GCSB's warning to ministers about sending classified information via apps

Newshub can reveal the strict guidelines for ministers about what phone applications they can use to send classified information, but experts are concerned the rules are out of date.

The Government Communications Security Bureau (GCSB) updated its advice to ministers in 2017, warning them not to send classified information via apps "such as" Skype, Snapchat, WhatsApp, Wickr and Messenger. 

Security experts are now questioning why the advice hasn't been updated since then, and for what reason those specific apps were mentioned. 

"Applications such as those must not be used to convey classified information," the advice, obtained by Newshub under the Official Information Act, said. 

"Classified and sensitive conversations should only be held within embassies or secure compartmented information facilities using secure communications, or in person."

It said the apps mentioned use encryption but it is not government-level encryption accredited by the New Zealand Intelligence Community (NZIC) "designed to protect against sophisticated actors". 

In a 2016 briefing paper to then-GCSB Minister Chris Finlayson, it said the risks were reinforced following a security scare in Australia. 

It was revealed at the time former Australian PM Malcolm Turnbull and senior cabinet ministers had been using WhatsApp to conduct confidential discussions, prompting security experts to issue warnings about the risks. 

The GCSB's advice to ministers was then updated to say "only approved, secure, communications devices and applications should be used for communicating official government business". 

Some of the advice:

  • Never use personal mobile devices for official business
  • Never use private email accounts for official information
  • Never forward email from corporate email systems to personal email accounts
  • Ensure that PINs and passwords are regularly changed
  • If device goes missing, treat it as compromised
  • If device isn't being used, consider disabling wireless and Bluetooth

Was the advice good enough? 

Just a few months ago, WhatsApp suspected a security breach may have come from a government using surveillance technology developed by a private company - and yet the advice to ministers hasn't been updated for years. 

The Prime Minister's use of the app was revealed last year when her correspondence with Derek Handley was released by the Government, following a controversial CTO recruitment process.     

Alastair Nisbet from Auckland University of Technology's Computer Science Department said the Government puts too much trust in the companies that own apps. 

"The issue from the Government's point of view is that they are to a certain extent trusting these companies to tell us that their encryption is robust," he told Newshub. 

"It's all very well to say these applications are considered suitable for use at this level now, but whether they will be considered suitable in a year's time, is a different question.

"Even messages that were sent a year ago may still be something that you want to keep confidential, but technology has moved on."

Minister Responsible for the GCSB, Andrew Little.
Minister Responsible for the GCSB, Andrew Little. Photo credit: Getty

GCSB Minister Andrew Little said the advice provided in 2016 and 2017 "remains current" and "continues to be effective mitigation" for the risks associated with using third party communication apps on personal devices. 

"All technology carries risks," he told Newshub. 

A spokesperson for the GCSB also insisted the advice remains current, based on the agency having access to classified intelligence as well as its own understanding of technology developments. 

"The advice and briefings identify examples of messaging applications; the list is not intended to be exhaustive. Instead, the advice applies to all applications of this nature," the spokesperson said.  

"In an environment where products continue to evolve and new products are constantly coming to the market, our approach is to identify risks, and recommend actions that can be taken to mitigate the range of risks."

Ian Welch from Victoria University in Wellington's School of Engineering and Computer Science said the list of apps provided was useful, but also seemed incomplete. 

"I would expect them to have WeChat - it seems like an incomplete list," he said, referring to the Chinese messaging app, which is understood to be used for mass surveillance in China. 

Nisbet agreed that the list should have provided more specific reasons for why those apps listed aren't considered secure enough to send classified information. 

He said each of the apps "should be looked at" individually and reasons should be provided for "whether they're acceptable or not... rather than 'we just don't want people to use it', because people will use it."

The Government's cyber-security strategy for 2019 recognised the challenges in maintaining cyber-security in a rapidly evolving technology landscape. 

It highlighted the 2017 WannaCry ransomware outbreak that affected over 200,000 computers in at least 100 countries. It was linked to North Korea, which the GCSB acknowledged at the time. 

Welch said ministers need to be careful and use common sense, especially with the potential for increasing national security issues posed by the adoption of 5G.

"You can compartmentalise your traffic talking to constituents and stuff like that. But you certainly wouldn't want to use those apps for anything top secret. "