Small states and cyber security

Abstract

While there is a burgeoning literature on cyber security, little scholarly work has been completed on how cyber security issues are affecting small states. This article attempts to contribute to the debate by exploring whether small states are facing unique or different challenges in enhancing their cyber security. Drawing on the extensive small states literature, the article begins by outlining three conceptual models of small state security, based on alliances, institutional cooperation and norms. These models are then applied to the small state cyber security context. It is argued that institutional cooperation on cyber security issues and the emergence of cyber security norms are being hindered by strategic rivalries between the United States, Russia and China and that military alliances are struggling to adapt to collective defence against cyber threats. The article then explores New Zealand’s cyber security strategy and outlines the various domestic and international challenges that exist for New Zealand policymakers. The article finds: that a globalised cyber security environment is eroding New Zealand’s geographical isolation; that the New Zealand government is struggling to formulate a tenable balance between security and privacy in responding to cyber security issues.

Keywords

Cyber security New Zealand small states

Introduction

When Estonian government ministries and media outlets were taken offline by a barrage of cyber attacks in 2007, Estonian Prime Minister Andrus Ansip asked ‘What’s the difference between a blockade of harbours or airports of sovereign states and the blockade of government institutions and newspaper websites?’¹ While this may have been an example of ‘cyber hyperbole’, the event put cyber security firmly on the international agenda. It also demonstrated some of the complex challenges involved in responding to cyber attacks. How can states distinguish between the projection of power in the physical world and the virtual one? How should states respond to cyber attacks against their government ministries and critical infrastructure? What measures can be put in place to enhance international cooperation to mitigate these kinds of threats?

Since the Estonian attacks, many scholars have examined these broad cyber security issues. What has been missing from this literature, however, is a conceptual and empirical focus on the cyber security of small states and whether they face a unique, or at least different, set of cyber security challenges.² This article attempts to begin to close that gap and proceeds in three main sections. First, drawing on the existing small states literature, three conceptual models of small state security are outlined, based on alliances, institutions and norms. Second, the article examines the extent to which these conceptual approaches are applicable to small states and cyber security, and considers some of the broader challenges for small states in this area. Lastly, the article conducts an analysis of New Zealand’s cyber security strategy, outlining New Zealand’s efforts to build domestic and international capacity in this area and exploring the various domestic controversies and international challenges that have troubled New Zealand policymakers.

Three models of small state security

Within the large literature on small states, the problem of defining what is meant by ‘small’ is a common theme. Most scholars have based their approaches on a combination of material factors, such as the size of a state’s population and economy, with small states being variously categorised as having upper population limits of between 1 and 15 million and economies constituting less than 1% of world total output.³ The size of a state’s geographical territory has also been included in the mix of criteria and small states have generally been seen to have limited territorial interests and outlooks.⁴ In perhaps the seminal work on the influence of small states in international politics, Annette Fox argues that ‘Small powers are almost by definition local powers whose demands are restricted to their own and immediately adjacent areas, while great powers exert influence over large areas.’⁵

Alliances

Moving beyond material definitions of what constitutes ‘smallness’, the security strategies of small states can be divided into three main conceptual frameworks. First, small states lack the capacity to apply power, and/or resist the application of power against them by larger states.⁶ To compensate for this vulnerability, small states will seek to enter into alliances with more powerful states. This can take the form of balancing behaviour, where small states join forces against a threatening state, or bandwagoning, where states join with a threatening state.⁷ As Omer de Raeymaker observes, ‘the foreign policy of small states therefore aims at withstanding pressure from the great powers’ and is based on ‘safeguarding their territorial integrity and independence’.⁸ Alliances can be temporary and focused on a specific threat – such as the ‘coalition of the willing’ that went to war against Iraq in 2003 – or long-term, formalised and institutionalised security partnerships, as in the case of the North Atlantic Treaty Organisation (NATO). The vulnerabilities of small states within the international system can also lead to intra-alliance problems. Small states can experience entrapment, for example, where their interests are subsumed by larger states. As Heinz Gaertner explains, ‘allied support often requires minor powers to make significant autonomy concessions, allowing allies, most notably major-power allies, to gain influence over their minor-power alliance partners’.⁹ Small states may also be concerned with abandonment: the fear that larger states may leave alliances if their interests are no longer served.¹⁰ In this model, the foreign policies of small states are intertwined with those of the great powers and are shaped by great power competition. This alliance-based framework was highly relevant to explaining the foreign policies of small states during the Cold War. The formation of NATO and the Warsaw Pact, for example, alleviated the security concerns of small European states and levelled the asymmetries in power that existed on the European continent. The Cold War also took the form of a zero-sum competition for superpower influence over small states.

Institutions

A second and contrasting model is derived from liberal institutionalism. This framework examines how small states seek to establish rules and transparency within international institutions and encourage cooperative approaches to international security issues. While realist scholars continue to claim that institutions are dominated and maintained by great powers to advance their own national interests,¹¹ small state scholarship reveals a number of cases where significant institutional influence has been achieved. Peter Jakobsen, for example, reveals how small Nordic states enhanced the Civilian Crisis Management agenda within the European Security and Defence Policy (ESDP), in spite of firm opposition from France.¹² The ability of small states to influence the agenda of the United Nations (UN) Security Council has also been documented. Baldur Thorhallsson has argued that when small states invest time and resources in the UN system, are perceived as neutral, work on niche issues, develop administrative capabilities and actively work to build coalitions, the extent of their influence can be disproportionate to their size.¹³ In this respect, they can move from being beneficiaries of the UN system to active contributors to it.¹⁴ Small states may also form their own institutions to advance shared interests. The Association of Small Island States (AOSIS) advocates on the basis of its members’ shared vulnerability to climate change and works to place pressure on large powers to cut carbon emissions. While there has been slow progress in reducing global emissions, the association has served as a ‘moral conscience’ within international negotiations and advanced its members’ interests more effectively than had they worked in isolation.¹⁵

Implicit in the institutional approach are the notions that power itself has changed and that a nation’s military capabilities are not the sole factor in determining its security. Soft power, for example, which is the power of persuasion and attraction, can be effectively employed by small states.¹⁶ A number of small state scholars have followed this line of enquiry. Alan Chong argues that soft power can be used as a psychological and tactical resource to shape perceptions of the motives of small states, and explains how a small state's foreign policy apparatus may possess among its human resources intellectual and propagandistic skills that are disproportionate to its physical size.¹⁷ Annette Fox has highlighted how small states can utilise ‘economic, ideological, and diplomatic methods’ to advance their interests, and possess a ‘capacity to appeal to world interest’ when threatened.¹⁸ Small states will often exhibit a firm commitment to international law, seek multilateral solutions to security issues and generally refrain from the use of military force to solve disputes.

