Article

Small states and cyber security:The case of New Zealand

Joe Burton

AbstractWhile there is a burgeoning literature on cyber security, little scholarly work has been com-pleted on how cyber security issues are affecting small states. This article attempts to contributeto the debate by exploring whether small states are facing unique or different challenges inenhancing their cyber security. Drawing on the extensive small states literature, the articlebegins by outlining three conceptual models of small state security, based on alliances, institu-tional cooperation and norms. These models are then applied to the small state cyber securitycontext. It is argued that institutional cooperation on cyber security issues and the emergence ofcyber security norms are being hindered by strategic rivalries between the United States, Russiaand China and that military alliances are struggling to adapt to collective defence against cyberthreats. The article then explores New Zealand’s cyber security strategy and outlines the var-ious domestic and international challenges that exist for New Zealand policymakers. The articlefinds: that a globalised cyber security environment is eroding New Zealand’s geographical iso-lation; that the New Zealand government is struggling to formulate a tenable balance betweensecurity and privacy in responding to cyber security issues.

KeywordsCyber security, New Zealand, small states

Introduction

When Estonian government ministries and media outlets were taken offline by a

barrage of cyber attacks in 2007, Estonian Prime Minister Andrus Ansip asked ‘What’s

the difference between a blockade of harbours or airports of sovereign states and the

Corresponding author:

Joe Burton, Political Science and International Relations Programme, Victoria University of Wellington, PO Box

600, Wellington, New Zealand.

Email: joe.burton@vuw.ac.nz

Political Science65(2) 216–238

ª The Author(s) 2013Reprints and permissions:

sagepub.co.uk/journalsPermissions.navDOI: 10.1177/0032318713508491

pnz.sagepub.com

blockade of government institutions and newspaper websites?’1 While this may have

been an example of ‘cyber hyperbole’, the event put cyber security firmly on the

international agenda. It also demonstrated some of the complex challenges involved in

responding to cyber attacks. How can states distinguish between the projection of

power in the physical world and the virtual one? How should states respond to cyber

attacks against their government ministries and critical infrastructure? What measures

can be put in place to enhance international cooperation to mitigate these kinds of

threats?

Since the Estonian attacks, many scholars have examined these broad cyber

security issues. What has been missing from this literature, however, is a conceptual

and empirical focus on the cyber security of small states and whether they face a

unique, or at least different, set of cyber security challenges.2 This article attempts to

begin to close that gap and proceeds in three main sections. First, drawing on the

existing small states literature, three conceptual models of small state security are

outlined, based on alliances, institutions and norms. Second, the article examines the

extent to which these conceptual approaches are applicable to small states and cyber

security, and considers some of the broader challenges for small states in this area.

Lastly, the article conducts an analysis of New Zealand’s cyber security strategy,

outlining New Zealand’s efforts to build domestic and international capacity in this

area and exploring the various domestic controversies and international challenges

that have troubled New Zealand policymakers.

Three models of small state security

Within the large literature on small states, the problem of defining what is meant by

‘small’ is a common theme. Most scholars have based their approaches on a com-

bination of material factors, such as the size of a state’s population and economy,

with small states being variously categorised as having upper population limits of

between 1 and 15 million and economies constituting less than 1% of world total

output.3 The size of a state’s geographical territory has also been included in the

mix of criteria and small states have generally been seen to have limited territorial

interests and outlooks.4 In perhaps the seminal work on the influence of small states

in international politics, Annette Fox argues that ‘Small powers are almost by

1. Quoted in Thomas Rid, ‘Think Again: Cyberwar’, Foreign Policy, No. 192 (March 2012), p. 81.

2. This article adopts a broad definition of cyber security, to include security from cyber attacks

(efforts to render computers and the networks that they are attached to inoperable) and cyber

exploitation (efforts to steal data from computers and computer networks and/or covertly

control them).

3. See Matthias Maass, ‘The Elusive Definition of the Small State’, International Politics, Vol.

46, No. 1 (January 2009), pp. 75–76; Peter R. Baehr, ‘Small States: A Tool for Analysis’,

World Politics, Vol. 27, No. 3 (April 1975), p. 460.

4. See, for example, Maurice A. East, ‘Size and Foreign Policy Behavior: A Test of Two

Models’, World Politics, Vol. 25, No. 4 (July 1973), p. 557.

Burton 217

definition local powers whose demands are restricted to their own and immediately

adjacent areas, while great powers exert influence over large areas.’5

Alliances

Moving beyond material definitions of what constitutes ‘smallness’, the security

strategies of small states can be divided into three main conceptual frameworks. First,

small states lack the capacity to apply power, and/or resist the application of power

against them by larger states.6 To compensate for this vulnerability, small states will

seek to enter into alliances with more powerful states. This can take the form of

balancing behaviour, where small states join forces against a threatening state, or

bandwagoning, where states join with a threatening state.7 As Omer de Raeymaker

observes, ‘the foreign policy of small states therefore aims at withstanding pressure

from the great powers’ and is based on ‘safeguarding their territorial integrity and

independence’.8 Alliances can be temporary and focused on a specific threat – such as

the ‘coalition of the willing’ that went to war against Iraq in 2003 – or long-term,

formalised and institutionalised security partnerships, as in the case of the North

Atlantic Treaty Organisation (NATO). The vulnerabilities of small states within the

international system can also lead to intra-alliance problems. Small states can experi-

ence entrapment, for example, where their interests are subsumed by larger states. As

Heinz Gaertner explains, ‘allied support often requires minor powers to make signif-

icant autonomy concessions, allowing allies, most notably major-power allies, to gain

influence over their minor-power alliance partners’.9 Small states may also be con-

cerned with abandonment: the fear that larger states may leave alliances if their inter-

ests are no longer served.10 In this model, the foreign policies of small states are

intertwined with those of the great powers and are shaped by great power competition.

This alliance-based framework was highly relevant to explaining the foreign policies

of small states during the Cold War. The formation of NATO and the Warsaw Pact,

for example, alleviated the security concerns of small European states and levelled the

asymmetries in power that existed on the European continent. The Cold War also took

the form of a zero-sum competition for superpower influence over small states.

5. Annette Fox, The Power of Small States: Diplomacy in World War 2 (Chicago, IL: Uni-

versity of Chicago Press, 1959), p. 3.

6. Matthias Maass, ‘The Elusive Definition of the Small State’, p. 72.

7. For the most comprehensive exploration of these dynamics, see Stephen Walt, The Origins

of Alliances (New York, NY: Cornell University Press, 1987).

8. Omer De Raeymaeker, ‘Introduction’, in Omer De Raeymaeker, Willem Andries, Luc Crollen

et al. (eds), Small Powers in Alignment (Leuven: Leuven University Press, 1974), p. 18.

9. Heinz Gartner, ‘Small States and Alliances’, in Erich Reiter and Heinz Gartner (eds), Small

States and Alliances (New York, NY: Physica-Verlag Heidelberg, 2001), p. 3.

10. For a detailed analysis of intra-alliance dynamics, see Glenn H. Snyder, Alliance Politics

(New York, NY: Cornell University Press, 1997).

218 Political Science 65(2)

Institutions

A second and contrasting model is derived from liberal institutionalism. This framework

examines how small states seek to establish rules and transparency within international

institutions and encourage cooperative approaches to international security issues. While

realist scholars continue to claim that institutions are dominated and maintained by great

powers to advance their own national interests,11 small state scholarship reveals a number

of cases where significant institutional influence has been achieved. Peter Jakobsen, for

example, reveals how small Nordic states enhanced the Civilian Crisis Management

agenda within the European Security and Defence Policy (ESDP), in spite of firm

opposition from France.12 The ability of small states to influence the agenda of the United

Nations (UN) Security Council has also been documented. Baldur Thorhallsson has argued

that when small states invest time and resources in the UN system, are perceived as neutral,

work on niche issues, develop administrative capabilities and actively work to build

coalitions, the extent of their influence can be disproportionate to their size.13 In this

respect, they can move from being beneficiaries of the UN system to active contributors to

it.14 Small states may also form their own institutions to advance shared interests. The

Association of Small Island States (AOSIS) advocates on the basis of its members’ shared

vulnerability to climate change and works to place pressure on large powers to cut carbon

emissions. While there has been slow progress in reducing global emissions, the associ-

ation has served as a ‘moral conscience’ within international negotiations and advanced its

members’ interests more effectively than had they worked in isolation.15

Implicit in the institutional approach are the notions that power itself has changed and

that a nation’s military capabilities are not the sole factor in determining its security. Soft

power, for example, which is the power of persuasion and attraction, can be effectively

employed by small states.16 A number of small state scholars have followed this line of

enquiry. Alan Chong argues that soft power can be used as a psychological and tactical

resource to shape perceptions of the motives of small states, and explains how a small

state’s foreign policy apparatus may possess among its human resources intellectual and

propagandistic skills that are disproportionate to its physical size.17 Annette Fox has

11. See, for example, Kenneth N. Waltz, ‘NATO Expansion: A Realist’s View’, Contemporary

Security Policy, Vol. 21, No. 2 (August 2000), p. 29.

