all three of declassified exposures on GCHQ in english schools

The UK’s largest intelligence agency is infiltrating British schools
Matt Kennard, Declassified UK, Jun 2 2020

Pupils from Ribston Hall school in Gloucester, south-west England, take part
in an activity organised by GCHQ’s Cyber Schools Hub programme.
Anonymisation by Declassified. (Photo: Cyber Schools Hub)

Declassified UK can reveal that GCHQ, Britain’s largest intelligence agency, has gained access to at least 22k primary and secondary school children in dozens of UK schools, and that the organisation may be spying on children. GCHQ officers are operating in at least one school, while parents of pupils at schools across the programme do not appear to have been informed about the extent of the spy agency’s role in it. Evidence also suggests that quotes purporting to be from children praising the programme have been manufactured. Further, GCHQ’s Cyber Schools Hub (CSH) programme, also known as CyberFirst, appears to be disseminating propaganda to school children, telling them it acts as the “heart of the nation’s security.” This is controversial, given that GCHQ’s programmes of mass surveillance have been found to be unlawful by the ECHR and that the agency also conducts offensive cyber operations. The stated purpose of the CSH programme is to enable secondary school children aged 11 to 17 years old near GCHQ’s base in Cheltenham to “experience new ways of learning in an innovative cyber environment.” It also aims to recruit children for jobs in the sector by helping to “educate on the opportunities that exist within the cyber security and computing industry.” However, Declassified UK can reveal that the programme, which has been running since 2018, has expanded into primary schools, where students range from 4 to 11 years old. While programme literature admits that the project includes 23 schools, Declassified UK has found that nearly double this number are involved, including more than 10 primary schools.

Declassified UK has also seen evidence that a “code club” set up at one primary school is staffed entirely by officers from GCHQ. The intelligence agency has also tried to gain access to school children by providing much-needed technology to local libraries, while its “recruitment teams” have been mobilised to deal with enquiries from schools involved in the programme, according to documents seen by Declassified UK. There are suspicions that GCHQ’s programme is being used to spy on children. Declassified UK has seen evidence that GCHQ and local police launched a “joint tag team event” at one school to gain access to a pupil who had been reported to the authorities by his school for being “very talented,” such that “teachers were worried [he] may be about to cross the line with his online cyber activities.” There is no evidence the child had done anything wrong to become a target of GCHQ, or that they or their classmates were made aware they were participating in an event under false pretences. The exposures of Edward Snowden revealed that one of GCHQ’s “top objectives” in the recent past was the “delivery of a reporting service on radicalisation” for the UK Dept for Children, Schools and Families (now Dept for Education), assumed to be targeted at children in schools. It is unclear if the CSH programme is part of this “reporting service.”

An internal GCHQ slide leaked by Edward Snowden which shows the agency’s aim
to “ensure delivery of reporting service on radicalisation” to the UK government’s
Department of Children, Schools and Families.

GCHQ runs the CSH programme through one of its arms, the National Cyber Security Centre (NCSC), which opened in 2016. GCHQ says it employs almost 6k people in Cheltenham and at some smaller bases around the UK, although the agency has in recent years secretly expanded its workforce, reportedly employing thousands more staff. The majority share of the £2.48b budget for Britain’s intelligence services is taken by GCHQ, which has twice the number of personnel of the other major security services, MI5 and MI6, combined. Both GCHQ and the schools themselves cite national security exemptions to block requests for information about the cyber schools programme, but Declassified UK has seen newsletters produced for a short period from Dec 2018 to Jul 2019 which outline some activities. Jen Persson, director of Defend Digital Me, an organisation set up to defend children’s right to privacy, told Declassified UK:

GCHQ is an employer that requires a certain skill set—and perhaps a certain mind-set. Recruitment in that sector is not about a single event, but a drip-feed developed over time. Children are vulnerable as they develop into adulthood, and there is regulation in other areas, to protect them from undue adult influence, like online advertising, yet it sounds like spies can walk into schools whenever they want with no transparency or independent oversight.

Schools involved in GCHQ’s programme

A downloadable lesson plan in the CSH programme, which includes the tag “Year 7,” 11-12 year olds, has a slide which instructs the children:

GCHQ has been at the heart of the nation’s security for 100 years. It has saved countless lives, given Britain an edge, and solved or harnessed some of the world’s hardest technology challenges.

