Post on 12-May-2023
Article
Small states and cyber security:The case of New Zealand
Joe Burton
AbstractWhile there is a burgeoning literature on cyber security, little scholarly work has been com-pleted on how cyber security issues are affecting small states. This article attempts to contributeto the debate by exploring whether small states are facing unique or different challenges inenhancing their cyber security. Drawing on the extensive small states literature, the articlebegins by outlining three conceptual models of small state security, based on alliances, institu-tional cooperation and norms. These models are then applied to the small state cyber securitycontext. It is argued that institutional cooperation on cyber security issues and the emergence ofcyber security norms are being hindered by strategic rivalries between the United States, Russiaand China and that military alliances are struggling to adapt to collective defence against cyberthreats. The article then explores New Zealand’s cyber security strategy and outlines the var-ious domestic and international challenges that exist for New Zealand policymakers. The articlefinds: that a globalised cyber security environment is eroding New Zealand’s geographical iso-lation; that the New Zealand government is struggling to formulate a tenable balance betweensecurity and privacy in responding to cyber security issues.
KeywordsCyber security, New Zealand, small states
Introduction
When Estonian government ministries and media outlets were taken offline by a
barrage of cyber attacks in 2007, Estonian Prime Minister Andrus Ansip asked ‘What’s
the difference between a blockade of harbours or airports of sovereign states and the
Corresponding author:
Joe Burton, Political Science and International Relations Programme, Victoria University of Wellington, PO Box
600, Wellington, New Zealand.
Email: joe.burton@vuw.ac.nz
Political Science65(2) 216–238
ª The Author(s) 2013Reprints and permissions:
sagepub.co.uk/journalsPermissions.navDOI: 10.1177/0032318713508491
pnz.sagepub.com
blockade of government institutions and newspaper websites?’1 While this may have
been an example of ‘cyber hyperbole’, the event put cyber security firmly on the
international agenda. It also demonstrated some of the complex challenges involved in
responding to cyber attacks. How can states distinguish between the projection of
power in the physical world and the virtual one? How should states respond to cyber
attacks against their government ministries and critical infrastructure? What measures
can be put in place to enhance international cooperation to mitigate these kinds of
threats?
Since the Estonian attacks, many scholars have examined these broad cyber
security issues. What has been missing from this literature, however, is a conceptual
and empirical focus on the cyber security of small states and whether they face a
unique, or at least different, set of cyber security challenges.2 This article attempts to
begin to close that gap and proceeds in three main sections. First, drawing on the
existing small states literature, three conceptual models of small state security are
outlined, based on alliances, institutions and norms. Second, the article examines the
extent to which these conceptual approaches are applicable to small states and cyber
security, and considers some of the broader challenges for small states in this area.
Lastly, the article conducts an analysis of New Zealand’s cyber security strategy,
outlining New Zealand’s efforts to build domestic and international capacity in this
area and exploring the various domestic controversies and international challenges
that have troubled New Zealand policymakers.
Three models of small state security
Within the large literature on small states, the problem of defining what is meant by
‘small’ is a common theme. Most scholars have based their approaches on a com-
bination of material factors, such as the size of a state’s population and economy,
with small states being variously categorised as having upper population limits of
between 1 and 15 million and economies constituting less than 1% of world total
output.3 The size of a state’s geographical territory has also been included in the
mix of criteria and small states have generally been seen to have limited territorial
interests and outlooks.4 In perhaps the seminal work on the influence of small states
in international politics, Annette Fox argues that ‘Small powers are almost by
1. Quoted in Thomas Rid, ‘Think Again: Cyberwar’, Foreign Policy, No. 192 (March 2012), p. 81.
2. This article adopts a broad definition of cyber security, to include security from cyber attacks
(efforts to render computers and the networks that they are attached to inoperable) and cyber
exploitation (efforts to steal data from computers and computer networks and/or covertly
control them).
3. See Matthias Maass, ‘The Elusive Definition of the Small State’, International Politics, Vol.
46, No. 1 (January 2009), pp. 75–76; Peter R. Baehr, ‘Small States: A Tool for Analysis’,
World Politics, Vol. 27, No. 3 (April 1975), p. 460.
4. See, for example, Maurice A. East, ‘Size and Foreign Policy Behavior: A Test of Two
Models’, World Politics, Vol. 25, No. 4 (July 1973), p. 557.
Burton 217
definition local powers whose demands are restricted to their own and immediately
adjacent areas, while great powers exert influence over large areas.’5
Alliances
Moving beyond material definitions of what constitutes ‘smallness’, the security
strategies of small states can be divided into three main conceptual frameworks. First,
small states lack the capacity to apply power, and/or resist the application of power
against them by larger states.6 To compensate for this vulnerability, small states will
seek to enter into alliances with more powerful states. This can take the form of
balancing behaviour, where small states join forces against a threatening state, or
bandwagoning, where states join with a threatening state.7 As Omer de Raeymaker
observes, ‘the foreign policy of small states therefore aims at withstanding pressure
from the great powers’ and is based on ‘safeguarding their territorial integrity and
independence’.8 Alliances can be temporary and focused on a specific threat – such as
the ‘coalition of the willing’ that went to war against Iraq in 2003 – or long-term,
formalised and institutionalised security partnerships, as in the case of the North
Atlantic Treaty Organisation (NATO). The vulnerabilities of small states within the
international system can also lead to intra-alliance problems. Small states can experi-
ence entrapment, for example, where their interests are subsumed by larger states. As
Heinz Gaertner explains, ‘allied support often requires minor powers to make signif-
icant autonomy concessions, allowing allies, most notably major-power allies, to gain
influence over their minor-power alliance partners’.9 Small states may also be con-
cerned with abandonment: the fear that larger states may leave alliances if their inter-
ests are no longer served.10 In this model, the foreign policies of small states are
intertwined with those of the great powers and are shaped by great power competition.
This alliance-based framework was highly relevant to explaining the foreign policies
of small states during the Cold War. The formation of NATO and the Warsaw Pact,
for example, alleviated the security concerns of small European states and levelled the
asymmetries in power that existed on the European continent. The Cold War also took
the form of a zero-sum competition for superpower influence over small states.
5. Annette Fox, The Power of Small States: Diplomacy in World War 2 (Chicago, IL: Uni-
versity of Chicago Press, 1959), p. 3.
6. Matthias Maass, ‘The Elusive Definition of the Small State’, p. 72.
7. For the most comprehensive exploration of these dynamics, see Stephen Walt, The Origins
of Alliances (New York, NY: Cornell University Press, 1987).
8. Omer De Raeymaeker, ‘Introduction’, in Omer De Raeymaeker, Willem Andries, Luc Crollen
et al. (eds), Small Powers in Alignment (Leuven: Leuven University Press, 1974), p. 18.
9. Heinz Gartner, ‘Small States and Alliances’, in Erich Reiter and Heinz Gartner (eds), Small
States and Alliances (New York, NY: Physica-Verlag Heidelberg, 2001), p. 3.
10. For a detailed analysis of intra-alliance dynamics, see Glenn H. Snyder, Alliance Politics
(New York, NY: Cornell University Press, 1997).
218 Political Science 65(2)
Institutions
A second and contrasting model is derived from liberal institutionalism. This framework
examines how small states seek to establish rules and transparency within international
institutions and encourage cooperative approaches to international security issues. While
realist scholars continue to claim that institutions are dominated and maintained by great
powers to advance their own national interests,11 small state scholarship reveals a number
of cases where significant institutional influence has been achieved. Peter Jakobsen, for
example, reveals how small Nordic states enhanced the Civilian Crisis Management
agenda within the European Security and Defence Policy (ESDP), in spite of firm
opposition from France.12 The ability of small states to influence the agenda of the United
Nations (UN) Security Council has also been documented. Baldur Thorhallsson has argued
that when small states invest time and resources in the UN system, are perceived as neutral,
work on niche issues, develop administrative capabilities and actively work to build
coalitions, the extent of their influence can be disproportionate to their size.13 In this
respect, they can move from being beneficiaries of the UN system to active contributors to
it.14 Small states may also form their own institutions to advance shared interests. The
Association of Small Island States (AOSIS) advocates on the basis of its members’ shared
vulnerability to climate change and works to place pressure on large powers to cut carbon
emissions. While there has been slow progress in reducing global emissions, the associ-
ation has served as a ‘moral conscience’ within international negotiations and advanced its
members’ interests more effectively than had they worked in isolation.15
Implicit in the institutional approach are the notions that power itself has changed and
that a nation’s military capabilities are not the sole factor in determining its security. Soft
power, for example, which is the power of persuasion and attraction, can be effectively
employed by small states.16 A number of small state scholars have followed this line of
enquiry. Alan Chong argues that soft power can be used as a psychological and tactical
resource to shape perceptions of the motives of small states, and explains how a small
state’s foreign policy apparatus may possess among its human resources intellectual and
propagandistic skills that are disproportionate to its physical size.17 Annette Fox has
11. See, for example, Kenneth N. Waltz, ‘NATO Expansion: A Realist’s View’, Contemporary
Security Policy, Vol. 21, No. 2 (August 2000), p. 29.
