Our Terms of Reference directed us to make recommendations on:
whether there is any improvement to information sharing and analysis practices by relevant [Public] sector agencies that could have prevented the terrorist attack, or could prevent such terrorist attacks in the future, including, but not limited to, the timeliness, adequacy, effectiveness and coordination of information disclosure, sharing, or matching between [Public] sector agencies.
Sharing information is well recognised as fundamental to countering terrorism. Developing an intelligence picture to prevent a terrorist attack usually requires a combination of multiple pieces of information that, individually, may be of limited significance but, together, show intent and capability. As the 9/11 Commission Report noted, no one component of the United States of America’s intelligence community held all the relevant information required to “connect the dots”130 in a way that would have enabled disruption of the 11 September 2001 terrorist attacks. But, had the information been better shared, things may have ended up differently.
In this chapter we:
- discuss the balance between privacy and interagency information sharing;
- describe previous reviews of components of the national security system related to information sharing;
- describe legislation, policy and leadership as it relates to information sharing;
- consider technical and human factors related to information sharing;
- explain how highly classified information is dealt with;
- assess the distribution of strategic assessments about terrorism threats in New Zealand; and
- set out developments that have occurred since 15 March 2019.
Our focus has been primarily on the activities relevant to the counter-terrorism effort. Information sharing between New Zealand Police and the New Zealand Security Intelligence Service is discussed in Part 8, chapter 12.
9.2 The balance between privacy and interagency information sharing
Public sector agencies, including those involved in the counter-terrorism effort, regard personal information as a resource to be used. Their ability to access and use such information is constrained by the Privacy Act 1993 and, more broadly, by the extent to which such access and use is acceptable to the public.
The Privacy Act provides for substantial privacy protection by establishing information principles that regulate the collection, use, storage and disclosure of information about individuals and for access by individuals to information that is held about them. These principles are broadly consistent with public expectations about the privacy of personal information.
Legislation may provide specifically for official access to, or sharing of, information. We provide some examples later in this chapter.
In this context, there is a need for Public sector agencies to explain to politicians and the public what information they need, how they intend to collect it, how widely it will be shared and what safeguards will be put in place to prevent that information being shared more widely than it needs to be. There is also the reality that the public has a right to be sceptical about calls for more intrusion if Public sector agencies have not complied with restrictions or have not fully used mechanisms that they have already been granted by legislation.
9.3 Previous reviews
Previous reviews of components of the national security system (see Part 8, chapter 2) have noted the fundamental importance of information sharing, observed weaknesses in current Public sector arrangements and made recommendations to address them.
In 2003, the Auditor-General observed there were “few formal processes to co-ordinate information collection and flows more widely across the various Public sector agencies”.131
The 2009 review A National Security and Intelligence Framework for New Zealand noted that “information is the currency of the agencies which make up the sector, and it is a truism (in fact a ‘no brainer’) that this infrastructure should enable information to be stored, accessed, shared and distributed among the right agencies, at the right time, to the right people so that the right use can be made of it”.132
In 2016, the Auditor-General also identified that information flows needed to improve throughout the national security system.133
Action plans developed to record and address lessons learned from national counter-terrorism exercises134 and from counter-terrorism operations have also repeatedly identified difficulties with information sharing. For example, issues identified during a 2016 counter-terrorism operation included some sensitive information being disseminated more widely than it should have been and information being shared with international partners but not with the appropriate domestic agencies.
9.4 Legislation, policy and leadership
Privacy Act 1993
The information principles under the Privacy Act provide that, generally, personal information should only be used and disclosed for the purpose for which it was collected.135 There are exceptions that allow use and disclosure where necessary for prevention, detection, investigation, prosecution and punishment of offences, and to prevent or reduce a serious threat to public health or public safety or the life or health of any individual. As well, an intelligence and security agency that holds information collected for a particular purpose may use it for another purpose if that is necessary to enable the agency to perform any of its functions.136
The Privacy Act enables, on a case-by-case basis, one Public sector agency to seek information held by another. Such requests are assessed against the information principles. The Privacy Act also enables Public sector agencies to enter into approved information sharing agreements.137 For example, 12 government departments have negotiated an information sharing agreement to enable them to share information and intelligence to reduce gang-related harm to individuals and New Zealand society. We heard that, even with this agreement in place, information sharing for those purposes is sometimes a challenge. There is no equivalent information sharing agreement for counter-terrorism purposes.
