While spinning the revolving doors, they have endangered the public by neglecting bigger security threats, like coronavirus and climate change, write Matt Kennard and Mark Curtis.
Matt KENNARD and Mark CURTIS
Almost all of Britain’s former spy chiefs are personally profiting from working for cyber security and energy companies after retiring from the U.K.’s major intelligence agencies.
In May, Declassified UK revealed that since 2000, nine out of 10 former chiefs of MI6, MI5 and GCHQ have taken jobs in the cyber security industry, a sector they promoted while in office as key to defending the U.K. from the “Russian threat.”
The British government was told for over a decade that the “gravest risk” to the country is an influenza pandemic, which its National Security Strategy identifies as a “tier one priority risk.” Yet the security services largely ignored health threats, despite claiming they are guided by the U.K.’s security strategy.
The burgeoning and profitable cyber industry in the U.K., where former spy chiefs gain employment, is now worth over £8-billion. Sir Iain Lobban, who ran GCHQ from 2008 to 2014, has become director or adviser to 10 private cyber or data security companies since leaving office. His own consultancy, Cyberswift Limited, had over £1-million in assets by the end of 2018, four years after he left GCHQ.
The “revolving door” between government and industry is meant to be regulated for conflicts of interest by the Advisory Committee on Business Appointments (ACOBA). However, Declassifiedcan find no evidence that an intelligence chief has ever had an ACOBA application rejected. This allows them to lobby their old agencies on behalf of their private interests after they leave office.
One former MI6 head, Sir John Scarlett, was given “unconditional approval” by ACOBA when he became an adviser to a major oil company in 2011, meaning he was immediately free to lobby his former colleagues in intelligence and parliament on behalf of the firm.
The last three heads of MI6 all joined oil or gas-producing companies, which are among the world’s largest contributors to climate change, after they left the service. Declassified can reveal that former MI6 chief, Sir Richard Dearlove, has earned more than £2-million from his role on the board of American oil and gas company, Kosmos Energy, which was until 2018 registered in the tax haven of Bermuda.
Another former MI6 chief, Sir John Sawers, has earned £699,000 since 2015 as a board member of oil giant BP, in addition to possessing shares in the company worth £91,300.
Climate change has also been largely ignored by the security agencies, evidence suggests, despite the U.K. government last year recognizing it as a “security risk,” adding, “There is no doubt that climate-related security challenges are real. They are here. They are now.”
Russia and cyber attacks have been evoked as the pre-eminent threats to the U.K. public, alongside terrorism, in countless public interventions by intelligence chiefs. Russia engages in offensive cyber operations, as do Britain and its allies, but the constant evocation of a threat from Russia, often without real evidence and amplified in the media, has helped U.K. security agencies accrue permissive investigatory powers and larger budgets, directly benefiting the private cyber and arms industry.
A senior U.K. military commander, Rear Admiral Neil Morisetti, said in 2013 that the threat posed to the U.K.’s security by climate change is just as grave as that posed by cyber attacks and terrorism.
Sir John Scarlett, former head of MI6, receives “unconditional approval” from the British government to lobby his former employers on behalf of oil giant Statoil. (Twelfth Annual Report 2010-2011: Advisory Committee on Business Appointments)
Badly Prepared for Coronavirus
UK Declassified’s revelations last May came amid rising public anger at how it could be that the U.K. was so badly prepared to deal with the coronavirus outbreak.
The British government had been widely criticized for its slow response and its failure to warn the public early about the level of risk posed by coronavirus, prompting calls for a reconsideration of what constitutes “security.”
The failure to address major threats to the public was striking in light of the substantial expenditure on the security services. Spending on the Single Intelligence Account – which covers MI5, MI6, and GCHQ – is predicted by the government to be £2.48-billion in 2020-2021. This works out at around £400 for every Briton.
It appears that no intelligence chief has ever made money working on the security threats posed by climate change or health pandemics. None also appears to have ever mentioned these threats while in office or after. Public warnings from intelligence chiefs which highlight the security threat from climate change would be likely to adversely impact the profitability of fossil fuel companies.