12. Peter V. Jakobsen, ‘Small States, Big Influence: The Overlooked Nordic Influence on the
Civilian ESDP’, Journal of Common Market Studies, Vol. 47, No. 1 (January 2009), p. 96.
13. Baldur Thorhallsson, ‘Small States in the UN Security Council: Means of Influence?’, The
Hague Journal of Diplomacy, Vol. 7, No. 2 (2012), p. 159.
14. Baldur Thorhallsson, ‘Small States in the UN Security Council: Means of Influence?’, p. 146.
15. Jon Barnett and John Campbell, Climate Change and Small Island States: Power, Knowl-
edge and the South Pacific (London: Earthscan, 2010), p. 101.
16. Robert O. Keohane and Joseph S. Nye, ‘Power and Interdependence in the Information
Age’, Foreign Affairs, Vol. 77, No. 5 (September 2009), p. 86.
17. Alan Chong, ‘Small State Soft Power Strategies: Virtual Enlargement in the Cases of the
Vatican City State and Singapore’, Cambridge Review of International Affairs, Vol. 23, No.
3 (September 2010), p. 385.
Burton 219
highlighted how small states can utilise ‘economic, ideological, and diplomatic methods’
to advance their interests, and possess a ‘capacity to appeal to world interest’ when
threatened.18 Small states will often exhibit a firm commitment to international law, seek
multilateral solutions to security issues and generally refrain from the use of military force
to solve disputes.
Identity and norms
A third model of small state security is based on identity and norms. Leaders of small
states often perceive that they lack influence over their security environment and this
will inform the strategic direction of the state. In short, if a state perceives itself to be
small, it is. As Alan Henrikson notes:
The critical test of ‘smallness’ . . . is a state’s image and its related conduct. This way of
identifying the small state phenomenon is based on the recognition that some states regard
themselves and are regarded by others as ‘small states’, and behave accordingly – in a word,
deferentially or, sometimes instead, defiantly.19
According to Laurent Goetschel, small states may also develop a ‘security identity’,
which stems from ‘past behaviour and images and myths linked to it which have been
internalized over long periods of time by the political elite and population of a state’.20
Such an identity can be based around the promotion of peace, international law and a just
world order, and is an ideational and historical reaction to smallness. Goetschel argues
that this type of security identity was influential in shaping small European states’
attitudes towards the European Union (EU) as a security actor. Small states also have a
natural interest in promoting and developing international norms in international secu-
rity, broadly defined as acceptable standards of behaviour. Christine Ingebritson argues
that small Scandinavian states have acted as ‘norm entrepreneurs’ through their pro-
motion of conflict resolution mechanisms and the award of the Nobel Peace Prize, for
example.21 Similarly, Margarita Petrova documents how small states have had an impact
on the development of norms relating to prohibitions on the use of landmines and cluster
munitions, noting that the strong involvement of civil society in Belgium has driven
national and international attention to these issues.22
18. Annette Fox, The Power of Small States: Diplomacy in World War 2, p. 2.
19. Alan K. Henrikson, ‘A Coming ‘‘Magnesian’’ Age? Small States, the Global System, and the
International Community’, Geopolitics, Vol. 6, No. 3 (2001), p. 63.
20. Laurent Goetschel, ‘The Foreign and Security Policy Interests of Small States in Today’s
Europe’, in Laurent Goetschel (ed.), Small States Inside and Outside the European Union
(Dordrecht: Kluwer, 1998), p. 28.
21. Christine Ingebritsen, ‘Norm Entrepreneurs: Scandinavia’s Role in World Politics’, Coop-
eration and Conflict, Vol. 37, No. 11 (March 2002), pp. 11–23.
22. Margarita H. Petrova, ‘Small States and New Norms of Warfare’ (2007), p. 6, available at:
http://cadmus.eui.eu/bitstream/handle/1814/7644/MWP_2007_28.pdf?sequence¼1 (accessed
10 August 2013).
220 Political Science 65(2)
While distinctions between these three approaches are analytically useful, small states
might also pursue them simultaneously through their foreign policy. Norms can emerge
through partnerships in international institutions and through alliances. Conversely, the
simultaneous pursuit of alliances and norms can be problematic for small states; strong
security alignments may undermine the ability of small states to act as neutral arbiters on
security issues.
Small states and cyber security
To what extent can these models and approaches to the foreign policy of small states be
applied to cyber security? The evidence to date indicates that military alliances and
international institutions are only just beginning to respond politically and operationally
to cyber security issues, and that a strategic divide between the great powers is stifling
the emergence of cyber norms.
Alliances are commonly based on collective defence, whereby members will provide
mutual aid in the event of an attack. There is little evidence to suggest that this is hap-
pening in the cyber security arena. Although a crisis meeting was convened within NATO
during the cyber attacks against Estonia in 2007, NATO stopped short of invoking Article
V, its collective defence clause. As the Estonian Defence Minister acknowledged:
At present, NATO does not define cyber attacks as a clear military action. This means that the
provisions of Article V of the North Atlantic Treaty, or, in other words collective self-defence,
will not automatically be extended to the attacked country.23
Formulating a coherent alliance response to the attacks was also problematic. A
retaliatory cyber attack was impossible given the uncertain origins of the attacks, and the
Russian government refused to cooperate with Estonian authorities in investigating the
incident.24 On the other hand, the problems created by the Estonia case have driven the
intra-alliance focus on cyber security issues, and NATO’s enhanced cyber assets may
bring considerable benefits to its smaller members. NATO’s Emerging Security Chal-
lenges division, formed in 2010, has consolidated cyber security into strategic planning
and cyber security featured prominently in NATO’s 2010 Strategic Concept. The alli-
ance has also established a Cyber Defence Management Authority (CDMA), a Rapid
Reaction Team (RRT) – a team of experts that can be deployed quickly to respond to
cyber incidents – and a Cooperative Cyber Defence Centre of Excellence (CCD COE).
Similarly, cooperation within international institutions on cyber security issues is still
in an early stage of development. Progress within the UN Security Council has been
hampered by the strategic rivalries between its permanent five members, and the council
did not address or debate the Estonian cyber attacks of 2007, the Georgian attacks of
23. Quoted in Ian Traynor, ‘Russia Accused of Unleashing Cyberwar to Disable Estonia’ (May
2007), available at: http://www.guardian.co.uk/world/2007/may/17/topstories3.russia
(accessed 10 August 2013).
24. Kertu Ruus, ‘Cyber War I: Estonia Attacked from Russia’, European Affairs, Vol. 9, Nos 1/2
(Winter/Spring 2008), p. 26.