The Customs and Excise Act 2018, the Immigration Act 2009 and the Intelligence and Security Act 2017 contain different bespoke information sharing regimes. For example, a direct access agreement enables New Zealand Police to directly create, amend and cancel border alerts in a New Zealand Customs Service database.
Of the direct access agreements contemplated by the Intelligence and Security Act (see Part 8, chapter 14), only some have been put in place. This suggests that establishing direct access agreements has not been a high priority for some of the relevant Public sector agencies as a collective. Establishing such agreements requires time, effort, cooperation and technical capability to enable the access.
New Zealand Customs Service and Immigration New Zealand said that other Public sector agencies were reluctant to share information. They advocate further legislation to specifically allow classes of information sharing. Immigration New Zealand observed that a legislative process would enable public consideration of where the balance should lie between the rights and interests of individuals and the public interest in the effective functioning of the national security system.
National security system leadership and coordination of information sharing
In the three years up to March 2019, the Security and Intelligence Board’s (Part 8, chapter 3) consideration of information sharing was focused primarily on practical matters such as the development of highly classified information technology systems.
The Security and Intelligence Board discussed on a number of occasions the Top Secret information technology system that the Government Communications Security Bureau provides other Public sector agencies. In 2017, the Security and Intelligence Board noted that the Government Communications Security Bureau-led programme was focused on “building the technology platform which will support … new ways for the [Public] sector to operate”.
In 2016, the Security and Intelligence Board was told that a counter-terrorism operation identified that “the system overall appears under-prepared to facilitate effectively the sharing of highly sensitive, [compartmented] intelligence to those who need it, when they need it”. The Counter-Terrorism Coordination Committee was asked to address this, along with other matters identified in a corrective action plan following that operation. The Counter-Terrorism Coordination Committee referred operational coordination matters such as this to a working group established in 2016 to “address the void” in joining up operationally-focused lines of effort. This work was not completed before 15 March 2019.
New Zealand Customs Service raised with the Security and Intelligence Board barriers to information sharing arising through “proposed and current legislative change” in 2016. The Department of the Prime Minister and Cabinet was then to provide the Security and Intelligence Board with a clear and succinct statement of the problems associated with information sharing between Public sector agencies involved in the national security system. This did not happen before 15 March 2019.
The Ministry of Health raised with the Security and Intelligence Board challenges of sharing information about individuals of national security concern with frontline staff in 2018. This was addressed by New Zealand Police updating the Ministry of Health on how they had been working at the local level with health sector staff.
The Counter-Terrorism Coordination Committee minutes did not record any discussion on information sharing before March 2019. The 2018 risk profile for terrorism (see Part 8, chapter 3) does not include information sharing as one of the national security system’s key areas of focus.
9.5 Technical and human factors related to information sharing
Information is primarily shared between Public sector agencies by email, rather than through shared databases. Relying on email to share information means there is a significant human factor to whether and what information gets shared.
Each Public sector agency involved in the counter-terrorism effort has a separate information technology system. Once information has gone from one Public sector agency to another, it is stored in the receiving agency’s internal data management system (assuming it is saved). There is no secure, shared data repository or workspace accessible to multiple Public sector agencies. This is a well-recognised issue for New Zealand’s counter-terrorism effort.
9.6 Dealing with highly classified information
What makes something highly classified?
The New Zealand Government Protective Security Requirements provide for different national security classifications depending on the level of damage the compromise of that information would pose to the national interest. The Protective Security Requirements are insufficiently detailed to inform day-to-day agency decisions on how to classify information.138
As a rule of thumb, intelligence collected by the New Zealand Security Intelligence Service using human intelligence methods is classified as Secret or above. Most intelligence collected by the Government Communications Security Bureau is classified as Secret COMINT or above, which requires more stringent handling requirements and potentially limits how many people would see it compared to a Secret report.
Over-classification of information
We have seen instances of over-classification of information. Our impression from the large quantities of information we have handled and our dealings with Public sector agencies is that there is a lack of thoughtfulness about when information needs to be highly classified and a marked tendency to over-classify information. This tendency was recently noted by the Government Inquiry into Operation Burnham.139 We can illustrate this with two examples relating to our own work.
First, the New Zealand Security Intelligence Service’s speaking notes for the closed session of Parliament’s Intelligence and Security Committee in February 2019 marked the following passage as Secret:
We have seen acts of violence in likeminded countries such as Australia, the United States of America, United Kingdom, Canada and Sweden. This includes attacks on groups of people and mosques and the use of weapons, explosives and vehicles. These attacks have caused deaths and serious injuries.