12. Peter V. Jakobsen, ‘Small States, Big Influence: The Overlooked Nordic Influence on the

Civilian ESDP’, Journal of Common Market Studies, Vol. 47, No. 1 (January 2009), p. 96.

13. Baldur Thorhallsson, ‘Small States in the UN Security Council: Means of Influence?’, The

Hague Journal of Diplomacy, Vol. 7, No. 2 (2012), p. 159.

14. Baldur Thorhallsson, ‘Small States in the UN Security Council: Means of Influence?’, p. 146.

15. Jon Barnett and John Campbell, Climate Change and Small Island States: Power, Knowl-

edge and the South Pacific (London: Earthscan, 2010), p. 101.

16. Robert O. Keohane and Joseph S. Nye, ‘Power and Interdependence in the Information

Age’, Foreign Affairs, Vol. 77, No. 5 (September 2009), p. 86.

17. Alan Chong, ‘Small State Soft Power Strategies: Virtual Enlargement in the Cases of the

Vatican City State and Singapore’, Cambridge Review of International Affairs, Vol. 23, No.

3 (September 2010), p. 385.

Burton 219

highlighted how small states can utilise ‘economic, ideological, and diplomatic methods’

to advance their interests, and possess a ‘capacity to appeal to world interest’ when

threatened.18 Small states will often exhibit a firm commitment to international law, seek

multilateral solutions to security issues and generally refrain from the use of military force

to solve disputes.

Identity and norms

A third model of small state security is based on identity and norms. Leaders of small

states often perceive that they lack influence over their security environment and this

will inform the strategic direction of the state. In short, if a state perceives itself to be

small, it is. As Alan Henrikson notes:

The critical test of ‘smallness’ . . . is a state’s image and its related conduct. This way of

identifying the small state phenomenon is based on the recognition that some states regard

themselves and are regarded by others as ‘small states’, and behave accordingly – in a word,

deferentially or, sometimes instead, defiantly.19

According to Laurent Goetschel, small states may also develop a ‘security identity’,

which stems from ‘past behaviour and images and myths linked to it which have been

internalized over long periods of time by the political elite and population of a state’.20

Such an identity can be based around the promotion of peace, international law and a just

world order, and is an ideational and historical reaction to smallness. Goetschel argues

that this type of security identity was influential in shaping small European states’

attitudes towards the European Union (EU) as a security actor. Small states also have a

natural interest in promoting and developing international norms in international secu-

rity, broadly defined as acceptable standards of behaviour. Christine Ingebritson argues

that small Scandinavian states have acted as ‘norm entrepreneurs’ through their pro-

motion of conflict resolution mechanisms and the award of the Nobel Peace Prize, for

example.21 Similarly, Margarita Petrova documents how small states have had an impact

on the development of norms relating to prohibitions on the use of landmines and cluster

munitions, noting that the strong involvement of civil society in Belgium has driven

national and international attention to these issues.22

18. Annette Fox, The Power of Small States: Diplomacy in World War 2, p. 2.

19. Alan K. Henrikson, ‘A Coming ‘‘Magnesian’’ Age? Small States, the Global System, and the

International Community’, Geopolitics, Vol. 6, No. 3 (2001), p. 63.

20. Laurent Goetschel, ‘The Foreign and Security Policy Interests of Small States in Today’s

Europe’, in Laurent Goetschel (ed.), Small States Inside and Outside the European Union

(Dordrecht: Kluwer, 1998), p. 28.

21. Christine Ingebritsen, ‘Norm Entrepreneurs: Scandinavia’s Role in World Politics’, Coop-

eration and Conflict, Vol. 37, No. 11 (March 2002), pp. 11–23.

22. Margarita H. Petrova, ‘Small States and New Norms of Warfare’ (2007), p. 6, available at:

http://cadmus.eui.eu/bitstream/handle/1814/7644/MWP_2007_28.pdf?sequence¼1 (accessed

10 August 2013).

220 Political Science 65(2)

While distinctions between these three approaches are analytically useful, small states

might also pursue them simultaneously through their foreign policy. Norms can emerge

through partnerships in international institutions and through alliances. Conversely, the

simultaneous pursuit of alliances and norms can be problematic for small states; strong

security alignments may undermine the ability of small states to act as neutral arbiters on

security issues.

Small states and cyber security

To what extent can these models and approaches to the foreign policy of small states be

applied to cyber security? The evidence to date indicates that military alliances and

international institutions are only just beginning to respond politically and operationally

to cyber security issues, and that a strategic divide between the great powers is stifling

the emergence of cyber norms.

Alliances are commonly based on collective defence, whereby members will provide

mutual aid in the event of an attack. There is little evidence to suggest that this is hap-

pening in the cyber security arena. Although a crisis meeting was convened within NATO

during the cyber attacks against Estonia in 2007, NATO stopped short of invoking Article

V, its collective defence clause. As the Estonian Defence Minister acknowledged:

At present, NATO does not define cyber attacks as a clear military action. This means that the

provisions of Article V of the North Atlantic Treaty, or, in other words collective self-defence,

will not automatically be extended to the attacked country.23

Formulating a coherent alliance response to the attacks was also problematic. A

retaliatory cyber attack was impossible given the uncertain origins of the attacks, and the

Russian government refused to cooperate with Estonian authorities in investigating the

incident.24 On the other hand, the problems created by the Estonia case have driven the

intra-alliance focus on cyber security issues, and NATO’s enhanced cyber assets may

bring considerable benefits to its smaller members. NATO’s Emerging Security Chal-

lenges division, formed in 2010, has consolidated cyber security into strategic planning

and cyber security featured prominently in NATO’s 2010 Strategic Concept. The alli-

ance has also established a Cyber Defence Management Authority (CDMA), a Rapid

Reaction Team (RRT) – a team of experts that can be deployed quickly to respond to

cyber incidents – and a Cooperative Cyber Defence Centre of Excellence (CCD COE).

Similarly, cooperation within international institutions on cyber security issues is still

in an early stage of development. Progress within the UN Security Council has been

hampered by the strategic rivalries between its permanent five members, and the council

did not address or debate the Estonian cyber attacks of 2007, the Georgian attacks of

23. Quoted in Ian Traynor, ‘Russia Accused of Unleashing Cyberwar to Disable Estonia’ (May

2007), available at: http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

(accessed 10 August 2013).

24. Kertu Ruus, ‘Cyber War I: Estonia Attacked from Russia’, European Affairs, Vol. 9, Nos 1/2

(Winter/Spring 2008), p. 26.

