Speech to the Aspen - Otago National Security Forum

Aspen – Otago National Security Forum

Australian-New Zealand National Security: Shared Threats, Shared Solutions

Open Session: The public-private security partnership

Address by Andrew Hampton, Director-General of Security

Saturday 11 October 2025

Thank you for the opportunity to speak with you today.

It has been really valuable to be part of such an interesting and frank discussion about issues of national security.

It has also been encouraging that today has not just been about the national security academics and those of us on the practitioner side coming together in our own little echo chamber - we’ve had representatives from the private sector here too.

That has been a real strength of this year’s National Security Forum.

We are going to need more of these kinds of interactions in the coming years in order to respond to the current national security threat environment and to build resilience for the future.

As I always say, national security is not something the intelligence and security agencies can do alone. We need the public, including business, to report to us the threats that they see so that we can work together to deter and disrupt.

We also need the private sector more broadly to understand that the threats we describe are real, and if not properly managed, can have significant implications for their profitability and reputations as well as for the country as a whole. 

Awareness of the threat is a good start but efforts to build resilience are where you safeguard your future prosperity. That’s about making sure you are operating securely and adopting best practice advice to protect your most critical assets and information.

I am keen to discuss some ideas with you today about how the intelligence and security agencies can meaningfully partner with the private sector in a way that contributes not only to a broader understanding of national security threats, but which also assists to deter and disrupt future threats.

Espionage threat

The NZSIS’s recent Security Threat Environment report highlights both a vulnerability and a challenge for New Zealand businesses.

My teams have seen multiple examples of foreign states conducting espionage to seek covert access to a range of information from Government policy positions to technological innovations and research.

Espionage against both the private and public sectors can take a range of forms. Recent intelligence indicates that cyber-attacks, obfuscation through cover companies and investment opportunities, targeting delegations travelling overseas, and exploiting insiders within organisations are all vectors for espionage against New Zealand.

And that’s just the activity we see. What we don’t see may be more concerning. It is almost certain there is espionage activity going undetected at both public and private organisations.

The vulnerability we face is real. I fear there are boards and executives in New Zealand who don’t give this matter the attention it deserves and perhaps don’t think they have any critical assets of interest to a foreign state.

Let me try to offer a counterview. It starts from the basis that every company has critical assets or information that it can’t afford to lose. Corporate leaders need to understand what those assets are, why a foreign state might be interested in them and how they can best be protected.

Foreign states, or those working on their behalf, will be keeping a close eye on a range of sectors in New Zealand, particularly those in the fields of science and technological innovation.

Your intellectual property may be sought for its potential use in military applications even if that wasn’t its intended purpose. Certain foreign states see stealing innovation as a legitimate means of gaining an edge over their competitors, including New Zealand.

However, espionage is not just about science and technology. Many companies hold significant amounts of data about their customers including names, addresses and phone numbers. Identity information is highly sought after by foreign state actors. 

If your board or leadership team think a foreign state won’t be interested in your critical assets or information, I would ask you to think a little harder.

It happens here

There also tends to be a view that espionage is something that happens somewhere else.

I still come across directors and executive leaders, including in the public sector, who think being tucked down in the south Pacific protects us from these kinds of activities. “Why would a foreign state be interested in us?”, is a common refrain.

As we know, New Zealand is home to an increasing number of innovators producing niche technologies or scientific breakthroughs, including here in Queenstown. We are also seen as a strategically important location, both due to our relationships across the Pacific and as a gateway to the Antarctic. 

For example, we have seen a foreign state persistently and covertly try to take advantage of our geographic location, and our burgeoning space industry by trying to establish ground-based space infrastructure through third-party companies. Parliament had to urgently pass legislation earlier this year to address this threat to our national security.  

Coming to terms with the issue of espionage is one challenge, but doing something about it is not as hard as you may think.

Secure innovation

Simple, cost-effective measures can go a long way to protecting your ideas, reputations and future success.

It begins with adopting a strong security mindset. A helpful framework for boards and executive teams to use is the Secure Innovation Principles that the NZSIS released with our Five Eyes partners two years ago. Last year we put out more detailed guidance based on these principles alongside the GCSB.

Let me walk you through the five principles:

1. Know the threats – understand the potential vulnerabilities that might put your organisation’s product or innovation at risk. This is where our threat environment report and the GCSB’s Cyber Threat report can give you a baseline understanding. But there are multiple other sources too to build that picture.
   
   
2. Secure your business environment - create clear lines of ownership around the management of security risks in your business. Appoint a security lead at board level who factors security considerations into decisions and initiatives.
   
   
3. Secure your products - build security into the front end of your business processes and products by design. This will help protect your intellectual property (IP), make your products more marketable and ensure your products don’t become a supply chain vulnerability for someone else.
   
   
4. Secure your partnerships - make sure the people you collaborate with are who they say they are and can be trusted with your company’s IP. As I said, front companies and investment can be a vector for state-sponsored espionage.
   
   
5. Secure your growth - be aware of security risks as you expand, such as hiring new people into positions of trust and managing risk around entering new markets.
   The Five Eyes intelligence partnership led this initiative because the threat to the technology and innovation sectors is real and because we recognise that partnerships with the private sector are key to staying ahead of the threat.

The advice is based on our collective experience and knowledge that these steps are effective for protecting your most critical assets. 

