Economic espionage
Delivered to New Zealand Institute of Directors
Andrew Hampton, Director-General of Security
20 February 2024
Kia ora koutou, thank you for the opportunity to speak with you this evening.
Economic espionage is not a subject we New Zealanders tend to talk a lot about but it’s an issue that is coming to the fore as a by-product of the geostrategic competition in which we currently find ourselves.
Like the spy novels with which you may be more familiar, the world of espionage is a murky topic.
What I’m keen to do tonight is shed more light on the issue so that you as directors are aware of the threat and can be better prepared to manage the associated risks.
I thought I would start by talking about what we as intelligence and security agencies mean when we use the terms foreign interference and espionage (including economic espionage), the nature of the threat as we see it, and the role we play at NZSIS to counter it.
A key way espionage is carried out is through cyber-attacks. That was a major focus for me in my previous role as Director-General of the Government Communications Security Bureau, and a topic I’ve presented to business leaders on in the past on many occasions. But it’s not what I’m here to discuss tonight.
Instead, I plan to talk you through a set of principles that the heads of Five Eyes security agencies launched at the end of last year to help guide private sector organisations to innovate securely and increase their resilience to espionage threats.
One particular way espionage can be committed is through the actions of a trusted insider. I have some practical advice on how you can foster a strong security culture in your organisations, which can contribute to lowering the risk of your employees acting against your best interests.
And finally, I’m keen to share my thoughts, and more importantly hear from you, on how the NZSIS can find more ways to forge closer cooperation with the private sector so that our services can be leveraged to better protect your businesses as well as the country’s national security at the same time.
Role of the NZSIS
Our mission at the NZSIS is to keep New Zealand and New Zealanders safe and secure.
As an organisation we are driven to protect Aotearoa New Zealand as a free, open and democratic society for future generations by staying ahead of the threats we face.
We are New Zealand’s lead agency for security intelligence. That means we detect, investigate, assess and mitigate threats to New Zealand’s national security. In carrying out this role we aim to deliver a range of impacts:
First is countering foreign interference and espionage:
- By foreign interference we mean activity undertaken by foreign states, or their proxies, which aims to influence, disrupt or subvert our national interests in ways that are deceptive, corrupt or coercive. Espionage is often used to facilitate foreign interference.
Next is countering violent extremism and terrorism.
- We detect and investigate threats of violent extremism in New Zealand and overseas and we partner with other agencies to stop these threats escalating into acts of terrorism.
We also have a foreign intelligence mandate.
- This is not a function we have traditionally spoken a great deal about. It involves collecting, analysing and sharing intelligence to further New Zealand’s interests and those of our region. Our work includes supporting Pacific partners to build their own protective security frameworks and resilience.
This leads me on to our other major function, protective security.
- The role of our Protective Security function is to enhance the ability of New Zealand government agencies and other organisations to protect their people, information and assets by taking a holistic approach to security and resilience.
- One of the ways we do that is by producing a best practice framework – the Protective Security Requirements or PSR. While the PSR is focused on supporting government agencies, we make the PSR framework available along with associated resources to all New Zealand organisations through the PSR website.
We, of course, work very closely with the GCSB, who are the government’s signals (or electronic) intelligence and cyber security agency. Between us, we share a number of enablement functions, which is really important given the current focus on achieving back office efficiencies.
Foreign Interference and espionage in New Zealand
I think it’s fair to say that New Zealanders have probably struggled with the concept that a foreign state could be interested in our affairs.
In the past New Zealand has seen its geographic isolation in the southern Pacific as a defence against many forms of harm. Even if that was ever true, it is certainly no longer the case.
On 15 March 2019, a terrorist entered two sacred places of worship in Christchurch and took the lives of 51 innocent people. Eight people were injured in another terrorist attack in Auckland just two years ago.
We have been subject to crippling cyber-attacks from both state-backed and criminal actors, and many others have been prevented.
And, increasingly New Zealand is feeling the impact of geostrategic competition in our home region of the Pacific through an uptick in foreign interference activity.
NZSIS’s public threat assessment, published last August, identified a small number of countries, including the People’s Republic of China, Russia and Iran who undertake interference activities in our country.
We also see a number of foreign intelligence services who persistently and opportunistically undertake espionage against New Zealand and New Zealanders both domestically and abroad.
Historically espionage targeted government networks and classified information but today, information or individuals on the margins of government work could be targeted. This includes corporate New Zealand, academics, research institutions and others.
There is ongoing activity in and against New Zealand and our home region that is linked with the People’s Republic of China’s intelligence services. The PRC is a complex intelligence concern for our country.
Implications for New Zealand businesses
So what does this all mean for you as private sector leaders?
