GCHQ Boss Complains Of Cyber Brain Drain

The boss of the UK’s top secret listening station, GCHQ, has complained that it is losing valuable cyber security experts to the likes of Google, Microsoft and Amazon.

The comments made by Iain Lobban, the director of GCHQ, came to light in the Parliamentary Intelligence and Security Committee’s (ISC) annual report.

“I need some real internet whizzes in order to do cyber and I am not even sure they are even on the contractor market, so I need to work on that,” Lobban said.

Brain Drain

“They will be working for Microsoft or Google or Amazon or whoever,” said Lobban. “And I can’t compete with their salaries. I can offer them a fantastic mission, but I can’t compete with their salaries.”

“I probably have to do better than I am doing at the moment, or else my internet whizzes are not going to stay… and we do have a steady drip, I am afraid,” he warned. “Month-on-month, we are losing whizzes who’ll basically say: ‘I’m sorry, I am going to take three times the salary and the car and whatever else’.”

GCHQ apparently hired 491 new staff last year, which boosted the agency’s total headcount to 5,675. This included the use of 297 contractors at a total cost of £43.1m. Each contractor reportedly cost an average of £145,138 a year compared with an average cost of £44,534 a year for a full-time GCHQ employee.

The ISC made it clear in the report that it is highly concerned about any possible skills shortage affecting GCHQ.

“We are concerned about GCHQ’s inability to retain a suitable cadre of internet specialists to respond to the threat,” it said. “We therefore urge GCHQ to investigate what might be done within existing pay constraints to improve the situation. We also recommend that the Cabinet Office – as lead department for cyber security – considers whether a system of bonuses for specialist skills, such as exists in the United States, should be introduced.”

Equipment Loss

Meanwhile the ISC also took the opportunity to reprimand the organisation for losing track of its equipment.

A GCHQ audit apparently failed to account for 34 percent of 26,860 items in its store, thought to be worth up to £1m, over the past 10 years.

According to GCHQ 95 percent of the lost kit did not present a security risk. However the remaining 5 percent, equal to roughly 450 items, could potentially present a security risk. However GCHQ thinks that most of the missing kit was destroyed but not properly documented as being destroyed.

“What we believe has happened over a number of years is the equipment has been issued from the stores to deployment, primarily to places like Afghanistan and Iraq, and it has not been adequately updated in the records,” said GCHQ. “So the people who are running the systems have not expressed concerns that they have not been able to find the equipment. They have just been not very good at their reporting.”

“Although the Committee has no reason to believe national security has been compromised, the Agencies must do all they can to avoid the loss of potentially sensitive equipment,” said the ISC. “The public interest requires that GCHQ learns from the repeated mistakes of the past. The Committee expects GCHQ to ensure that the situation does not arise again.”

Overall, the ISC expressed concern that the 11.3 percent budget cut for the intelligence agencies, including MI5 and MI6, would affect their ability to “maintain current levels of coverage of all aspects of the threat”.

Ongoing Threats

The shortage of skilled cyber security experts comes at a time of increased threats. Last month the UK Ministry of Defence created a new joint force command unit, that integrated the MoD’s cyber warfare and military intelligence units.

This came after defence secretary Dr Liam Fox warned that Britain is under constant attack from hackers, and that last year 1,000 potentially serious offensives were blocked. And in May the British government also acknowledged it had begun work on a “toolbox” of offensive cyber-weapons to complement its existing defensive capabilities.

This followed the comments from Armed Forces Minister Nick Harvey last November, when he said that the UK must have the ability to launch its own attack against those carrying out cyberwarfare against this country and its infrastructure.