Identity and norms

A third model of small state security is based on identity and norms. Leaders of small states often perceive that they lack influence over their security environment and this will inform the strategic direction of the state. In short, if a state perceives itself to be small, it is. As Alan Henrikson notes:

The critical test of ‘smallness’ … is a state’s image and its related conduct. This way of identifying the small state phenomenon is based on the recognition that some states regard themselves and are regarded by others as ‘small states’, and behave accordingly – in a word, deferentially or, sometimes instead, defiantly.¹⁹

According to Laurent Goetschel, small states may also develop a ‘security identity’, which stems from ‘past behaviour and images and myths linked to it which have been internalized over long periods of time by the political elite and population of a state’.²⁰ Such an identity can be based around the promotion of peace, international law and a just world order, and is an ideational and historical reaction to smallness. Goetschel argues that this type of security identity was influential in shaping small European states’ attitudes towards the European Union (EU) as a security actor. Small states also have a natural interest in promoting and developing international norms in international security, broadly defined as acceptable standards of behaviour. Christine Ingebritson argues that small Scandinavian states have acted as ‘norm entrepreneurs’ through their promotion of conflict resolution mechanisms and the award of the Nobel Peace Prize, for example.²¹ Similarly, Margarita Petrova documents how small states have had an impact on the development of norms relating to prohibitions on the use of landmines and cluster munitions, noting that the strong involvement of civil society in Belgium has driven national and international attention to these issues.²²

While distinctions between these three approaches are analytically useful, small states might also pursue them simultaneously through their foreign policy. Norms can emerge through partnerships in international institutions and through alliances. Conversely, the simultaneous pursuit of alliances and norms can be problematic for small states; strong security alignments may undermine the ability of small states to act as neutral arbiters on security issues.

Small states and cyber security

To what extent can these models and approaches to the foreign policy of small states be applied to cyber security? The evidence to date indicates that military alliances and international institutions are only just beginning to respond politically and operationally to cyber security issues, and that a strategic divide between the great powers is stifling the emergence of cyber norms.

Alliances are commonly based on collective defence, whereby members will provide mutual aid in the event of an attack. There is little evidence to suggest that this is happening in the cyber security arena. Although a crisis meeting was convened within NATO during the cyber attacks against Estonia in 2007, NATO stopped short of invoking Article V, its collective defence clause. As the Estonian Defence Minister acknowledged:

At present, NATO does not define cyber attacks as a clear military action. This means that the provisions of Article V of the North Atlantic Treaty, or, in other words collective self-defence, will not automatically be extended to the attacked country.²³

Formulating a coherent alliance response to the attacks was also problematic. A retaliatory cyber attack was impossible given the uncertain origins of the attacks, and the Russian government refused to cooperate with Estonian authorities in investigating the incident.²⁴ On the other hand, the problems created by the Estonia case have driven the intra-alliance focus on cyber security issues, and NATO’s enhanced cyber assets may bring considerable benefits to its smaller members. NATO’s Emerging Security Challenges division, formed in 2010, has consolidated cyber security into strategic planning and cyber security featured prominently in NATO’s 2010 Strategic Concept. The alliance has also established a Cyber Defence Management Authority (CDMA), a Rapid Reaction Team (RRT) – a team of experts that can be deployed quickly to respond to cyber incidents – and a Cooperative Cyber Defence Centre of Excellence (CCD COE).

Similarly, cooperation within international institutions on cyber security issues is still in an early stage of development. Progress within the UN Security Council has been hampered by the strategic rivalries between its permanent five members, and the council did not address or debate the Estonian cyber attacks of 2007, the Georgian attacks of 2008 or the Stuxnet attack against Iran.²⁵ The US and EU have resisted attempts to establish UN-level governance of the Internet through the International Telecommunications Union, which is the UN’s specialised agency for information and communication technologies (ICT),²⁶ warning against creating a ‘prescriptive regulatory code for the world’.²⁷ The EU itself has only recently produced its first comprehensive Cyber Security Strategy, and it is a long way from implementation. It also imposes significant resource and compliance challenges for small states; EU members are required to establish a national Computer Emergency Response Team (CERT), produce a Network and Information Security (NIS) strategy, and designate an NIS-responsible authority with the necessary resources to prevent, handle and respond to information security risks and incidents.²⁸

International norms in the area of cyber security are also mired in the strategic rivalries between the world’s leading powers and it will be some time before acceptable standards of cyber conduct are firmly rooted in the international system. Jason Healey distils the problem succinctly:

There are at least two camps of behavior, with divergent views of what norms should be. In the first group we have the United States and the United Kingdom and other nations arguing for controls on cyber-crime but supporting the free flow of information. China and Russia lead the opposite camp, which worries more about cross-border information which might destabilize their societies (or, rather, the grip of the current leadership).²⁹

This divide encapsulates the US desire to maintain a free and open Internet on the one hand, with the Russian and Chinese priority of being able to control information on the other. The divide is also evident in recent attempts at developing international cyber security standards. In September 2011, for example, the Chinese and Russian delegations to the UN wrote to the UN Secretary General proposing discussion of an ‘International Code of Conduct for Information Security’. While the code contained some sensible provisions, it would also have established rights for states to censor the Internet, including ‘curbing the dissemination of information’ that would undermine ‘other nations’ political, economic and social stability, as well as their spiritual and cultural environment’.³⁰

In addition to problems in applying each of these conventional approaches to cyber security, there are a number of other challenges for small states in this area of policy. At a technical level, the 13 countries with the highest Internet penetration rates – defined as the percentage of people using the Internet during 2000–2012 – are small states: the Falkland Islands, Iceland, Norway, Sweden, the Netherlands, Denmark, Luxembourg, Bermuda, Finland, New Zealand, Liechtenstein, Qatar and Bahrain.³¹ This level of reliance on information infrastructure may create enhanced vulnerabilities. A recent report by McAffee suggests that ‘the less sophisticated and widespread a country’s connection to the internet, the lesser the cyber-threat. The more services are on line, the higher the risk of cyber-attack’.³² Small states with high levels of Internet penetration are thus particularly vulnerable. Ross Stapleton-Gray and William Woodcock highlight another potential technical problem for small states:

Many smaller countries have exactly one exchange, located in the capital city. But the greatest number of countries, typically the smallest ones, has no Internet Exchange Point (IXP) at all. This means that they are heavily dependent for their domestic connectivity upon international data circuits.³³

This issue applies to developing countries disproportionally, but all small states will need to diversify their connectivity to guarantee their cyber security.

Joseph Nye has claimed that ‘the barriers to entry in the cyber domain are so low that non-state actors and small states can play significant roles at low levels of cost’.³⁴ However, the evidence appears to indicate that small states are increasingly vulnerable to cyber attacks originating from the world’s leading powers. According to Internet Security Provider Symantec, the majority of malicious cyber activity originates from larger, more powerful, states – the US (21.1%), China (9.2%), India (6.2%), Brazil (4.1%), Germany (3.9%), Russia (3.2%) and the UK (3.2%).³⁵ The world’s great powers are also heavily investing in offensive cyber security capabilities and increasingly prepared to use them in conflicts and disputes with smaller, weaker states. Russian cyber attacks against Georgia in 2008, which preceded the Russian invasion and involved extensive infiltration of Georgian government ministries and military units, serve as an illustrative example of the disparity in cyber capabilities between small and large states. The Stuxnet software deployed by the US against Iranian nuclear centrifuges is widely considered one of the most sophisticated viruses ever to have been created, and its development reflects America’s leading technological expertise. As Jeffrey Carr has said, ‘nation-states are spending millions of dollars of development for these types of cybertools, and this is a trend that will simply increase in the future’.³⁶ The Obama administration boosted the cyber security budget of the Department of Defense to US$4.7 billion in 2013³⁷ and the US military has incorporated both defensive and offensive cyber security operations into strategic doctrine.³⁸ Small states are unlikely to be able to keep up with larger states in developing and resourcing offensive and defensive capabilities.