Paul Rogers, emeritus professor of peace studies at Bradford University, told Declassified: “The revolving door and its impact in the defence sector are fairly well known but this new investigation of its extent in the intelligence industry is a real eye-opener.” Rogers, who is also an honorary fellow at the U.K. military’s Joint Services Command and Staff College, added: “It does much to explain why the pandemic and climate change threats have been so widely discounted in the British security services.”
MI5 is Britain’s domestic security agency, while MI6 gathers intelligence externally. GCHQ, the largest of the UK’s spy agencies, collects signals intelligence.
Where Are They Now?
Nine of the 10 former heads of MI5, MI6 and GCHQ since 2000 have gone on to work for companies in the cyber and data security sector. Since 1992 – the first year after the end of the cold war – 13 of the 16 heads of agencies have done the same. The term “cyber security” is often used as a euphemism for offensive and surveillance products.
Sir Jonathan Evans led MI5 from 2007 until 2013 and within five months of leaving office became a member of the advisory board of Darktrace, a cybersecurity company created by the UK intelligence establishment. He also became an adviser on digital security to Luminance Technologies, an artificial intelligence platform, and chair of the advisory board of Blackdot Solutions, an internet intelligence company. Evans’ remuneration in these roles is not known.
In 2012, the year before he left MI5, Evans made his first public speech in two years in which he claimed there were “industrial-scale processes involving many thousands of people lying behind both state-sponsored cyber espionage and organised cyber crime”. He added: “Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states,” before concluding, “The extent of what is going on is astonishing.”
To the astonishment of even the Times newspaper, Jonathan Evans was in 2018 appointed to chair the government’s Committee on Standards in Public Life. He had six other paid jobs at the time.
In July 2015, Evans joined the board of Ark Data Centres, a company which offers “highly secure” data storage centres in the UK. In that role, Evans replaced his predecessor at MI5, Dame Eliza Manningham-Buller.
Manningham-Buller, who headed MI5 from 2002 to 2007, had in 2012 become a director of Ark, whose other staff include former UK military personnel and is based in Corsham in Wiltshire, where the Ministry of Defence (MOD) runs the British government’s new £40-million Cyber Security Operations Centre.
In March 2015, Ark won a £700-million outsourcing deal with the Cabinet Office to supply the government’s entire data centre estate. Two months later, Manningham-Buller stepped down from her position as a director of the company.
The year after she joined Ark, Manningham-Buller told a conference that, “It seems to me that a lot of people don’t want to recognise the threat” from possible cyber attacks. She added, “They want IT systems, they want connectivity, they want ease of access, they want business efficiency, and they choose quite often to ignore substantial threats.”
Sir Stephen Lander, head of MI5 from 1996 to 2002, became director of two companies in 2004: Streamshield Networks, which produces cybersecurity products, and Northgate Information Solutions, which develops IT software for police services and government.
Sir Jonathan Evans, head of MI5 from 2007-2013, gives his thoughts on the “cyber threat landscape” to Darktrace, a private cybersecurity company whose advisory board he joined in 2013, the same year he left service. Darktrace was valued at £1.65bn in 2018.
MI6 likewise has seen its former heads make significant sums in private cyber-related companies.
Sir John Sawers, head of MI6 from 2009 to 2014, created his own “political risk” consultancy in 2018, Newbridge Advisory, to help businesses and investors “understand” the threat of “cyber attacks, terrorism, political upheaval”, among other areas. Sawers charges up to $75,000 (£65,000) to speak on “cyber security”. “He looks at the current cyber threats, the policy of cyber security, the likelihood of a wide scale attack, and what organisations can do to protect themselves,” Sawers’ agency website notes.
Sawers’ predecessor, Sir John Scarlett – who headed MI6 from 2004 to 2009 – joined the board of advisors at the Chertoff Group, a US-based corporation which “delivers security and cybersecurity risk management”, soon after he left the service. General Michael Hayden, former director of the National Security Agency and CIA, is currently a principal at the firm. Scarlett also charges up to $55,000 (£48,000) to speak on “cyber threats”, specifically the question: “How vulnerable is our infrastructure to cyber attack and what should we do about it?”
Sir Richard Dearlove, who served as head of MI6 from 1999 to 2004 – overseeing the intelligence controversies which led to the US/UK invasion of Iraq in 2003– later became director of Crossword Cybersecurity, a technology company focusing exclusively on the cybersecurity sector. He serves in the firm alongside Lord Nick Houghton, former Chief of the Defence Staff of the UK military, who is on its advisory board.