Insider threat and overseas travel

A holistic security programme in any organisation should consider the risk that threats could emanate from an insider in your organisation.

Some foreign states have attempted to exploit people inside public and private sector organisations in a deceptive, corruptive, or coercive manner, to gain influence and further their interests. The targeted individuals may be witting or unwitting participants.

Many of the behaviours and activities we describe in the insider threat section of our threat environment report come from what we’ve seen in the public sector but could feasibly apply in the private sector too.

We strongly encourage any organisation to establish an insider threat programme. Developing and maintaining a strong security culture is crucial to effectively manage your protective security. 

One last factor I would ask you to consider is taking strong precautions to protect your information when travelling overseas on business.

We know from intelligence that New Zealand Government officials and business delegations have been targeted in a variety of ways by foreign intelligence services.

The Protective Security website has practical, easy to follow advice to help you manage these risks.

And we strongly encourage public and private sector organisations to report suspicious any activity to the NZSIS.

Security vs. prosperity

In New Zealand we need to move past any misconception that security and economic growth are in competition with each other. The reality is that you can’t have one without the other.

A recent report commissioned by our partners at the Australian Security Intelligence Organisation calculated the cost of espionage to their economy. That cost was estimated at NZ$13.7 billion in a single year. Even if our losses are a small percentage of that, it is worth paying greater attention than we currently are.

Adopting a security mindset doesn’t mean you have to pull up the drawbridge and stop collaborating. Instead, it is about recognising there are risks with certain relationships that need to be managed.

At the NZSIS, we’re working hard to counter the espionage threat. We prefer New Zealand reaps the benefits from homegrown innovation and technology, not a foreign state. 

The espionage threat to New Zealand is serious, but not insurmountable. The bottom line is that we’re here to help.

Artificial intelligence

Like the private sector, we as intelligence and security agencies are grappling with how to make best use of artificial intelligence in its various forms. 

There are opportunities for us to address this challenge together also. It’s another area where we can support New Zealand to put its best foot forward and in a way that’s secure.

Artificial intelligence is important to us as intelligence and security agencies for three main reasons:

• We need to help New Zealand organisations and New Zealanders use AI safely through practical advice and guidance. 
• We need to know how our adversaries are using it to undermine our national interests.
• AI has the significant potential to help our agencies undertake our work more effectively.

Unfortunately, recent advances in AI have had a particularly outsized impact on our threat environment. The use of AI to facilitate violent extremism and state-sponsored interference activities is increasing. We are seeing:

• AI making harmful propaganda appear more authentic and is being used to distribute it at scale.
• Attack plans and capabilities are now much easier for terrorists to research.
• Vulnerable people are being radicalised by chatbots.
• States are using it more often in their intelligence collection operations and cyber attacks.

We are certainly believers in the transformational power of AI but using the technology safely in a way that doesn’t compromise our national security should be a bare minimum.

We shouldn’t think of this attitude as being an inhibiter to embracing technological advancement and future prosperity, but as a value add and force multiplier.

Partnership in the changing threat environment

With ever-changing technology and a constantly evolving threat environment, my agency is conscious of the need to constantly adapt our operational approach. Here’s another opportunity for the public-private security partnership to come to the fore.

As a security intelligence and HUMINT agency there are some core capabilities that we need to have no matter how the technology evolves. With the proper authorisation, these include the ability to:

• access and exploit devices
• conduct covert entries
• track people and conduct surveillance
• recruit human sources; and
• increasingly these days we need to be able to draw intelligence insights from big data sets.

Key to us being able to safely and effectively undertake these types of activities in our fast-changing environment is the ability to use technology to innovate. This is important because we know this is exactly what our adversaries are doing to avoid detection and to disrupt how we work.

For example, we might have an IT savvy counterterrorism target who lives at home with their Mum and Dad. We need to gain insights about this person’s intent and capability, but they might have high levels of encryption on their devices that prevent us from developing that understanding. Another potential obstacle is the ubiquity these days of high tech security cameras, and they are available online. This person might have cameras protecting their room, which makes covert entry difficult.

When faced with such a situation, we have to sit back and work out how can we beat that? What capabilities do we already have? What can we adapt from what we have already got? What new technical capabilities do we need? And more importantly, where can we look for assistance?

One of the strengths of the New Zealand technology sector is the small, niche and high quality applications that our size and scale allows businesses to specialise in.

Without giving too much away, there are examples of technology produced here in New Zealand that hasn’t been built with the intention of disrupting national security threats but which can have that effect. We have enjoyed working with those small businesses who may in the future have a significant market in the form of our Five Eyes partners. We are interested in exploring more opportunities of this nature. 

Concluding remarks

In conclusion, broader partnerships on issues of national security, including with the private sector, have moved beyond being a ‘nice to have’ to increasingly becoming a vital part of our nation’s security.

We are looking for more opportunities to not only exchange insights and share advice with business, but to also see how we can work together to deter and disrupt threats. 

I find my engagements with the private sector to be open and receptive, however, I do get the sense that levels of security maturity sit on a wide spectrum.

Addressing that variance will need to begin with a recognition that the espionage threat is real and happens here, and that security is not an inhibitor to innovation or our future prosperity, but an enabler.

Ngā mihi. Thank you for your attention.