Burton 221

2008 or the Stuxnet attack against Iran.25 The US and EU have resisted attempts to

establish UN-level governance of the Internet through the International Telecommunica-

tions Union, which is the UN’s specialised agency for information and communication

technologies (ICT),26 warning against creating a ‘prescriptive regulatory code for the

world’.27 The EU itself has only recently produced its first comprehensive Cyber Secu-

rity Strategy, and it is a long way from implementation. It also imposes significant resource

and compliance challenges for small states; EU members are required to establish a

national Computer Emergency Response Team (CERT), produce a Network and Informa-

tion Security (NIS) strategy, and designate an NIS-responsible authority with the necessary

resources to prevent, handle and respond to information security risks and incidents.28

International norms in the area of cyber security are also mired in the strategic riv-

alries between the world’s leading powers and it will be some time before acceptable

standards of cyber conduct are firmly rooted in the international system. Jason Healey

distils the problem succinctly:

There are at least two camps of behavior, with divergent views of what norms should be. In the

first group we have the United States and the United Kingdom and other nations arguing for

controls on cyber-crime but supporting the free flow of information. China and Russia lead the

opposite camp, which worries more about cross-border information which might destabilize

their societies (or, rather, the grip of the current leadership).29

This divide encapsulates the US desire to maintain a free and open Internet on the one

hand, with the Russian and Chinese priority of being able to control information on the

25. Tim Maurer has noted that the work of the UN Security Council has largely been limited to

the Working Group on Countering the Use of the Internet for Terrorist Purposes, part of the

Counter-Terrorism Implementation Task Force (CTITF). See Tim Maurer, ‘Cyber Norm

Emergence at the United Nations: An Analysis of the Activities at the UN Regarding

Cyber-security’ (September 2011), available at: http://belfercenter.ksg.harvard.edu/files/

maurer-cyber-norm-dp-2011-11-final.pdf (accessed 10 August 2013).

26. For the official US position, see US Department of State, ‘Fast Facts on United States

Submitting Initial Proposals to World Telecom Conference’ (August 2012), available at:

http://www.state.gov/e/eb/rls/fs/2012/195921.htm (accessed 10 August 2013).

27. New Zealand also voted against these changes. See Terry Kramer, ‘The WCIT: Globalizing

a Transatlantic Legacy’ (November 2012), available at: http://www.europeaninstitute.org/

EA-November-2012/the-wcit-globalizing-a-transatlantic-legacy.html (accessed 10 August

2013); Chris Keal, ‘NZ Joins US, other Western Nations in Rejecting UN Control of Inter-

net’ (December 2012), available at: http://www.nbr.co.nz/opinion/nz-will-vote-against-

un-taking-control-internet (accessed 11 August 2013).

28. European Union External Action Service, ‘EU Cybersecurity Plan to Protect Open Internet

and Online Freedom and Opportunity’ (February 2013), available at: http://europa.eu/rapid/

press-release_IP-13-94_en.htm (accessed 10 August 2013).

29. Jason Healey, ‘Breakthrough or Just Broken? China and Russia’s UNGA Proposal on Cyber

Norms’ (September 2011), available at: http://www.atlanticcouncil.org/blogs/new-atlanti

cist/breakthrough-or-just-broken-china-and-russia-s-unga-proposal-on-cyber-norms (acces-

sed 10 August 2013).

222 Political Science 65(2)

other. The divide is also evident in recent attempts at developing international cyber

security standards. In September 2011, for example, the Chinese and Russian dele-

gations to the UN wrote to the UN Secretary General proposing discussion of an

‘International Code of Conduct for Information Security’. While the code contained

some sensible provisions, it would also have established rights for states to censor the

Internet, including ‘curbing the dissemination of information’ that would undermine

‘other nations’ political, economic and social stability, as well as their spiritual and

cultural environment’.30

In addition to problems in applying each of these conventional approaches to cyber

security, there are a number of other challenges for small states in this area of policy. At a

technical level, the 13 countries with the highest Internet penetration rates – defined as

the percentage of people using the Internet during 2000–2012 – are small states: the

Falkland Islands, Iceland, Norway, Sweden, the Netherlands, Denmark, Luxembourg,

Bermuda, Finland, New Zealand, Liechtenstein, Qatar and Bahrain.31 This level of

reliance on information infrastructure may create enhanced vulnerabilities. A recent

report by McAffee suggests that ‘the less sophisticated and widespread a country’s

connection to the internet, the lesser the cyber-threat. The more services are on line, the

higher the risk of cyber-attack’.32 Small states with high levels of Internet penetration are

thus particularly vulnerable. Ross Stapleton-Gray and William Woodcock highlight

another potential technical problem for small states:

Many smaller countries have exactly one exchange, located in the capital city. But the greatest

number of countries, typically the smallest ones, has no Internet Exchange Point (IXP) at all.

This means that they are heavily dependent for their domestic connectivity upon international

data circuits.33

This issue applies to developing countries disproportionally, but all small states will

need to diversify their connectivity to guarantee their cyber security.

Joseph Nye has claimed that ‘the barriers to entry in the cyber domain are so low that non-

state actors and small states can play significant roles at low levels of cost’.34 However, the

30. Ministry of Foreign Affairs of the People’s Republic of China, ‘China, Russia and Other

Countries Submit the Document of International Code of Conduct for Information Security

to the United Nations’ (September 2011), available at: http://www.fmprc.gov.cn/eng/wjdt/

wshd/t858978.htm (accessed 10 August 2013).

31. International Telecommunications Union, ‘Time Series by Country (2000–2012) – Per-

centage of People Using the Internet’ (February 2013), available at: http://www.itu.int/en/

ITU-D/Statistics/Pages/stat/default.aspx (accessed 10 August 2013).

32. McAfee, ‘Cyber-security: The Vexed Question of Global Rules’ (February 2012), available

at: http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf (accessed 10

August 2013).

33. Ross Stapleton-Gray and William Woodcock, ‘National Internet Defense: Small States on

the Skirmish Line’, Communications of the ACM, Vol. 54, No. 3 (2011), pp. 50–55.

34. Joseph Nye, ‘Nuclear Lessons for Cyber Security?’, Strategic Studies Quarterly, Vol. 5, No.

4, (Winter 2011), p. 20.

Burton 223

evidence appears to indicate that small states are increasingly vulnerable to cyber attacks

originating from the world’s leading powers. According to Internet Security Provi-

der Symantec, the majority of malicious cyber activity originates from larger, more

powerful, states – the US (21.1%), China (9.2%), India (6.2%), Brazil (4.1%), Ger-

many (3.9%), Russia (3.2%) and the UK (3.2%).35 The world’s great powers are also

heavily investing in offensive cyber security capabilities and increasingly prepared

to use them in conflicts and disputes with smaller, weaker states. Russian cyber

attacks against Georgia in 2008, which preceded the Russian invasion and involved

extensive infiltration of Georgian government ministries and military units, serve as

an illustrative example of the disparity in cyber capabilities between small and large

states. The Stuxnet software deployed by the US against Iranian nuclear centrifuges

is widely considered one of the most sophisticated viruses ever to have been created,

and its development reflects America’s leading technological expertise. As Jeffrey

Carr has said, ‘nation-states are spending millions of dollars of development for

these types of cybertools, and this is a trend that will simply increase in the future’.36

The Obama administration boosted the cyber security budget of the Department of

Defense to US$4.7 billion in 201337 and the US military has incorporated both defen-

sive and offensive cyber security operations into strategic doctrine.38 Small states are

unlikely to be able to keep up with larger states in developing and resourcing offensive

and defensive capabilities.

Finally, the strategic focus of small states on local and regional foreign policy

interests is being undermined by cyber attacks. A state can be subjected to cyber attacks

from anywhere in the world in a matter of milliseconds. Small states do not have the

political, diplomatic or economic tools to respond to global issues in the same way that

large states do. That is not to say that the cyber security of small states will not be

influenced by geopolitical issues. The cyber vulnerabilities of small states will continue

to be linked, to some degree, with historical and geopolitical tensions with countries in

their immediate neighbourhoods. This was particularly evident in the Estonian and

Georgian cases.

35. Malicious activity includes data from malicious code reports, spam zombies, phishing

hosts, bot-infected computers, network attack origins and web-based attack origins.

See Symantec, ‘Symantec Report on Threat Activity Trends’ (2013), available at:

http://www.symantec.com/threatreport/topic.jsp?id¼threat_activity_trends&aid¼malici

ous_activity_by_source (accessed 10 August 2013).

36. Quoted in David Kushner, ‘The Real Story of Stuxnet’, IEEE Spectrum, Vol. 50, No.3

(March 2013), p. 53.

37. Andy Sullivan, ‘Obama Budget Makes Cybersecurity a Growing U.S. Priority’ (April 2013),

available at: http://articles.chicagotribune.com/2013-04-10/business/sns-rt-us-usa-fiscal-

cybersecuritybre93913s-20130410_1_cyber-command-cybersecurity-budget-proposal

(accessed 10 August 2013).