Burton 221
2008 or the Stuxnet attack against Iran.25 The US and EU have resisted attempts to
establish UN-level governance of the Internet through the International Telecommunica-
tions Union, which is the UN’s specialised agency for information and communication
technologies (ICT),26 warning against creating a ‘prescriptive regulatory code for the
world’.27 The EU itself has only recently produced its first comprehensive Cyber Secu-
rity Strategy, and it is a long way from implementation. It also imposes significant resource
and compliance challenges for small states; EU members are required to establish a
national Computer Emergency Response Team (CERT), produce a Network and Informa-
tion Security (NIS) strategy, and designate an NIS-responsible authority with the necessary
resources to prevent, handle and respond to information security risks and incidents.28
International norms in the area of cyber security are also mired in the strategic riv-
alries between the world’s leading powers and it will be some time before acceptable
standards of cyber conduct are firmly rooted in the international system. Jason Healey
distils the problem succinctly:
There are at least two camps of behavior, with divergent views of what norms should be. In the
first group we have the United States and the United Kingdom and other nations arguing for
controls on cyber-crime but supporting the free flow of information. China and Russia lead the
opposite camp, which worries more about cross-border information which might destabilize
their societies (or, rather, the grip of the current leadership).29
This divide encapsulates the US desire to maintain a free and open Internet on the one
hand, with the Russian and Chinese priority of being able to control information on the
25. Tim Maurer has noted that the work of the UN Security Council has largely been limited to
the Working Group on Countering the Use of the Internet for Terrorist Purposes, part of the
Counter-Terrorism Implementation Task Force (CTITF). See Tim Maurer, ‘Cyber Norm
Emergence at the United Nations: An Analysis of the Activities at the UN Regarding
Cyber-security’ (September 2011), available at: http://belfercenter.ksg.harvard.edu/files/
maurer-cyber-norm-dp-2011-11-final.pdf (accessed 10 August 2013).
26. For the official US position, see US Department of State, ‘Fast Facts on United States
Submitting Initial Proposals to World Telecom Conference’ (August 2012), available at:
http://www.state.gov/e/eb/rls/fs/2012/195921.htm (accessed 10 August 2013).
27. New Zealand also voted against these changes. See Terry Kramer, ‘The WCIT: Globalizing
a Transatlantic Legacy’ (November 2012), available at: http://www.europeaninstitute.org/
EA-November-2012/the-wcit-globalizing-a-transatlantic-legacy.html (accessed 10 August
2013); Chris Keal, ‘NZ Joins US, other Western Nations in Rejecting UN Control of Inter-
net’ (December 2012), available at: http://www.nbr.co.nz/opinion/nz-will-vote-against-
un-taking-control-internet (accessed 11 August 2013).
28. European Union External Action Service, ‘EU Cybersecurity Plan to Protect Open Internet
and Online Freedom and Opportunity’ (February 2013), available at: http://europa.eu/rapid/
press-release_IP-13-94_en.htm (accessed 10 August 2013).
29. Jason Healey, ‘Breakthrough or Just Broken? China and Russia’s UNGA Proposal on Cyber
Norms’ (September 2011), available at: http://www.atlanticcouncil.org/blogs/new-atlanti
cist/breakthrough-or-just-broken-china-and-russia-s-unga-proposal-on-cyber-norms (acces-
sed 10 August 2013).
222 Political Science 65(2)
other. The divide is also evident in recent attempts at developing international cyber
security standards. In September 2011, for example, the Chinese and Russian dele-
gations to the UN wrote to the UN Secretary General proposing discussion of an
‘International Code of Conduct for Information Security’. While the code contained
some sensible provisions, it would also have established rights for states to censor the
Internet, including ‘curbing the dissemination of information’ that would undermine
‘other nations’ political, economic and social stability, as well as their spiritual and
cultural environment’.30
In addition to problems in applying each of these conventional approaches to cyber
security, there are a number of other challenges for small states in this area of policy. At a
technical level, the 13 countries with the highest Internet penetration rates – defined as
the percentage of people using the Internet during 2000–2012 – are small states: the
Falkland Islands, Iceland, Norway, Sweden, the Netherlands, Denmark, Luxembourg,
Bermuda, Finland, New Zealand, Liechtenstein, Qatar and Bahrain.31 This level of
reliance on information infrastructure may create enhanced vulnerabilities. A recent
report by McAffee suggests that ‘the less sophisticated and widespread a country’s
connection to the internet, the lesser the cyber-threat. The more services are on line, the
higher the risk of cyber-attack’.32 Small states with high levels of Internet penetration are
thus particularly vulnerable. Ross Stapleton-Gray and William Woodcock highlight
another potential technical problem for small states:
Many smaller countries have exactly one exchange, located in the capital city. But the greatest
number of countries, typically the smallest ones, has no Internet Exchange Point (IXP) at all.
This means that they are heavily dependent for their domestic connectivity upon international
data circuits.33
This issue applies to developing countries disproportionally, but all small states will
need to diversify their connectivity to guarantee their cyber security.
Joseph Nye has claimed that ‘the barriers to entry in the cyber domain are so low that non-
state actors and small states can play significant roles at low levels of cost’.34 However, the
30. Ministry of Foreign Affairs of the People’s Republic of China, ‘China, Russia and Other
Countries Submit the Document of International Code of Conduct for Information Security
to the United Nations’ (September 2011), available at: http://www.fmprc.gov.cn/eng/wjdt/
wshd/t858978.htm (accessed 10 August 2013).
31. International Telecommunications Union, ‘Time Series by Country (2000–2012) – Per-
centage of People Using the Internet’ (February 2013), available at: http://www.itu.int/en/
ITU-D/Statistics/Pages/stat/default.aspx (accessed 10 August 2013).
32. McAfee, ‘Cyber-security: The Vexed Question of Global Rules’ (February 2012), available
at: http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf (accessed 10
August 2013).
33. Ross Stapleton-Gray and William Woodcock, ‘National Internet Defense: Small States on
the Skirmish Line’, Communications of the ACM, Vol. 54, No. 3 (2011), pp. 50–55.
34. Joseph Nye, ‘Nuclear Lessons for Cyber Security?’, Strategic Studies Quarterly, Vol. 5, No.
4, (Winter 2011), p. 20.
Burton 223
evidence appears to indicate that small states are increasingly vulnerable to cyber attacks
originating from the world’s leading powers. According to Internet Security Provi-
der Symantec, the majority of malicious cyber activity originates from larger, more
powerful, states – the US (21.1%), China (9.2%), India (6.2%), Brazil (4.1%), Ger-
many (3.9%), Russia (3.2%) and the UK (3.2%).35 The world’s great powers are also
heavily investing in offensive cyber security capabilities and increasingly prepared
to use them in conflicts and disputes with smaller, weaker states. Russian cyber
attacks against Georgia in 2008, which preceded the Russian invasion and involved
extensive infiltration of Georgian government ministries and military units, serve as
an illustrative example of the disparity in cyber capabilities between small and large
states. The Stuxnet software deployed by the US against Iranian nuclear centrifuges
is widely considered one of the most sophisticated viruses ever to have been created,
and its development reflects America’s leading technological expertise. As Jeffrey
Carr has said, ‘nation-states are spending millions of dollars of development for
these types of cybertools, and this is a trend that will simply increase in the future’.36
The Obama administration boosted the cyber security budget of the Department of
Defense to US$4.7 billion in 201337 and the US military has incorporated both defen-
sive and offensive cyber security operations into strategic doctrine.38 Small states are
unlikely to be able to keep up with larger states in developing and resourcing offensive
and defensive capabilities.
Finally, the strategic focus of small states on local and regional foreign policy
interests is being undermined by cyber attacks. A state can be subjected to cyber attacks
from anywhere in the world in a matter of milliseconds. Small states do not have the
political, diplomatic or economic tools to respond to global issues in the same way that
large states do. That is not to say that the cyber security of small states will not be
influenced by geopolitical issues. The cyber vulnerabilities of small states will continue
to be linked, to some degree, with historical and geopolitical tensions with countries in
their immediate neighbourhoods. This was particularly evident in the Estonian and
Georgian cases.
35. Malicious activity includes data from malicious code reports, spam zombies, phishing
hosts, bot-infected computers, network attack origins and web-based attack origins.
See Symantec, ‘Symantec Report on Threat Activity Trends’ (2013), available at:
http://www.symantec.com/threatreport/topic.jsp?id¼threat_activity_trends&aid¼malici
ous_activity_by_source (accessed 10 August 2013).
36. Quoted in David Kushner, ‘The Real Story of Stuxnet’, IEEE Spectrum, Vol. 50, No.3
(March 2013), p. 53.
37. Andy Sullivan, ‘Obama Budget Makes Cybersecurity a Growing U.S. Priority’ (April 2013),
available at: http://articles.chicagotribune.com/2013-04-10/business/sns-rt-us-usa-fiscal-
cybersecuritybre93913s-20130410_1_cyber-command-cybersecurity-budget-proposal
(accessed 10 August 2013).