The New Zealand Security Intelligence Service acknowledged that this over-classification was in error. It also told us that this error “did not inhibit effective sharing of such information with domestic partners in other, lowly classified documents”.
Second, we have also seen information becoming over-classified in misplaced reliance on a clause in the Protective Security Requirements, which provides:
A discrete collection of information may be assessed as requiring a higher protective marking where the aggregated information is significantly more valuable, because it reveals new and/or more sensitive information or intelligence than would be apparent from the individual data sources. Examples could include data collections that support intelligence assessments or are designed to show evidence of fraud.
We received a package of Cabinet papers classified Top Secret New Zealand Eyes Only from the Department of the Prime Minister and Cabinet. This reflected the classification of the highest classified document in the package. One of the individual papers that was the subject of the Top Secret New Zealand Eyes Only classification was publicly available on the Department of the Prime Minister and Cabinet’s website.
A secure physical space
The requirements for a physical space secure enough to hold highly classified information and information technology systems140 are rigorous, which makes them expensive. There are secure physical spaces in some military facilities. However, a number of Public sector agencies do not have regular access to secure physical spaces in New Zealand outside Auckland, Wellington and Christchurch. This means they do not have easy access to a highly classified information technology system outside of those centres. This makes it difficult to share or work on highly classified information around the country. The development of a strategy to improve access was put on the Department of the Prime Minister and Cabinet’s work programme in 2016. We were told that limited progress had been made.
A secure information technology system
Once a Public sector agency has a secure physical space, it can then make arrangements to install and use a highly classified information technology system within it. Public sector agencies either have their own highly classified information technology system or pay the Government Communications Security Bureau to run one for them. By the New Zealand Intelligence Community’s own assessment in 2018, its customers had been “badly served” by highly classified information technology and changes to it “have been a long time coming”.141 Work continues on developing the Top Secret computer network.
National security cleared people
The people who can see highly classified information are first vetted to ensure that they are suitable to access that information. The New Zealand Security Intelligence Service conducts this process at the request of other Public sector agencies and the relevant chief executive then decides whether to grant the clearance on its advice. That Public sector agency then has ongoing obligations relating to its cleared staff to ensure those staff remain suitable to hold a national security clearance, such as watching out for any signs that could suggest that the person is unreliable or susceptible to pressure.
The New Zealand Security Intelligence Service has made good progress in recent years decreasing the average time taken to grant a national security clearance. That said, there will always be a delay between a Public sector agency identifying a person who requires a clearance and that person gaining the relevant national security clearance. This needs to be carefully managed within and across Public sector agencies.
“Need to know”
Once a person has a relevant national security clearance and access to a secure physical space and network, the “need to know” principle applies. This principle means that a person should only share classified information with others who hold the right level of national security clearance and who need it to do their work. It also means that the risk associated with sharing information is borne by the person sharing it.
We would like to see Public sector agencies who produce classified information thinking hard about what “need to know” means for the information they hold and share for the purposes of the counter-terrorism effort. Our sense is that Public sector agencies are thinking about it in more restrictive terms – as a rationale for not sharing information. But the “need to know” principle is consistent with a positive or enabling mindset, which encourages Public sector agencies to think of what information they hold that other Public sector agencies might benefit from.
Deciding whether someone else or another Public sector agency “needs to know” information requires an appreciation of what that person and Public sector agency does in the counter‑terrorism effort and how that information might be useful to them. This includes not just the counter‑terrorism agencies, but also those involved in the wider counter‑terrorism effort, including local government, who have a role to play. We are not confident that this knowledge and perspective is widespread in the relatively insular agencies that produce most highly classified information.
Partner-supplied highly classified information
Public sector agencies receive highly classified information from international intelligence and security agencies, principally those in the Five Eyes partnership. As such, New Zealand’s standards for dealing with highly classified information are consistent with those of its Five Eyes partners.
Where there is a sensitivity, the international partner providing the intelligence requires the New Zealand Public sector agency receiving it to check before sharing it further. We have seen no evidence that this obligation has prevented intelligence relevant to counter-terrorism operations from being shared in a timely fashion within New Zealand.
Improving access to highly classified information
One option to make sharing highly classified information easier is to build more secure facilities in different parts of New Zealand, put the highly classified network in those spaces, and clear more people in Public sector agencies to be able to use it. Obviously substantial resources would be required to do this. We were told that the New Zealand Security Intelligence Service intends to advocate for more Public sector agencies to have facilities and information technology systems that can store and send classified intelligence, and more staff cleared at appropriate levels, especially for New Zealand Police and particularly in the South Island.
