Government departments are failing to use IT security services offered by GCHQ, a parliamentary committee has found.
The Intelligence and Security Committee said it is "disappointed" that departments have not invested in the services provided by GCHQ’s Communications-Electronics Security Group (CESG).
CESG offers IT security advice and assistance to the whole of government, the armed forces, other public sector bodies such as the NHS and the police, and private sector companies that support the UK’s national infrastructure. It operates on cost recovery basis, meaning that departments are supposed to pay for the services they consume.
However, an investigation by the Intelligence and Security Committee found that departments did use CESG’s services in the 2009/10 tax year to pay for its budget, leading to the £3.6 million shortfall.
Iain Lobban, the director of GCHQ, told the committee that he was very disappointed that CESG had been unable to get satisfactory funding from the rest of government over the past two years. "We have tried very hard with the cabinet secretary’s support, but it has never quite come to fruition," he said.
The report said that the funding shortfall in 2009/10 had followed the same pattern as that in 2008/9, saying that it appears government departments and agencies do not view IA investment as a priority. Devising a future funding model was tasked to the Deputy National Security Advisor, to be implemented within six months.
Lobban also voiced concerns over GHCQ’s "inability to retain a suitable cadre of Internet specialists". "I need some real internet whizzes in order to do cyber and I am not even sure they are even on the contractor market, so I need to work on that," he told the committee. "They will be working for Microsoft or Google or Amazon or whoever. And I can’t compete with their salaries; I can offer them a fantastic mission, but I can’t compete with their salaries."