38. Tina Miles, ‘Army Activates First-of-its-kind Cyber Brigade’ (December 2011), available
at: http://www.army.mil/article/70611/Army_activates_first_of_its_kind_Cyber_Brigade/
(accessed 10 August 2013).
224 Political Science 65(2)
The case of New Zealand
Alliances, institutions and norms in New Zealand’s foreign policy history
New Zealand is a small state with a population of less than 4.5 million and a Gross
Domestic Product (GDP) equivalent to just 0.26% of the world economy.39 The coun-
try’s size, combined with its geographical isolation, has driven a historical foreign policy
that has fluctuated between alliances, institutional cooperation and norm promotion. In
the first half of the 20th century, New Zealand’s alliance with Great Britain was the
bedrock of its foreign policy and New Zealand troops fought in both world wars in
Britain’s defence. After World War II, due to Britain’s declining global influence and the
threat from communism in Asia, New Zealand sought a closer security relationship with
the US. This involved entry into the ANZUS alliance in 1951; a treaty-based, collective
defence pact with Australia and America. ANZUS formed the foundation of New Zeal-
and foreign policy for the next 30 years and New Zealand troops fought in the Korean
and Vietnam wars in support of their alliance partners. However, successive New Zeal-
and governments also promoted institutional cooperation and internationalist norms dur-
ing this period. New Zealand was a founding member of the UN and advocated a
strengthened role for small states within the new UN system.40 New Zealand also played
a significant role in the development of the United Nations Convention on the Law of the
Sea (UNCLOS), arguing that small states in the Pacific would ‘only obtain the full ben-
efit of their exclusive economic zones if other more powerful states are prepared to
respect their international obligations in this regard’.41
The decision in 1984 by the David Lange government to prohibit all nuclear armed or
propelled vessels from entering into New Zealand ports was perhaps the most prominent
example of a normative approach to New Zealand foreign policy, and one that had a
significant impact on its alliance relations. New Zealand had vehemently opposed
French nuclear testing in the region and played a prominent role in establishing a
nuclear-free zone in the South Pacific through the Treaty of Rarotonga (1985). A strong
domestic and international anti-nuclear movement had also emerged in the 1970s, which
generated political momentum towards a more moral and less strategic foreign policy.
As Robert Patman has argued:
New Zealand’s nuclear-free stance was a powerful symbol . . . the working assumption here
was that ideas and norms do matter at the international level, and a small country like New
39. Trading Economics, ‘New Zealand GDP’ (August 2013), available at: http://www.trad
ingeconomics.com/new-zealand/gdp (accessed 11 August 2013).
40. New Zealand Prime Minster Peter Fraser argued strongly against the establishment of a veto
power in the UN Security Council, despite the fact that Great Britain benefited greatly from
it, and for small states to have greater influence through a strengthened General Assembly.
See Malcolm McKinnon, Independence and Foreign Policy: New Zealand in the World
since 1935 (Auckland: Auckland University Press, 1993), pp. 57–62.
41. Quoted in Malcolm McKinnon, Independence and Foreign Policy: New Zealand in the
World since 1935, p. 270.
Burton 225
Zealand could make a positive difference through its own actions to the global security
situation.42
There was also a sense that the ANZUS alliance was no longer serving New
Zealand’s national interests and that the country was increasingly trapped in a rela-
tionship where its autonomy was being affected, particularly on the nuclear issue. As
David Lange said at the time, ‘what is now on public record about the ANZUS
meetings predictably suggests that the Americans did the talking and our side did the
listening’.43 Despite this growing sense of entrapment, the Lange government con-
tinued to see the broader benefits of the security partnership and the government did
not expect or intend for the nuclear-free policy to result in the breaking of the ANZUS
alliance. Opinion polls also indicated that the New Zealand public wanted to stay in
ANZUS despite their aversion to US nuclear weapons.44 In February 1985, however,
shortly after the USS Buchanan was refused entry, the US suspended high-level dip-
lomatic exchanges, restricted intelligence sharing and halted most forms of military
cooperation with New Zealand.
This strategic separation continued into the post-Cold War period. New Zealand
remained outside of formal alliance structures (apart from its close security relation-
ship with Australia) and formulated its foreign policy around the promotion of multi-
lateral cooperation through international institutions, particularly the UN. This
approach was reflected in the deployment of New Zealand soldiers to support the
UN-mandated mission in Bosnia (1992), a New Zealand role in the UN Regional Assis-
tance Mission to the Solomon Islands (2003), a peacekeeping role in East Timor
(1999–2012) and a strong contribution to the UN-mandated, NATO-led mission in
Afghanistan (2001–2013). New Zealand’s refusal to participate in the war against Iraq
in 2003 was also based on a commitment to the UN. Labour Prime Minister Helen
Clark stated that ‘regime change is not something that the UN is mandated to do’ and
argued that ‘Without the United Nations, multilateralism and respect for the interna-
tional rule of law, the world’s prospects would be bleak indeed’.45 The internationalist
orientation of New Zealand foreign policy in the post-Cold War era suggests, in con-
trast to the small states literature, that New Zealand was not solely focused on local and
regional security issues during this period.
More recently, the New Zealand–US security relationship has been reinvigorated. In
2005, the Helen Clark-led Labour government made a concerted effort to improve New
Zealand–US relations, which corresponded with a desire on the part of the US
42. Robert G. Patman, ‘Globalisation, Sovereignty, and the Transformation of New Zealand
Foreign Policy’ (2005), available at: http://www.victoria.ac.nz/hppi/centres/strategic-stu
dies/publications/working-papers/WP21.pdf (accessed 11 August 2013).
43. Quoted in Wade Huntley, ‘The Kiwi that Roared: Nuclear Free New Zealand in a Nuclear
Armed World’, The Nonproliferation Review, Vol. 4, No. 1 (March 1996), p. 8.
44. See Malcolm McKinnon, Independence in Foreign Policy: New Zealand in the World since
1945 (Auckland: Auckland University Press, 1993), p. 289.
45. Quoted in David McGraw, ‘New Zealand Foreign Policy Under the Clark Government: High
Tide of Liberal Internationalism’, Pacific Affairs, Vol. 78, No. 2 (Summer 2005), p. 225.
226 Political Science 65(2)
government to rebuild international partnerships after the invasion of Iraq.46 Intelli-
gence sharing was re-established in 2009 under the John Key-led National govern-
ment,47 and the Wellington and Washington Declarations (2010 and 2012) paved
the way for new high-level military and diplomatic exchanges between the two coun-
tries. This enhanced cooperation stemmed from America’s strategic ‘pivot’ to the
Asia-Pacific region, as articulated by Secretary of State Hillary Clinton in 2011, and
a desire to work with New Zealand in shaping ‘a rules-based regional and global
order’.48 It also reflected a view in the National Party that previous Labour govern-
ments had been too reliant on the UN and had neglected bilateral security partnerships.
As current Deputy Prime Minister, Bill English, has said, ‘As important as the United
Nations is as an international force, there are other international relationships for us
that are more strategic’.49 Robert Ayson and David Capie have argued that New Zeal-
and has re-established a de facto alliance with the US and that recent developments
reflect ‘a position of clear alignment in which New Zealand appears to have traded
in some of its independence chips’.50 While New Zealand has not abandoned institu-
tional cooperation and norm promotion, the pendulum has swung back towards ties
with ‘traditional’ partners.
New Zealand’s cyber security challenges: Domestic and internationalcapacity building
New Zealand’s recent cyber security challenges are closely linked with the emergence of
a globalised cyber security environment and indicate that focusing solely on local and
regional interests will not safeguard the country from cyber attacks. The New Zealand
Security Intelligence Service (SIS)51 has said that the incidence of such attacks is on the
increase in New Zealand, from 90 attacks categorised as a threat to government and
critical infrastructure in 2011, rising to 134 in 2012, with 60% of those emanating from
46. Bruce R. Vaughan, ‘The United States and New Zealand: Perspectives on a Pacific Part-
nership’ (August 2012), p. 21, available at: http://www.fulbright.org.nz/wp-content/uploads/
2012/08/axford2012_vaughn.pdf (accessed 26 August 2013).