38. Tina Miles, ‘Army Activates First-of-its-kind Cyber Brigade’ (December 2011), available

at: http://www.army.mil/article/70611/Army_activates_first_of_its_kind_Cyber_Brigade/

(accessed 10 August 2013).

224 Political Science 65(2)

The case of New Zealand

Alliances, institutions and norms in New Zealand’s foreign policy history

New Zealand is a small state with a population of less than 4.5 million and a Gross

Domestic Product (GDP) equivalent to just 0.26% of the world economy.39 The coun-

try’s size, combined with its geographical isolation, has driven a historical foreign policy

that has fluctuated between alliances, institutional cooperation and norm promotion. In

the first half of the 20th century, New Zealand’s alliance with Great Britain was the

bedrock of its foreign policy and New Zealand troops fought in both world wars in

Britain’s defence. After World War II, due to Britain’s declining global influence and the

threat from communism in Asia, New Zealand sought a closer security relationship with

the US. This involved entry into the ANZUS alliance in 1951; a treaty-based, collective

defence pact with Australia and America. ANZUS formed the foundation of New Zeal-

and foreign policy for the next 30 years and New Zealand troops fought in the Korean

and Vietnam wars in support of their alliance partners. However, successive New Zeal-

and governments also promoted institutional cooperation and internationalist norms dur-

ing this period. New Zealand was a founding member of the UN and advocated a

strengthened role for small states within the new UN system.40 New Zealand also played

a significant role in the development of the United Nations Convention on the Law of the

Sea (UNCLOS), arguing that small states in the Pacific would ‘only obtain the full ben-

efit of their exclusive economic zones if other more powerful states are prepared to

respect their international obligations in this regard’.41

The decision in 1984 by the David Lange government to prohibit all nuclear armed or

propelled vessels from entering into New Zealand ports was perhaps the most prominent

example of a normative approach to New Zealand foreign policy, and one that had a

significant impact on its alliance relations. New Zealand had vehemently opposed

French nuclear testing in the region and played a prominent role in establishing a

nuclear-free zone in the South Pacific through the Treaty of Rarotonga (1985). A strong

domestic and international anti-nuclear movement had also emerged in the 1970s, which

generated political momentum towards a more moral and less strategic foreign policy.

As Robert Patman has argued:

New Zealand’s nuclear-free stance was a powerful symbol . . . the working assumption here

was that ideas and norms do matter at the international level, and a small country like New

39. Trading Economics, ‘New Zealand GDP’ (August 2013), available at: http://www.trad

ingeconomics.com/new-zealand/gdp (accessed 11 August 2013).

40. New Zealand Prime Minster Peter Fraser argued strongly against the establishment of a veto

power in the UN Security Council, despite the fact that Great Britain benefited greatly from

it, and for small states to have greater influence through a strengthened General Assembly.

See Malcolm McKinnon, Independence and Foreign Policy: New Zealand in the World

since 1935 (Auckland: Auckland University Press, 1993), pp. 57–62.

41. Quoted in Malcolm McKinnon, Independence and Foreign Policy: New Zealand in the

World since 1935, p. 270.

Burton 225

Zealand could make a positive difference through its own actions to the global security

situation.42

There was also a sense that the ANZUS alliance was no longer serving New

Zealand’s national interests and that the country was increasingly trapped in a rela-

tionship where its autonomy was being affected, particularly on the nuclear issue. As

David Lange said at the time, ‘what is now on public record about the ANZUS

meetings predictably suggests that the Americans did the talking and our side did the

listening’.43 Despite this growing sense of entrapment, the Lange government con-

tinued to see the broader benefits of the security partnership and the government did

not expect or intend for the nuclear-free policy to result in the breaking of the ANZUS

alliance. Opinion polls also indicated that the New Zealand public wanted to stay in

ANZUS despite their aversion to US nuclear weapons.44 In February 1985, however,

shortly after the USS Buchanan was refused entry, the US suspended high-level dip-

lomatic exchanges, restricted intelligence sharing and halted most forms of military

cooperation with New Zealand.

This strategic separation continued into the post-Cold War period. New Zealand

remained outside of formal alliance structures (apart from its close security relation-

ship with Australia) and formulated its foreign policy around the promotion of multi-

lateral cooperation through international institutions, particularly the UN. This

approach was reflected in the deployment of New Zealand soldiers to support the

UN-mandated mission in Bosnia (1992), a New Zealand role in the UN Regional Assis-

tance Mission to the Solomon Islands (2003), a peacekeeping role in East Timor

(1999–2012) and a strong contribution to the UN-mandated, NATO-led mission in

Afghanistan (2001–2013). New Zealand’s refusal to participate in the war against Iraq

in 2003 was also based on a commitment to the UN. Labour Prime Minister Helen

Clark stated that ‘regime change is not something that the UN is mandated to do’ and

argued that ‘Without the United Nations, multilateralism and respect for the interna-

tional rule of law, the world’s prospects would be bleak indeed’.45 The internationalist

orientation of New Zealand foreign policy in the post-Cold War era suggests, in con-

trast to the small states literature, that New Zealand was not solely focused on local and

regional security issues during this period.

More recently, the New Zealand–US security relationship has been reinvigorated. In

2005, the Helen Clark-led Labour government made a concerted effort to improve New

Zealand–US relations, which corresponded with a desire on the part of the US

42. Robert G. Patman, ‘Globalisation, Sovereignty, and the Transformation of New Zealand

Foreign Policy’ (2005), available at: http://www.victoria.ac.nz/hppi/centres/strategic-stu

dies/publications/working-papers/WP21.pdf (accessed 11 August 2013).

43. Quoted in Wade Huntley, ‘The Kiwi that Roared: Nuclear Free New Zealand in a Nuclear

Armed World’, The Nonproliferation Review, Vol. 4, No. 1 (March 1996), p. 8.

44. See Malcolm McKinnon, Independence in Foreign Policy: New Zealand in the World since

1945 (Auckland: Auckland University Press, 1993), p. 289.

45. Quoted in David McGraw, ‘New Zealand Foreign Policy Under the Clark Government: High

Tide of Liberal Internationalism’, Pacific Affairs, Vol. 78, No. 2 (Summer 2005), p. 225.

226 Political Science 65(2)

government to rebuild international partnerships after the invasion of Iraq.46 Intelli-

gence sharing was re-established in 2009 under the John Key-led National govern-

ment,47 and the Wellington and Washington Declarations (2010 and 2012) paved

the way for new high-level military and diplomatic exchanges between the two coun-

tries. This enhanced cooperation stemmed from America’s strategic ‘pivot’ to the

Asia-Pacific region, as articulated by Secretary of State Hillary Clinton in 2011, and

a desire to work with New Zealand in shaping ‘a rules-based regional and global

order’.48 It also reflected a view in the National Party that previous Labour govern-

ments had been too reliant on the UN and had neglected bilateral security partnerships.

As current Deputy Prime Minister, Bill English, has said, ‘As important as the United

Nations is as an international force, there are other international relationships for us

that are more strategic’.49 Robert Ayson and David Capie have argued that New Zeal-

and has re-established a de facto alliance with the US and that recent developments

reflect ‘a position of clear alignment in which New Zealand appears to have traded

in some of its independence chips’.50 While New Zealand has not abandoned institu-

tional cooperation and norm promotion, the pendulum has swung back towards ties

with ‘traditional’ partners.

New Zealand’s cyber security challenges: Domestic and internationalcapacity building

New Zealand’s recent cyber security challenges are closely linked with the emergence of

a globalised cyber security environment and indicate that focusing solely on local and

regional interests will not safeguard the country from cyber attacks. The New Zealand

Security Intelligence Service (SIS)51 has said that the incidence of such attacks is on the

increase in New Zealand, from 90 attacks categorised as a threat to government and

critical infrastructure in 2011, rising to 134 in 2012, with 60% of those emanating from

46. Bruce R. Vaughan, ‘The United States and New Zealand: Perspectives on a Pacific Part-

nership’ (August 2012), p. 21, available at: http://www.fulbright.org.nz/wp-content/uploads/

2012/08/axford2012_vaughn.pdf (accessed 26 August 2013).

