The Government Communications Headquarters (GCHQ), which is responsible for key aspects of the UK's cybersecurity, has lost equipment worth up to £1m, the latest Intelligence and Security Committee (ISC) report reveals.
The ISC was set up in 1994 to examine the policy, administration and expenditure of the Security Service, Secret Intelligence Service (SIS) and GCHQ, and also examines the work of the Joint Intelligence Committee (JIC), the Assessments Staff and the National Security Secretariat in the Cabinet Office, and Defence Intelligence (DI) in the Ministry of Defence.
The report says that while most of the items that could not be traced posed no security risk, GCHQ has admitted that it cannot guarantee that this is the case for 5% of these items.
Although the ISC has no reason to believe national security has been compromised, the report says security agencies must do all they can to avoid the loss of potentially sensitive equipment.
"The public interest requires that GCHQ learns from the repeated mistakes of the past. The Committee expects GCHQ to ensure that the situation does not arise again," the report says.
Internet specialists required
The report also expresses concern about GCHQ's inability to retain a suitable cadre of internet specialists to respond to the threat.
The ISC urges GCHQ to investigate what might be done within existing pay constraints to improve the situation, and recommends the Cabinet Office, as lead department for cybersecurity, considers whether a system of bonuses for specialist skills, such as exists in the US, should be introduced.
Also on the subject of remuneration, the report says that although the ISC recognises that the Security Service needs IT specialists to deliver its major technology projects, spending on consultants and contractors continues to increase at a significant rate.
"The Service should consider whether collaborative working, with GCHQ in particular, could provide some savings in this area," the report says, warning that the ISC will examine the use of consultants and contractors in greater detail in the coming year.
While welcoming the identification of cybersecurity as a Tier One risk in the National Security Strategy and the increased investment in this crucial area, the ISC says the concerns it expressed in its previous annual report about the lack of clear lines of responsibility and the potential risk of duplication of effort remain.
"The interests of national security demand that there should be clear lines of ministerial accountability. We expressed concern that the original system was neither sensible nor appropriate. We strongly support the government's decision to move ministerial responsibility to the Cabinet Office," the report says.