47. Nicky Hager, ‘Wikileaks: Leaked US Cables Spill the Beans on NZ Ties’ (December 2010),
available at: http://www.nickyhager.info/wikileaks-leaked-us-cables-spill-the-beans-on-nz-
ties/ (accessed 11 August 2013).
48. Hillary Clinton, ‘America’s Pacific Century’ (November 2011), available at: http://
www.foreignpolicy.com/articles/2011/10/11/americas_pacific_century?page¼0,2 (accessed
26 August 2013).
49. Quoted in David McCraw, ‘New Zealand Foreign Policy Under the Clark Government: High
Tide of Liberal Internationalism?’, p. 224.
50. Robert Ayson and David Capie, ‘Part of the Pivot? The Washington Declaration and US–NZ
Relations’, Asia-Pacific Bulletin, No. 172 (July 2012), p. 2.
51. The SIS was established in 1956 and is responsible for investigating threats to New Zeal-
and’s national security (including sabotage, subversion, espionage and acts of terrorism),
collecting foreign intelligence and providing a range of protective security and advice
services to government.
Burton 227
overseas.52 The SIS 2012 Annual Report concluded that ‘New Zealand is subject to
systematic cyber intrusion targeting both government and key economic and intellectual
property generators’ and that ‘state sponsored actors posed the greatest threat to New
Zealand’. It also noted that foreign intelligence agencies were directly involved in cyber
espionage against government and private entities in New Zealand, although the agencies
responsible were not named in the report.53 Cyber attacks have also gained heightened
media attention in recent years. In October 2012, for example, a hacker gained access to
confidential client details through the Work and Income New Zealand (WINZ) website, and
in July 2013, ‘Anonymous New Zealand’ conducted distributed denial of service (DDoS)
attacks against at least a dozen National Party websites, including the personal website of
Prime Minister John Key. Cyber attacks directed against the private sector and the New
Zealand public are also a growing problem. A 2011 Symantec survey of 100 New Zealand
companies found two-thirds experiencing a cyber attack in the preceding 12 months, with
25% losing corporate data and 25% experiencing a financial loss of NZ$70,000.54 Recently
released statistics suggest that cybercrime against New Zealanders costs NZ$625 million
annually55 and one survey rated New Zealand mobile phone ‘app’ users in the 10 most vul-
nerable in the world to cyber attacks.56 Given that 44% of New Zealanders use smart phones,
this is a significant vulnerability.57
In order to respond to these growing challenges – and in the absence of broader
institutional cooperation and cyber security norms – New Zealand has taken steps to
enhance both its domestic cyber security capacity and its international cyber security
partnerships. The government has produced a National Cyber Security Strategy, which
aims to enhance New Zealand’s resilience across sectors to cybercrime, cyber espionage,
hacktivism and terrorist use of the Internet.58 A National Cyber Security Centre (NCSC)
has been established as part of the Government Communications Security Bureau
52. National Cyber Security Centre, ‘2012 Incident Summary’ (2012), pp. 2–4, available at: http://
ncsc.govt.nz/sites/default/files/articles/NCSC-%202012%20Incident%20Report_0.pdf (acces-
sed 11 August 2013).
53. New Zealand Security Intelligence Service, ‘Annual Report’ (September 2012), p. 19,
available at: http://www.nzic.govt.nz/assets/Publications/NZSIS-Annual-Report-2012.pdf
(accessed August 2013).
54. Symantec, ‘NZ Organisations Rank Cyber Attacks as #1 Risk’ (June 2011), available
at: http://www.scoop.co.nz/stories/SC1106/S00061/nz-organisations-rank-cyberattacks-
as-1-risk.htm (accessed 11 August 2013).
55. Government Communications Security Bureau, ‘Regulatory Impact Statement’ (March
2013), p. 10, available at: http://www.gcsb.govt.nz/about-us/documents/GCSB%20Act
%20Review%20Regulatory%20Impact%20Statement.PDF (accessed 11 August 2013).
56. Anonymous, ‘NZ App Users at Risk of Cyber Attacks – Survey’ (January 2013), available at:
http://www.nzherald.co.nz/business/news/article.cfm?c_id¼3&objectid¼ 10860719 (accessed
11 August 2013).
57. Anonymous, ‘NZ App Users at Risk of Cyber Attacks – Survey’.
58. Department of Prime Minister and Cabinet, ‘New Zealand’s Cyber Security Strategy’ (June
2011), p. 5, available at: http://www.dpmc.govt.nz/sites/all/files/publications/ncpo-speech-
nzisf-11apr13.pdf (accessed 11 August 2013).
228 Political Science 65(2)
(GCSB), which is New Zealand’s primary signals intelligence agency and part of the
Echelon network, along with the US National Security Agency (NSA), the UK Gov-
ernment Communications Headquarters (GCHQ), Australia’s Defence Signals Direc-
torate (DSD) and Canada’s Communications Security Establishment Canada (CSEC).
Stronger cyber security links are being formed between the New Zealand government
and private entities, particularly those responsible for providing critical infrastructure,59
and transnational cooperation is emerging. A new cyber security research facility at
Auckland’s Unitec Institute for Technology, for example, has developed links with
research institutes in Japan on cyber security issues.60
Despite these positive developments, New Zealand continues to face significant
resource challenges in enhancing its cyber security, and this is indicative of the
common challenges small states face in this and other areas of security policy. A
recent report into the role of the GCSB noted that the agency has fewer than 300
staff and ‘is very widely spread and in places very thin’.61 New Zealand’s intelli-
gence agencies have received a significant boost in funding since 2003, with a total
increase in budget for the SIS and GCSB from NZ$45 million in 2003 to NZ$97
million in 2012,62 yet staffing levels at the GCSB have fallen by 20% since 2007.63
Challenges also exist in retaining highly specialised ICT professionals in the public
sector, and keeping ICT specialists in New Zealand when there are higher-paid jobs
overseas. The New Zealand government has openly acknowledged these resource
challenges. A recent review of the GCSB’s functions revealed, ‘in a small jurisdic-
tion such as New Zealand we cannot afford to duplicate expensive and sophisticated
assets, and there are limited numbers of people that can work with such assets’.64
59. The NCSC has recently developed voluntary standards for operators of Industrial Control
Systems, for example. See Paul Nash, ‘Cyber Security: Why it Matters for New Zealand’
(April 2013), available at: http://www.dpmc.govt.nz/sites/all/files/publications/ncpo-
speech-nzisf-11apr13.pdf (accessed 11 August 2013).
60. Japan’s National Institute of Information and Communications Technology (NICT) and the
Nara Institute of Science and Technology (NAIST). The institutes will conduct decentralised
monitoring of the number of malicious threats on New Zealand networks and their country
of origin and will develop advanced information technologies in New Zealand.
61. Rebecca Kitteridge, ‘Review of Compliance at the Government Communications Security
Bureau’ (March 2013), p. 64, available at: http://www.gcsb.govt.nz/newsroom/reports-publi-
cations/Review%20of%20Compliance_%20final%2022%20March%202013.pdf (11 August
2013).
62. Pete George, ‘More Money and More Spies’ (July 2013), available at: http://yournz.org/
2013/07/16/more-money-and-more-spies/ (accessed 11 August 2013).
63. The agency went from a total of 370 staff in 2007 to 294 in 2012. See Government Com-
munications Security Bureau, ‘Annual Reports’ (2007 and 2012), available at: http://
www.gcsb.govt.nz/newsroom/annual-report.html (accessed 23 October 2013).
64. Office of the Minister Responsible for the GCSB Cabinet Domestic and External Security
Committee, ‘Review of Government Communications Security Bureau Act 2003’ (June
2013), p. 5, available at: http://www.nzic.govt.nz/assets/Uploads/GCSB-Cabinet-paper-
1.pdf (accessed 11 August 2013).
Burton 229
The volume of work generated by the agency is also likely to increase significantly
as a result of the growing number and diversity of cyber attacks against New Zeal-
and targets. More broadly, New Zealand continues to be reliant on intelligence from
its international partners. Bruce Ferguson, a former head of the GCSB, has said that
New Zealand receives approximately five times more intelligence than it produces
and continues to be dependent upon the US for intelligence relating to peacekeeping
operations and foreign troop deployments, including in Afghanistan, where New
Zealand forces were deployed after 9/11.65 As a small state, New Zealand continues
to be a net consumer of intelligence on a wide range of security issues, including
maritime security, trade and counterterrorism, and this dependency is likely to
continue.
