GCHQ shrinks amid recruitment and retention challenges
Recruitment and retention challenges at Britain’s GCHQ have seen the intelligence agency’s total headcount shrink to the lowest level in three years, according to data published Tuesday by a British parliamentary committee.
As previously reported by Recorded Future News, bringing in new staff and convincing existing personnel to stay at the agency have proven a significant challenge in recent years. The lengthy hiring process and the gap between public and private sector salaries for cyber specialists are contributing factors, as was the COVID-19 pandemic.
According to an annex of the Intelligence and Security Committee’s (ISC) annual report, the total number of full-time equivalent staff employed by GCHQ in the year ending March 2022 — a year when inflation peaked at 11% in the United Kingdom — dropped to 7,082.
This was a minor drop of just over 1% from the 7,181 people employed by the agency in the previous year but is the first time that the agency’s total headcount has gone down in the five years that the ISC has been reporting on its recruitment numbers.
Despite more than 200 roles going unfilled in that year, and more than 460 unfilled the year prior, the agency reported several “major achievements” to the parliamentary committee, including that GCHQ and the National Cyber Force supported the British government’s response to Russia’s invasion of Ukraine. The specifics of this achievement were not detailed.
Also hailed was how GCHQ’s work had been a “key factor in revising the severity of the threat assessment for Kabul airport” during the withdrawal from Afghanistan. This, the ISC report stated, ultimately affected how British Forces were deployed at the airport and had a “significant impact in reducing casualties and saving lives in relation to the suicide attack that took place.”
Separately from the recruitment figures included in the ISC report, the committee published a redacted description of two incidents that it said raised “questions regarding GCHQ’s security culture and systems.”
One incident, which has previously been widely reported on, concerned the attempted murder by a former GCHQ employee of a woman who worked for the U.S. National Security Agency and was co-located in Cheltenham. Public reports indicate this was an isolated incident.
A spokesperson for the agency confirmed that was its view too: “This was a shocking, unprovoked attack and its isolated nature does not make it any less upsetting. Our thoughts are with the victims and their families. GCHQ has been working closely with police during their investigation and we welcome justice being done.”
The nature of the other incident mentioned by the ISC is not clear as the report is heavily redacted when referring to it. These redactions use three asterisks (***) to conceal the length of the sections of text that had been removed from the report.
The report says: “In late 2022, GCHQ wrote to the Committee to inform it about an ongoing investigation into ***, caused by ***. Investigations concluded that *** has had a significant effect on ***. GCHQ concluded that, as per its equities process, it had no option but to *** to ensure that *** an unacceptable cyber-security risk.”
GCHQ’s equities process covers how the agency handles any vulnerabilities found in technology. The goal is to balance the risk the vulnerabilities pose to the United Kingdom and its allies against the potential benefits of exploiting them for intelligence purposes.
No further details were available on the nature of the incident.
According to the ISC, whatever it was “raises concerns regarding GCHQ’s approach to recruitment and vetting, as well as the stringency of *** protocols in place to ***. The Committee is particularly concerned with regard to ***. The Committee intends to scrutinise this issue further.”
A spokesperson for GCHQ said the agency was unable to comment on redacted areas of the report.
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.