Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Fears that coding work outsourced to Russia and its allies could pose national security threat
Britain’s nuclear submarine engineers use software that was designed in Russia and Belarus, in contravention of Ministry of Defence rules, The Telegraph can reveal.
The software should have been created by UK-based staff with security clearance, but its design was partially outsourced to developers in Siberia and Minsk, the capital of Belarus.
There are fears that the code built by the Russian and Belarusian developers could be exploited to reveal the location of Britain’s submarines.
The Telegraph understands that the MoD considered the security breach a serious threat to UK defence and launched an investigation.
The inquiry discovered that the firm that outsourced the work – on a staff intranet for nuclear submarine engineers – to Russia and Belarus initially kept it secret and discussed whether it could disguise where the workers were based by giving them fake names of dead British people.
As well as the UK’s submarine fleet, there are fears that further defence capabilities could have been compromised because it has emerged that a previous project was also outsourced to developers in Minsk.
On Friday, experts warned that the UK’s national security could have been jeopardised if personal details of those with classified knowledge of Britain’s nuclear submarine fleet fell into the wrong hands, leaving them exposed to blackmail or targeted attacks.
Ben Wallace, the former defence secretary, said the breach “potentially left us vulnerable to the undermining of our national security”. He added: “Time and time again, countries like China and Russia have targeted the supply chains of our defence contractors. This is not a new phenomenon.”
James Cartlidge, the shadow defence secretary, said it was an “absolute imperative” to ensure “our most sensitive defence programmes have total resilience and security”.
Rolls-Royce Submarines, which designs and runs the UK’s nuclear submarine fleet on behalf of the Royal Navy, wanted to upgrade its staff intranet and had subcontracted the work to WM Reply, a digital consultancy firm.
WM Reply then used developers based in Belarus – Russia’s closest ally – one of whom was actually working from home in Tomsk, Siberia, according to documents submitted to the MoD’s inquiry.
The intranet system included personal details of all Rolls-Royce Submarines employees as well as the organisational structure of those working on the UK’s submarine fleet.
In the summer of 2020, staff at WM Reply began to sound the alarm over the security implications of using Belarusian staff for the project and suggested that Rolls-Royce should be informed.
By November, a team meeting – a transcript of which was provided to MoD investigators – revealed the serious concerns of some staff members.
But they were told by superiors there was no need to “panic” and that Rolls-Royce should not be informed as there was a risk it might cancel the project if it found out.
It was only in the spring of 2021, when concerns were reported directly to Rolls-Royce, that an investigation was launched. The matter was subsequently brought to the MoD in the summer of 2022, triggering a further investigation which concluded in February last year.
Dr Marion Messmer, senior research fellow at the think-tank Chatham House, said that allowing Belarusian and Russian developers to work on this kind of project constituted a clear “national security risk”.
Any rogue actors gaining access to personal data of those working on the UK’s submarine fleet carried a risk of “blackmail or a targeted attack”, she said.
“From a strategic perspective, the great thing about the submarines is that they are very hard to detect and very mobile. If anyone had access to a tracking system that shows where submarines are at all times, that would give them a huge strategic advantage – if planning an attack on the UK they could first target the nuclear submarines and disable Trident.”
A Rolls-Royce spokesman said: “We can categorically state that at no point was there any risk of data, classified or otherwise, being accessed or made available to non-security cleared individuals. It is not possible for non-security cleared individuals to access any sensitive data via our company intranet. It is used to provide business updates, wellbeing support and a channel for collaboration between our colleagues.
“All our suppliers comply with strict security requirements. Once we were made aware of these allegations that clearly breached these requirements, and following a rigorous internal investigation that concluded in 2021, Rolls-Royce Submarines ceased working with WM Reply. We have not awarded them any further contracts.”
Rolls-Royce said it had carried out full IT security checks on any coding before it was introduced to its network. The company is understood to be confident that WM Reply employees and their subcontractors did not have access to information on secure servers.
A spokesman for WM Reply denied the claim that its actions could have endangered national security.