In order to close this capabilities gap, the New Zealand government has focused
on extending its international cyber security partnerships. In June 2012, New
Zealand entered into an Individual Partnership Cooperation Programme with NATO,
which provides for consultation and cooperation on cyber security issues and con-
tinued intelligence sharing.66 In January 2013, Foreign Minister Murray McCully
announced a deal with the UK government that will allow New Zealand to benefit
from research and development at a new global cyber security facility in the UK,67
and the Washington and Wellington declarations have resulted in a high-level stra-
tegic dialogue between US and New Zealand officials on ‘cyber policy’ and ‘scien-
tific cooperation’.68 Alignment with the US has traditionally given its allies access
to strategies and technologies that have enhanced their security and this is increas-
ingly the case in the area of cyber security. In September 2011, moreover, around
the 60th anniversary of the signing of the ANZUS treaty, the US and Australian
governments announced that their ongoing ANZUS commitments would be
extended into cyberspace:
Mindful of our longstanding defense relationship and the 1951 Security Treaty between
Australia, New Zealand, and the United States of America (ANZUS Treaty), our Gov-
ernments share the view that, in the event of a cyber attack that threatens the territorial
integrity, political independence or security of either of our nations, Australia and the
65. Nick Perry and Paisley Dodds, ‘‘‘Five Eyes’’ Spy Alliance Will Survive Snowden’ (July
2013), available at: http://www.newsfactor.com/story.xhtml?story_id¼11000APTXRP6&
page¼2 (accessed 11 August 2013).
66. New Zealand Government, ‘Individual Partnership and Co-operation Programme between
New Zealand and NATO’ (June 2012), available at: http://www.beehive.govt.nz/sites/all/
files/New_Zealand_NATO_Partnership_and_Cooperation_Programme.pdf (accessed 28
August 2013).
67. Michael Field, ‘Super-Cyber Security NZ–UK Alliance’ (January 2013), available at:
http://www.stuff.co.nz/technology/digital-living/8180398/Super-cyber-security-NZ-UK-
alliance (accessed 11 August 2013).
68. US Department of State, ‘Joint Statement: US–New Zealand Strategic Dialogue’ (May
2013), available at: http://www.state.gov/r/pa/prs/ps/2013/05/209799.htm (accessed 28
August 2013).
230 Political Science 65(2)
United States would consult together and determine appropriate options to address the
threat.69
It is unclear from this statement how severe cyber attacks would need to be to trigger
collective action.70 Nevertheless, the reorientation of the US and Australian alliance
relationship to deal with cyber security challenges is a positive development, and one
that New Zealand will likely benefit from, even though it was not party to the statement.
GCSB reform: Domestic and international controversies
The most contentious aspect of New Zealand’s emerging cyber security strategy has
been changes to the role of the GCSB. The GCSB and Related Legislation Reform
Bill, which was passed by the New Zealand Parliament in August 2013, extended
the GCSB’s cyber security functions to the domestic arena, creating a legal basis for
the agency to intercept electronic communications from and to New Zealand citizens
and permanent residents for the first time.71 These reforms created a heated political
debate in New Zealand that highlighted the difficult task of achieving a tenable
balance between privacy and security in cyberspace. The New Zealand government
emphasised that intercepting communications was not the same as spying on New
Zealanders, and that only metadata – the origins and destinations of communications
and the type of malicious code attached – would be subject to interception in the
first instance, and on the basis of a warrant. John Key personally emphasised that a
second warrant would need to be issued to allow the content of electronic com-
munications to be analysed, and only when it related to a ‘significant threat’ to the
country.72 Such assurances have been greeted with a degree of scepticism by the
New Zealand public. Of respondents to one August 2012 Fairfax Media-Ipsos poll,
75.3% indicated that they were worried about plans to allow the GCSB to monitor
New Zealanders.73 However, in the same poll, over 50% of respondents stated that
they trusted the government to protect their right to privacy under the new system.
69. US Department of State, ‘U.S.–Australia Ministerial Consultations 2011 Joint Statement on
Cyberspace’ (September 2011), available at: http://www.state.gov/r/pa/prs/ps/2011/09/
172490.htm (accessed 2 September 2013).
70. For a detailed discussion of ANZUS and cyber security issues, see Andrew Davies, James
Andrew Lewis, Jessica Herrera Flanigan et al., ‘ANZUS 2.0: Cybersecurity and Australia–
US Relations’ (April 2012), available at: http://www.isn.ethz.ch/Digital-Library/Publi
cations/Detail/?ots591¼0c54e3b3-1e9c-be1e-2c24-a6a8c7060233&lng¼en&id¼161646
(accessed 2 September 2013).
71. And to share that information with the New Zealand Police, the New Zealand Defence Force
(NZDF) and the SIS, although when doing so, it will be subject to the various statutory
regulations that bind those agencies.
72. John Key, ‘GCSB: Prime Minister John Key’s Speech’ (August 2013), available at: http://
www.stuff.co.nz/national/politics/9070452/GCSB-Prime-Minister-John-Keys-speech (accessed
2 September 2013).
73. Andrea Vance, ‘Kiwis Do Care, Prime Minister’ (August 2013), available at: http://www.stu
ff.co.nz/national/politics/9066527/Kiwis-do-care-prime-minister (accessed 2 September 2013).
Burton 231
While the balance between privacy and security has been a central issue in this
debate, it is difficult to argue that this is a particular problem for New Zealand or,
indeed, for small states. The political and legal controversies around this legislation,
however, do illustrate some of the challenges that small states face in enhancing
their cyber security. First, the erosion of New Zealand’s geographical isolation is
evident in its struggle to respond to global cyber security challenges. The government’s
justification for the extension of state power to the domestic arena was explicitly framed
in the context of New Zealand’s adaptation to the global challenges of the post-9/11
security environment. In April 2013, John Key referred to ‘evidence of cyber espionage
in New Zealand’, including ‘covert attempts to acquire New Zealand science and
technology for programmes relating to weapons of mass destruction or weapons
delivery systems’.74 In July 2013, he said:
In New Zealand there are people who have been trained for al-Qaeda camps who operate out of
New Zealand, who are in contact with people overseas, who have gone off to Yemen and other
countries to train. I’m sorry, but that’s the real world.75
The explanatory note to the bill also recognised some of the challenges small
states are confronting in the area of cyber security, and especially the tension
between a focus on local/regional security issues and globalised security challenges.
It stated that ‘New Zealand faces a changing security environment in which threats
are increasingly interconnected and national borders are less meaningful’, and
claimed that ‘Globalisation means New Zealand is no longer as distant from security
threats as it once was’.76
The scandal over the interception of Kim Dotcom’s electronic communications, the
founder of the ‘Megaupload’ file-sharing website, was also particularly prominent in
driving changes to the GCSB’s role. Dotcom was indicted by US authorities on 5 Jan-
uary 2012 on charges including online piracy, copyright infringement and money
laundering. On 20 January 2012, the New Zealand police, working with the US Fed-
eral Bureau of Investigation (FBI), raided Dotcom’s Auckland mansion. The legal
case that followed revealed: that warrants used in the raid were illegal because they
were used to seize material that was irrelevant to the investigation; that the FBI had
illegally copied the contents of computer hard drives seized in the raid; and that the
GCSB had unlawfully spied on Dotcom prior to the raid, supplying information to the
police relating to his movements and personal communications. Dotcom was granted
74. Anonymous, ‘Key Reveals WMD Cyber Terrorism Threat to NZ’ (April 2013), available at:
http://tvnz.co.nz/national-news/key-reveals-wmd-cyber-terrorism-threat-nz-5407210 (accessed
11 August 2013).
75. Rebecca Quilliam and Claire Trevett, ‘PM Justifies Spy Bill: Kiwis Trained by Al-Qaeda’
(August 2013), available at: http://www.nzherald.co.nz/nz/news/article.cfm?c_id¼1&
objectid¼10906592 (accessed 11 August 2013).