The slide is an unattributed quote from GCHQ director Jeremy Fleming. It is not known if parents are aware that such lessons are disseminating propaganda about GCHQ’s history. Files revealed by Edward Snowden in 2013 show that GCHQ had been secretly intercepting, processing and storing data concerning millions of people’s private communications, including people of no intelligence interest, in a programme named Tempora. In 2018, the ECHR ruled that UK laws enabling such mass surveillance were unlawful, violating rights to privacy and freedom of expression. GCHQ has also operated offensive cyber operations against countries such as Argentina and plays a key role in UK military interventions overseas. On top of this, GCHQ has a secret cyber warfare unit, named the Joint Threat Research Intelligence Group (JTRIG), which takes 5% of the organisation’s budget. Its stated purpose is to “destroy, deny, degrade, disrupt” enemies by “discrediting” them, and its operations include “honey traps,” “false flags” and “writing a blog purporting to be one of their victims.” According to Richard J Aldrich, a professor at Warwick University and author of the authoritative historyof GCHQ,:

One of the enemies on JTRIG’s list are investigative journalists who pose a ‘potential threat to security.’

It appears parents are not being made aware of the full gamut of GCHQ’s activities, or the extent of its role in the CSH programme. When Declassified UK asked the NCSC what information is given to parents about the programme, the agency replied:

We have no contact with parents. What teachers/schools share with parents is done independently of NCSC.

Slides from a downloadable lesson plan made available by GCHQ’s
schools programme. (Photo: Cyber Schools Hub)

The CSH programme has already reached over 22k children in its pilot phase in schools in Gloucestershire, south-west England, but the British government plans to expand the programme across the whole country. The NCSC recently announced that because “the CSH pilot has proved to be successful at a local level” it now “wishes to increase the scale of ambition and formally recognise schools” in a new CyberFirst schools programme, which will include schools in Wales. The NCSC team is already covering expenses to enable teachers from around the country to attend CSH events in Gloucestershire, according to documents seen by Declassified UK. Only two questions have been asked in Britain’s parliament about the CSH programme, and its total cost, paid for by the UK taxpayer, is classified. The NCSC told Declassified UK that the agency “wouldn’t offer comment on finance specifics.” GCHQ recently boasted:

These programmes are not public. GCHQ quotes primary school children apparently praising the intelligence agency’s educational outreach. “I think it’s the best thing EVER,” one child apparently said. “The lesson was fabulous,” another was purported to say. All secondary schools in Gloucestershire were invited to tender to be a hub for the CSH programme in October 2017. But, according to documents seen by Declassified UK, by the end of 2018 the NCSC had “started a focused primary school trial” by using CSH schools to run after-hours clubs in “feeder” schools for 4-11-year-olds. Schools supported include the Kings, Linden and Abbeymead primary schools, all in the vicinity of GCHQ’s Cheltenham HQ. The computer science teacher at another nearby school, Denmark Road, provided a further three “exciting and stimulating” computer science outreach sessions at Kingsholm, another local primary school. The CSH website states that primary school teachers can collect “teacher crates” from the NCSC which can be used to “develop lesson and activity plans.” The programme has a list of courses, some devised by private sector partners, specifically aimed at primary school children, including playing the game Minecraft while learning the Python computer coding software. In Spring 2019, St James primary school in Gloucester launched a “code club” for its pupils. The club, the newsletter notes, is “staffed entirely by software engineers from GCHQ, which allows the club to be offered for free.” The club was scheduled to run until the end of the school year with “lots of new topics.” The NCSC told Declassified UK:

Secondary teachers involved in the initiative expressed the need to develop interest in computing at primary school level. We supported primary schools in delivering stimulating Cyber Schools lessons.

An entry in the Mar/Apr 2019 newsletter, produced by GCHQ, which outlines
its officers’ entry into one primary school to set up a “code club.”

Declassified UK has seen evidence that GCHQ’s project is closely supported by the police’s regional cyber crime unit, with police officers involved in the programme entering schools to provide “fun sessions around ethics … and the Computer Misuse Act.” The NCSC notes:

On several occasions this has been done as a tag team with NCSC providing insight into the role of both GCHQ and NCSC, and the associated career opportunities if students stay on the right side of the law.