Finally, the strategic focus of small states on local and regional foreign policy interests is being undermined by cyber attacks. A state can be subjected to cyber attacks from anywhere in the world in a matter of milliseconds. Small states do not have the political, diplomatic or economic tools to respond to global issues in the same way that large states do. That is not to say that the cyber security of small states will not be influenced by geopolitical issues. The cyber vulnerabilities of small states will continue to be linked, to some degree, with historical and geopolitical tensions with countries in their immediate neighbourhoods. This was particularly evident in the Estonian and Georgian cases.

The case of New Zealand

Alliances, institutions and norms in New Zealand’s foreign policy history

New Zealand is a small state with a population of less than 4.5 million and a Gross Domestic Product (GDP) equivalent to just 0.26% of the world economy.³⁹ The country’s size, combined with its geographical isolation, has driven a historical foreign policy that has fluctuated between alliances, institutional cooperation and norm promotion. In the first half of the 20th century, New Zealand’s alliance with Great Britain was the bedrock of its foreign policy and New Zealand troops fought in both world wars in Britain’s defence. After World War II, due to Britain’s declining global influence and the threat from communism in Asia, New Zealand sought a closer security relationship with the US. This involved entry into the ANZUS alliance in 1951; a treaty-based, collective defence pact with Australia and America. ANZUS formed the foundation of New Zealand foreign policy for the next 30 years and New Zealand troops fought in the Korean and Vietnam wars in support of their alliance partners. However, successive New Zealand governments also promoted institutional cooperation and internationalist norms during this period. New Zealand was a founding member of the UN and advocated a strengthened role for small states within the new UN system.⁴⁰ New Zealand also played a significant role in the development of the United Nations Convention on the Law of the Sea (UNCLOS), arguing that small states in the Pacific would ‘only obtain the full benefit of their exclusive economic zones if other more powerful states are prepared to respect their international obligations in this regard’.⁴¹

The decision in 1984 by the David Lange government to prohibit all nuclear armed or propelled vessels from entering into New Zealand ports was perhaps the most prominent example of a normative approach to New Zealand foreign policy, and one that had a significant impact on its alliance relations. New Zealand had vehemently opposed French nuclear testing in the region and played a prominent role in establishing a nuclear-free zone in the South Pacific through the Treaty of Rarotonga (1985). A strong domestic and international anti-nuclear movement had also emerged in the 1970s, which generated political momentum towards a more moral and less strategic foreign policy. As Robert Patman has argued:

New Zealand’s nuclear-free stance was a powerful symbol … the working assumption here was that ideas and norms do matter at the international level, and a small country like New Zealand could make a positive difference through its own actions to the global security situation.⁴²

There was also a sense that the ANZUS alliance was no longer serving New Zealand's national interests and that the country was increasingly trapped in a relationship where its autonomy was being affected, particularly on the nuclear issue. As David Lange said at the time, `what is now on public record about the ANZUS meetings predictably suggests that the Americans did the talking and our side did the listening'.⁴³ Despite this growing sense of entrapment, the Lange government continued to see the broader benefits of the security partnership and the government did not expect or intend for the nuclear-free policy to result in the breaking of the ANZUS alliance. Opinion polls also indicated that the New Zealand public wanted to stay in ANZUS despite their aversion to US nuclear weapons.⁴⁴ In February 1985, however, shortly after the USS Buchanan was refused entry, the US suspended high-level diplomatic exchanges, restricted intelligence sharing and halted most forms of military cooperation with New Zealand.

This strategic separation continued into the post-Cold War period. New Zealand remained outside of formal alliance structures (apart from its close security relationship with Australia) and formulated its foreign policy around the promotion of multilateral cooperation through international institutions, particularly the UN. This approach was reflected in the deployment of New Zealand soldiers to support the UN-mandated mission in Bosnia (1992), a New Zealand role in the UN Regional Assistance Mission to the Solomon Islands (2003), a peacekeeping role in East Timor (1999–2012) and a strong contribution to the UN-mandated, NATO-led mission in Afghanistan (2001–2013). New Zealand’s refusal to participate in the war against Iraq in 2003 was also based on a commitment to the UN. Labour Prime Minister Helen Clark stated that ‘regime change is not something that the UN is mandated to do’ and argued that ‘Without the United Nations, multilateralism and respect for the international rule of law, the world’s prospects would be bleak indeed’.⁴⁵ The internationalist orientation of New Zealand foreign policy in the post-Cold War era suggests, in contrast to the small states literature, that New Zealand was not solely focused on local and regional security issues during this period.

More recently, the New Zealand–US security relationship has been reinvigorated. In 2005, the Helen Clark-led Labour government made a concerted effort to improve New Zealand–US relations, which corresponded with a desire on the part of the US government to rebuild international partnerships after the invasion of Iraq.⁴⁶ Intelligence sharing was re-established in 2009 under the John Key-led National government,⁴⁷ and the Wellington and Washington Declarations (2010 and 2012) paved the way for new high-level military and diplomatic exchanges between the two countries. This enhanced cooperation stemmed from America’s strategic ‘pivot’ to the Asia-Pacific region, as articulated by Secretary of State Hillary Clinton in 2011, and a desire to work with New Zealand in shaping ‘a rules-based regional and global order’.⁴⁸ It also reflected a view in the National Party that previous Labour governments had been too reliant on the UN and had neglected bilateral security partnerships. As current Deputy Prime Minister, Bill English, has said, ‘As important as the United Nations is as an international force, there are other international relationships for us that are more strategic’.⁴⁹ Robert Ayson and David Capie have argued that New Zealand has re-established a de facto alliance with the US and that recent developments reflect ‘a position of clear alignment in which New Zealand appears to have traded in some of its independence chips’.⁵⁰ While New Zealand has not abandoned institutional cooperation and norm promotion, the pendulum has swung back towards ties with ‘traditional’ partners.

New Zealand’s cyber security challenges: Domestic and international capacity building

New Zealand’s recent cyber security challenges are closely linked with the emergence of a globalised cyber security environment and indicate that focusing solely on local and regional interests will not safeguard the country from cyber attacks. The New Zealand Security Intelligence Service (SIS)⁵¹ has said that the incidence of such attacks is on the increase in New Zealand, from 90 attacks categorised as a threat to government and critical infrastructure in 2011, rising to 134 in 2012, with 60% of those emanating from overseas.⁵² The SIS 2012 Annual Report concluded that ‘New Zealand is subject to systematic cyber intrusion targeting both government and key economic and intellectual property generators’ and that ‘state sponsored actors posed the greatest threat to New Zealand’. It also noted that foreign intelligence agencies were directly involved in cyber espionage against government and private entities in New Zealand, although the agencies responsible were not named in the report.⁵³ Cyber attacks have also gained heightened media attention in recent years. In October 2012, for example, a hacker gained access to confidential client details through the Work and Income New Zealand (WINZ) website, and in July 2013, ‘Anonymous New Zealand’ conducted distributed denial of service (DDoS) attacks against at least a dozen National Party websites, including the personal website of Prime Minister John Key. Cyber attacks directed against the private sector and the New Zealand public are also a growing problem. A 2011 Symantec survey of 100 New Zealand companies found two-thirds experiencing a cyber attack in the preceding 12 months, with 25% losing corporate data and 25% experiencing a financial loss of NZ$70,000.⁵⁴ Recently released statistics suggest that cybercrime against New Zealanders costs NZ$625 million annually⁵⁵ and one survey rated New Zealand mobile phone ‘app’ users in the 10 most vulnerable in the world to cyber attacks.⁵⁶ Given that 44% of New Zealanders use smart phones, this is a significant vulnerability.⁵⁷

