The news that the development of an IT system used by British nuclear submarine engineers was outsourced to Belarusian developers has led to calls that the U.K. must carry out an urgent review of defense supply chains, the Telegraph reported on Aug. 3.
The Telegraph first reported on Aug. 2 that part of the IT software used by British nuclear submarine engineers had been outsourced to Belarusian developers, one of whom was working from Russia.
The software was supposed to have been developed solely by U.K.-based IT workers with security clearance. The incident took place before Russia's full-scale invasion of Ukraine.
Belarus has long been a key ally to Moscow and supported Russian aggression against Ukraine, though it has not committed its own forces directly to hostilities.
A digital consultancy firm, WM Reply, was subcontracted by Rolls-Royce Submarines, the company responsible for powering the British Navy's nuclear submarine fleet, to upgrade its staff intranet system.
The Telegraph reported that WM Reply subcontracted the work to IT developers based in Belarus, "one of whom was actually working from home in Tomsk in Russia, according to documents submitted to the MoD's inquiry."
Employees of WM Reply "began to sound the alarm over the security implications of using Belarusian staff for the project" in the summer of 2020, the Telegraph said.
The employees were reportedly told not to panic by their superiors and the company initially kept the fact that the work had been outsourced to Belarus secret.
The staff intranet system contained the personal data of all employees working for Rolls-Royce Submarines and the organizational structure of the wider workforce of the U.K.'s submarine fleet, leaving staff at risk of being targeted or blackmailed.
According to the Telegraph, "Rolls-Royce said it had carried out full IT security checks on any coding before it was introduced to its network" and is confident that outsourced developers "did not have access to information on secure servers."
"We can categorically state that at no point was there any risk of data, classified or otherwise, being accessed or made available to non-security cleared individuals," Rolls-Royce said.
The company stopped working with WM Reply after a "rigorous internal investigation" that was completed in 2021.
Ben Wallace, the Defense Secretary at the time, was quoted by the Telegraph as saying the breach left the U.K. potentially "vulnerable to the undermining of our national security."
Former Navy Admiral Alan West has also urged the U.K. Defense Ministry to conduct a further review of its supply chains.
In another case of IT systems leaving British nuclear infrastructure open to potential attack, the Guardian reported in December 2023 that lax security protocols at the Sellafield nuclear waste site had left it open to hacking from Russian and Chinese-linked cyber groups.
Sellafield's insecure servers resulted in foreign hackers gaining access to high-level confidential material, which could include radioactive waste movements, leak monitoring, and fire checks.
Emergency planning documents, used in case the U.K. comes under foreign attack, could have also been compromised, according to the Guardian.
Martin Fornusek
(Updated: )
