Decision

Advice Letter: Gaven Smith, Technical Committee Member, Cyber Monitoring Centre

Published 11 June 2024

1. BUSINESS APPOINTMENT APPLICATION: Gaven Smith CB FREng, former Director General Technology GCHQ - paid appointment with the Cyber Monitoring Centre

Mr Smith sought advice from the Advisory Committee on Business Appointments (the Committee) under the government’s Business Appointments Rules for Former Crown Servants (the Rules) on his proposal to work with the Cyber Monitoring Centre.

The purpose of the Rules is to protect the integrity of the government. The Committee has considered the risks associated with the actions and decisions Mr Smith made during his time in office, alongside the information and influence he may offer the Cyber Monitoring Centre. The material information taken into consideration by the Committee is set out in the annex.

The Committee’s advice is not an endorsement of the appointment - it imposes a number of conditions to mitigate the potential risks to the government associated with the appointment under the Rules.

The Rules[footnote 1] set out that Crown servants must abide by the Committee’s advice. It is an applicant’s personal responsibility to manage the propriety of any appointment. Former Crown servants are expected to uphold the highest standards of propriety and act in accordance with the 7 Principles of Public Life.

2. The Committee’s consideration of the risk presented

The Cyber Monitoring Centre describes itself as an independent, non-profit organisation which seeks to monitor, define and classify cyber events impacting UK organisations; and to provide this information at no cost to those who want it. It said many physical events such as earthquakes, floods, and hurricanes have easily understandable classification systems, designed to convey the intensity of events. It seeks to develop a system that communicates the seriousness and severity of cyber events as they are occurring.

There is no direct relationship between GCHQ and the Cyber Monitoring Centre. GCHQ confirmed the National Cyber Security Centre (NCSC), which is separate from the department, is growing a relationship with the newly formed organisation. Mr Smith was not responsible for cyber security, did not make any policy or commercial decisions specific to the Cyber Monitoring Centre, nor did he meet with the organisation. Therefore, the Committee[footnote 2] considered the risk that this role could have been offered as a reward is low.

As Director General Technology, Mr Smith would have had access to a broad array of information. Part of Mr Smith’s role entailed working across the intelligence community to improve the use of data capabilities in national security, which could have overlapped with cyber security. It is significant that cyber security policy was not within Mr Smith’s responsibility, nor GCHQ’s - as this policy is owned by the National Cyber Security Centre. Further, Mr Smith has not had access to information for over four months, which creates a gap between his access to information and this proposed role.

Mr Smith likely has a network of contacts and influence across government that could provide his employer an unfair advantage. Mr Smith confirmed that he will not have any contact or dealings with government in the role, which will be internal facing and focussed on reviewing and deciding on the correct classification of events. This organisation does not have commercial competitors and has already started developing a relationship with government, as the NCSC has an interest in the classification of cyber events.

3. The Committee’s advice

The Committee determined the risks identified in this application can be appropriately mitigated by the conditions below. These make it clear Mr Smith cannot make use of privileged information, contacts, or influence to unfairly benefit the Cyber Monitoring Centre or its partners.

The Committee advises, under the government’s Business Appointment Rules, that Mr Smith’s appointment with the Cyber Monitoring Centre be subject to the following conditions:

  • he should not draw on (disclose or use for the benefit of himself or the persons or organisations to which this advice refers) any privileged information available to him from his time in Crown service;

  • for two years from his last day in Crown service, he should not become personally involved in lobbying government or any of its arm’s length bodies on behalf of the Cyber Monitoring Centre (including parent companies, subsidiaries, partners and clients); nor should he make use, directly or indirectly, of his contacts in government and/or Crown service to influence policy, secure business/funding or otherwise unfairly advantage the Cyber Monitoring Centre (including parent companies, subsidiaries, partners and clients); and

  • for two years from his last day in Crown service, he should not provide advice to the Cyber Monitoring Centre (including parent companies, subsidiaries, partners and clients) on the terms of, or with regard to the subject matter of, a bid with, or contract relating directly to the work of the UK government or its arm’s length bodies.

The advice and the conditions under the government’s Business Appointment Rules relate to Mr Smith’s previous role in government only; they are separate from rules administered by other bodies such as the Office of the Registrar of Consultant Lobbyists, the Parliamentary Commissioner for Standards and the Registrar of Lords’ Interests[footnote 3]. It is an applicant’s personal responsibility to understand any other rules and regulations they may be subject to in parallel with this Committee’s advice.

