international bodies are debating the extent to which law enforcement and intelligence agencies should be able to require access to information online, including the so-called “dark web,” encrypted sites and apps; and where to find the balance between state access and privacy.  Right now the internet is like the Wild West in the 1800s – an expanding domain where application of law proves challenging to an extent that most of us would find completely unacceptable in the physical world.  It remains to be seen whether the public will continue to tolerate the licence to operate afforded to criminals and terrorists by the online world. Global leadership is required to solve this global problem. Sadly, the attacks in Christchurch have given New Zealand a compelling and legitimate role in building support for a concerted push for change.

New technologies offer the intelligence agencies opportunities as well as challenges. An important policy area being worked through in western liberal democracies concerns data sharing and data analytics.  As we all know, commercial entities collect, analyse and exploit our personal data for financial gain.  The intelligence agencies, with appropriate legal authorities, constraints and oversight, can use similar technologies to tip the odds further in favour of detecting terrorist and other national security threats. 

As Andrew Parker, the head of MI5, said in a recent article in The Times:

“Used in combination with knowledge from our behavioural science experts, [data analytics and related technologies] will give us an earlier and richer picture of our cases.  [Data analytics] could also help us spot more quickly when individuals known to us from the past re-engage with terrorism.  We do not have the resources or the legal justification to actively monitor those … individuals.  The challenge we are addressing is how to detect signs of developing intent.”

These matters are within the terms of reference of the Royal Commission of Inquiry.  Their consideration of the issues will be informed by a range of perspectives, and any recommendations they make will be a measured and useful contribution to the public discussion.

In the meantime, I have a lot of confidence in the commitment of my talented staff to continue to do everything within their power to keep New Zealand safe and secure.   I hope I have left you with a better understanding of the way they do their work.

Conclusion

I have described to you some of the challenges NZSIS faces.  But in fact these challenges are not ours alone – we share them as a country.  That means we all have a role to play.

This means that the public needs to be a bit less complacent, and a bit more vigilant. This is not about being constantly worried; New Zealand remains a safe country.  We do, though, need to a little more aware of security.

As I have explained, NZSIS relies a great deal on the help and support of the New Zealand public, and every citizen can help us to keep the country safe by providing us with leads to investigate if they see activity of concern.

If you or anybody you know sees or hears something that seems concerning, then do something. You can contact NZSIS through our website or our 0800 contact number, or you can contact the Police.

But just as important is the preventative effort.  Taking active steps to build social cohesion in our communities is probably the best line of defence, and the most useful thing that we can do to help keep New Zealand safe.

It is up to all of us to include people, welcome people and not to accept exclusion or prejudice.  Every one of us can commit to these principles, which collectively will have a powerful and positive impact on our communities and our society.

National security is a much bigger task than NZSIS – or indeed any government agency – can tackle alone.  Every person in this country has the responsibility of ensuring that New Zealand is not just diverse, but truly inclusive. 

Thank you.

 

Latest headlines

Back to News