We heard that other countries have built greater numbers of secure facilities and cleared more people to enable intelligence and security and law enforcement agencies to work more closely together.
2018 Inspector-General of Intelligence and Security report
In 2018, the Inspector-General of Intelligence and Security undertook a review of the New Zealand security classification system to improve security, reduce costs and increase transparency. The report A review of the New Zealand Security Classification System recommended several areas for improvement.142 We support the following recommendations:
- Add [classification] principles that:
  - no information may remain classified indefinitely; and
  - if there is any significant doubt about the appropriate level of classification, it is to be classified at the lower level.
- Revise agency classification guides, ensuring they supplement not repeat primary classification guidance, using agency-specific examples. Test revised guides with staff.
- Adopt a topic-based approach to systematic declassification of historic classified records, supervised by a multi-agency group. Consult the public, experts and Archives New Zealand on priorities for review.
- Develop a training programme to accompany classification reform. Specify the requirements for ongoing training in classification with more particularity. Extend the requirement for refresher training beyond the holders of security clearances. Require agencies to track their compliance with training requirements.
- Task a coordinating agency with consulting agencies on the feasibility of establishing basic ongoing measures of classified data stocks and flows. Compile this information with agency measures of their classification review activity and their compliance with training requirements. Use this information to start building a set of basic indicators of classification system function and performance.
9.7 Dissemination of strategic assessments about terrorism threats in New Zealand
Strategic assessments about terrorism threats in New Zealand are written to be widely shared and their volume is such – fewer than ten a year – that there should be no concerns about overloading other Public sector agencies with unwanted information. Apart from potential complications from classification, there are no legislative, policy or technical reasons of which we are aware that might limit their dissemination. How widely they were shared provides a rough indication – or a place to start – as to the state of information sharing across the counter-terrorism effort.
Strategic assessments produced by the Combined Threat Assessment Group, the National Assessments Bureau, New Zealand Police and the New Zealand Security Intelligence Service were distributed to the Public sector agencies on the Security and Intelligence Board with a few additions (Part 8, chapter 4). Other than New Zealand Police assessments, these were generally classified Secret, hindering their dissemination within Public sector agencies. Restricted versions of some reports were produced. These contained less detailed but still valuable information. Although they had a lower classification, they were not necessarily disseminated more widely.
Several ministers were routinely provided with the National Assessments Bureau assessments, but the New Zealand Security Intelligence Service and the Combined Threat Assessment Group assessments on the terrorism threat in New Zealand are not typically shared with ministers other than the Minister Responsible for the New Zealand Security Intelligence Service.
Ministers on the Cabinet External Relations and Security Committee received strategic assessments in 2012, 2016 and 2018 when approving the National Intelligence Priorities and National Security and Intelligence Priorities (Part 8, chapter 3). These included assessments about terrorism threats in New Zealand.
Members of the Intelligence and Security Committee of Parliament are not provided with assessments of terrorism threats in New Zealand except as reflected in the annual reports or statements of intent of the New Zealand Security Intelligence Service or the oral reports of the Director-General of Security.
The national security system involves wider groups of Public sector agencies, local government and civil society than those on the distribution list for assessment products on terrorism threats in New Zealand. Those agencies and groups require information to be able to inform their own plans and activity. An example is Civil Defence and Emergency Management groups, which are required to identify, assess and manage all relevant hazards and risks.143 The statutory definition of “emergency” is not limited to natural hazards,144 which means these groups are required to develop and implement Civil Defence Emergency Management plans for the risk from terrorism.145 Most of these plans assess the threat and risk from terrorism. Nothing we saw indicates that these plans were consistently informed by the Combined Threat Assessment Group assessments or the terrorism risk profile in the National Risk Register (see Part 8, chapter 3).
9.8 Developments since 15 March 2019
The dissemination of the Combined Threat Assessment Group New Zealand threat assessments remained limited. Shortly after the 15 March 2019 terrorist attack, only some of the 36 agencies who should have been briefed on the increased threat level and the actions they should take were briefed. This was identified as a problem in a paper considered by the Counter-Terrorism Coordination Committee regarding agency responses to a change in the national domestic terrorism threat level.