In order to respond to these growing challenges – and in the absence of broader institutional cooperation and cyber security norms – New Zealand has taken steps to enhance both its domestic cyber security capacity and its international cyber security partnerships. The government has produced a National Cyber Security Strategy, which aims to enhance New Zealand’s resilience across sectors to cybercrime, cyber espionage, hacktivism and terrorist use of the Internet.⁵⁸ A National Cyber Security Centre (NCSC) has been established as part of the Government Communications Security Bureau (GCSB), which is New Zealand’s primary signals intelligence agency and part of the Echelon network, along with the US National Security Agency (NSA), the UK Government Communications Headquarters (GCHQ), Australia’s Defence Signals Directorate (DSD) and Canada’s Communications Security Establishment Canada (CSEC). Stronger cyber security links are being formed between the New Zealand government and private entities, particularly those responsible for providing critical infrastructure,⁵⁹ and transnational cooperation is emerging. A new cyber security research facility at Auckland’s Unitec Institute for Technology, for example, has developed links with research institutes in Japan on cyber security issues.⁶⁰

Despite these positive developments, New Zealand continues to face significant resource challenges in enhancing its cyber security, and this is indicative of the common challenges small states face in this and other areas of security policy. A recent report into the role of the GCSB noted that the agency has fewer than 300 staff and ‘is very widely spread and in places very thin’.⁶¹ New Zealand’s intelligence agencies have received a significant boost in funding since 2003, with a total increase in budget for the SIS and GCSB from NZ$45 million in 2003 to NZ$97 million in 2012,⁶² yet staffing levels at the GCSB have fallen by 20% since 2007.⁶³ Challenges also exist in retaining highly specialised ICT professionals in the public sector, and keeping ICT specialists in New Zealand when there are higher-paid jobs overseas. The New Zealand government has openly acknowledged these resource challenges. A recent review of the GCSB’s functions revealed, ‘in a small jurisdiction such as New Zealand we cannot afford to duplicate expensive and sophisticated assets, and there are limited numbers of people that can work with such assets’.⁶⁴ The volume of work generated by the agency is also likely to increase significantly as a result of the growing number and diversity of cyber attacks against New Zealand targets. More broadly, New Zealand continues to be reliant on intelligence from its international partners. Bruce Ferguson, a former head of the GCSB, has said that New Zealand receives approximately five times more intelligence than it produces and continues to be dependent upon the US for intelligence relating to peacekeeping operations and foreign troop deployments, including in Afghanistan, where New Zealand forces were deployed after 9/11.⁶⁵ As a small state, New Zealand continues to be a net consumer of intelligence on a wide range of security issues, including maritime security, trade and counterterrorism, and this dependency is likely to continue.

In order to close this capabilities gap, the New Zealand government has focused on extending its international cyber security partnerships. In June 2012, New Zealand entered into an Individual Partnership Cooperation Programme with NATO, which provides for consultation and cooperation on cyber security issues and continued intelligence sharing.⁶⁶ In January 2013, Foreign Minister Murray McCully announced a deal with the UK government that will allow New Zealand to benefit from research and development at a new global cyber security facility in the UK,⁶⁷ and the Washington and Wellington declarations have resulted in a high-level strategic dialogue between US and New Zealand officials on ‘cyber policy’ and ‘scientific cooperation’.⁶⁸ Alignment with the US has traditionally given its allies access to strategies and technologies that have enhanced their security and this is increasingly the case in the area of cyber security. In September 2011, moreover, around the 60th anniversary of the signing of the ANZUS treaty, the US and Australian governments announced that their ongoing ANZUS commitments would be extended into cyberspace:

Mindful of our longstanding defense relationship and the 1951 Security Treaty between Australia, New Zealand, and the United States of America (ANZUS Treaty), our Governments share the view that, in the event of a cyber attack that threatens the territorial integrity, political independence or security of either of our nations, Australia and the United States would consult together and determine appropriate options to address the threat.⁶⁹

It is unclear from this statement how severe cyber attacks would need to be to trigger collective action.⁷⁰ Nevertheless, the reorientation of the US and Australian alliance relationship to deal with cyber security challenges is a positive development, and one that New Zealand will likely benefit from, even though it was not party to the statement.

GCSB reform: Domestic and international controversies

The most contentious aspect of New Zealand’s emerging cyber security strategy has been changes to the role of the GCSB. The GCSB and Related Legislation Reform Bill, which was passed by the New Zealand Parliament in August 2013, extended the GCSB’s cyber security functions to the domestic arena, creating a legal basis for the agency to intercept electronic communications from and to New Zealand citizens and permanent residents for the first time.⁷¹ These reforms created a heated political debate in New Zealand that highlighted the difficult task of achieving a tenable balance between privacy and security in cyberspace. The New Zealand government emphasised that intercepting communications was not the same as spying on New Zealanders, and that only metadata – the origins and destinations of communications and the type of malicious code attached – would be subject to interception in the first instance, and on the basis of a warrant. John Key personally emphasised that a second warrant would need to be issued to allow the content of electronic communications to be analysed, and only when it related to a ‘significant threat’ to the country.⁷² Such assurances have been greeted with a degree of scepticism by the New Zealand public. Of respondents to one August 2012 Fairfax Media-Ipsos poll, 75.3% indicated that they were worried about plans to allow the GCSB to monitor New Zealanders.⁷³ However, in the same poll, over 50% of respondents stated that they trusted the government to protect their right to privacy under the new system.

While the balance between privacy and security has been a central issue in this debate, it is difficult to argue that this is a particular problem for New Zealand or, indeed, for small states. The political and legal controversies around this legislation, however, do illustrate some of the challenges that small states face in enhancing their cyber security. First, the erosion of New Zealand’s geographical isolation is evident in its struggle to respond to global cyber security challenges. The government’s justification for the extension of state power to the domestic arena was explicitly framed in the context of New Zealand’s adaptation to the global challenges of the post-9/11 security environment. In April 2013, John Key referred to ‘evidence of cyber espionage in New Zealand’, including ‘covert attempts to acquire New Zealand science and technology for programmes relating to weapons of mass destruction or weapons delivery systems’.⁷⁴ In July 2013, he said:

In New Zealand there are people who have been trained for al-Qaeda camps who operate out of New Zealand, who are in contact with people overseas, who have gone off to Yemen and other countries to train. I’m sorry, but that’s the real world.⁷⁵

The explanatory note to the bill also recognised some of the challenges small states are confronting in the area of cyber security, and especially the tension between a focus on local/regional security issues and globalised security challenges. It stated that ‘New Zealand faces a changing security environment in which threats are increasingly interconnected and national borders are less meaningful’, and claimed that ‘Globalisation means New Zealand is no longer as distant from security threats as it once was’.⁷⁶