MI6 chiefs have all raised the spectre of the Russian cyber threat as they have taken jobs in the cyber security sector. In 2015, the year after he left MI6, Sawers publicly flagged the risk of Russian cyber attacks. Dearlove said in 2019 that “It’s deeply embedded in Russia’s DNA to use the capabilities that it has to disrupt our nations.”
Similarly, in 2018, Scarlett publicly proclaimed the “normal practice” of Russian “interference” in elections before the 2016 cyber attack on the Democratic National Committee.
The heads of GCHQ, the U.K. government’s signal intelligence agency, have also found lucrative positions in the private cyber sector after leaving the service.
Robert Hannigan was GCHQ’s director from 2014 to 2017, establishing the National Cyber Security Centre as part of GCHQ in 2016, while being responsible for the U.K.’s first cyber strategy in 2009. Three months after he stepped down from GCHQ, in July 2017, Hannigan publicly warned that “a disproportionate amount of mayhem in cyber-space” was coming from Russia, and called for “pushback”.
The following month, Hannigan became chair of the European advisory board of BlueVoyant, a cybersecurity firm producing products to protect businesses against “sophisticated cyber attackers”, including nation state actors. In 2018, Hannigan became chair of BlueVoyant International.
Hannigan also set up his own consultancy, Tunny Associates, about which little is known, although the Tunny was the name given by British spies to a Nazi cipher machine cracked by Bletchley Park, the UK’s wartime code-breaking centre.
Hannigan’s predecessor, Sir Iain Lobban, who ran GCHQ from 2008 to 2014, has joined or advised no less than 10 cyber or data security companies since leaving office, including Hakluyt Cyber, Prevalent AI, and C5 Capital.
A biography on the C5 website states that Lobban “set new direction in cyber security for innovative partnerships internationally, with the private sector and with academia,” adding, “Sir Iain now focuses on the advocacy and demystification of cyber security, providing strategic advice and personal perspective, nationally and internationally, to governments and businesses.” The biography ends with the line, “He is also active in entrepreneurship, in the broadest sense of the word.”
In a 2011 article in the Times, Lobban argued that “the volume of e-crime and attacks on government and industry systems continues to be disturbing” and concluded that the “UK’s continued economic well-being” was under threat from cyber attacks.
Biography of Sir Iain Lobban, who was director of GCHQ from 2008-2014, on the website of C5 Capital, an investment firm focused on cybersecurity, which he joined in 2015, the year he left GCHQ. He says he is “active in entrepreneurship, in the broadest sense of the word.”
Before Lobban, GCHQ’s director was Sir David Pepper, who managed the agency from 2003 to 2008. After leaving GCHQ, Pepper joined the advisory board of Thales, an arms and cyber security company, and became a strategic adviser to Defence Strategy and Solutions, which helps arms firms secure government contracts.
Pepper’s predecessor was Sir Francis Richards who directed GCHQ from 1998-2003. In 2007, Richards became chairman of the National Security Inspectorate, a certification body that approves security providers. Richards is the only head of MI5, MI6 or GCHQ since 1992 who does not appear to have personally benefited from working in the private cyber or energy sector after leaving office. (Former MI6 chief, Sir David Spedding, died two years after he retired in 1999.)
Richards’ three immediate predecessors all joined cyber or data security companies. Sir Kevin Tebbitt and Sir David Omand became board members of Leonardo, the Italian weapons manufacturer that specializes in cybersecurity. Omand also joined the board of Babcock International, another arms company with a long line in cybersecurity products, while Sir John Adye, GCHQ director from 1989-1996, joined the board of two companies – Identity Assurance Systems and Opera Limited – focused on data and cyber security.
Earning from Fossil Fuel Corporations
The three former heads of MI6 since 2000 have all taken jobs with energy companies after leaving office – despite climate change being recognized as a major threat to the UK.
Sir Richard Dearlove has been on the board of Kosmos Energy – an oil and gas exploration company based in Texas – since 2012, where he also sits on the compensation committee. In the seven years from 2013 to 2019, Dearlove earned more than $2.5-million (£2-million) in fees from the company, having attended an average of 12 meetings a year. In 2018, Dearlove was Kosmos’ best compensated director. US filings show that on appointment Dearlove was also awarded restricted shares worth $140,000 (£113,400).