By ‘privileged information’ we mean official information to which a minister or Crown servant has had access as a consequence of his or her office or employment and which has not been made publicly available. Applicants are also reminded that they may be subject to other duties of confidentiality, whether under the Official Secrets Act, the Ministerial Code/Civil Service Code or otherwise.

The Business Appointment Rules explain that the restriction on lobbying means that the former Crown servant/Minister “should not engage in communication with Government (Ministers, civil servants, including special advisers, and other relevant officials/public office holders) – wherever it takes place - with a view to influencing a Government decision, policy or contract award/grant in relation to their own interests or the interests of the organisation by which they are employed, or to whom they are contracted or with which they hold office.”

Mr Smith must inform us as soon as he takes up this work or if it is announced that he will do so. Similarly, he must inform us if he proposes to extend or otherwise change his role with the organisation as, depending on the circumstances, it might be necessary for him to seek fresh advice.

Once this appointment has been publicly announced or taken up, we will publish this letter on the Committee’s website.

4. Annex - material information

4.1 The role

Mr Smith wishes to take up a paid, part-time role with the Cyber Monitoring Centre as a Technical Committee Member. Mr Smith said that the Cyber Monitoring Centre focuses on risk classification of cyber events. According to the company’s website:

  • a. It is an independent, non-profit organisation which seeks to monitor, define and classify cyber events impacting UK organisations, and to provide this information at no cost to any interested organisations and individuals. For example, it said many physical events such as earthquakes, floods, and hurricanes have easily understandable classification systems, designed to convey the intensity of events. The Cyber Monitoring Centre seeks to create the equivalent for the digital world - to design a way of consistently describing and communicating the seriousness and the severity of cyber events as they are occurring.

  • b. It is a new organisation that has been funded by the private sector. The initial funding was provided by CFC Group Limited (who provide specialist insurance products such as cyber cover). The initial set-up work was done in collaboration with law firm Weightmans, and data specialists QualRisk.

  • c. It said that during 2024, it will test and improve its methodology in classifying cyber events and that event categorisations will not be made available during this time. It expects to publish its categorisation of such events in early 2025.

It will work in partnership with organisations (yet to be named) that are involved in and can provide insights into cyber events. This will include companies that provide technical indicators such as cloud and IT infrastructure downtime, and companies that are involved in responding to cyber events including cloud vendors, incident response firms, and insurance related companies.

Mr Smith said that his role will involve reviewing cyber events and agreeing the final determination of the category of the event alongside other members of the committee. Mr Smith said his role would not involve contact or deals with government.

4.2 Dealings in office

Mr Smith said he was not responsible for cyber security while in office as that responsibility sat with the National Cyber Security Centre. As such, he confirmed he was not involved in policy formation or any decisions specific to this organisation.

4.3 Departmental assessment

GCHQ confirmed the details in Mr Smith’s application - that he made no decisions specific to cyber security, the responsibility for which sat outside his responsibilities as Director General Technology.

GCHQ confirmed that the National Cyber Security Centre (NCSC) is growing a relationship with the Cyber Monitoring Centre, a private sector initiative aimed at strengthening the UK’s cyber security. The NCSC’s focus is on consistency of the accurate categorisation of cyber events without interfering with independent judgements on either side.

GCHQ recommended standard conditions be applied to this appointment.

  1. Which apply by virtue of the Civil Service Management Code, The Code of Conduct for Special Advisers, The King’s Regulations and the Diplomatic Service Code. 

  2. This application for advice was considered by Andrew Cumpsty; Isabel Doverty; Hedley Finn OBE; The Rt Hon Baroness Jones of Whitchurch; The Rt Hon Lord Eric Pickles; Michael Prescott; and Mike Weir. Sarah de Gay and Dawid Konotey-Ahulu CBE DL were unavailable. 

  3. All Peers and Members of Parliament are prevented from paid lobbying under the House of Commons Code of Conduct and the Code of Conduct for Members of the House of Lords. Advice on obligations under the Code can be sought from the Parliamentary Commissioners for Standards, in the case of MPs, or the Registrar of Lords’ Interests, in the case of peers.