The scandal over the interception of Kim Dotcom’s electronic communications, the founder of the ‘Megaupload’ file-sharing website, was also particularly prominent in driving changes to the GCSB’s role. Dotcom was indicted by US authorities on 5 January 2012 on charges including online piracy, copyright infringement and money laundering. On 20 January 2012, the New Zealand police, working with the US Federal Bureau of Investigation (FBI), raided Dotcom’s Auckland mansion. The legal case that followed revealed: that warrants used in the raid were illegal because they were used to seize material that was irrelevant to the investigation; that the FBI had illegally copied the contents of computer hard drives seized in the raid; and that the GCSB had unlawfully spied on Dotcom prior to the raid, supplying information to the police relating to his movements and personal communications. Dotcom was granted New Zealand permanent residency in November 2010, and was thus protected from GCSB surveillance under the previous statutory framework. As a result of the controversy, an investigation into the activities of the GCSB took place, which culminated in the release of the Kitteridge Report. The report revealed 55 incidences of unlawful GCSB surveillance over nine years, involving 88 New Zealand citizens and permanent residents.⁷⁷ The 2013 GCSB bill thus provided a new legal basis for activities that the agency had already been carrying out.

The release of classified information by former NSA contractor Edward Snowden also had a significant impact on the New Zealand debate. In a series of leaks in July and August 2013, as the GCSB bill was being debated, Snowden revealed that the US government had been collecting, processing and analysing vast data and phone records from some of the world’s leading ICT companies and covertly tapping into global fibre-optic cables with a view to monitoring electronic communications. The activities of the NSA demonstrate the enormous power that the US has accumulated in cyberspace and the capabilities gap that exists between small and large states, as detailed in the previous section. Snowden also directly emphasised links between the National Security Agency's (NSA) activities and the Echelon network, revealing that the NSA had been funding the UK GCHQ since 2009⁷⁸ and claiming that America’s Five Eyes partners ‘sometimes go even further than the NSA people themselves’.⁷⁹ The New Zealand government’s strategy for enhancing New Zealand cyber security has been tarnished and complicated by the global controversy created by the affair and there has been an unprecedented degree of conflation between the privacy issues involved and New Zealand’s core cyber security interests.

Another controversy that has influenced New Zealand’s emerging cyber security strategy relates to China’s extension into the New Zealand broadband market. The New Zealand government awarded a major contract to Chinese firm Huawei in 2011 as part of the rollout of New Zealand’s ultra-fast broadband initiative. In October 2012, the US House Intelligence Committee stated that the company’s provision of equipment to US critical infrastructure ‘could undermine core U.S. national security interests’, and noted the links between company directors and the Chinese Communist Party and military.⁸⁰ The Australian government blocked a broadband contract on the basis of security concerns.⁸¹ Huawei have labelled suggestions that they are a threat as ‘baseless’, but the controversy raises important questions for New Zealand’s cyber security.⁸² Why did New Zealand’s assessment of the risks differ from that of its security partners, and if the New Zealand government had blocked the contract, would the country’s close economic relationship with China have been affected?

Collectively, these scandals have focused the attention of the New Zealand public on the country’s renewed status as a de facto ally of the US, and the GCSB’s relationship with the NSA has come under greater scrutiny. There have been a number of recent assertions that New Zealand’s political autonomy is being undermined by this relationship and that changes to the powers of the GCSB have been driven by US influence. Kim Dotcom has claimed that John Key has a ‘subservient relationship with the United States’ and that ‘The GCSB was utilised to surveil all my communication in order to give the US Government full access to all my communication’.⁸³ An editorial for the Waikato Times, entitled ‘NZ: 51st State of the US’, suggested that the affair had ‘Heightened suspicions that this country’s relationship with the United States has become one of servility rather than friendship’ and argued that ‘The Government’s unquestioning readiness to co-operate with American authorities seriously corrodes our claims to be an independent state’.⁸⁴ Hone Harawira, leader of the Mana Party, has said that the NZ–US cyber security partnership could undermine the country’s status at the UN and its bid for a UN Security Council seat in 2015:

Now New Zealand wants a seat of the UN Security Council and our case will inevitably be tainted by our association with US foreign policy strategies operating through the GCSB. In recent years the National government has pushed New Zealand further into the US corner and further from the independence which would give us greater assurance and credibility in the world.⁸⁵

These arguments are not just being made by opposition politicians. Rodney Harrison QC, a prominent New Zealand lawyer, has claimed that the GCSB’s Waihopai satellite communications interception station is ‘tacitly treated by government and the GCSB as an operation of the USA and other security partners not covered by the New Zealand legislation’. He has further claimed that the issue ‘goes to the heart of New Zealand’s sovereignty – our right to independent self-government without interference from outside’.⁸⁶ The potential impact of the close US–New Zealand cyber security partnership on New Zealand’s relationships with its Asian trading partners has also come under increasing scrutiny. Former diplomat Terence O’Brien has argued that ‘our important relationships in Asia could be compromised by our close association with the US and its hoovering up of big data’,⁸⁷ and Dr Russel Norman, leader of the New Zealand Green Party, has said that ‘China would view the Five Eyes network with some concern. There is no doubt they would view Five Eyes as an impediment to a better relationship with New Zealand’.⁸⁸

But how accurate are these claims? Are New Zealand’s interests and autonomy being subsumed by the country’s cyber security links to its larger, more powerful, security partners? Kim Dotcom’s assertion that New Zealand has a subservient relationship with the US should be treated with caution, especially as he is facing extradition to the US. The notion that New Zealand’s cyber security links to the US will undermine New Zealand’s bid for a seat on the UN Security Council in 2015 is similarly unpersuasive. New Zealand’s two rival candidates for the seat – Spain and Turkey – are both NATO members and close US allies. It is unlikely that these issues would be raised by these countries during the UN selection process and there has been no criticism from foreign governments relating to New Zealand’s cyber security links with the US. The New Zealand government has also directly refuted claims that its interests and autonomy are being undermined by the US–New Zealand intelligence and cyber security partnership. In April 2010, after protests and vandalism at the Waihopai signals intelligence facility, the GCSB took the uncommon step of publicly emphasising New Zealand’s independence, claiming that ‘The Waihopai station is not a US-run “spybase”. It is totally operated and controlled by New Zealand, through the GCSB as an arm of the New Zealand Government’.⁸⁹ John Key has further stated that the GCSB bill gives the agency a clear legal framework that establishes rules around its cooperation with its intelligence partners. In response to a question from New Zealand journalist John Campbell, Mr Key said: ‘If you are asking us do we in New Zealand go round the back door and ask our partners to do things for us that would be otherwise not legal for GCSB to do, the answer is unequivocally no’.⁹⁰ Finally, China has always viewed New Zealand as being closely aligned with the US. While a delicate balancing act is emerging in managing New Zealand’s economic relationship with China and its security relationship with the US, trade with China is unlikely to be undermined by these links.⁹¹

Conclusion

New Zealand has experienced a polarising and contentious debate about the power of the state to intercept online communications, and a series of political scandals have highlighted the difficult task New Zealand faces in adapting to a rapidly evolving cyber security environment. Achieving an acceptable balance between security and liberty is not a new challenge, yet the balance may be more difficult to achieve given the globalisation of security threats and the growth in malicious online activity. To a large extent, however, finding this balance is a challenge faced by all states regardless of their size, and it is useful to separate this aspect of the debate from New Zealand’s emerging cyber security strategy.