47. Nicky Hager, ‘Wikileaks: Leaked US Cables Spill the Beans on NZ Ties’ (December 2010),

available at: http://www.nickyhager.info/wikileaks-leaked-us-cables-spill-the-beans-on-nz-

ties/ (accessed 11 August 2013).

48. Hillary Clinton, ‘America’s Pacific Century’ (November 2011), available at: http://

www.foreignpolicy.com/articles/2011/10/11/americas_pacific_century?page¼0,2 (accessed

26 August 2013).

49. Quoted in David McCraw, ‘New Zealand Foreign Policy Under the Clark Government: High

Tide of Liberal Internationalism?’, p. 224.

50. Robert Ayson and David Capie, ‘Part of the Pivot? The Washington Declaration and US–NZ

Relations’, Asia-Pacific Bulletin, No. 172 (July 2012), p. 2.

51. The SIS was established in 1956 and is responsible for investigating threats to New Zeal-

and’s national security (including sabotage, subversion, espionage and acts of terrorism),

collecting foreign intelligence and providing a range of protective security and advice

services to government.

Burton 227

overseas.52 The SIS 2012 Annual Report concluded that ‘New Zealand is subject to

systematic cyber intrusion targeting both government and key economic and intellectual

property generators’ and that ‘state sponsored actors posed the greatest threat to New

Zealand’. It also noted that foreign intelligence agencies were directly involved in cyber

espionage against government and private entities in New Zealand, although the agencies

responsible were not named in the report.53 Cyber attacks have also gained heightened

media attention in recent years. In October 2012, for example, a hacker gained access to

confidential client details through the Work and Income New Zealand (WINZ) website, and

in July 2013, ‘Anonymous New Zealand’ conducted distributed denial of service (DDoS)

attacks against at least a dozen National Party websites, including the personal website of

Prime Minister John Key. Cyber attacks directed against the private sector and the New

Zealand public are also a growing problem. A 2011 Symantec survey of 100 New Zealand

companies found two-thirds experiencing a cyber attack in the preceding 12 months, with

25% losing corporate data and 25% experiencing a financial loss of NZ$70,000.54 Recently

released statistics suggest that cybercrime against New Zealanders costs NZ$625 million

annually55 and one survey rated New Zealand mobile phone ‘app’ users in the 10 most vul-

nerable in the world to cyber attacks.56 Given that 44% of New Zealanders use smart phones,

this is a significant vulnerability.57

In order to respond to these growing challenges – and in the absence of broader

institutional cooperation and cyber security norms – New Zealand has taken steps to

enhance both its domestic cyber security capacity and its international cyber security

partnerships. The government has produced a National Cyber Security Strategy, which

aims to enhance New Zealand’s resilience across sectors to cybercrime, cyber espionage,

hacktivism and terrorist use of the Internet.58 A National Cyber Security Centre (NCSC)

has been established as part of the Government Communications Security Bureau

52. National Cyber Security Centre, ‘2012 Incident Summary’ (2012), pp. 2–4, available at: http://

ncsc.govt.nz/sites/default/files/articles/NCSC-%202012%20Incident%20Report_0.pdf (acces-

sed 11 August 2013).

53. New Zealand Security Intelligence Service, ‘Annual Report’ (September 2012), p. 19,

available at: http://www.nzic.govt.nz/assets/Publications/NZSIS-Annual-Report-2012.pdf

(accessed August 2013).

54. Symantec, ‘NZ Organisations Rank Cyber Attacks as #1 Risk’ (June 2011), available

at: http://www.scoop.co.nz/stories/SC1106/S00061/nz-organisations-rank-cyberattacks-

as-1-risk.htm (accessed 11 August 2013).

55. Government Communications Security Bureau, ‘Regulatory Impact Statement’ (March

2013), p. 10, available at: http://www.gcsb.govt.nz/about-us/documents/GCSB%20Act

%20Review%20Regulatory%20Impact%20Statement.PDF (accessed 11 August 2013).

56. Anonymous, ‘NZ App Users at Risk of Cyber Attacks – Survey’ (January 2013), available at:

http://www.nzherald.co.nz/business/news/article.cfm?c_id¼3&objectid¼ 10860719 (accessed

11 August 2013).

57. Anonymous, ‘NZ App Users at Risk of Cyber Attacks – Survey’.

58. Department of Prime Minister and Cabinet, ‘New Zealand’s Cyber Security Strategy’ (June

2011), p. 5, available at: http://www.dpmc.govt.nz/sites/all/files/publications/ncpo-speech-

nzisf-11apr13.pdf (accessed 11 August 2013).

228 Political Science 65(2)

(GCSB), which is New Zealand’s primary signals intelligence agency and part of the

Echelon network, along with the US National Security Agency (NSA), the UK Gov-

ernment Communications Headquarters (GCHQ), Australia’s Defence Signals Direc-

torate (DSD) and Canada’s Communications Security Establishment Canada (CSEC).

Stronger cyber security links are being formed between the New Zealand government

and private entities, particularly those responsible for providing critical infrastructure,59

and transnational cooperation is emerging. A new cyber security research facility at

Auckland’s Unitec Institute for Technology, for example, has developed links with

research institutes in Japan on cyber security issues.60

Despite these positive developments, New Zealand continues to face significant

resource challenges in enhancing its cyber security, and this is indicative of the

common challenges small states face in this and other areas of security policy. A

recent report into the role of the GCSB noted that the agency has fewer than 300

staff and ‘is very widely spread and in places very thin’.61 New Zealand’s intelli-

gence agencies have received a significant boost in funding since 2003, with a total

increase in budget for the SIS and GCSB from NZ$45 million in 2003 to NZ$97

million in 2012,62 yet staffing levels at the GCSB have fallen by 20% since 2007.63

Challenges also exist in retaining highly specialised ICT professionals in the public

sector, and keeping ICT specialists in New Zealand when there are higher-paid jobs

overseas. The New Zealand government has openly acknowledged these resource

challenges. A recent review of the GCSB’s functions revealed, ‘in a small jurisdic-

tion such as New Zealand we cannot afford to duplicate expensive and sophisticated

assets, and there are limited numbers of people that can work with such assets’.64

59. The NCSC has recently developed voluntary standards for operators of Industrial Control

Systems, for example. See Paul Nash, ‘Cyber Security: Why it Matters for New Zealand’

(April 2013), available at: http://www.dpmc.govt.nz/sites/all/files/publications/ncpo-

speech-nzisf-11apr13.pdf (accessed 11 August 2013).

60. Japan’s National Institute of Information and Communications Technology (NICT) and the

Nara Institute of Science and Technology (NAIST). The institutes will conduct decentralised

monitoring of the number of malicious threats on New Zealand networks and their country

of origin and will develop advanced information technologies in New Zealand.

61. Rebecca Kitteridge, ‘Review of Compliance at the Government Communications Security

Bureau’ (March 2013), p. 64, available at: http://www.gcsb.govt.nz/newsroom/reports-publi-

cations/Review%20of%20Compliance_%20final%2022%20March%202013.pdf (11 August

2013).

62. Pete George, ‘More Money and More Spies’ (July 2013), available at: http://yournz.org/

2013/07/16/more-money-and-more-spies/ (accessed 11 August 2013).

63. The agency went from a total of 370 staff in 2007 to 294 in 2012. See Government Com-

munications Security Bureau, ‘Annual Reports’ (2007 and 2012), available at: http://

www.gcsb.govt.nz/newsroom/annual-report.html (accessed 23 October 2013).

64. Office of the Minister Responsible for the GCSB Cabinet Domestic and External Security

Committee, ‘Review of Government Communications Security Bureau Act 2003’ (June

2013), p. 5, available at: http://www.nzic.govt.nz/assets/Uploads/GCSB-Cabinet-paper-

1.pdf (accessed 11 August 2013).

Burton 229

The volume of work generated by the agency is also likely to increase significantly

as a result of the growing number and diversity of cyber attacks against New Zeal-

and targets. More broadly, New Zealand continues to be reliant on intelligence from

its international partners. Bruce Ferguson, a former head of the GCSB, has said that

New Zealand receives approximately five times more intelligence than it produces

and continues to be dependent upon the US for intelligence relating to peacekeeping

operations and foreign troop deployments, including in Afghanistan, where New

Zealand forces were deployed after 9/11.65 As a small state, New Zealand continues

to be a net consumer of intelligence on a wide range of security issues, including

maritime security, trade and counterterrorism, and this dependency is likely to

continue.