76. Government Communications Security Bureau and Related Legislation Amendment Bill,
‘Explanatory Note’ (2013), available at: http://www.nzic.govt.nz/assets/Publications/
GCSB-and-related-legislation-amendment-bill.pdf (accessed 11 August 2013).
232 Political Science 65(2)
New Zealand permanent residency in November 2010, and was thus protected from
GCSB surveillance under the previous statutory framework. As a result of the contro-
versy, an investigation into the activities of the GCSB took place, which culminated in
the release of the Kitteridge Report. The report revealed 55 incidences of unlawful
GCSB surveillance over nine years, involving 88 New Zealand citizens and permanent
residents.77 The 2013 GCSB bill thus provided a new legal basis for activities that the
agency had already been carrying out.
The release of classified information by former NSA contractor Edward Snowden
also had a significant impact on the New Zealand debate. In a series of leaks in July and
August 2013, as the GCSB bill was being debated, Snowden revealed that the US
government had been collecting, processing and analysing vast data and phone records
from some of the world’s leading ICT companies and covertly tapping into global fibre-
optic cables with a view to monitoring electronic communications. The activities of the
NSA demonstrate the enormous power that the US has accumulated in cyberspace and
the capabilities gap that exists between small and large states, as detailed in the previous
section. Snowden also directly emphasised links between the National Security Agen-
cy’s (NSA) activities and the Echelon network, revealing that the NSA had been funding
the UK GCHQ since 200978 and claiming that America’s Five Eyes partners ‘sometimes
go even further than the NSA people themselves’.79 The New Zealand government’s
strategy for enhancing New Zealand cyber security has been tarnished and complicated
by the global controversy created by the affair and there has been an unprecedented
degree of conflation between the privacy issues involved and New Zealand’s core cyber
security interests.
Another controversy that has influenced New Zealand’s emerging cyber security
strategy relates to China’s extension into the New Zealand broadband market. The New
Zealand government awarded a major contract to Chinese firm Huawei in 2011 as part of
the rollout of New Zealand’s ultra-fast broadband initiative. In October 2012, the US
House Intelligence Committee stated that the company’s provision of equipment to
US critical infrastructure ‘could undermine core U.S. national security interests’, and
noted the links between company directors and the Chinese Communist Party and mil-
itary.80 The Australian government blocked a broadband contract on the basis of security
77. Rebecca Kitteridge, ‘Review of Compliance at the Government Communications Security
Bureau’, p. 18.
78. Nick Hopkins and Julian Borger, ‘Exclusive: NSA Pays £100 m in Secret Funding for
GCHQ’ (August 2013), available at:http://www.theguardian.com/uk-news/2013/aug/01/
nsa-paid-gchq-spying-edward-snowden (accessed 2 September 2013).
79. Anonymous, ‘Snowden Links NZ to US Spy Programme’ (July 2013), available at: http://
www.stuff.co.nz/world/americas/8893187/Snowden-links-NZ-to-US-spy-programme (accessed
2 September 2013).
80. Mike Rogers and Dutch Ruppersberger, ‘Investigative Report on the U.S. National Security
Issues Posed by Chinese Telecommunications Companies Huawei and ZTE’ (October
2012), p. vi, available at: http://intelligence.house.gov/sites/intelligence.house.gov/files/
Huawei-ZTE%20Investigative%20Report%20%28FINAL%29.pdf (accessed 28 September
2013).
Burton 233
concerns.81 Huawei have labelled suggestions that they are a threat as ‘baseless’, but the
controversy raises important questions for New Zealand’s cyber security.82 Why did
New Zealand’s assessment of the risks differ from that of its security partners, and if the
New Zealand government had blocked the contract, would the country’s close economic
relationship with China have been affected?
Collectively, these scandals have focused the attention of the New Zealand public on
the country’s renewed status as a de facto ally of the US, and the GCSB’s relationship
with the NSA has come under greater scrutiny. There have been a number of recent
assertions that New Zealand’s political autonomy is being undermined by this rela-
tionship and that changes to the powers of the GCSB have been driven by US influence.
Kim Dotcom has claimed that John Key has a ‘subservient relationship with the United
States’ and that ‘The GCSB was utilised to surveil all my communication in order to give
the US Government full access to all my communication’.83 An editorial for the Waikato
Times, entitled ‘NZ: 51st State of the US’, suggested that the affair had ‘Heightened
suspicions that this country’s relationship with the United States has become one of
servility rather than friendship’ and argued that ‘The Government’s unquestioning
readiness to co-operate with American authorities seriously corrodes our claims to be an
independent state’.84 Hone Harawira, leader of the Mana Party, has said that the NZ–US
cyber security partnership could undermine the country’s status at the UN and its bid for
a UN Security Council seat in 2015:
Now New Zealand wants a seat of the UN Security Council and our case will inevitably be
tainted by our association with US foreign policy strategies operating through the GCSB. In
recent years the National government has pushed New Zealand further into the US corner and
further from the independence which would give us greater assurance and credibility in the
world.85
These arguments are not just being made by opposition politicians. Rodney Harrison
QC, a prominent New Zealand lawyer, has claimed that the GCSB’s Waihopai satellite
communications interception station is ‘tacitly treated by government and the GCSB as
an operation of the USA and other security partners not covered by the New Zealand
81. Charles Arthur, ‘China’s Huawei and ZTE Pose National Security Threat, Says US Com-
mittee’ (October 2012), available at: http://www.theguardian.com/technology/2012/oct/08/
china-huawei-zte-security-threat (accessed 11 August 2013).
82. Charles Arthur, ‘China’s Huawei and ZTE Pose National Security Threat, Says US
Committee’.
83. Quoted in Andrea Vance, ‘Dotcom More Popular than Banks’ (October 2012), available
at: http://www.stuff.co.nz/dominion-post/news/politics/7802709/Dotcom-more-popular-
than-Banks (accessed 11 August 2013).
84. Waikato Times, ‘Editorial – NZ: 51st state of the US’ (September 2012), available at: http://
www.stuff.co.nz/waikato-times/opinion/editorials/7730013/Editorial-NZ-51st-state-of-
the-US (accessed 11 August 2013).
85. Mana Party, ‘Mana Calls for NZ to Withdraw from Spy Network’ (July 2013), available at:
http://www.scoop.co.nz/stories/PA1307/S00436/mana-calls-for-nz-to-withdraw-from-
five-eyes-spy-network.htm (accessed 11 August 2013).
234 Political Science 65(2)
legislation’. He has further claimed that the issue ‘goes to the heart of New Zealand’s
sovereignty – our right to independent self-government without interference from out-
side’.86 The potential impact of the close US–New Zealand cyber security partnership
on New Zealand’s relationships with its Asian trading partners has also come under
increasing scrutiny. Former diplomat Terence O’Brien has argued that ‘our important
relationships in Asia could be compromised by our close association with the US and its
hoovering up of big data’,87 and Dr Russel Norman, leader of the New Zealand Green
Party, has said that ‘China would view the Five Eyes network with some concern. There
is no doubt they would view Five Eyes as an impediment to a better relationship with
New Zealand’.88
But how accurate are these claims? Are New Zealand’s interests and autonomy
being subsumed by the country’s cyber security links to its larger, more powerful,
security partners? Kim Dotcom’s assertion that New Zealand has a subservient rela-
tionship with the US should be treated with caution, especially as he is facing extra-
dition to the US. The notion that New Zealand’s cyber security links to the US will
undermine New Zealand’s bid for a seat on the UN Security Council in 2015 is
similarly unpersuasive. New Zealand’s two rival candidates for the seat – Spain and
Turkey – are both NATO members and close US allies. It is unlikely that these issues
would be raised by these countries during the UN selection process and there has been
no criticism from foreign governments relating to New Zealand’s cyber security links
with the US. The New Zealand government has also directly refuted claims that its
interests and autonomy are being undermined by the US–New Zealand intelligence and
cyber security partnership. In April 2010, after protests and vandalism at the Waihopai
signals intelligence facility, the GCSB took the uncommon step of publicly empha-
sising New Zealand’s independence, claiming that ‘The Waihopai station is not a US-
run ‘‘spybase’’. It is totally operated and controlled by New Zealand, through the
GCSB as an arm of the New Zealand Government’.89 John Key has further stated that
the GCSB bill gives the agency a clear legal framework that establishes rules around its
cooperation with its intelligence partners. In response to a question from New Zealand
journalist John Campbell, Mr Key said: ‘If you are asking us do we in New Zealand go
round the back door and ask our partners to do things for us that would be otherwise not
86. Quoted in Chris Barton, ‘Can NZ Say No to the US?’ (August 2013), available at: http://
www.nzherald.co.nz/opinion/news/article.cfm?c_id¼466&objectid¼10908486 (accessed
11 August 2013).
87. Terence O’Brien, ‘Five Eyes an Anachronistic Setup’ (July 2013), available at: http://www.stuff.
co.nz/dominion-post/comment/columnists/8881376/Five-Eyes-an-anachronistic-setup (accessed
11 August 2013).
88. Quoted in David Fisher, ‘Secret Network ‘‘Has to Be in Probe’’’ (June 2013), available at:
http://www.nzherald.co.nz/nz/news/article.cfm?c_id¼1&objectid¼10890675 (accessed 11
August 2013).