“WM Reply regularly reviews its delivery processes and procedures, respects the needs and processes of its customers and enjoys transparent and long-standing relationships with those customers,” they said.
An MoD spokesman said: “This matter was fully investigated by Rolls-Royce. As they have said, at no point was the integrity of the system compromised.”
By Camilla Turner
It was several minutes into a conference call between WM Reply staff members when one employee summed up the concerns of those in the meeting.
“We are talking about serious stuff here, this is our defence … this could screw the company if it got out,” they said.
Having won a contract from Rolls-Royce Submarines to carry out an upgrade of its intranet, the digital consultancy’s team had spent much of the call trying to work out how they could cover up the fact sensitive work was to be carried out by developers in Belarus, an ally of Russia so close some describe it as a vassal state.
As one of them put it: “I think as soon as we mention Minsk … I think they will just go wahhhh!”
During the brainstorming session, one employee suggested WM Reply could hide the involvement of offshore developers by concealing their Belarusian-sounding names. This could be achieved, it was suggested, by using the names of “dead people in the UK” instead.
The Microsoft Teams video conference call, which took place in November 2020, is at the centre of revelations about how highly sensitive work was outsourced to people in Belarus and Russia.
Rolls-Royce Submarines, which runs Britain’s fleet of nuclear submarines on behalf of the Ministry of Defence, stipulated that the work on its intranet upgrade should only be carried out by UK-based security-cleared individuals.
Those working on the project for WM Reply in the UK, who did have security clearance, were told they should obtain advice before even travelling to certain countries where “special security restrictions” applied, which included Belarus and Russia.
The Teams call – a transcript of which was passed to MoD investigators – took place towards the end of the “discovery” phase of the work and just days before the project was officially due to start. By this point, some of those working on the project at WM Reply were becoming uncomfortable about using coders based out of an office in Minsk in apparent contravention of the instructions from the MoD.
Various options were discussed by senior managers at WM Reply about ways to conceal the identities of the Belarusian coders from Rolls-Royce, such as having one British developer compile all the software which was produced in Belarus to make it look as though the entire code had been created in the UK.
Another employee on the call stated Rolls-Royce must not be told about the Belarusian developers, saying: “We can’t tell them we are doing this, unfortunately.”
Another team member asked why, if they were not doing anything wrong, could Rolls-Royce not be informed?
A more senior team member warned against escalating the concerns to a higher level of management, saying this could lead to them deciding to “completely pull the plug” on the project and risk losing a contract worth half a million pounds.
They went on to reassure other team members by claiming that the risk was “minimal” given that they had already undertaken previous projects for Rolls-Royce using developers in Minsk without any problems.
They argued that they could make it “secure” so the Minsk team “don’t even know what they are working on” and told staff to stop “talking each other into a panic” about it.
After the meeting, the senior employee at WM Reply told the team they had spoken to a contractor at Rolls-Royce who indicated he was happy for offshore workers without security clearance to take part in the project “where required to achieve accelerated timelines and only in the WM environment”.
However, it was not explicitly stated to Rolls-Royce that this involved using workers based in Belarus or Russia, according to documents studied by the MoD.
It was alleged WM Reply wanted to use developers based out of an office in the Belarusian capital of Minsk to cut costs, according to documents submitted to the MoD’s inquiry. Developers in Belarus would have cost “substantially less” than those in the UK, so contracting them for the project – worth around half a million pounds in total – would “increase the profit margin”, it was claimed.
Dr Marion Messmer, senior research fellow at Chatham House, a think tank, said that IT and software development work was increasingly outsourced to agencies in countries such as Belarus, Russia, Poland and Ukraine, which was “done as a cost-cutting measure”.
“This could be completely harmless but it becomes a huge security concern if it is work on critical national infrastructure,” she said.
James Cartlidge, the shadow defence minister, said: “The country needs to be reassured that everything is being done to look into this.”
He added that a “much greater focus on the resilience of supply chains” is needed across the board, in both the public and private sectors.