In order to close this capabilities gap, the New Zealand government has focused

on extending its international cyber security partnerships. In June 2012, New

Zealand entered into an Individual Partnership Cooperation Programme with NATO,

which provides for consultation and cooperation on cyber security issues and con-

tinued intelligence sharing.66 In January 2013, Foreign Minister Murray McCully

announced a deal with the UK government that will allow New Zealand to benefit

from research and development at a new global cyber security facility in the UK,67

and the Washington and Wellington declarations have resulted in a high-level stra-

tegic dialogue between US and New Zealand officials on ‘cyber policy’ and ‘scien-

tific cooperation’.68 Alignment with the US has traditionally given its allies access

to strategies and technologies that have enhanced their security and this is increas-

ingly the case in the area of cyber security. In September 2011, moreover, around

the 60th anniversary of the signing of the ANZUS treaty, the US and Australian

governments announced that their ongoing ANZUS commitments would be

extended into cyberspace:

Mindful of our longstanding defense relationship and the 1951 Security Treaty between

Australia, New Zealand, and the United States of America (ANZUS Treaty), our Gov-

ernments share the view that, in the event of a cyber attack that threatens the territorial

integrity, political independence or security of either of our nations, Australia and the

65. Nick Perry and Paisley Dodds, ‘‘‘Five Eyes’’ Spy Alliance Will Survive Snowden’ (July

2013), available at: http://www.newsfactor.com/story.xhtml?story_id¼11000APTXRP6&

page¼2 (accessed 11 August 2013).

66. New Zealand Government, ‘Individual Partnership and Co-operation Programme between

New Zealand and NATO’ (June 2012), available at: http://www.beehive.govt.nz/sites/all/

files/New_Zealand_NATO_Partnership_and_Cooperation_Programme.pdf (accessed 28

August 2013).

67. Michael Field, ‘Super-Cyber Security NZ–UK Alliance’ (January 2013), available at:

http://www.stuff.co.nz/technology/digital-living/8180398/Super-cyber-security-NZ-UK-

alliance (accessed 11 August 2013).

68. US Department of State, ‘Joint Statement: US–New Zealand Strategic Dialogue’ (May

2013), available at: http://www.state.gov/r/pa/prs/ps/2013/05/209799.htm (accessed 28

August 2013).

230 Political Science 65(2)

United States would consult together and determine appropriate options to address the

threat.69

It is unclear from this statement how severe cyber attacks would need to be to trigger

collective action.70 Nevertheless, the reorientation of the US and Australian alliance

relationship to deal with cyber security challenges is a positive development, and one

that New Zealand will likely benefit from, even though it was not party to the statement.

GCSB reform: Domestic and international controversies

The most contentious aspect of New Zealand’s emerging cyber security strategy has

been changes to the role of the GCSB. The GCSB and Related Legislation Reform

Bill, which was passed by the New Zealand Parliament in August 2013, extended

the GCSB’s cyber security functions to the domestic arena, creating a legal basis for

the agency to intercept electronic communications from and to New Zealand citizens

and permanent residents for the first time.71 These reforms created a heated political

debate in New Zealand that highlighted the difficult task of achieving a tenable

balance between privacy and security in cyberspace. The New Zealand government

emphasised that intercepting communications was not the same as spying on New

Zealanders, and that only metadata – the origins and destinations of communications

and the type of malicious code attached – would be subject to interception in the

first instance, and on the basis of a warrant. John Key personally emphasised that a

second warrant would need to be issued to allow the content of electronic com-

munications to be analysed, and only when it related to a ‘significant threat’ to the

country.72 Such assurances have been greeted with a degree of scepticism by the

New Zealand public. Of respondents to one August 2012 Fairfax Media-Ipsos poll,

75.3% indicated that they were worried about plans to allow the GCSB to monitor

New Zealanders.73 However, in the same poll, over 50% of respondents stated that

they trusted the government to protect their right to privacy under the new system.

69. US Department of State, ‘U.S.–Australia Ministerial Consultations 2011 Joint Statement on

Cyberspace’ (September 2011), available at: http://www.state.gov/r/pa/prs/ps/2011/09/

172490.htm (accessed 2 September 2013).

70. For a detailed discussion of ANZUS and cyber security issues, see Andrew Davies, James

Andrew Lewis, Jessica Herrera Flanigan et al., ‘ANZUS 2.0: Cybersecurity and Australia–

US Relations’ (April 2012), available at: http://www.isn.ethz.ch/Digital-Library/Publi

cations/Detail/?ots591¼0c54e3b3-1e9c-be1e-2c24-a6a8c7060233&lng¼en&id¼161646

(accessed 2 September 2013).

71. And to share that information with the New Zealand Police, the New Zealand Defence Force

(NZDF) and the SIS, although when doing so, it will be subject to the various statutory

regulations that bind those agencies.

72. John Key, ‘GCSB: Prime Minister John Key’s Speech’ (August 2013), available at: http://

www.stuff.co.nz/national/politics/9070452/GCSB-Prime-Minister-John-Keys-speech (accessed

2 September 2013).

73. Andrea Vance, ‘Kiwis Do Care, Prime Minister’ (August 2013), available at: http://www.stu

ff.co.nz/national/politics/9066527/Kiwis-do-care-prime-minister (accessed 2 September 2013).

Burton 231

While the balance between privacy and security has been a central issue in this

debate, it is difficult to argue that this is a particular problem for New Zealand or,

indeed, for small states. The political and legal controversies around this legislation,

however, do illustrate some of the challenges that small states face in enhancing

their cyber security. First, the erosion of New Zealand’s geographical isolation is

evident in its struggle to respond to global cyber security challenges. The government’s

justification for the extension of state power to the domestic arena was explicitly framed

in the context of New Zealand’s adaptation to the global challenges of the post-9/11

security environment. In April 2013, John Key referred to ‘evidence of cyber espionage

in New Zealand’, including ‘covert attempts to acquire New Zealand science and

technology for programmes relating to weapons of mass destruction or weapons

delivery systems’.74 In July 2013, he said:

In New Zealand there are people who have been trained for al-Qaeda camps who operate out of

New Zealand, who are in contact with people overseas, who have gone off to Yemen and other

countries to train. I’m sorry, but that’s the real world.75

The explanatory note to the bill also recognised some of the challenges small

states are confronting in the area of cyber security, and especially the tension

between a focus on local/regional security issues and globalised security challenges.

It stated that ‘New Zealand faces a changing security environment in which threats

are increasingly interconnected and national borders are less meaningful’, and

claimed that ‘Globalisation means New Zealand is no longer as distant from security

threats as it once was’.76

The scandal over the interception of Kim Dotcom’s electronic communications, the

founder of the ‘Megaupload’ file-sharing website, was also particularly prominent in

driving changes to the GCSB’s role. Dotcom was indicted by US authorities on 5 Jan-

uary 2012 on charges including online piracy, copyright infringement and money

laundering. On 20 January 2012, the New Zealand police, working with the US Fed-

eral Bureau of Investigation (FBI), raided Dotcom’s Auckland mansion. The legal

case that followed revealed: that warrants used in the raid were illegal because they

were used to seize material that was irrelevant to the investigation; that the FBI had

illegally copied the contents of computer hard drives seized in the raid; and that the

GCSB had unlawfully spied on Dotcom prior to the raid, supplying information to the

police relating to his movements and personal communications. Dotcom was granted

74. Anonymous, ‘Key Reveals WMD Cyber Terrorism Threat to NZ’ (April 2013), available at:

http://tvnz.co.nz/national-news/key-reveals-wmd-cyber-terrorism-threat-nz-5407210 (accessed

11 August 2013).

75. Rebecca Quilliam and Claire Trevett, ‘PM Justifies Spy Bill: Kiwis Trained by Al-Qaeda’

(August 2013), available at: http://www.nzherald.co.nz/nz/news/article.cfm?c_id¼1&

objectid¼10906592 (accessed 11 August 2013).