The innovation and profitability of New Zealand’s companies is a core component of our national advantage and our national security.
Technology, for example, is our second biggest export earner and is growing nine times faster than other sectors. Key drivers of our culture of technological innovation are our willingness to collaborate internationally as well as the support innovators receive from offshore investment. However, this openness potentially presents threats both to the companies involved and to New Zealand’s national security.
In the context of increasing global inter-state competition we are seeing the blurring of lines between the goals of certain nations and the private companies affiliated with them.
Increasingly, this has seen the tools of the nation state being used in the business world to access sensitive technologies, supply chains, intellectual property and critical infrastructure. The methodologies for gaining access are broad: they range from cyber intrusion, the exploitation of trusted insiders, theft or technical surveillance of personal electronic devices, exploitation of supply chains, through to aggressive targeted investment.
We have seen many examples of this activity on the global stage. New Zealand is not immune to these activities, and we must prepare ourselves for doing business in a less benign world.
While states that New Zealand organisations engage with have the same motivations as us to make money and prosper, there are some that choose to opt out of the other end of the bargain. They actively choose to go against some of the values and principles which provide a fair and level playing field for doing business. The kind of principles they eschew include a respect for democracy, human rights and the rule of law.
Anyone doing business with a China-based company needs to be aware that the country’s national security legislation creates a legal obligation to prioritise the interests of the PRC above all. The law gives PRC authorities the legal grounds and means to compel or pressure PRC companies and citizens in New Zealand to cooperate with their directives. New Zealand businesses operating in China are subject to these same laws and would be required to cooperate if authorities requested access to information, data and systems.
I should emphasise here that the Chinese population is not the threat here, and I am certainly not talking about Chinese communities in New Zealand, who are often the victims of foreign interference themselves. It is the PRC state, its intelligence services and its proxies who cause us concern.
To be clear: I’m not saying that New Zealand shouldn’t do business with China. Tremendous business opportunities remain. What we ask is that you engage with your eyes wide open – that you are aware of the potential threats and are actively managing your levels of risk appropriately.
Raising awareness and sharing best practice
The NZSIS is committed and geared towards detecting foreign interference and espionage activities and providing advice to New Zealanders and New Zealand organisations about how to be harder targets for such activity.
Key to managing these threats is intelligence and security agencies, such as my own, working with the private sector and academia. The idea is that security doesn’t stifle business innovation, but enables it.
An important role we can play is by raising awareness and sharing best practice advice on how to mitigate threats and manage risks and encourage that security considerations are built into your products, services and supply chains by design.
Much of the protective security advice that the NZSIS and the GCSB develop is in collaboration with our Five Eyes intelligence and security partners. This is just one of a whole list of benefits we derive from our membership in this long-standing partnership.
Together with our Five Eyes partners, we have identified the threat to our countries’ innovators and competitive advantage through acts of economic espionage.
As part of a joint response, we have drawn upon a broad base of collective knowledge, classified intelligence and experience to develop frameworks that can help organisations manage risk.
Five Eyes security principles
I recently stood on stage with my Five Eyes colleagues in Palo Alto California where we endorsed and launched five secure innovation principles.
Adopting these five principles is a valuable first step for any innovator looking to protect their hard work from those that wish to steal it.
The principles broadly align with existing products and advice that New Zealand security agencies frequently share on cyber security, information security and physical security.
As senior business leaders, you may already be familiar with many of these concepts, but let me talk you through them:
First principle is Know the threats – understand the potential vulnerabilities that might put your product or innovation at risk. NZSIS has publications that can help with that. Our recent public threat assessment outlines the security threats facing New Zealand. The next assessment is due out in August. We also have a range of guidance on the Protective Security Requirements website, which can explain to you the various ways in which you may be targeted and how you manage that risk.
The second principle is Secure your business environment. This is about creating clear lines of ownership around the management of security risks in a business. We advise appointing a security lead at board level who factors in security considerations into decisions and initiatives.
Third is Secure your products which is about building security into the front end of your products by design. This will help protect your IP, make your products more marketable and ensure your products don’t become a supply chain vulnerability.
Securing your partnerships is about making sure the people you work with are who they say they are and can be trusted with your companies IP. We have some Due Diligence guidance for business relationships that can provide a framework for checking who you are doing business with.
And finally, Secure your growth. As you grow and expand, more security risks will emerge that you will need to manage such as on-boarding new people into positions of trust and managing risk around entering new markets.
Those are the Five Eyes secure innovation principles, which I think can inform some of the questions you may want to ask at a governance level.