Dearlove has also been an adviser to a variety of consultancies that give advice on energy and extractives, while he charges up to £20,000 as a speaking fee where “the invasions of Iraq and Afghanistan” are touted as conversation topics.
Dearlove made widely-covered public interventions during the 2017 and 2019 UK election campaigns warning that Labour leader Jeremy Corbyn was a “danger” and “threat” to Britain’s national security. Labour’s manifesto in 2017 promised “strict standards of transparency for crown dependencies and overseas territories, including a public register of owners, directors, major shareholders and beneficial owners for all companies and trusts.”
Kosmos Energy was until 2018 registered in the British overseas territory and tax haven of Bermuda. Since 2006, Dearlove has also been the non-executive chairman of Ascot Group – an insurance business domiciled in Bermuda.
In 2011, Sir John Scarlett became chair of the Strategy Advisory Committee at Norwegian oil giant, Statoil (now named Equinor). Scarlett’s name does not appear in the company’s annual reports or on its website and it is not known how much he has been paid in this role.
There are also two consultancies – SC Strategy and J&G Consulting – which Scarlett has started whose operations and clients are so secretive it is impossible to know if they involve cybersecurity or energy. It has been reported he earned £400,000 over three years from one of these.
Sir John Sawers was appointed a director of oil company BP in 2015, the year after he left MI6. “His management of reform at MI6,” BP wrote in its 2015 annual report, “complements BP’s focus on value and simplification.”
It appears that upon appointment, Sawers was awarded restricted shares worth over £90,000. Declassified can also reveal that in the four and a half years to 2019, Sawers earned £699,000 in fees and benefits from BP.
“BP will benefit from his extensive experience of the Middle East’s hotspots while a career diplomat, and his influential roles in formulating foreign policy,” wrote TheFinancial Times. Sawers was a foreign policy adviser to Prime Minister Tony Blair and was appointed Britain’s special representative to Iraq in 2003. BP returned to Iraq in 2009 after a 35-year absence. The BP annual reports refer often to Sawers’ experience in the Middle East as a particular boon for the company and note that he has been at meetings which discuss “developments in the Middle East.”
In February 2015, Sawers also became a director of Macro Advisory Partners, a consultancy whose clients include the world’s leading energy institutions. Michael Daly, BP’s former global exploration chief, was also added to the board four months before Sawers.
The true extent of security services personnel profiting after service is unclear as the names of nearly all intelligence personnel are highly classified. But it has been revealed that former MI6 head of counterterrorism, Sir Mark Allen, also joined BP after leaving service, helping the company to negotiate a £15-billion oil drilling contract with Muammar Gaddafi, the then Libyan dictator. Allen had developed a relationship with the Gaddafi regime while in MI6 and was investigated for his role in the snatching and transfer of a Libyan couple to the north African country in 2004.
Chiefs of MI5 and GCHQ have also gained from oil and gas companies. Former GCHQ director Sir Iain Lobban became an advisor to Shell. Dame Stella Rimington, who was director-general of MI5 from 1992 to 1996, joined the board of BG Group – the oil and gas multinational – in 1997, the year after she left service.
She stepped down from the board in 2005 when the company was bought by Shell for £47-billion. Rimington was a company shareholder as well as earning £57,500 in fees from BG Group in 2004, her last full year on the board.
Adjusting the Dials?
Although the U.K. spends significant sums on its “security services,” there is no evidence that any of the British intelligence agencies has significantly prepared for health pandemics or have substantial expertise to work on the issue, as Declassified UK has revealed. Recent heads of MI5 and MI6 were promoted after working in counter terrorism.
The incoming head of MI5, Ken McCallum, has worked for the intelligence service for 25 years, but appears to specialize in cyber security and to have no health or climate expertise. At one point, he appears to have been seconded to the Department for Business, Innovation and Skills and became the department’s cyber security head. McCallum is also said to have headed MI5’s cyber activities around a decade ago.
Sources have said McCallum wants to “work more closely with the private sector in harnessing artificial intelligence” and “to be clearer about the threat posed by China – particularly in terms of industrial espionage and cyberwarfare”.