So, do small states face unique or different challenges in enhancing their cyber security arena, and how does New Zealand’s cyber security strategy relate to the established small states literature detailed in the first two sections of this article? First, it is clear that New Zealand faces significant technical hurdles and resource challenges. New Zealand is struggling to commit the necessary financial resources to effectively enhance its cyber security, and faces a challenge in developing the human resources, technical expertise and knowledge to keep up with a rapidly changing cyber security environment. There is also a growing cyber capabilities gap between small and large powers, which makes small states vulnerable. While claims about New Zealand’s lack of autonomy in its cyber and intelligence links should be treated with caution, there may be a growing dependency on its international partners in the cyber security arena.

Second, New Zealand’s international engagement in the post-Cold War era suggests that its foreign policy has not been solely or even primarily focused on local and regional interests. This more globally focused foreign policy does not fit well with the existing small states scholarship. Globalisation appears to have enlarged the security interests and outlook of New Zealand and this may be the case for other small states too. Cyber security issues are also clearly global in scope and make the pursuit of a locally and regionally focused foreign policy increasingly unrealistic and untenable. However, cyber security cooperation is not contingent on states being in close geographical proximity, as New Zealand’s recent agreements with the UK, NATO and the US demonstrate. In other words, while cyber threats are global in scope, cyber cooperation can be too.

Third, the evidence in this article suggests that small states that remain outside formalised security pacts like NATO may need to compensate for the benefits and assets they provide in the area of cyber security. The New Zealand government appears to have recognised this, and its cooperation with NATO, the UK and through the Echelon network provides a solid foundation for enhancing the country’s cyber security. There is a broader point here with respect to alliances. The idea of collective defence is clearly changing in the cyber security context. Collective defence is more problematic against cyber attacks due to the difficulties of attribution, deterrence, the diversity in the type and scope of attacks, and the fact that many cyber threats emanate from non-state actors. However, that is not to say that alliances do not retain a useful function in confronting cyber security challenges. Historically, alliances have provided a mechanism for the defence of physical territory but they are also now providing tools and resources for the defence of cyberspace. States are cooperating on these issues, developing capabilities and sharing technologies, and small states are clearly benefiting from this. NATO, in particular, has undergone a process of adaption to globalised security threats in the post-Cold War era, and an integral part of its refocusing has been the development of security partnerships with a wider and more geographically distant group of non-NATO members. Cyber security is an increasingly important part of that wider pattern of cooperation, and New Zealand is increasingly involved. This also demonstrates that, even though there are strategic rivalries between the great powers in cyberspace, countries that have closely aligned strategic interests can make progress on cyber security issues.

Fourth, while there has been little progress within international institutions on cyber security, the next decade could present opportunities for small states to influence the development of international cooperation and the emergence of cyber security norms. Despite recent assertions to the contrary, New Zealand’s reputation as a neutral, honest broker is intact, and it is hard to see how a closer cyber security and intelligence partnership with the US and other states would practically inhibit its ability to articulate and promote such norms. In fact there are many avenues of influence for New Zealand, including through the Association of Southeast Asian Nations (ASEAN) Regional Forum, through the Asia Pacific Cooperation (APEC) forum, at the UN (especially if New Zealand is successful in its bid for a UN Security Council seat), and through Track 1.5 and Track 2 diplomacy. Success in these areas will depend upon New Zealand forming coalitions with other small states and driving ‘small–small’ cooperation. As on other security issues, small states’ institutional influence will also be contingent upon the development of administrative capabilities and knowledge of the issues, and New Zealand must choose to prioritise cyber security if it wishes to have a positive impact. Ultimately, international cooperation on cyber security issues and norm development is contingent upon great power cooperation, but small states working together could have a positive role to play.

Finally, what are the ongoing challenges and opportunities for the cyber security literature in this area? The three models of small state security outlined in this article have proved to be useful lenses through which to analyse New Zealand’s cyber security challenges. A tighter focus on how small states are responding to other globalised security challenges, such as climate-related conflict, energy security and counterterrorism, would be beneficial. The literature would also benefit from a comparative perspective on how other small states are responding to cyber security issues. It should not be assumed that New Zealand is a typical small state. Finally, the question of whether small democratic states face different cyber security challenges to small non-democratic states would be a fruitful avenue for research. The need to balance security and privacy may well be substantially different in non-democracies, and patterns of alliance formation and international cooperation are also likely to vary.

Footnotes

Acknowledgements

The author wishes to thank David Capie and Kate McMillan for their editorial help and the reviewers for their constructive feedback and suggestions.

1.

Quoted in Thomas Rid, ‘Think Again: Cyberwar’, Foreign Policy, No. 192 (March 2012), p. 81.

2.

This article adopts a broad definition of cyber security, to include security from cyber attacks (efforts to render computers and the networks that they are attached to inoperable) and cyber exploitation (efforts to steal data from computers and computer networks and/or covertly control them).

3.

See Matthias Maass, ‘The Elusive Definition of the Small State’, International Politics, Vol. 46, No. 1 (January 2009), pp. 75–76; Peter R. Baehr, ‘Small States: A Tool for Analysis’, World Politics, Vol. 27, No. 3 (April 1975), p. 460.

4.

See, for example, Maurice A. East, ‘Size and Foreign Policy Behavior: A Test of Two Models’, World Politics, Vol. 25, No. 4 (July 1973), p. 557.

5.

Annette Fox, The Power of Small States: Diplomacy in World War 2 (Chicago, IL: University of Chicago Press, 1959), p. 3.

6.

Matthias Maass, ‘The Elusive Definition of the Small State’, p. 72.

7.

For the most comprehensive exploration of these dynamics, see Stephen Walt, The Origins of Alliances (New York, NY: Cornell University Press, 1987).

8.

Omer De Raeymaeker, ‘Introduction’, in Omer De Raeymaeker, Willem Andries, Luc Crollen et al. (eds), Small Powers in Alignment (Leuven: Leuven University Press, 1974), p. 18.

9.

Heinz Gartner, ‘Small States and Alliances’, in Erich Reiter and Heinz Gartner (eds), Small States and Alliances (New York, NY: Physica-Verlag Heidelberg, 2001), p. 3.

10.

For a detailed analysis of intra-alliance dynamics, see Glenn H. Snyder, Alliance Politics (New York, NY: Cornell University Press, 1997).

11.

See, for example, Kenneth N. Waltz, ‘NATO Expansion: A Realist’s View’, Contemporary Security Policy, Vol. 21, No. 2 (August 2000), p. 29.

12.

Peter V. Jakobsen, ‘Small States, Big Influence: The Overlooked Nordic Influence on the Civilian ESDP’, Journal of Common Market Studies, Vol. 47, No. 1 (January 2009), p. 96.

13.

Baldur Thorhallsson, ‘Small States in the UN Security Council: Means of Influence?’, The Hague Journal of Diplomacy, Vol. 7, No. 2 (2012), p. 159.

14.

Baldur Thorhallsson, ‘Small States in the UN Security Council: Means of Influence?’, p. 146.