As I said earlier, the information on these principles is free and available online on the UK National Protective Security Authority website, as well as the range of materials on the NZSIS website for you to use if you wish. It is over to you on how best to implement this in your own context but there are a range of commercial providers out there who can assist on that front.
Insider threat
The topic of insider threat is relevant here too and something worth taking an interest in at a board level.
Insider threats are anyone who exploits or who intends to exploit their legitimate access to an organisation’s assets to harm the security of that organisation, and indeed of New Zealand. The harmful actions may be through espionage, terrorism, unauthorised disclosure of information, or the loss or degradation of a resource or capability. There is also a risk that insider threats could be exploited for foreign interference purposes.
Your organisations, like my organisation are full of trusted insiders who have access to your most vital assets such as your people, your information and infrastructure, and who can impact your reputations. All your trusted insiders have the potential to intentionally or unintentionally cause harm and compromise your critical assets.
Broadly speaking, there are two types of insiders. You have intentional insiders – those who betray your trust in them deliberately, either to cause harm or to benefit themselves or others. Or you have unintentional insiders, who are unaware they are aiding an adversary or compromising security. Their harm can be caused by complacency, carelessness or ignorance, or because their organisation has a weak security culture. Sometimes it can be our own organisations that create the conditions for an insider to cause damage.
Unfortunately insider threats do happen here in New Zealand, they are very real, and they can happen to each and every one of us.
They can be as damaging as someone taking information trusted to your organisation or precious intellectual property for their own personal gain.
It could involve manipulating people and information systems for personal profit at the expense of your organisation.
It could be someone with conflicting or misguided loyalties, who wants to do the right thing but goes about it in the wrong way.
It could also be as simple as someone sending an email containing private or personal information to the wrong recipient.
There are many potential types of insider threats but when we build strong security cultures, and foster strong organisational culture more generally, our workplaces will be better equipped to manage the potential harms and mitigate the risks.
The shadow of COVID-19
Building strong security cultures in the past few years within government has not been easy, noting the disruption the pandemic caused to traditional ways of working and exposure to security practice and norms in the office. I’m sure you have experienced similar challenges in the private sector.
The pandemic has a lot to answer for and the impact on insider threat is part of COVID-19’s long tail.
In the past couple of years, a rise in the number of people who hold conspiracy beliefs, and an increased polarisation of society present risks for increased insider threat in New Zealand.
These factors are still around and have almost certainly contributed to the more recent phenomenon – a rise in disillusionment and distrust in New Zealand institutions. In addition, many New Zealanders are suffering from mental health concerns and increasing financial pressure, either caused or exacerbated by the pandemic.
The combination of the rise in disillusionment and distrust along with the mental health and financial troubles could result in greater insider threat risks over the coming 12 months.
The most effective way to respond
Having laid out the risks of insider threat for you this evening, I now want to assure you that there is plenty we can all do to counter it.
The number one way to counter insider threats is by having an effective insider threat programme and supportive security culture.
Programmes need to be coordinated across your business with all the proper governance and responsibilities identified.
I cannot stress enough how crucial it is to have a well-functioning insider threat programme where staff members share responsibility for their organisation’s security.
The best programmes take a multi-disciplinary approach to insider acts and security breaches. They work well when supported by your legal, recruitment, HR, IT and security teams, and if you have them, psychological support too.
Making intelligence insights more accessible and partnering for impact
Finally tonight, I would like to discuss with you, and perhaps kick off a broader conversation about how we in the intelligence and security agencies and you in the private sector can deliver better national security outcomes together.
Something I think we can do better and more of from our side is making our intelligence insights more accessible, while recognising at the same time the resource constraints we all face.
There will always continue to be a large secret component to our work. That’s important in order to protect our sources and methods but there is a lot of information we can get out there, which can help you at a board level to manage risk.
Increasingly, we find that it’s not just leaders and decision makers who can make good use of our intelligence and insights – there is a much wider cross-section of New Zealanders in business, in civil society and in communities, who armed with the right intelligence and the right knowledge of how certain risks can be mitigated, can contribute to making New Zealand safe and secure.
Our agencies have made significant progress in recent years building connections with Māori leaders, community groups, academic institutions and the private sector, but there is plenty more work to do.
If we can point you, in the private sector, towards tools and advice that help make you more security aware then your organisations will become better placed to help us too by reporting suspicious approaches and potential security breaches. A two-way relationship helps us to better understand the threat environment and the type of actions needed to counter it. It could also result in enhanced insights available to the private sector too.
A key priority for me as Director-General is to continually find ways we can partner for impact. I am therefore very keen to hear your perspectives as business leaders on any national security-related threats that you are aware of in your companies, and what are the intelligence and practical insights that would be most useful to you.
Ngā mihi nui. Thank you