Mr Cartlidge, a former minister for defence procurement, said that when he was in the MoD, officials were looking at supply chains, in particular the issue of ensuring the UK did not become “over-reliant on certain suppliers for items that are significant for our critical infrastructure”.
Ed Arnold, at the Royal United Services Institute for Defence and Security Studies, said in this case there was a “principal security threat” of state-sponsored sabotage but also the potential for information to fall into the hands of criminals.
“The issue with data these days is you can store it pretty quickly and easily. Once you lose control of the data, you can’t get it back,” he said.
“It would give a state actor a pretty good intelligence start point. If you want to compromise systems, you need to first work out who to target. If you can get a dataset which does the pre-sifting for you, it means that subsequent approaches and targeted pitches are more productive.”
He said that Russia, the closest ally of Belarus, is one of the “primary” national security threats to the UK. “The threat is made up of capability, opportunity, intent – they have it all,” he said.
“The MoD should be asking itself, ‘What if there wasn’t a whistleblower?’ This wasn’t the MoD identifying the problem, it wasn’t Rolls-Royce. If it hadn’t been alerted to this, there would potentially be a vulnerability that could have been used and exploited for a longer period of time.”
Rolls-Royce, which launched an investigation into what happened after it was contacted directly about the issue in spring 2021, says it is confident its intranet is secure.
A spokesman said that all software or development work that was subcontracted out, including “off-the-shelf” software packages, went through rigorous security testing before being considered for use.
It said it carried out IT “health checks” annually across all of its networks and regularly took part in exercises with the National Cyber Security Centre to ensure networks remain secure.
A spokesman for WM Reply said it denied the claim its actions could have endangered national security. “WM Reply regularly reviews its delivery processes and procedures, respects the needs and processes of its customers and enjoys transparent and long-standing relationships with those customers,” it said.
Georgina Halford-Hall, chief executive of Whistleblowers UK, said: “There were multiple whistleblowers here who were doing the right thing and raising concerns.
“In a case like this, one would expect that the company would take matters seriously and act on the evidence provided by the whistleblower. But rather than acting on the concerns, they closed it down. The whistleblowers felt ignored, sidelined, and targeted by their employer.”
She is among those campaigning for whistleblowing laws that could result in companies being fined millions of pounds for attempted cover-ups.
Ministers are being urged to back a Whistleblowing Bill which will also outlaw non-disclosure agreements and set up a new tribunal where whistleblowing cases will be heard.
Previous iterations of the Whistleblowing Bill – which have been introduced in both the Commons and the Lords – received backing from senior Labour figures including Dame Margaret Hodge and Lord Browne, who was defence secretary under Sir Tony Blair and Gordon Brown.
Campaigners hope the Bill, which would protect whistleblowers from criminal or civil action being taken against them, will win the backing of Sir Keir Starmer’s government.
The current whistleblowing regime enables workers to bring an employment tribunal claim against their organisation if they are dismissed or treated unfairly at work because they have made a “protected disclosure” about wrongdoing.
These protections were set up in the Public Interest Disclosure Act 1998 (PIDA) but many are deterred by the cost and complexity of the system. The legislation would see people compensated for any loss they experienced – such as being dismissed from their job – as a result of their whistleblowing.
It would also set up a regulator, the Office of the Whistleblower, to investigate protected disclosures. It would set minimum standards for workplace whistleblowing policies, monitor and enforce compliance, and bring prosecutions.
Civil penalties – with a maximum fine set at 10 per cent of a company’s turnover up to £18 million – would be levied for those who fail to comply with an order from the Office of the Whistleblower. And a new criminal offence of subjecting a whistleblower to detriment is included in the draft bill, which carries a maximum jail term of 18 months.
Ms Halford-Hall is also urging the legal watchdog, which oversees the professional conduct of lawyers, to ensure that solicitors’ firms are not allowed to facilitate cover-ups of national security issues.
“It is time that the SRA stopped pussyfooting around with this and brought forward meaningful regulations and serious consequences for lawyers,” Ms Halford-Hall said. “Every lawyer should be compelled to report national security or other safeguarding issues to the relevant regulators and/or the police.”