When Anne Keast-Butler was announced as the new director of Britain's Government Communications Headquarters (GCHQ) she celebrated the agency's work tackling terror plots and supplying intelligence about the Russian invasion of Ukraine. But her tenure at Cheltenham, which began in office this week, comes as the agency grapples with another, more internal, challenge: recruitment and retention.
Data published in the annex of a recent Parliamentary report showed that GCHQ was unable to fill more than 460 roles in the fiscal year ending March 2021. More recent figures on overall employment numbers are yet to be published, but multiple sources at the agency told The Record that bringing in new staff and keeping hold of those already there has been an ongoing problem.
As the first woman to lead GCHQ, Keast-Butler’s appointment is in itself a triumph for the agency, which is trying to recruit candidates from more diverse backgrounds. Women are the most obviously underrepresented group among the agency’s staff, making up just over a third (34.6%) of the permanent workforce as of March 2022.
Anne Keast-Butler was announced as the new director of GCHQ in April 2023. Credit: GCHQ
As part of its efforts to improve this imbalance, GCHQ has for the last five years published an annual gender pay gap report, but this hasn’t driven a significant increase in the proportion of women employed by the agency — the most recent figures actually indicate a slight decline from 34.9% in March 2018.
The focus on diversity is not ideological, although it has been challenged on those grounds. While in office, the former government minister Jacob Rees-Mogg bemoaned “woke spies” to a tabloid newspaper covering GCHQ’s guide to inclusion.
“That's not their job to faff around with this sort of stuff, they are there to keep the country safe,” he said.
But for the agency, diversity is considered mission critical. Jo Cavan, GCHQ’s director of strategy policy and engagement, told The Guardian that counterterrorism mission teams with a better gender balance objectively performed their jobs better. The implication is that without being able to foster a diverse workforce, the agency would not do as good a job keeping the country safe.
Dan Lomas, a senior lecturer in intelligence and security studies at Brunel University London, said: “The thing to remember is that the intelligence community is not trying to recruit Jacob Rees-Mogg. They’re trying to reach out to the new generation of graduates who might not know what GCHQ is, or who might self-deselect and not apply.”
Ethnic diversity is also essential for the kinds of cultural awareness that foreign intelligence requires, as well as for providing the best recruits for language analysts, especially for the focus languages of Mandarin Chinese, Russian, Arabic, Persian, and Korean — subjects that are generally not taught in British schools and rarely studied at university.
“Language take-up at universities has been dire for a number of years, partially because of government policy and because students have opted to study other things,” said Lomas.
Work to broaden the diversity of GCHQ's applicant pool led to the scrapping of a rule last November requiring that at least one of an applicant’s parents is a British citizen. The agency now also holds “registration of interest” events to invite potential candidates from under-represented demographics to get in touch before a formal application.
“The other added problem is that there is real reluctance within some communities to work for certain parts of government because they feel that they themselves are the target. It may be justified or not, but there are perceptions in certain parts of British society that the mission is directed at ‘us’,” added Lomas.
Part of the challenge is branding, he said, especially when graduates face a choice of employers. The British government didn’t officially acknowledge the existence of GCHQ until 1994, and the agency’s greatest moment in the spotlight was when it was forced to respond to allegations of mass surveillance following Edward Snowden’s leaks in 2013.
Since then, the agency has done a lot of public engagement to clarify what its work actually involves. Despite the benefits the agency believes this engagement brings, it has not always been supported by oversight bodies — the Intelligence and Security Committee of Parliament has consistently criticized the agencies’ media engagements, even complaining about the head of the Secret Intelligence Service having a Twitter account.
The effects of the COVID-19 pandemic may have also contributed to the shortfall in hundreds of roles, but the challenges of recruitment and retention are persistent, and not simply a matter of branding or diversity.
GCHQ handles its own vetting of recruits to ensure both the agency and the candidates remain safe during their employment. Sources who spoke to The Record on condition of anonymity, as they did not have permission to speak on the record, said the department’s slow work has been a stumbling block in filling roles. A spokesperson said the team hit its targets last year without commenting on how those results compare to previous years.
Vicky and Emily are both deputy directors at GCHQ. The agency did not disclose their last names but recently highlighted their accomplishments as working mothers. Credit: GCHQ via Twitter
The lengthy hiring process — which involves not just establishing candidates’ skills, but also their personality fit, and then security vetting — can take close to a year, sometimes meaning candidates drop out or accept other opportunities. The recruitment events, such as “registration of interest” fairs, offer GCHQ the chance to try and keep hold of applicants during that process. The agency says it has been successful in doing so, providing for the first time last year a “recruitment pipeline” with 50% women and 25% ethnic minority representation.
While Keast-Butler’s appointment is a positive sign for gender equality, as a relatively external candidate — she joined from sister agency MI5 — her appointment could also be a symbol of what some perceive to be a lack of internal promotional opportunities.