15.

Jon Barnett and John Campbell, Climate Change and Small Island States: Power, Knowledge and the South Pacific (London: Earthscan, 2010), p. 101.

16.

Robert O. Keohane and Joseph S. Nye, ‘Power and Interdependence in the Information Age’, Foreign Affairs, Vol. 77, No. 5 (September 2009), p. 86.

17.

Alan Chong, ‘Small State Soft Power Strategies: Virtual Enlargement in the Cases of the Vatican City State and Singapore’, Cambridge Review of International Affairs, Vol. 23, No. 3 (September 2010), p. 385.

18.

Annette Fox, The Power of Small States: Diplomacy in World War 2, p. 2.

19.

Alan K. Henrikson, ‘A Coming “Magnesian” Age? Small States, the Global System, and the International Community’, Geopolitics, Vol. 6, No. 3 (2001), p. 63.

20.

Laurent Goetschel, ‘The Foreign and Security Policy Interests of Small States in Today’s Europe’, in Laurent Goetschel (ed.), Small States Inside and Outside the European Union (Dordrecht: Kluwer, 1998), p. 28.

21.

Christine Ingebritsen, ‘Norm Entrepreneurs: Scandinavia’s Role in World Politics’, Cooperation and Conflict, Vol. 37, No. 11 (March 2002), pp. 11–23.

22.

Margarita H. Petrova, ‘Small States and New Norms of Warfare’ (2007), p. 6, available at: (accessed 10 August 2013).

23.

Quoted in Ian Traynor, ‘Russia Accused of Unleashing Cyberwar to Disable Estonia’ (May 2007), available at: (accessed 10 August 2013).

24.

Kertu Ruus, ‘Cyber War I: Estonia Attacked from Russia’, European Affairs, Vol. 9, Nos 1/2 (Winter/Spring 2008), p. 26.

25.

Tim Maurer has noted that the work of the UN Security Council has largely been limited to the Working Group on Countering the Use of the Internet for Terrorist Purposes, part of the Counter-Terrorism Implementation Task Force (CTITF). See Tim Maurer, ‘Cyber Norm Emergence at the United Nations: An Analysis of the Activities at the UN Regarding Cyber-security’ (September 2011), available at: (accessed 10 August 2013).

26.

For the official US position, see US Department of State, ‘Fast Facts on United States Submitting Initial Proposals to World Telecom Conference’ (August 2012), available at: (accessed 10 August 2013).

27.

New Zealand also voted against these changes. See Terry Kramer, ‘The WCIT: Globalizing a Transatlantic Legacy’ (November 2012), available at: http://www.europeaninstitute.org/EA-November-2012/the-wcit-globalizing-a-transatlantic-legacy.html (accessed 10 August 2013); Chris Keal, ‘NZ Joins US, other Western Nations in Rejecting UN Control of Internet’ (December 2012), available at: (accessed 11 August 2013).

28.

European Union External Action Service, ‘EU Cybersecurity Plan to Protect Open Internet and Online Freedom and Opportunity’ (February 2013), available at: (accessed 10 August 2013).

29.

Jason Healey, ‘Breakthrough or Just Broken? China and Russia’s UNGA Proposal on Cyber Norms’ (September 2011), available at: (accessed 10 August 2013).

30.

Ministry of Foreign Affairs of the People’s Republic of China, ‘China, Russia and Other Countries Submit the Document of International Code of Conduct for Information Security to the United Nations’ (September 2011), available at: (accessed 10 August 2013).

31.

International Telecommunications Union, ‘Time Series by Country (2000–2012) – Percentage of People Using the Internet’ (February 2013), available at: (accessed 10 August 2013).

32.

McAfee, ‘Cyber-security: The Vexed Question of Global Rules’ (February 2012), available at: (accessed 10 August 2013).

33.

Ross Stapleton-Gray and William Woodcock, ‘National Internet Defense: Small States on the Skirmish Line’, Communications of the ACM, Vol. 54, No. 3 (2011), pp. 50–55.

34.

Joseph Nye, `Nuclear Lessons for Cyber Security?', Strategic Studies Quarterly, Vol. 5, No. 4, (Winter 2011), p. 20.

35.

Malicious activity includes data from malicious code reports, spam zombies, phishing hosts, bot-infected computers, network attack origins and web-based attack origins. See Symantec, ‘Symantec Report on Threat Activity Trends’ (2013), available at: http://www.symantec.com/threatreport/topic.jsp?id=threat_activity_trends&aid=malicious_activity_by_source (accessed 10 August 2013).

36.

Quoted in David Kushner, ‘The Real Story of Stuxnet’, IEEE Spectrum, Vol. 50, No.3 (March 2013), p. 53.

36.

Andy Sullivan, ‘Obama Budget Makes Cybersecurity a Growing U.S. Priority’ (April 2013), available at: (accessed 10 August 2013).

37.

Andy Sullivan, ‘Obama Budget Makes Cybersecurity a Growing U.S. Priority’ (April 2013), available at: (accessed 10 August 2013).

38.

Tina Miles, ‘Army Activates First-of-its-kind Cyber Brigade’ (December 2011), available at: (accessed 10 August 2013).

39.

Trading Economics, ‘New Zealand GDP’ (August 2013), available at: (accessed 11 August 2013).

40.

New Zealand Prime Minster Peter Fraser argued strongly against the establishment of a veto power in the UN Security Council, despite the fact that Great Britain benefited greatly from it, and for small states to have greater influence through a strengthened General Assembly. See Malcolm McKinnon, Independence and Foreign Policy: New Zealand in the World since 1935 (Auckland: Auckland University Press, 1993), pp. 57–62.

41.

Quoted in Malcolm McKinnon, Independence and Foreign Policy: New Zealand in the World since 1935, p. 270.

42.

Robert G. Patman, ‘Globalisation, Sovereignty, and the Transformation of New Zealand Foreign Policy’ (2005), available at: (accessed 11 August 2013).

43.

Quoted in Wade Huntley, ‘The Kiwi that Roared: Nuclear Free New Zealand in a Nuclear Armed World’, The Nonproliferation Review, Vol. 4, No. 1 (March 1996), p. 8.

44.

See Malcolm McKinnon, Independence in Foreign Policy: New Zealand in the World since 1945 (Auckland: Auckland University Press, 1993), p. 289.

45.

Quoted in David McGraw, ‘New Zealand Foreign Policy Under the Clark Government: High Tide of Liberal Internationalism’, Pacific Affairs, Vol. 78, No. 2 (Summer 2005), p. 225.

46.

Bruce R. Vaughan, ‘The United States and New Zealand: Perspectives on a Pacific Partnership’ (August 2012), p. 21, available at: (accessed 26 August 2013).

47.

Nicky Hager, ‘Wikileaks: Leaked US Cables Spill the Beans on NZ Ties’ (December 2010), available at: (accessed 11 August 2013).

48.

Hillary Clinton, ‘America’s Pacific Century’ (November 2011), available at: (accessed 26 August 2013).

49.

Quoted in David McCraw, ‘New Zealand Foreign Policy Under the Clark Government: High Tide of Liberal Internationalism?’, p. 224.

50.

Robert Ayson and David Capie, ‘Part of the Pivot? The Washington Declaration and US–NZ Relations’, Asia-Pacific Bulletin, No. 172 (July 2012), p. 2.

