Saturday, September 20, 2014

Whose Speargun is it?

In a hard to find post in the technology section of the stuff website, it was reported that the GCSB had confirmed on Friday the existence of ‘Project Speargun’, as Glenn Greenwald had claimed on Monday.

The site quotes an unnamed “GCSB spokesman” saying that Speargun was “a core component of the cyber defence project in its earlier iterations”, i.e. that it was the discarded ‘Option 2’ mentioned in the papers released by John Key few days earlier.

This is supposed to confirm what John Key said - that it was an option that never went past a business case, and that he stopped it because it was too intrusive.

What it does confirm is the veracity of Greenwald’s documents. But it doesn’t let Key or the GCSB off the hook, really.

According to the hastily declassified papers, the Cabinet Committee on State Sector Reform and Expenditure Control in April 2012 “directed the GCSB to develop a Detailed Business Case for implementation of Option 2 [Speargun] in 2013”, noting that “the implementation of Option 2 is preferred.” The committee includes of course John Key, therefore it was also his preferred option in 2012.

The NSA document from early 2013 states:
GCSB's cable access programme SPEARGUN phase 1; awaiting new GCSB Act expected July 2013; first meta data probe mid 2013.
This definitely sounds more like a project plan than the development of a business case.

Then in September 2013, cabinet “rescinded the decision [...] on the development of a detailed business case for Option 2”. Note the wording – it does not say that cabinet looked at the business case and decided not to proceed with it, as John Key claims, but that cabinet no longer required the development of the business case. Without the project being detailed, how did Key come to the conclusion that his previously preferred option was suddenly too intrusive?

One would have thought that a year and a half after being asked to develop a business case for a project that was “a core component of the cyber defence project” (according to the anonymous GCSB spokesperson), the GCSB would have done so. It sounds unlikely that the GCSB would not have made it a high priority to get on with it. Are we supposed to believe that the GCSB doesn’t really care about cyber security?

So we have the NSA document pointing to project ‘Speargun’ being well under way, with a first test having been planned for mid 2013, and a (previously top secret) cabinet paper from several months later, telling the GCSB not to bother with writing the business case for it. Could it be that this was because by that time the project had been taken over by the NSA?

What speaks for this theory is that the first paper from 2012 mentions that ‘Option 2’ “requires significant scoping and consultation in order to identify the full range of risks and dependencies for the government”, i.e. it was quite complex and possibly beyond the capabilities of the GCSB.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.