Parliamentary criticism of the National Cyber Security Centre's "image over cost" London HQ is being shrugged off by the government because of the GCHQ offshoot's successful response to the WannaCry ransomware outbreak.
George "Eleventy Jobs" Osborne, who at the time of NCSC's establishment in 2016 was the Chancellor of the Exchequer, overrode procurement processes and gave the panicking Cheltenham set at GCHQ their desired Westminster base – and not the grubby Shoreditch "tech hub" the spies feared they'd be dropped into.
Last winter Parliament's Intelligence and Security Committee (ISC) condemned the procurement of NCSC's Nova South HQ, opposite London's Victoria railway station. The Conservative-dominated committee described Osborne's pick of Nova South, which wasn't even on a shortlist prepared by the National Security Adviser (NSA), as "image over cost."
This week the government published its formal response to the Whitehall office lease bunfight, and, to quote our sovereign monarch's communications secretary, it appears recollections may vary.
The ISC said [PDF] Sir Mark Lyall-Grant, who was National Security Advisor when the lease had to be decided, initially refused to sign off GCHQ's left-field suggestion that the new NCSC should be based in Westminster.
Instead, he sided with consultants who recommended locating the NCSC in tech-friendly Shoreditch, which at the time was undergoing a transformation from a grubby backwater to the heart of London's tech startup scene. At the core were tensions over NCSC's role: would it be an industry-facing body or another quango talking to government?
- UK.gov's Huawei watchdog says firm made 'no overall improvement' on firmware security but won't say why
- UK and chums call out Chinese Ministry of State Security for Hafnium Microsoft Exchange Server attacks
- Biden to Putin: Get your ransomware gangs under control and don’t you dare cyber-attack our infrastructure
- NCSC's London HQ was chosen because GCHQ spies panicked at the prospect of grubby Shoreditch offices
Lyall-Grant's decision was quashed in a formal ministerial direction by Osborne, who was the minister backing NCSC's creation. When Osborne - the number two man in the government - waved his hand and said make it so, it appears that formal value-for-money processes were just ignored.
According to the Cabinet Office, Lyall-Grant "subsequently provided his approval of the Business Case once GCHQ had responded," and apparently didn't "regard himself as being overruled on his initial view, and therefore does not believe a ministerial direction was required" – which fails to explain why Osborne gave one in the first place.
The ISC reckoned the Civil Service dug its heels in, forcing a ministerial direction to be given. In the weird world of Whitehall this is a big deal; rather like disputing the service charge on your restaurant bill. It's just not done, old boy.
"The extent to which HM Treasury officials’ advice focuses on GCHQ being 'adamantly opposed' to Canary Wharf [and Shoredtch] – set against the fact that it met most of the criteria, the timeframe and the funds allocated – is striking," the ISC said. "His officials made clear that the Chancellor would have to have strong feelings to outweigh the unpopularity of the option with GCHQ."
And so a decision was made.
"The Chancellor ultimately determined on the balance of evidence and advice put to him that Nova South best met the accommodation requirements and aims to deliver world leading operational cyber capabilities," said the Cabinet Office, responding on behalf of the government. But that wasn't all.
WannaCry trumps everything
Not to be lectured by some jumped-up group of backbench MPs, the Cabinet Office's formal response to the ISC also pulled out what it clearly imagined was a trump card: the NCSC's WannaCry response role. In mid-2017 the ransomware rampaged through Britain, paralysing the NHS until a smart chap called Marcus Hutchins found its killswitch by accident.
"The need and timeliness for the incorporation of the NCSC was immediately demonstrated in the UK's response to the WannaCry attack in May 2017," boasted the Cabinet Office.
"This saw the seamless delivery of world leading intelligence detection from the NCSC to Whitehall and the simultaneous industry and public engagement required to resolve the issue and address public concern. This response required a fully coordinated approach which would not have been capable under the preexisting working arrangements".
Hutchins wasn't working in Nova South or Shoreditch at the time he found the WannaCry killswitch - his background is as an independent infosec bod. Nonetheless, it's touching of the Cabinet Office to invoke his achievement to score points in a public dispute over commercial property leases.
More to the point, NCSC – being a GCHQ offshoot – splits itself between London and other sites to this day, adopting "fragmented working arrangements, resources and operational capabilities," stated the Cabinet Office's public response.
Fans of oversight have one crumb to seize, however. The ISC heavily criticised GCHQ for rewriting its location scoring process after realising an honest exercise would result in NCSC being formed either in Shoreditch or among the bullish City boys of Canary Wharf (a whopping six tube stops from Westminster).
Accepting this was wrong, the Cabinet Office said GCHQ had since set up "an internal Commercial and Legal Oversight Group" to ensure future efforts at keeping well-heeled spies from being forced to mix with the great unwashed are at least publicly defensible. ®