51.

The SIS was established in 1956 and is responsible for investigating threats to New Zealand’s national security (including sabotage, subversion, espionage and acts of terrorism), collecting foreign intelligence and providing a range of protective security and advice services to government.

52.

National Cyber Security Centre, ‘2012 Incident Summary’ (2012), pp. 2–4, available at: (accessed 11 August 2013).

53.

New Zealand Security Intelligence Service, ‘Annual Report’ (September 2012), p. 19, available at: (accessed August 2013).

54.

Symantec, ‘NZ Organisations Rank Cyber Attacks as #1 Risk’ (June 2011), available at: (accessed 11 August 2013).

55.

Government Communications Security Bureau, ‘Regulatory Impact Statement’ (March 2013), p. 10, available at: (accessed 11 August 2013).

56.

Anonymous, ‘NZ App Users at Risk of Cyber Attacks – Survey’ (January 2013), available at: http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=10860719 (accessed 11 August 2013).

57.

Anonymous, ‘NZ App Users at Risk of Cyber Attacks – Survey’.

58.

Department of Prime Minister and Cabinet, ‘New Zealand’s Cyber Security Strategy’ (June 2011), p. 5, available at: (accessed 11 August 2013).

59.

The NCSC has recently developed voluntary standards for operators of Industrial Control Systems, for example. See Paul Nash, ‘Cyber Security: Why it Matters for New Zealand’ (April 2013), available at: (accessed 11 August 2013).

60.

Japan’s National Institute of Information and Communications Technology (NICT) and the Nara Institute of Science and Technology (NAIST). The institutes will conduct decentralised monitoring of the number of malicious threats on New Zealand networks and their country of origin and will develop advanced information technologies in New Zealand.

61.

Rebecca Kitteridge, ‘Review of Compliance at the Government Communications Security Bureau’ (March 2013), p. 64, available at: (11 August 2013).

62.

Pete George, ‘More Money and More Spies’ (July 2013), available at: (accessed 11 August 2013).

63.

The agency went from a total of 370 staff in 2007 to 294 in 2012. See Government Communications Security Bureau, `Annual Reports' (2007 and 2012), available at: (accessed 23 October 2013).

64.

Office of the Minister Responsible for the GCSB Cabinet Domestic and External Security Committee, ‘Review of Government Communications Security Bureau Act 2003’ (June 2013), p. 5, available at: (accessed 11 August 2013).

65.

Nick Perry and Paisley Dodds, ‘“Five Eyes” Spy Alliance Will Survive Snowden’ (July 2013), available at: http://www.newsfactor.com/story.xhtml?story_id=11000APTXRP6&page=2 (accessed 11 August 2013).

66.

New Zealand Government, ‘Individual Partnership and Co-operation Programme between New Zealand and NATO’ (June 2012), available at: (accessed 28 August 2013).

67.

Michael Field, ‘Super-Cyber Security NZ–UK Alliance’ (January 2013), available at: (accessed 11 August 2013).

68.

US Department of State, ‘Joint Statement: US–New Zealand Strategic Dialogue’ (May 2013), available at: (accessed 28 August 2013).

69.

US Department of State, ‘U.S.–Australia Ministerial Consultations 2011 Joint Statement on Cyberspace’ (September 2011), available at: (accessed 2 September 2013).

70.

For a detailed discussion of ANZUS and cyber security issues, see Andrew Davies, James Andrew Lewis, Jessica Herrera Flanigan et al., ‘ANZUS 2.0: Cybersecurity and Australia–US Relations’ (April 2012), available at: http://www.isn.ethz.ch/Digital-Library/Publications/Detail/?ots591=0c54e3b3-1e9c-be1e-2c24-a6a8c7060233&lng=en&id=161646 (accessed 2 September 2013).

71.

And to share that information with the New Zealand Police, the New Zealand Defence Force (NZDF) and the SIS, although when doing so, it will be subject to the various statutory regulations that bind those agencies.

72.

John Key, ‘GCSB: Prime Minister John Key’s Speech’ (August 2013), available at: (accessed 2 September 2013).

73.

Andrea Vance, ‘Kiwis Do Care, Prime Minister’ (August 2013), available at: (accessed 2 September 2013).

74.

Anonymous, ‘Key Reveals WMD Cyber Terrorism Threat to NZ’ (April 2013), available at: (accessed 11 August 2013).

75.

Rebecca Quilliam and Claire Trevett, ‘PM Justifies Spy Bill: Kiwis Trained by Al-Qaeda’ (August 2013), available at: http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10906592 (accessed 11 August 2013).

76.

Government Communications Security Bureau and Related Legislation Amendment Bill, ‘Explanatory Note’ (2013), available at: (accessed 11 August 2013).

77.

Rebecca Kitteridge, ‘Review of Compliance at the Government Communications Security Bureau’, p. 18.

78.

Nick Hopkins and Julian Borger, ‘Exclusive: NSA Pays £100 m in Secret Funding for GCHQ’ (August 2013), available at:

(accessed 2 September 2013).

79.

Anonymous, ‘Snowden Links NZ to US Spy Programme’ (July 2013), available at: (accessed 2 September 2013).

80.

Mike Rogers and Dutch Ruppersberger, ‘Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE’ (October 2012), p. vi, available at: (accessed 28 September 2013).

81.

Charles Arthur, ‘China’s Huawei and ZTE Pose National Security Threat, Says US Committee’ (October 2012), available at: (accessed 11 August 2013).

82.

Charles Arthur, ‘China’s Huawei and ZTE Pose National Security Threat, Says US Committee’.

83.

Quoted in Andrea Vance, ‘Dotcom More Popular than Banks’ (October 2012), available at: (accessed 11 August 2013).

84.

Waikato Times, ‘Editorial – NZ: 51st state of the US’ (September 2012), available at: (accessed 11 August 2013).

85.

Mana Party, ‘Mana Calls for NZ to Withdraw from Spy Network’ (July 2013), available at: (accessed 11 August 2013).

86.

Quoted in Chris Barton, ‘Can NZ Say No to the US?’ (August 2013), available at: http://www.nzherald.co.nz/opinion/news/article.cfm?c_id=466&objectid=10908486 (accessed 11 August 2013).

87.

Terence O’Brien, ‘Five Eyes an Anachronistic Setup’ (July 2013), available at: (accessed 11 August 2013).

88.

Quoted in David Fisher, ‘Secret Network “Has to Be in Probe”’ (June 2013), available at: http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10890675 (accessed 11 August 2013).

89.

Government Communications Security Bureau, ‘Press Release: GCSB Directors Refute Allegations Concerning the WAIHOPAI Station’ (April 2010), available at: (accessed 28 August 2013).

90.

John Key, ‘John Key Defends the GCSB Bill’ (August 2013), available at: (accessed 28 August 213).

91.

Trade between New Zealand and China has grown by over a third since the signing of the 2008 Free Trade Agreement between the two countries. See Matt Crawford, Alasdair Thompson and Peter Conway, ‘Public Input into Free Trade Negotiations: The New Zealand–China FTA’, in James Headley, Andreas Reitzig and Joe Burton (eds), Public Participation in Foreign Policy (London: Palgrave Macmillan, 2012), p. 153.