A "light security review" by the GCSB warned of a number of security concerns around the use of Zoom in Cabinet meetings on the eve of level 4 lockdown.
And emails from officials in the days leading up to the more than four-week lockdown period reveal concerns that Zoom was "not secure enough for classified communications".
Despite the concerns, it appears Prime Minister Jacinda Ardern did give the green-light for Cabinet to meet via Zoom after her officials felt confident that appropriate security measures had been taken.
The lockdown meant the weekly top-level meeting between Government Ministers had to be done remotely.
The emails – as well as high-level advice from the Government Communications Security Bureau (GCSB) – were released under the official information act (OIA).
The day before the level 4 lockdown began on March 26, the GCSB provided advice in the form of a memo regarding the Government's use of Zoom during alert level 3 and 4.
The emergency advice – which the memo said was produced "at pace" – was provided given the fact that the usual meeting processes could not be in place during lockdown.
The memo noted that Zoom has had publically disclosed security vulnerability in the past – including issues identified where hackers could remotely access video conferencing.
When it comes to the use of Zoom, the memo warned: "There is a suite of security risks associated with using video conferencing tools".
The GCSB ranked those in a list which contained "moderate and high risks associated with Zoom".
Those risks include:
- A Zoom-enabled device could be remotely controlled by a hacker, which would give them access to the microphones and cameras.
- The Zoom-enabled device could be used to "attack internal systems".
- Stored Zoom communications could be intercepted and compromised.
• Official classified documents could be intercepted if the "share document" Zoom feature is used.
The GCSB memo outlined a number of ways these risks could be mitigated, including requiring passwords for all meetings, disabling the "join before Host" feature and locking the session once everyone has joined.
"These mitigations are important, but we acknowledge they may be impractical or hard to achieve before enabling staff to use during Covid-19 alert level 4, or with all users."
Three days after the GCSB advice was provided, an email from an official from the Department of Prime Minister and Cabinet (DPMC) advised that it was Ardern's expectation that Zoom was to be used for the upcoming Cabinet meeting.
Advice from the Government's chief information security officer, Steve Honiss – also released under the OIA – said ordinarily, systems like Zoom would not be deployed without a full accreditation process being run by GCSB.
"However, the urgency around keeping the business of Parliament and the Executive Branch working over the lockdown period has meant that a light security review was able to be undertaken before Zoom could be deployed."
He said there are important security measures that must be followed when using Zoom, in order to minimise security risks.
Subsequent emails reveal that officials were confident that these measures were taken – "it looks like we are in a good place for Cabinet tomorrow," an email from March 29 read.
Not long after that Cabinet meeting, National called for the Government to find a more secure platform than Zoom.
Ardern said at the time that Zoom had been vetted by security agencies.
She said it had been given the green light for conversations up to "Restricted" level - or below the Secret and Top Secret levels in the GCSB's official guidelines.