89. Government Communications Security Bureau, ‘Press Release: GCSB Directors Refute
Allegations Concerning the WAIHOPAI Station’ (April 2010), available at: http://
www.scoop.co.nz/stories/PO1004/S00071.htm (accessed 28 August 2013).
Burton 235
legal for GCSB to do, the answer is unequivocally no’.90 Finally, China has always
viewed New Zealand as being closely aligned with the US. While a delicate balancing
act is emerging in managing New Zealand’s economic relationship with China and its
security relationship with the US, trade with China is unlikely to be undermined by
these links.91
Conclusion
New Zealand has experienced a polarising and contentious debate about the power of the
state to intercept online communications, and a series of political scandals have high-
lighted the difficult task New Zealand faces in adapting to a rapidly evolving cyber
security environment. Achieving an acceptable balance between security and liberty is
not a new challenge, yet the balance may be more difficult to achieve given the glo-
balisation of security threats and the growth in malicious online activity. To a large
extent, however, finding this balance is a challenge faced by all states regardless of their
size, and it is useful to separate this aspect of the debate from New Zealand’s emerging
cyber security strategy.
So, do small states face unique or different challenges in enhancing their cyber
security arena, and how does New Zealand’s cyber security strategy relate to the
established small states literature detailed in the first two sections of this article? First, it
is clear that New Zealand faces significant technical hurdles and resource challenges.
New Zealand is struggling to commit the necessary financial resources to effectively
enhance its cyber security, and faces a challenge in developing the human resources,
technical expertise and knowledge to keep up with a rapidly changing cyber security
environment. There is also a growing cyber capabilities gap between small and large
powers, which makes small states vulnerable. While claims about New Zealand’s lack of
autonomy in its cyber and intelligence links should be treated with caution, there may be
a growing dependency on its international partners in the cyber security arena.
Second, New Zealand’s international engagement in the post-Cold War era suggests
that its foreign policy has not been solely or even primarily focused on local and
regional interests. This more globally focused foreign policy does not fit well with the
existing small states scholarship. Globalisation appears to have enlarged the security
interests and outlook of New Zealand and this may be the case for other small states
too. Cyber security issues are also clearly global in scope and make the pursuit of a
locally and regionally focused foreign policy increasingly unrealistic and untenable.
However, cyber security cooperation is not contingent on states being in close
90. John Key, ‘John Key Defends the GCSB Bill’ (August 2013), available at: http://
www.3news.co.nz/John-Key-defends-the-GCSB-bill/tabid/817/articleID/309018/Default.aspx
(accessed 28 August 213).
91. Trade between New Zealand and China has grown by over a third since the signing of the
2008 Free Trade Agreement between the two countries. See Matt Crawford, Alasdair
Thompson and Peter Conway, ‘Public Input into Free Trade Negotiations: The New Zeal-
and–China FTA’, in James Headley, Andreas Reitzig and Joe Burton (eds), Public Par-
ticipation in Foreign Policy (London: Palgrave Macmillan, 2012), p. 153.
236 Political Science 65(2)
geographical proximity, as New Zealand’s recent agreements with the UK, NATO and
the US demonstrate. In other words, while cyber threats are global in scope, cyber
cooperation can be too.
Third, the evidence in this article suggests that small states that remain outside for-
malised security pacts like NATO may need to compensate for the benefits and assets
they provide in the area of cyber security. The New Zealand government appears to have
recognised this, and its cooperation with NATO, the UK and through the Echelon net-
work provides a solid foundation for enhancing the country’s cyber security. There is a
broader point here with respect to alliances. The idea of collective defence is clearly
changing in the cyber security context. Collective defence is more problematic against
cyber attacks due to the difficulties of attribution, deterrence, the diversity in the type and
scope of attacks, and the fact that many cyber threats emanate from non-state actors.
However, that is not to say that alliances do not retain a useful function in confronting
cyber security challenges. Historically, alliances have provided a mechanism for the
defence of physical territory but they are also now providing tools and resources for the
defence of cyberspace. States are cooperating on these issues, developing capabilities
and sharing technologies, and small states are clearly benefiting from this. NATO, in par-
ticular, has undergone a process of adaption to globalised security threats in the post-
Cold War era, and an integral part of its refocusing has been the development of security
partnerships with a wider and more geographically distant group of non-NATO mem-
bers. Cyber security is an increasingly important part of that wider pattern of coopera-
tion, and New Zealand is increasingly involved. This also demonstrates that, even
though there are strategic rivalries between the great powers in cyberspace, countries that
have closely aligned strategic interests can make progress on cyber security issues.
Fourth, while there has been little progress within international institutions on cyber
security, the next decade could present opportunities for small states to influence the
development of international cooperation and the emergence of cyber security norms.
Despite recent assertions to the contrary, New Zealand’s reputation as a neutral, honest
broker is intact, and it is hard to see how a closer cyber security and intelligence part-
nership with the US and other states would practically inhibit its ability to articulate and
promote such norms. In fact there are many avenues of influence for New Zealand,
including through the Association of Southeast Asian Nations (ASEAN) Regional
Forum, through the Asia Pacific Cooperation (APEC) forum, at the UN (especially if
New Zealand is successful in its bid for a UN Security Council seat), and through Track
1.5 and Track 2 diplomacy. Success in these areas will depend upon New Zealand
forming coalitions with other small states and driving ‘small–small’ cooperation. As on
other security issues, small states’ institutional influence will also be contingent upon the
development of administrative capabilities and knowledge of the issues, and New
Zealand must choose to prioritise cyber security if it wishes to have a positive impact.
Ultimately, international cooperation on cyber security issues and norm development is
contingent upon great power cooperation, but small states working together could have a
positive role to play.
Finally, what are the ongoing challenges and opportunities for the cyber security
literature in this area? The three models of small state security outlined in this article
have proved to be useful lenses through which to analyse New Zealand’s cyber security
Burton 237
challenges. A tighter focus on how small states are responding to other globalised
security challenges, such as climate-related conflict, energy security and counterterror-
ism, would be beneficial. The literature would also benefit from a comparative perspec-
tive on how other small states are responding to cyber security issues. It should not be
assumed that New Zealand is a typical small state. Finally, the question of whether small
democratic states face different cyber security challenges to small non-democratic states
would be a fruitful avenue for research. The need to balance security and privacy may
well be substantially different in non-democracies, and patterns of alliance formation
and international cooperation are also likely to vary.
Acknowledgements
The author wishes to thank David Capie and Kate McMillan for their editorial help and the
reviewers for their constructive feedback and suggestions.
Author biography
Joe Burton is a Lecturer in the Political Science and International Relations Programme
at Victoria University of Wellington, New Zealand. He holds a PhD and Master of Inter-
national Studies degree from the University of Otago, and a BSc. Econ in International
Relations from the University of Wales, Aberystwyth. Joe’s doctoral research was on the
NATO alliance. His current research is focused on US and New Zealand foreign policy,
contemporary security issues, and how states, non-state actors, international organisa-
tions and alliances are adapting to deal with evolving strategic challenges. Joe has also
worked in professional politics: as a ministerial advisor, national campaign coordinator,
legislative assistant, researcher, and political organiser.
238 Political Science 65(2)