An emphasis on “image rather than cost” led to GCHQ overshooting its budget for the new National Cyber Security Centre (NCSC) headquarters by almost £3 million per year, an influential parliamentary committee has found.
In a damning report on the intelligence organisation’s “unacceptable” procurement process for accommodation, the Intelligence and Security Committee (ISC) said better decision making would have benefited the public purse.
The formation of the NCSC was announced in 2015 and shortly afterwards a property advisory consultancy firm began seeking office space for the organisation.
In 2016, it produced a shortlist of properties – with one in Canary Wharf already leased by the Government marked as the top option. New-build commercial properties in Victoria and Shoreditch came joint second.
GCHQ decided that the Victoria office – Nova South – was its preferred option, which the ISC said appeared to be due to a late change in criteria that the accommodation should be near Westminster rather than “tech hubs”.
However, according to a draft full business case outlined in the committee’s report, Nova South’s running costs were estimated to be £6.4 million per annum, while Canary Wharf’s were £3.1 million.
The ISC said the cost of Nova South equates to more than “£21,000 per staff member per annum” – more than double the average Government cost for London-based staff.
The funding originally allocated for the NCSC’s office stood at £3.5 million per year.
GCHQ funded the shortfall out of its main budget, the committee said, meaning it had to reduce funding for other investments and was “unable to fund the repair of some infrastructure and security upgrades”.
The ISC said: “In our view, operational capabilities should almost always come first – and the justification for departing from this was not made during the selection process.”
It criticised GCHQ for putting “excessive” weight on the “quality and appearance of the office accommodation” with “no case being made for it”.
ISC members – Labour MP Kevan Jones and and SNP MP Stewart Hosie – said: “Our inquiry has discovered very significant shortcomings throughout the procurement process – including an arbitrary timetable, faulty criteria, ignored warnings, an absurd weighting mechanism, unjustified score changes, a ‘no-hoper’ alternative and, finally, the Principal Accounting Officer being overruled.
“From the outset, the selection criteria used were faulty: an unnecessarily tight timetable was imposed arbitrarily at the outset, resulting in excessive haste which potentially led to faulty decision-making – and to good options being summarily dismissed due to non-availability within that timescale.
“Locations outside London were never considered and great emphasis was placed on finding high-end accommodation – without any case being made for that being necessary.
“Then, at a late stage, the location requirement was changed from the initial one of ‘tech hubs’ such as Shoreditch, to the Westminster area – despite this never being formally specified as a criterion and the case for it also not being made. This switch at such a late stage in the process meant that much of the work undertaken previously was rendered useless.
“Even disregarding the faulty criteria, it is clear that GCHQ selected Nova South against all the evidence and warnings that it would neither be ready on time nor receive approval from the Government Property Unit.”
They added: “While the procurement process was unacceptable – with an emphasis on image rather than cost – the scope of the Committee’s report is solely about that process, which was run by GCHQ.
“NCSC was at that point still not in existence and our findings do not reflect in any way on the quality of the NCSC’s work or its overall success as a new institution.
“We had, for a number of years, criticised the number of different teams across Government which had overlapping roles in relation to cyber security and the creation of the NCSC appears to have addressed our concern.
“We therefore welcome the establishment of a single body with responsibility in this area, even if the way in which its accommodation was selected was highly questionable.”
Prime Minister Boris Johnson said the Government “acknowledges there are lessons that can be learned from the procurement process” and would respond to the committee’s recommendations in due course.
But in a written statement he said: “As the public-facing part of GCHQ and the UK’s lead technical authority on cyber security, the NCSC required a workspace which balanced the need for accessibility and operational capability to defend the UK against cyber threats effectively.
“Nova South met all the key criteria required by Government, including proximity to Whitehall and other stakeholders within the Government Secure Zone.
“A further contributing factor to its selection was its availability, which allowed the NCSC to be established at pace, within a year, providing a centre at a time when there was an urgent need for the Government to increase its defensive cyber capabilities and respond to global cyber incidents like WannaCry.
“Nova South has provided a much-needed central focus for UK cyber security since its procurement, hosting a wide range of Government and industry partners as well as contributing to our global commitment to cyber security and the UK’s ranking as number one by the Global Cybersecurity Index.”