Spy agency data centre: Government wanted a bargain and control of sensitive info

9:51 am on 19 May 2024
A mock-up of the new data centre being built in west Auckland. Photo: Supplied

The need for sovereign control of spy and other sensitive data dominated the planning for a high-security data centre in west Auckland, but the government still went looking for a bargain, papers show.

The Government Communications Security Bureau (GCSB) and Security Intelligence Service (SIS) had a say "given the need for some of their information to have additional protection against malign actors".

In addition, "value for money was a strong factor," an Official Information Act (OIA) response from the GCSB said.

The only government-owned data centre is being built for $300 million at Whenuapai.

"The facility is on track to be completed in 2025," the New Zealand Intelligence Community (NZIC) told RNZ on Friday.

That would make it nine years after planning began.

Most of the unrestricted public data which was in 'the cloud' was held offshore in Australia in data centres - huge temperature-controlled server warehouses - run by US big tech firms.

But an offshore site or offshore ownership was dispensed with early on for holding the more sensitive government data, the OIA response showed.

"Any solution which involves non-sovereign hosting of data has been excluded," said a strategy paper in April 2016.

A month earlier, the spy agencies along with the National Security Group within the Department of the Prime Minister and Cabinet - having just done a strategy and capability review - told the government it needed a data centre.

A Cabinet Committee agreed to put money in if a business case panned out.

It had to take into account the 'bible' of information security, the New Zealand Information Security Manual (NZISM), which says "jurisdictional, sovereignty and privacy risks" must be thoroughly looked into and get top-level approval if an agency wants to put data in the cloud offshore.

Recently, the GCSB worked with Microsoft and Amazon Web Services - which dominate cloud services - to have the NZISM built into cloud product templates.

A shortlisting of data centre location options in 2018 noted a "clear preference for all the build options over outsourced or offshore options".

A year later, a detailed business case had been done.

In 2020, a presentation reiterated "the project has NZ sovereign requirement for some capabilities, therefore need to be housed in own built/control facilities".

Four locations in the North Island were short-listed, and judged on cost, benefit and risk.

"Value for money was a strong factor, as was geographical diversity and resiliency, with a preference for existing Crown land," the GCSB said.

A geotechnical consultant looked at land stability, and a "specialist consultant" provided a further layer of assessment.

The key finding was that building at Whenuapai would provide "the greatest value for money". It gave equal or higher levels of resilience and security than any of the other options.