On one occasion, the West Midlands police cyber crime unit was called in to a school in Hereford, which is not mentioned as being part of the CSH programme, because there was a “very talented student that the teachers were worried may be about to cross the line with his online cyber activities.” The child had expressed interest in working for GCHQ. The NCSC team suggested a “joint tag team event” with the police, where they would “emulate the sessions” they had previously run with the police. The school acceded and a session was run for a morning with the individual and his classmates. “Hopefully a clear and correct pathway highlighted to the talented student,” notes the newsletter. It is unclear if the student was at a primary or secondary school. Despite putting on the event, the NCSC told Declassified UK:

We don’t have any information on this.

An entry in the Jun 2019 newsletter, produced by GCHQ, which outlines
the activities in its schools programme, suggesting it is being used
to spy on children.

One newsletter notes another event for girls held at a school close to GCHQ headquarters and includes Ella and Chloe in Year 8 (12-13 years old) together proffering the quote:

Diversity in perspectives, leadership and experience is good for Cyber. The wider variety of people and experience we have defending our systems, the better chances of keep the UK safe.

But this quote may not be genuine since, aside from sounding more like language used by GCHQ media relations than a Year 8 pupil, the same quote is attributed to a different 13-year-old pupil, “Evie,” on another CSH blog post. The NCSC told Declassified UK:

Teachers provide the quotes from students.

A suspicious quote praising GCHQ’s schools programme, which in the first CSH blog post
is attributed to 13-year-old pupil “Evie” and in the CSH newsletter below
is attributed to two different pupils: “Ella and Chloe in Year 8.”

Before the coronavirus crisis hit the UK, I took a 25-minute drive west from GCHQ in Cheltenham to Newent Community School. Driving through lush countryside and quaint villages, it felt far away from the world of high-stakes surveillance by the time I arrived in Newent, a village of around 5k people. But Newent School is at the centre of attempts by GCHQ to cultivate the next generation of cyber-competent spies and expand into Britain’s educational system. The school is one of just two “hub schools” which are the centrepiece of the CSH programme. My email and phone requests for interviews to Newent and its sister hub, Cleeve School, were initially answered, but then ignored. When I arrived unannounced in person, the Newent principal Alan Johnson acceded to speaking to me. Initially, he said he would give me an interview on the record, but then said he would only speak on background. He could tell me nothing tangible that being a “hub school” has done, saying it has brought no investment or new facilities. The programme, he said, has simply made the school focus more on “cyber security.” A CSH newsletter, however, outlines that the NCSC team funded two companies to run sessions for 50 11-year-olds on “e-textiles” at Newent School. the newsletter continued:

The school is now looking to run a regular wearable tech focused lunchtime club.

Johnson pointed to a shelf in his office which has toys for toddlers and explained that all of them are potential surveillance devices. This is the big lesson he wants his pupils to imbibe, he told me. Johnson took me on a tour of the school and judging by the peeling paint and sparse facilities, the reason for his contention that he will take investment from anywhere he can get it became obvious.

Shelves full of electronic toys in the office of Alan Johnson, the principal of Newent
Community School, which Johnson uses to demonstrate the dangers of surveillance
to the children in his school. (Photo: Matt Kennard)

Cleeve School, which is the lead hub school in the GCHQ programme, and located just a 10 minute drive from its headquarters, provides a different picture. From the outside it looks state-of-the-art architecturally, and as you walk to reception, well-equipped computer rooms run along the side of the building. The receptionist initially looked proud when I asked if it is a cyber “hub school” and said she would go to get some information and ask about an interview. She returned after speaking to someone on the phone for a couple of minutes. She said there was no information on the programme she could give me and the person who runs it was in a meeting and wouldn’t be out until the end of the school day. When I returned I was told he was still not available. I requested basic information about what the GCHQ programme is promoting at Cleeve using the Freedom of Information Act provisions, but the IT teacher running the programme, Martin Peake, wrote back, stating:

The information requested is exempt under section 23(1) of the Freedom of Information Act 2000 which relates to information supplied by, or relating to, bodies dealing with security matters. This is an absolute exemption and does not, therefore require the application of the public interest test in favour of disclosure.

