Government Data Security Crisis: Unvetted Third Parties Handle Sensitive Information
A concerning pattern of cybersecurity vulnerabilities has emerged across New Zealand's public sector, with government agencies reporting that sensitive data is being managed by unvetted third-party vendors, according to a Treasury report obtained by RNZ.
The revelation highlights systemic weaknesses in how our digital-first government protects citizen data while navigating the complex landscape of cloud computing and offshore services.
Transparency Delayed, Questions Unanswered
The Government Communications Security Bureau (GCSB) took an unprecedented 120 working days to respond to official information requests about these security concerns, six times as long as legally required. Director-general Andrew Clark apologised for the delay but refused to answer virtually all questions posed by RNZ.
"Some agencies reported that vendors had offshored some services without their prior approval, meaning government data was being managed or held by unvetted third parties," the Treasury's quarterly investment report revealed. This practice raises serious questions about data sovereignty and the protection of New Zealanders' personal information.
Market Size Creates Vulnerability
The report suggests New Zealand's small market size contributes to these security gaps. Limited competition and reduced vendor investment in our comparatively smaller contracts create a perfect storm of poor service delivery and security vulnerabilities.
"Low competition, coupled with poor service delivery from some vendors, has also led to high reliance by many Government agencies on the same few vendors," the Treasury noted. This concentration risk means a single cybersecurity incident could cascade across multiple government departments.
Many agencies have become increasingly dependent on cloud computing services from major US technology companies, raising questions about digital sovereignty and data protection in our interconnected world.
Systemic Procurement Problems
The government's approach to IT procurement remains "outdated and fragmented," according to the chief digital officer. This comes six years after Treasury recommended an all-of-government approach to reduce the multi-billion-dollar IT upgrade burden.
Current financing rules prevent agencies from modernising their cybersecurity infrastructure, making it difficult to transition from vulnerable on-site hardware to more secure service-based solutions. The Treasury's own investment management system fails to recognise ongoing cybersecurity costs, creating a dangerous cycle of underinvestment.
Transparency vs Security Balance
Clark defended the GCSB's secrecy, arguing that revealing specific vulnerabilities or vendor names would compromise future intelligence gathering and have commercial implications. However, this approach leaves the public in the dark about risks to their personal data held by government agencies.
The National Cyber Security Centre has developed "minimum cyber security standards" to address basic vulnerabilities, but subsequent Treasury reports suggest these measures haven't eliminated the underlying systemic issues.
As New Zealand continues its digital transformation, balancing transparency, security, and innovation remains a critical challenge. Citizens deserve assurance that their government is protecting their data while embracing the technologies needed for a modern, inclusive society.