MI5 states that the “cyber” threat is one of its four main focus areas, but it does not mention health security issues despite claiming to be guided by the U.K.’s national security strategy which highlights an “influenza pandemic” as a tier one threat.
In contrast to the U.K., the CIA has a dedicated unit for health issues, while the U.S. Defense Intelligence Agency has a National Center for Medical Intelligence which undertakes “collection, evaluation, and all-source analysis of worldwide health threats and issues.”
The outgoing head of MI5, Andrew Parker, has recently intimated that the government needs to recalibrate its security priorities. He said earlier this month: “There is no doubt at all that, having lived through the worst pandemic in a century, the government is bound to think differently about how to configure against that risk and adjust the dials accordingly across public spending, I’m sure. But all of those decisions are yet to be taken.”
According to Parker, some doctors and nurses who usually work at MI5 have been released back to the NHS so they can serve on the frontline, while MI5 has also been providing protective security to the design and construction of the new temporary care ‘Nightingale’ hospitals, but which have been revealed to be so badly staffed they have turned away patients.
GCHQ has made several public interventions since the coronavirus crisis began – all on the cyber threat posed by the pandemic, such as warning that criminals are using the coronavirus outbreak to launch online attacks.
Britain’s Cyber Industry
A recent government report states that the U.K. cyber security sector is worth £8.3-billion and includes over 1,200 companies, a number which has increased by 44 percent from 2017 to 2019. This growth is the equivalent to a new cyber security business setting up in the U.K. every week.
The government is allocating large amounts of money to cyber security. In 2016, it announced a National Cyber Security Strategy involving spending of £1.9-billion. A further £250-million is expected to be spent on a new joint MOD-GCHQ cyber force to combat “the rising cyber threat from nations such as Russia and Iran, as well as terrorist groups like ISIS.” With 2,000 personnel, it will have experts from the military, security services, and the cyber security industry.
The government has also allocated £23-million to building a “cyber business park” near GCHQ’s headquarters in Cheltenham, southwest England, and established a £135-million National Security Strategic Investment Fund so that British intelligence agencies can nurture start-ups developing technology seen as supporting the country’s national security priorities.
Alex Chalk, the Conservative MP for Cheltenham, has been a big supporter of the U.K. government’s cyber strategy in his constituency. “The thing that struck me was that we had an asset in GCHQ, which was absorbing a growing amount of public money, billions of pounds, and yet its impact… was quite limited,” he told Declassified. “I read around the subject and saw what the Israelis had done in a place called Beersheba in Israel, where they’ve got their equivalent of GCHQ.” In 2014, the Israeli government passed a resolution designating the city of Beersheba the country’s cyber capital, and it is now referred to as a “cybertech oasis.”
It is not just intelligence agency chiefs who have moved into the lucrative world of cyber technology. The most successful British cybersecurity firm is Darktrace, which works on artificial intelligence-based cybersecurity and was incorporated four days after the first of the revelations by U.S. whistleblower Edward Snowden was published by The Guardian in June 2013.
Darktrace has been valued at £1.65bn. Company material openly mentions “the UK intelligence officials who founded Darktrace”. Among its team are “senior members of the UK’s and US’s intelligence agencies including the Government Communications Headquarters (GCHQ), the Security Service (MI5) and the NSA.”
One co-founder was Stephen Huxter, a senior figure in MI5’s “cyber defence team” who became Darktrace’s managing director. Huxter then hired 30-year GCHQ veteran Andrew France as the company’s chief executive. France, like Huxter, had been involved in dealing with “cyber threats”, rising to the position of deputy director of cyber defence operations at GCHQ, where he was charged with “protecting government data” from cyber threats.
Darktrace later appointed Dave Palmer, who had worked at MI5 and GCHQ, as its director of technology, while John Richardson OBE, its director of security, had a long career in “UK government security and intelligence” working on “cyber defence”. Darktrace staff have also included ex-MI6 officials. Poppy Gustafsson, co-founder, has said that her work left her feeling like she was “living in a story by the novelist John le Carré”.
Declassified contacted Sir Richard Dearlove and Sir John Sawers for comment, but neither responded. Sir Iain Lobban declined to comment.