Jen Persson, director of Defend Digital Me, told Declassified UK:

If I were a parent at a school that cited a national security ‘exemption’ to a question about what GCHQ is promoting to my child, I’d be on the phone to the governors to find out why, and want a very thorough and public explanation of their purposes. I’d ask, is my child being groomed?

Peake joined Cleeve as head of computer science in Sep 2017, the month before the tenders to NCSC were submitted. He says:

I am currently working with NCSC to develop the Cyber Schools Hub.

Peake has a history working in the arms industry, from 1988-1994 as a software developer for “defence communications projects in the air defence sector” where he “successfully bid for new contracts in the UK and France.” Before that he had been a software engineer on the head-up displays for the military jet fighters Sea Harrier and Tornado. Email and telephone requests to the NCSC have yielded next to no further information about the CSH programme. Declassified UK tried both press numbers on the agency’s website and neither worked. An email was eventually answered and a request for a school visit and an interview with someone running the programme was put in. Despite saying that a visit could be arranged, nothing was heard for several months, and requests for updates were not forthcoming. No interview with any administrator at the NCSC was granted. One thing that has been publicised is that students from Newent and Cleeve were invited to the main GCHQ building in Cheltenham to “help GCHQ celebrate its centenary year” along with Prince Charles. The newsletter noted:

HRH went to great lengths to show how impressed he was with the NCSC running such a project, with the teachers and students involved. The project teachers and students were thrilled to be given such a fantastic opportunity and to talk to HRH about the impact the project has had on them and their schools.

In Mar 2019, Years 7 and 8 students from Newent also visited the NCSC offices in London as the guests of its deputy director for defence and national security. The newsletter reported that the pupils returned to school “buzzing.” It noted: “They loved the opportunity to visit the NCSC offices in London,” adding the students were left “thrilled and enthralled” by seeing what the NCSC does. In 2019 the CSH project supported students at another school, Wyedean to attend the Cheltenham Science Festival where GCHQ sponsored the Cyber Zone area. Students were so engaged with the activities, the NCSC claimed, “that they nearly forgot to get on the bus back to school at the end of the day.”

Prince Charles meets staff and students from Newent and Wyedean,
two schools involved in the Cyber Schools Hub programme,
at GCHQ in Cheltenham, Jul 13 2019. (Photo: GCHQ)

The plethora of programmes GCHQ has initiated in recent years is intended to create the next generation of cyber-competent spies. The secret intelligence service, MI6 also recently revealed it has cut its age of enlistment to 18 to attract more technologically savvy officers. GCHQ has been keen to mend its reputation after the Snowden revelations and is targeting young children in several ways. Blue Peter, the flagship children’s show on BBC, ran a competition last year “giving three lucky viewers” the chance to visit GCHQ in Cheltenham. The BBC added:

To be in for a chance at winning this incredible prize, you must create a simple code to spell ‘Enigma’ and hide it within a poster you’ve designed to mark GCHQ’s 100th anniversary.

In 2017, GCHQ created the CyberFirst girls competition for children aged 12-13 years old with the stated aim of increasing female participation in the cyber sector. By 2020, 520 schools across Britain had signed up to participate. Alex Chalk, the Conservative MP for Cheltenham, has been a supporter of GCHQ moving into Gloucestershire’s schools. he told me last year:

The thing that struck me was that we had an asset in GCHQ, which was absorbing a growing amount of public money, billions of pounds, and yet its impact … was quite limited. I read around the subject and saw what the Israelis had done in a place called Beer Sheva in Israel, where they’ve got their equivalent of GCHQ, and their equivalent of Cambridge University, which is called Ben Gurion University.

In May 2018, as GCHQ’s schools programme was being launched – Conservative Friends of Israel and the Israeli Ministry of Foreign Affairs donated £1,800 to Chalk to cover a trip to Israel to see the CyberSpark Cyber Innovation Centre in Beer Sheva. The British government has another project, Cyber Discovery, which costs £20m and aims to provide “free online extra-curricular” cyber activities to children as young as five years old. This project is adapting to the coronavirus crisis. Last month the government set up an online “cyber security school” aimed at “thousands of young people.” The government stated:

At a time when schools remain closed to most children, the online initiative aims to inspire future talent to work in the cyber security sector.

