Rolls Royce Submarines, which manufactures nuclear submarines for the British military, outsourced its intranet development to a third-party vendor, who then knowingly employed developers based Belarus and Siberia, Russia without security clearance in contravention of UK Ministry of Defence (MoD) rules.

Rolls-Royce Submarines’ intranet is an internal portal that contains personal details of all its employees and the organizational structure of those working on Britain’s submarine fleet.

As reported by The Telegraph, the MoD considered the incident a serious threat to British defense, including the potential leak of British submarine locations, and it launched an investigation that concluded in February 2023.

A MoD spokesperson said that “at no point was the integrity of the system compromised” following the investigation.

Advertisement

Rolls Royce Submarines, whose internal investigation concluded in 2021, also said it vetted all coding before it was introduced to its network, and no data breaches took place.

“We can categorically state that at no point was there any risk of data, classified or otherwise, being accessed or made available to non-security cleared individuals. It is not possible for non-security cleared individuals to access any sensitive data via our company intranet.

“It is used to provide business updates, wellbeing support and a channel for collaboration between our colleagues,” a Rolls-Royce spokesman said, adding that the company has ceased working with WM Reply, the digital consultancy it contracted for its intranet development.

Estonia Moves to Ban Russian, Belarusian Residents From Voting in Local Elections
Other Topics of Interest

Estonia Moves to Ban Russian, Belarusian Residents From Voting in Local Elections

The move aims to safeguard against potential interference from Moscow and Minsk.

The MoD investigation established that WM Reply knowingly employed those based in Belarus and Russia without security clearance on at least one previous occasion and attempted to conceal their identities to avoid losing the contract that was worth half a million pounds ($638,492).

The transcript of a video call between WM Reply employees in November 2020, before the project commenced, was made available to the MoD inquiry, during which some employees proposed having one UK-based engineer compile the code written by the Russian and Belarusian developers to conceal the origin, with others proposing to use the names of “dead people in the UK” to conceal the Belarusian-sounding names.

Advertisement

“We are thinking of a legitimate way to do this because... we were going back and forth thinking we could create fake accounts, so it is not traced to [the company in Minsk] creating the code. But then the fake accounts for fake – maybe dead people in the UK which is not really nice,” one message read.

Following the meeting, senior staff at WM Reply said it obtained permission from Rolls Royce Submarines to employ offshore workers for the project, though the MoD inquiry later established that WM Reply did not explicitly state to Rolls-Royce that the developers were based in Belarus and Siberia, which warrants extra security caution.

Rolls Royce was informed of the concerns in the spring of 2021 and launched an investigation, with the MoD launching a subsequent investigation starting in the summer of 2022.

WM Reply maintained that security measures were in place and that its actions did not endanger national security.

Advertisement

“WM Reply regularly reviews its delivery processes and procedures, respects the needs and processes of its customers and enjoys transparent and long-standing relationships with those customers,” said a WM Reply spokesperson.

Dr. Marion Messmer, a senior research fellow at Chatham House, a think tank, told The Telegraph that companies tend to outsource software development to third countries such as Belarus, Russia, Poland and Ukraine “as a cost-cutting measure,” which is normally “completely harmless” but could “[become] a huge security concern” if they are to work on critical national infrastructure.

Ben Wallace, the UK’s former defense secretary, cautioned that the incident highlighted the vulnerability of supply chains in Britain’s defense sector.

“Time and time again, countries like China and Russia have targeted the supply chains of our defense contractors. This is not a new phenomenon,” said Wallace.

To suggest a correction or clarification, write to us here
You can also highlight the text and press Ctrl + Enter