In a recent Cabinet Office report, the government claimed the NCSC has responded to “over 2,500” incidents since April 2017 – including the WannaCry ransomware attack that had infected networks across Europe and effectively paralysed the National Health Service and other public services in mid-2017.
Although the attack was actually stopped by “accidental hero” Marcus Hutchins (aka ‘MalwareTech’) who had no prior links to the intelligence community and had stumbled upon the malware’s killswitch, the Cabinet Office report has credited the “seamless delivery of intelligence detection from the NCSC to Whitehall” as having resolved the issue.
That was just one of a number of justifications laid out by the report to counter accusations that the choice in 2016 of an upscale Westminster location as the GCHQ offshoot’s headquarters had been “more a matter of preference than necessity”.
Noting that “cost and value for money” had been “strong considerations” throughout the decision-making process, the report claimed that the Westminster setting had “enabled the delivery of world leading operational capabilities for the NCSC and UK Government.”
In 2016, then-Chancellor of the Exchequer George Osborne had overruled procurement rules to secure the NCSC its “preferred” base in a commercial development in Westminster rather than the shortlisted “tech hub” of Shoreditch that was “unpopular” with the intelligence agency.
Last November, the Intelligence and Security Committee (ISC) of Parliament had concluded that the GCHQ had prioritised “image over cost" and blasted its willingness to “postpone investment in operational capabilities... in order to allocate the NCSC more expensive accommodation.”
In its report, the ISC highlighted a list of shortcomings in the procurement process, including “arbitrary timetable” and deadlines, “faulty criteria”, “absurd weighting mechanism”, “unjustified score changes”, and the inclusion of a “no hoper alternative” in the final round of selection.
The shift to Westminster “considerably over-shot” the funds initially allocated for setting up the office, which led to spending cuts in other GCHQ areas. The agency is reportedly locked into a 15-year lease that costs £6.4 million annually while the original budget called for a £3.5 million yearly expenditure.
Meanwhile, the other finalist for the NCSC office had been a building in the Canary Wharf area that would have cost £3.1 million per year. This means that the NCSC could have saved around £50 million in public funds over the term of the lease if it had chosen the cheaper office.
However, the Cabinet Office countered that the additional cost was a “carefully thought through and routine one-time reprioritisation of the GCHQ Estate budget” and claimed that “no operational activities or mission priority areas” were affected as a result.
“The operational value of the NCSC has been clear, and our investment in Nova South [the commercial building] visibly demonstrated our commitment to being at the centre of ensuring the UK’s Cyber Security future,” the Cabinet Office responded in its report.
But the government admitted that there was a need for additional oversight and “independent scrutiny” in all future procurement exercises and pointed to the establishment of an “internal Commercial and Legal Oversight Group”.