Harry Potter, British spies, and the arms corporations penetrating UK schools
Matt Kennard, Mark Curtis, Declassified, Jun 3 2020

Pupils from Denmark Road High School for Girls close to GCHQ in Cheltenham learn how
to build “quadcopters” with Raytheon. Anonymisation by Declassified.
(Photo: Cyber-Schools Hub)

Declassified UK can reveal that a secretive GCHQ programme is allowing officials from British and Pindo arms companies involved in human rights abuses against children overseas to enter dozens of UK schools and recruit children for “work placement opportunities.” The UK’s largest arms exporter, BAE Systems, is being facilitated to offer careers advice and workshops to children aged 9-12 years old. In some cases, pre-teenage and teenage children are being taught by arms company staff how to build drones and “sniff” on their classmates’ internet connections. The programme, known as the Cyber-Schools Hub (CSH) or Cyber-First, is operating in over 40 schools and gives GCHQ access to British children as young as four for activities promoting so-called “cyber-security.” The UK government plans to roll out the programme nationwide. Programme literature shows that GCHQ is aggressively pushing for arms companies to enter schools. It can further be revealed that the programme, paid for by British taxpayers, is providing equipment to the world’s largest arms company, Lockheed Martin, to incentivise it to enter schools in Gloucestershire, the county in south-west England where the CSH pilot scheme is mainly running. The taxpayer has paid undisclosed sums for school-children to attend work experience at Lockheed Martin, which opened a £3m “Cyber-Works” facility in Gloucester in 2017.

Lockheed Martin, which has been awarded exclusive “associate” status in GCHQ’s schools programme, manufactures the Mark 82 bomb which was used by the Toads in Aug 2018 to blow up more than 40 children on a school bus in Yemen. The ongoing war in Yemen, which began in 2015, has produced the world’s largest humanitarian disaster where 2.2m children are acutely malnourished. Other arms companies involved in the CSH programme include Northrop Grumman and Raytheon, the latter a manufacturer of arms for use in Yemen and Iraq which have killedscores of civilians, including children. Meanwhile, with the support of the British government, BAE Systems plays a key role in sustaining the Toads war in Yemen, maintaining Toad warplanes at their main operating bases. Amnesty International is calling for both BAE and Raytheon to be investigated by the International Criminal Court for complicity in war crimes.

Yemeni children take part in a rally against the Toad-led airstrike which hit a school bus
with Lockheed Martin’s Mark 82 bomb, killing at least 50 people, mostly children,
Sana’a, Yemen, Aug 12 2018. (Photo: Yahya Arhab/EPA)

A number of schools involved in the GCHQ programme have hosted “cyber days” where arms companies such as Raytheon and Lockheed Martin, among others, undertake visits for what GCHQ calls a “speed dating” experience with pupils. One school aimed this “experience” at Year 8s (i.e. 12-year-olds). A permission slip in one school seen by Declassified suggests that parents are not being fully informed about the involvement of arms companies or GCHQ in the CSH programme. Only limited details about the project have been made public and the overall cost is classified. Andrew Smith of Campaign Against Arms Trade told Declassified:

This is very concerning. Arms companies exist for one reason only, and that is to sell as many weapons as possible. GCHQ should not be allowing them into schools under the guise of education. They are not investing time and resources into visiting schools because they care about education, they are doing it because they want to influence young people and improve their image among parents. The arms company reps won’t be highlighting the terrible damage that their weapons have caused around the world. BAE and Raytheon, for example, will not be talking about the schools that have been bombed in Yemen, which their fighter jets and bombs have played a key part in. This programme needs to be stopped.

An entry in the Jan 2019 newsletter produced by GCHQ, which outlines the activities
in its schools programme, which details “speed dating” between school-children
and arms companies such as Lockheed Martin and Raytheon.