In June 2019, the Counter-Terrorism Coordination Committee agreed that information access and sharing were vital to understanding the threat. It suggested removing legislative barriers, leveraging open-source intelligence capability, developing online platforms for agencies to collaborate and enhancing information sharing mechanisms between Public sector agencies and selected private organisations. We understand from the New Zealand Security Intelligence Service, which is leading this work, that its focus is on the acquisition and analysis of data to inform discovery efforts (Part 8, chapter 10).
The December 2019 Combined Threat Assessment Group assessment of the New Zealand terrorism threatscape was classified Restricted and disseminated to a wider group than previous assessments. This document shows that assessments can be informed by analysts’ access to highly classified information but need not reference it. This provided the opportunity for a wider readership, but it could have been usefully disseminated even more widely.
9.9 Concluding comments
In New Zealand’s counter-terrorism effort, sharing of information between Public sector agencies is critical to the effectiveness of the system as a whole. This chapter has identified several issues in relation to information sharing practices.
Agencies do not take full advantage of current legislation for information sharing
Relevant Public sector agencies have not been fully using current legislation to share information as systematically and widely as they might. For example, the Intelligence and Security Act permits direct access agreements to be established between intelligence and security agencies and other specified Public sector agencies, but only some have been agreed (see Part 8, chapter 14). Our sense is that Public sector agencies are not prioritising this work.
Altering practices regarding highly classified information
The more highly classified a document, the fewer people can see it. The main barriers to sharing highly classified information relate to human decisions and attitudes. System-wide efforts to improve sharing of highly classified information have been inconsistent. The “need to know” principle appears to be applied as a rationale for not sharing information rather than as an opportunity to think through whose work could be better enabled by access to it. Public sector agencies tend to over-classify information. Public sector agencies could make more effort to produce information at lower classifications either through ensuring documents are correctly classified at the lowest appropriate level or producing different versions of the information.
Sharing strategic assessments – practices need to change
Strategic assessments about terrorism threats in New Zealand are the culmination of a great deal of investment. They should present the most authoritative and complete picture of the threatscape possible. Wherever possible, they should be classified at a level that permits distribution and enables them to best inform government decisions and activity.
Information sharing must be considered in a whole-of-system way
No one Public sector agency holds all of the finished intelligence or information produced by all the Public sector agencies involved in the counter-terrorism effort. This makes it harder to connect the dots and increases the risk that something could be missed. To ensure that there is improved information sharing among Public sector agencies and other key stakeholders, it should be considered in a whole-of-system way.
While there have been efforts to improve secure information technology, we have not seen a coordinated effort led by the Department of the Prime Minister and Cabinet and the Security and Intelligence Board to focus attention on information sharing and to overcome barriers to sharing highly classified information with all the agencies whose work would benefit from receiving it.
130. The 9/11 Commission Report, footnote 81 above.
131. Office of the Controller and Auditor-General, footnote 8 above at page 52.
132. Michael Wintringham and Jane Jones, footnote 53 above at page 38.
133. Office of the Controller and Auditor-General, footnote 52 above.
134. Counter-terrorism exercises are run through the national exercise programme. The last national-level counter-terrorism exercise before the 15 March 2019 terrorist attack was in 2014. Comprehensive evaluation reports are prepared after each exercise, which include lessons identified and corrective action plans to address those.
135. Privacy Act 1993, section 6, information privacy principles 10 and 11.
136. Privacy Act 1993, section 6, information privacy principle 10(2).
137. Privacy Act 1993, Part 9A.
138. Office of the Inspector-General of Intelligence and Security A review of the New Zealand Security Classification System (August 2018).
139. Sir Terence Arnold QC and Sir Geoffrey Palmer QC Report of the Government Inquiry into Operation Burnham (17 July 2020) at page 381.
140. These secure physical spaces are referred to as SCIFs (Sensitive Compartmented Information Facilities) within the national security agencies.
141. New Zealand Intelligence Community NZIC Follow-up Self-review (March 2018).
142. Office of the Inspector-General of Intelligence and Security, footnote 138 above.
143. Civil Defence Emergency Management Act 2002, section 17(1)(a).
144. Civil Defence Emergency Management Act 2002, section 4. “Emergency” includes a situation that “is the result of any happening, whether natural or otherwise, including without limitation, any explosion, earthquake, eruption, tsunami, land movement, flood, storm, tornado, cyclone, serious fire, leakage or spillage of any dangerous gas or substance, technological failure, infestation, plague, epidemic, failure of or disruption to an emergency service or a lifeline utility, or actual or imminent attack or warlike act”.
145. Civil Defence Emergency Management Act 2002, section 17(1)(i).