76. Government Communications Security Bureau and Related Legislation Amendment Bill,

‘Explanatory Note’ (2013), available at: http://www.nzic.govt.nz/assets/Publications/

GCSB-and-related-legislation-amendment-bill.pdf (accessed 11 August 2013).

232 Political Science 65(2)

New Zealand permanent residency in November 2010, and was thus protected from

GCSB surveillance under the previous statutory framework. As a result of the contro-

versy, an investigation into the activities of the GCSB took place, which culminated in

the release of the Kitteridge Report. The report revealed 55 incidences of unlawful

GCSB surveillance over nine years, involving 88 New Zealand citizens and permanent

residents.77 The 2013 GCSB bill thus provided a new legal basis for activities that the

agency had already been carrying out.

The release of classified information by former NSA contractor Edward Snowden

also had a significant impact on the New Zealand debate. In a series of leaks in July and

August 2013, as the GCSB bill was being debated, Snowden revealed that the US

government had been collecting, processing and analysing vast data and phone records

from some of the world’s leading ICT companies and covertly tapping into global fibre-

optic cables with a view to monitoring electronic communications. The activities of the

NSA demonstrate the enormous power that the US has accumulated in cyberspace and

the capabilities gap that exists between small and large states, as detailed in the previous

section. Snowden also directly emphasised links between the National Security Agen-

cy’s (NSA) activities and the Echelon network, revealing that the NSA had been funding

the UK GCHQ since 200978 and claiming that America’s Five Eyes partners ‘sometimes

go even further than the NSA people themselves’.79 The New Zealand government’s

strategy for enhancing New Zealand cyber security has been tarnished and complicated

by the global controversy created by the affair and there has been an unprecedented

degree of conflation between the privacy issues involved and New Zealand’s core cyber

security interests.

Another controversy that has influenced New Zealand’s emerging cyber security

strategy relates to China’s extension into the New Zealand broadband market. The New

Zealand government awarded a major contract to Chinese firm Huawei in 2011 as part of

the rollout of New Zealand’s ultra-fast broadband initiative. In October 2012, the US

House Intelligence Committee stated that the company’s provision of equipment to

US critical infrastructure ‘could undermine core U.S. national security interests’, and

noted the links between company directors and the Chinese Communist Party and mil-

itary.80 The Australian government blocked a broadband contract on the basis of security

77. Rebecca Kitteridge, ‘Review of Compliance at the Government Communications Security

Bureau’, p. 18.

78. Nick Hopkins and Julian Borger, ‘Exclusive: NSA Pays £100 m in Secret Funding for

GCHQ’ (August 2013), available at:http://www.theguardian.com/uk-news/2013/aug/01/

nsa-paid-gchq-spying-edward-snowden (accessed 2 September 2013).

79. Anonymous, ‘Snowden Links NZ to US Spy Programme’ (July 2013), available at: http://

www.stuff.co.nz/world/americas/8893187/Snowden-links-NZ-to-US-spy-programme (accessed

2 September 2013).

80. Mike Rogers and Dutch Ruppersberger, ‘Investigative Report on the U.S. National Security

Issues Posed by Chinese Telecommunications Companies Huawei and ZTE’ (October

2012), p. vi, available at: http://intelligence.house.gov/sites/intelligence.house.gov/files/

Huawei-ZTE%20Investigative%20Report%20%28FINAL%29.pdf (accessed 28 September

2013).

Burton 233

concerns.81 Huawei have labelled suggestions that they are a threat as ‘baseless’, but the

controversy raises important questions for New Zealand’s cyber security.82 Why did

New Zealand’s assessment of the risks differ from that of its security partners, and if the

New Zealand government had blocked the contract, would the country’s close economic

relationship with China have been affected?

Collectively, these scandals have focused the attention of the New Zealand public on

the country’s renewed status as a de facto ally of the US, and the GCSB’s relationship

with the NSA has come under greater scrutiny. There have been a number of recent

assertions that New Zealand’s political autonomy is being undermined by this rela-

tionship and that changes to the powers of the GCSB have been driven by US influence.

Kim Dotcom has claimed that John Key has a ‘subservient relationship with the United

States’ and that ‘The GCSB was utilised to surveil all my communication in order to give

the US Government full access to all my communication’.83 An editorial for the Waikato

Times, entitled ‘NZ: 51st State of the US’, suggested that the affair had ‘Heightened

suspicions that this country’s relationship with the United States has become one of

servility rather than friendship’ and argued that ‘The Government’s unquestioning

readiness to co-operate with American authorities seriously corrodes our claims to be an

independent state’.84 Hone Harawira, leader of the Mana Party, has said that the NZ–US

cyber security partnership could undermine the country’s status at the UN and its bid for

a UN Security Council seat in 2015:

Now New Zealand wants a seat of the UN Security Council and our case will inevitably be

tainted by our association with US foreign policy strategies operating through the GCSB. In

recent years the National government has pushed New Zealand further into the US corner and

further from the independence which would give us greater assurance and credibility in the

world.85

These arguments are not just being made by opposition politicians. Rodney Harrison

QC, a prominent New Zealand lawyer, has claimed that the GCSB’s Waihopai satellite

communications interception station is ‘tacitly treated by government and the GCSB as

an operation of the USA and other security partners not covered by the New Zealand

81. Charles Arthur, ‘China’s Huawei and ZTE Pose National Security Threat, Says US Com-

mittee’ (October 2012), available at: http://www.theguardian.com/technology/2012/oct/08/

china-huawei-zte-security-threat (accessed 11 August 2013).

82. Charles Arthur, ‘China’s Huawei and ZTE Pose National Security Threat, Says US

Committee’.

83. Quoted in Andrea Vance, ‘Dotcom More Popular than Banks’ (October 2012), available

at: http://www.stuff.co.nz/dominion-post/news/politics/7802709/Dotcom-more-popular-

than-Banks (accessed 11 August 2013).

84. Waikato Times, ‘Editorial – NZ: 51st state of the US’ (September 2012), available at: http://

www.stuff.co.nz/waikato-times/opinion/editorials/7730013/Editorial-NZ-51st-state-of-

the-US (accessed 11 August 2013).

85. Mana Party, ‘Mana Calls for NZ to Withdraw from Spy Network’ (July 2013), available at:

http://www.scoop.co.nz/stories/PA1307/S00436/mana-calls-for-nz-to-withdraw-from-

five-eyes-spy-network.htm (accessed 11 August 2013).

234 Political Science 65(2)

legislation’. He has further claimed that the issue ‘goes to the heart of New Zealand’s

sovereignty – our right to independent self-government without interference from out-

side’.86 The potential impact of the close US–New Zealand cyber security partnership

on New Zealand’s relationships with its Asian trading partners has also come under

increasing scrutiny. Former diplomat Terence O’Brien has argued that ‘our important

relationships in Asia could be compromised by our close association with the US and its

hoovering up of big data’,87 and Dr Russel Norman, leader of the New Zealand Green

Party, has said that ‘China would view the Five Eyes network with some concern. There

is no doubt they would view Five Eyes as an impediment to a better relationship with

New Zealand’.88

But how accurate are these claims? Are New Zealand’s interests and autonomy

being subsumed by the country’s cyber security links to its larger, more powerful,

security partners? Kim Dotcom’s assertion that New Zealand has a subservient rela-

tionship with the US should be treated with caution, especially as he is facing extra-

dition to the US. The notion that New Zealand’s cyber security links to the US will

undermine New Zealand’s bid for a seat on the UN Security Council in 2015 is

similarly unpersuasive. New Zealand’s two rival candidates for the seat – Spain and

Turkey – are both NATO members and close US allies. It is unlikely that these issues

would be raised by these countries during the UN selection process and there has been

no criticism from foreign governments relating to New Zealand’s cyber security links

with the US. The New Zealand government has also directly refuted claims that its

interests and autonomy are being undermined by the US–New Zealand intelligence and

cyber security partnership. In April 2010, after protests and vandalism at the Waihopai

signals intelligence facility, the GCSB took the uncommon step of publicly empha-

sising New Zealand’s independence, claiming that ‘The Waihopai station is not a US-

run ‘‘spybase’’. It is totally operated and controlled by New Zealand, through the

GCSB as an arm of the New Zealand Government’.89 John Key has further stated that

the GCSB bill gives the agency a clear legal framework that establishes rules around its

cooperation with its intelligence partners. In response to a question from New Zealand

journalist John Campbell, Mr Key said: ‘If you are asking us do we in New Zealand go

round the back door and ask our partners to do things for us that would be otherwise not

86. Quoted in Chris Barton, ‘Can NZ Say No to the US?’ (August 2013), available at: http://

www.nzherald.co.nz/opinion/news/article.cfm?c_id¼466&objectid¼10908486 (accessed

11 August 2013).

87. Terence O’Brien, ‘Five Eyes an Anachronistic Setup’ (July 2013), available at: http://www.stuff.

co.nz/dominion-post/comment/columnists/8881376/Five-Eyes-an-anachronistic-setup (accessed

11 August 2013).

88. Quoted in David Fisher, ‘Secret Network ‘‘Has to Be in Probe’’’ (June 2013), available at:

http://www.nzherald.co.nz/nz/news/article.cfm?c_id¼1&objectid¼10890675 (accessed 11

August 2013).