Keast-Butler’s predecessor, Jeremy Fleming, similarly joined the agency from MI5. The director before him, Robert Hannigan, was a civil servant who had specialized in intelligence work. Iain Lobban, who led the agency from 2008 until 2014, was the most recent director who had spent his career at the agency. Perhaps incidentally, he was also extremely popular among staff.
The Record understands that only one of the applicants interviewed for the director role in this year’s process is currently serving at the agency, in a senior technical role.
Ciaran Martin, a former senior civil servant at GCHQ who went on to found the National Cyber Security Centre (NCSC) — a part of the agency that engages with the public on cybersecurity — said that at “the GCHQ I joined… certainly some of the folklore was the really, really technical specialists just looked up and didn't see anybody like them at the top of the organization.”
“That's no longer true,” he said. “Not all of the technologists do want to manage and lead people, but for those who do, they can do it.”
He cited Paul Chichester and Ian Levy, senior figures at NCSC with extensive technical knowledge who had been appointed to the agency’s board as directors. “As well as giving me, when I was head, a group of people who were very useful to listen to because they had so much experience and expertise, it also meant the technical people [saw themselves reflected in leadership positions],” he said.
Numerous industry bodies have complained about a global workforce shortage for skilled workers in the cybersecurity sector, with estimates of several million more roles than candidates. A British government-sponsored report published last year estimated the “shortfall in cyber security personnel” as being greater than 14,000 annually.
Martin said that the skills gap was “very easy to be depressed about.”
“I remember in about 2015, a GCHQ veteran who I greatly respected and liked said the whole NCSC idea was mad. I had plenty of people tell me the NCSC idea was mad, but not for this reason… [that] there just weren't enough skilled people either to do it, or even if there were, to receive its output.”
Martin said he respected the veteran, whom he didn’t name, but was glad he ignored their warning. “It’s easy to give up,” he said.
An aerial shot of GCHQ headquarters in Cheltenham. Credit: GCHQ via Wikimedia
Before joining GCHQ, Martin was an official at the Treasury and he compared the concerns about the “cyber skills gap” to an issue that His Majesty's Revenue and Customs (HMRC) is sometimes called to account for: the tax gap, calculated as the difference between how much tax should be collected based on population and earnings versus how much actually ends up in government coffers.
“Basically, you're measuring against perfection, but life isn't perfect — it’s only like tax collection,” he said
Martin added that he thought the cyber skills shortage was being conceived of in similarly flawed terms: “So this is perfect and we're X short of perfection.”
“In government, sometimes you do have acute skill shortages. Sometimes they're in specific areas, because you know there are different specialisms, and actually [only] a handful of people can solve it... so you need a small number of elite, you really do.”
But he argued that government “has actually managed, by and large, to retain that ability.”
“You'd always like more, but it has managed to get enough. You then have highly or medium-competent cybersecurity professionals and you can have those in government, you can have them in industry and so forth. So that's what you might call a second layer. And then the third layer is just the general public being a bit savvier than they were. And these are three different problems, three different challenges.”
During his time at the agency, Martin said the key focus with its outreach efforts was on the top layer “where actually a few thousand people” shared between sensitive government and the private sector “can make a huge difference,” something that “big aggregate data doesn't quite capture.”
Simply as a matter of supply and demand, the market value of this skilled labor is very high — and that takes pay far beyond what the public sector can afford to cover. His Majesty's Treasury was mocked in March for advertising a head of cybersecurity role with a stated salary of £57,000 (about $70,000) per year.
The dramatic distance between public sector cybersecurity salaries, at a time when inflation has been above 10% for the past year, may be driving what anecdotally appears to be a greater number of GCHQ alumni entering the private sector. A senior source at the agency said that hard data on the number of people actually leaving was likely to be highly classified.
Speaking at the CyberUK conference in Belfast earlier this year, Deputy Prime Minister Oliver Dowden referenced the criticism of the job posting and the discrepancy in pay, stating “a cyber specialist knows they can earn five to seven times, if not more, for the same role in the private sector,” while adding that he was “examining what more we can do to improve salaries and other parts of our offer, so that we can continue to attract the very best cyber experts into the civil service.”
Martin told The Record that retention was an issue he had focused on during his time in office: “We thought very hard about what kept people there. Because even if you can give people a bit more money — and sometimes you can — you can't compete with the private sector salaries. It would be ridiculous, it would be a national scandal, if people thought the taxpayer was funding those types of salaries, particularly at a time like this.”
Despite the challenges of recruitment and retention, there are certainly thousands of men and women at GCHQ who are highly qualified and highly motivated by the importance of their job, Martin said. “The fact is that some of the government work is inherently interesting.”
“At a time, frankly, when loads of people are complaining about various aspects of the state not working and various aspects of the public realm being a bit decrepit, I think we can look at the people who are employed in the cyber sphere in state service with a lot of pride.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.