Like most events in security intelligence, the resignation for “family reasons” of GCSB boss Ian Fletcher has got (a) a simple straightforward explanation and (b) a complex, conspiratorial one. It may well be that after being shoulder-tapped in Queensland for the GCSB job, three years of living in Wellington has been enough for Fletcher and his family, given that the pending review of the GCSB would have required an even longer commitment from him. Three years of Wellington’s weather is enough for anyone.
The more complex reason? No one currently knows what the review of the security agencies is actually going to ‘review.’ Rather than a routine five yearly WOF process, it could well involve a total revamp : but at this point, the government isn’t saying anything about the scope of what it has in mind. Working backwards from Fletcher’s resignation though, one can speculate that a merger of the SIS and GCSB is on the cards. Perhaps Fletcher left because – on his CV – it looks a lot better to be leaving now as head of an existing organization than to hang on and be the guy whose job has been disappeared in a corporate reshuffle. Old school chum of the PM that he may be, Fletcher would be the underdog in any contest with SIS head Rebecca Kitteridge to head a re-configured spying mega-agency.
The dubious rationale for a merger of the SIS and GCSB can wait for a later day, once it becomes clear whether that goal really is on the government’s agenda. Given that the SIS and GCSB have different roles – one is supposed to protect domestic security, the other is supposed to concentrate on international signals traffic – a merger would be bound to add a round of bureaucratic musical chairs to an already confusing mixture of terrorism, corporate espionage and state-to-state eavesdropping. A merger would not solve the basic problem that has dogged security services, here and overseas. Basically, the spooks don’t need more intrusive powers to gather information ; they need to be better at interpreting the information they already have. As things stand they either create a threat where none exists (eg Ahmed Zaoui) or under-estimate the threat that does exist ( eg the Kouachi brothers, Man Haron Monis). The main problem is one of interpretation, not detection. Would merging the SIS and GCSB increase their ability to get it right – or would it just concentrate the capacity to get things wrong, in fewer hands ?
One thing we do know – because SIS Minister Chris Finlayson said so – is that while Ian Fletcher was at the helm of the GCSB, he oversaw the installation of the Cortex cyber-security system.
“His tenure has seen New Zealand’s national security enhanced with the approval and initial roll-out of the Cortex cyber security programme for the New Zealand Government and critical infrastructure organisations.”
Cortex is a menu of tools and services. What Fletcher has revealed about it so far is that it will engage the GCSB in providing corporate security protections to the private sector that (a) the firms involved should be paying for themselves and not getting the taxpayer to provide, via the GCSB and (b) that will inevitably entail the sharing of secret intelligence with the private sector that will continue to be denied to ordinary citizens.
Fletcher says Cortex is a set of tools, rather than a single product, designed to protect key organisations in the public and private sector from cyber-attacks launched from overseas.
“I’d get into trouble if I said exactly what it does, but…that menu is adjusted to reflect the circumstances of the organisation we are dealing with.”
The criteria organisations need to meet to qualify for Cortex’ protection are also secret, but it appears significant economic targets as well as vital network utilities may come under its umbrella. “We have looked very broadly,” is all Fletcher will say.
Vital network utilities? Like say.. Spark? Kiwirail? Chorus ? Fonterra? If the GCSB really is well down the track to becoming a kind of mega cyber-security firm offering tailored services on a confidential basis to selected corporates deemed to be of vital national importance – and with whom security intelligence will presumably be shared – shouldn’t there have been some debate about this beforehand? In practice with Cortex, how will the GCSB decide what security services its corporate clients should pay for, and in what circumstances the state, via the taxpayer, should pick up the tab? Will a joint payment system apply, for services rendered ? When did Parliament get to sanction this new entrepreneurial role for the GCSB? Normally, the centre-right gets very upset whenever the state crowds out private enterprise. Not a peep so far though about this example of the process. And Cortex really is breaking new ground, beyond business as usual for the GCSB:
“The approach we have taken has been a New Zealand specific-one,” [Fletcher] says. “New Zealand does not have a big indigenous defence supply chain so we have been in a position where we have been able to think broadly from the outset.
“But everyone I talk to, both our close partners and others, are really focused on answering the question of how governments provide the ‘public good’ that is called ‘defence’ over what are broadly privatised networks and global flows of data.
And thus, private enterprise gets treated as being synonymous with the public good. Too big to fail became too big to be left to defend itself. It’s a brand new notion, as Fletcher intimates, of what constitutes “ defence.” And as we approach the 100th anniversary of Gallipolli, it seems we are all soldiers in the service of the likes of Spark, now.