89. Government Communications Security Bureau, ‘Press Release: GCSB Directors Refute

Allegations Concerning the WAIHOPAI Station’ (April 2010), available at: http://

www.scoop.co.nz/stories/PO1004/S00071.htm (accessed 28 August 2013).

Burton 235

legal for GCSB to do, the answer is unequivocally no’.90 Finally, China has always

viewed New Zealand as being closely aligned with the US. While a delicate balancing

act is emerging in managing New Zealand’s economic relationship with China and its

security relationship with the US, trade with China is unlikely to be undermined by

these links.91

Conclusion

New Zealand has experienced a polarising and contentious debate about the power of the

state to intercept online communications, and a series of political scandals have high-

lighted the difficult task New Zealand faces in adapting to a rapidly evolving cyber

security environment. Achieving an acceptable balance between security and liberty is

not a new challenge, yet the balance may be more difficult to achieve given the glo-

balisation of security threats and the growth in malicious online activity. To a large

extent, however, finding this balance is a challenge faced by all states regardless of their

size, and it is useful to separate this aspect of the debate from New Zealand’s emerging

cyber security strategy.

So, do small states face unique or different challenges in enhancing their cyber

security arena, and how does New Zealand’s cyber security strategy relate to the

established small states literature detailed in the first two sections of this article? First, it

is clear that New Zealand faces significant technical hurdles and resource challenges.

New Zealand is struggling to commit the necessary financial resources to effectively

enhance its cyber security, and faces a challenge in developing the human resources,

technical expertise and knowledge to keep up with a rapidly changing cyber security

environment. There is also a growing cyber capabilities gap between small and large

powers, which makes small states vulnerable. While claims about New Zealand’s lack of

autonomy in its cyber and intelligence links should be treated with caution, there may be

a growing dependency on its international partners in the cyber security arena.

Second, New Zealand’s international engagement in the post-Cold War era suggests

that its foreign policy has not been solely or even primarily focused on local and

regional interests. This more globally focused foreign policy does not fit well with the

existing small states scholarship. Globalisation appears to have enlarged the security

interests and outlook of New Zealand and this may be the case for other small states

too. Cyber security issues are also clearly global in scope and make the pursuit of a

locally and regionally focused foreign policy increasingly unrealistic and untenable.

However, cyber security cooperation is not contingent on states being in close

90. John Key, ‘John Key Defends the GCSB Bill’ (August 2013), available at: http://

www.3news.co.nz/John-Key-defends-the-GCSB-bill/tabid/817/articleID/309018/Default.aspx

(accessed 28 August 213).

91. Trade between New Zealand and China has grown by over a third since the signing of the

2008 Free Trade Agreement between the two countries. See Matt Crawford, Alasdair

Thompson and Peter Conway, ‘Public Input into Free Trade Negotiations: The New Zeal-

and–China FTA’, in James Headley, Andreas Reitzig and Joe Burton (eds), Public Par-

ticipation in Foreign Policy (London: Palgrave Macmillan, 2012), p. 153.

236 Political Science 65(2)

geographical proximity, as New Zealand’s recent agreements with the UK, NATO and

the US demonstrate. In other words, while cyber threats are global in scope, cyber

cooperation can be too.

Third, the evidence in this article suggests that small states that remain outside for-

malised security pacts like NATO may need to compensate for the benefits and assets

they provide in the area of cyber security. The New Zealand government appears to have

recognised this, and its cooperation with NATO, the UK and through the Echelon net-

work provides a solid foundation for enhancing the country’s cyber security. There is a

broader point here with respect to alliances. The idea of collective defence is clearly

changing in the cyber security context. Collective defence is more problematic against

cyber attacks due to the difficulties of attribution, deterrence, the diversity in the type and

scope of attacks, and the fact that many cyber threats emanate from non-state actors.

However, that is not to say that alliances do not retain a useful function in confronting

cyber security challenges. Historically, alliances have provided a mechanism for the

defence of physical territory but they are also now providing tools and resources for the

defence of cyberspace. States are cooperating on these issues, developing capabilities

and sharing technologies, and small states are clearly benefiting from this. NATO, in par-

ticular, has undergone a process of adaption to globalised security threats in the post-

Cold War era, and an integral part of its refocusing has been the development of security

partnerships with a wider and more geographically distant group of non-NATO mem-

bers. Cyber security is an increasingly important part of that wider pattern of coopera-

tion, and New Zealand is increasingly involved. This also demonstrates that, even

though there are strategic rivalries between the great powers in cyberspace, countries that

have closely aligned strategic interests can make progress on cyber security issues.

Fourth, while there has been little progress within international institutions on cyber

security, the next decade could present opportunities for small states to influence the

development of international cooperation and the emergence of cyber security norms.

Despite recent assertions to the contrary, New Zealand’s reputation as a neutral, honest

broker is intact, and it is hard to see how a closer cyber security and intelligence part-

nership with the US and other states would practically inhibit its ability to articulate and

promote such norms. In fact there are many avenues of influence for New Zealand,

including through the Association of Southeast Asian Nations (ASEAN) Regional

Forum, through the Asia Pacific Cooperation (APEC) forum, at the UN (especially if

New Zealand is successful in its bid for a UN Security Council seat), and through Track

1.5 and Track 2 diplomacy. Success in these areas will depend upon New Zealand

forming coalitions with other small states and driving ‘small–small’ cooperation. As on

other security issues, small states’ institutional influence will also be contingent upon the

development of administrative capabilities and knowledge of the issues, and New

Zealand must choose to prioritise cyber security if it wishes to have a positive impact.

Ultimately, international cooperation on cyber security issues and norm development is

contingent upon great power cooperation, but small states working together could have a

positive role to play.

Finally, what are the ongoing challenges and opportunities for the cyber security

literature in this area? The three models of small state security outlined in this article

have proved to be useful lenses through which to analyse New Zealand’s cyber security

Burton 237

challenges. A tighter focus on how small states are responding to other globalised

security challenges, such as climate-related conflict, energy security and counterterror-

ism, would be beneficial. The literature would also benefit from a comparative perspec-

tive on how other small states are responding to cyber security issues. It should not be

assumed that New Zealand is a typical small state. Finally, the question of whether small

democratic states face different cyber security challenges to small non-democratic states

would be a fruitful avenue for research. The need to balance security and privacy may

well be substantially different in non-democracies, and patterns of alliance formation

and international cooperation are also likely to vary.

Acknowledgements

The author wishes to thank David Capie and Kate McMillan for their editorial help and the

reviewers for their constructive feedback and suggestions.

Author biography

Joe Burton is a Lecturer in the Political Science and International Relations Programme

at Victoria University of Wellington, New Zealand. He holds a PhD and Master of Inter-

national Studies degree from the University of Otago, and a BSc. Econ in International

Relations from the University of Wales, Aberystwyth. Joe’s doctoral research was on the

NATO alliance. His current research is focused on US and New Zealand foreign policy,

contemporary security issues, and how states, non-state actors, international organisa-

tions and alliances are adapting to deal with evolving strategic challenges. Joe has also

worked in professional politics: as a ministerial advisor, national campaign coordinator,

legislative assistant, researcher, and political organiser.

238 Political Science 65(2)