GCHQ runs the Cyber-Schools Hub programme through one of its arms, the National Cyber Security Centre (NCSC), which opened in 2016. The programme has been running since 2018 and lists a number of “partners” which include major private arms companies from the US and UK. However, the true extent of arms company involvement is larger than declared by the programme. Declassified has seen evidence that French arms manufacturer Thales has entered one school to “support” a group of Year 8 girls (ie 12-year-olds) despite having no official or public connection to the programme. Another company, Raytheon, was only recently listed as a CSH “partner” despite being involved since at least Jan 2019. It is not known if other arms companies are operating in the schools off-the-books. Raytheon made £59b in sales last year, while its UK subsidiary is a major supplier to the British Ministry of Defence. The company’s factory in Glenrothes, Scotland, produces circuit boards for the Paveway missiles, which are exported by Britain to the Toads, whose air force has used them to devastating effect in the war in Yemen. Pictures have been posted of children from Denmark Road High School for Girls in Gloucester building quadcopters, often used as drones, with Raytheon. At Crypt School, also in Gloucester, a team of Year 9 students took part in the Quadcopter Challenge, organised by Raytheon. The aim was to design, build, programme and test a quadcopter, before competing against other local schools. The school notes proudly:

Ambassadors from Raytheon will be on hand to support the students in developing new skills.

Another school, Kingsholm primary in Gloucester, hosted a “Raytheon junior cyber-day” where students undertook activities such as “learning how you can eavesdrop on a computer screen using a simple radio tuner, antenna and free software.” The event was hosted by 12 staff from Raytheon along with members of the Gloucestershire and Manchester police.

An entry in the May 2019 newsletter, produced by GCHQ, outlining the “junior cyber-day”
run by Raytheon in Kingsholm primary school in Gloucester.

Photos were also recently posted of Raytheon delivering talks at another school, Cleeve, in Cheltenham, home of GCHQ, to mark International Women’s Week in March. In 2015, Raytheon opened a Cyber-Innovation Centre in Gloucester that it says is focused on “big data, analytics and network defence,” while Gloucestershire Conservative MP Jack Lopresti received gifts worth£320 from Raytheon UK in Jan 2020. In 2017, Lopresti lobbied a government minister in parliament for the RAF to retain a surveillance aircraft, Sentinel, whose radar system has been developed by Raytheon. The chair of Raytheon UK is ‘Lord’ Strathclyde, a former Conservative leader of the House of Lords. GCHQ divulges little information about arms company activities in the CSH programme, but Declassified has seen a newsletter produced for a short period from Dec 2018 to Jul 2019, which gives some details. One newsletter notes:

Industry engagement is a massive bonus for schools in general, but for cyber-schools in particular. Massive enterprises such as Northrop Grumman and Raytheon are involved with the programme, developing special work placement opportunities and realising that there are a whole group of non-degree-educated youngsters they might miss out on.

The companies themselves do not list their activities in the CSH programme on their websites.

A collage of logos of corporations involved in GCHQ’s schools programmes,
including a number of arms companies. Despite Raytheon working in schools
at the time, its logo did not appear on this promotional material
(Photo: Cyber-Schools Hub)

The CSH programme advertises the fact that BAE Systems, the UK’s largest arms corporation with sales of £20b in 2019, has delivered workshops for Year 5 (age 9-10) students. It adds that BAE has also provided “careers advice” for Year 7 (age 11-12) students at a school which is not part of the programme, in its national careers week. BAE has also been “acting as guardians” for the “Cyber-First Girls” teams entered by two local schools, although it is unclear what this involves. On one occasion, GCHQ noted it “had just got BAE Systems on board” and passed on a “request for support” from another school, Wyedean, also in Gloucestershire, for a GCHQ programme aimed at Year 8 girls. The newsletter notes:

Together with Tom, the BAE Systems project coordinator, they very quickly organised a large number of staff volunteers to support the school.

Thales was also contacted to provide support, to which it agreed. These arms companies were focused on “forming” the Year 8 children’s “thought processes,” the newsletter notes. When another school, Ribston Hall, wanted to improve its 15th position in the “Cyber-First Girls” competition, it put out a “cry for help.” the newsletter notes:

This cry for help was answered by both Lockheed Martin and BAE Systems, with staff from both companies going into school to help the girls again in a pastoral/thinking perspective.

The NCSC states that it has set up “distribution centres with the support of the schools and industries involved in the project” to loan out technology. It is unclear which arms companies, if any, are involved in this activity. But the NCSC has said that staff at Lockheed Martin, “working closely” with the computer science teacher at one school, facilitated three students on a week’s work experience opportunity at the firm, funded by the NCSC project team. The children were meant to “learn about all the different ways into industry and what the company does.” The experience at the arms company ended with a “BBQ social.” Offering work experience in arms companies is an expanding programme. One newsletter notes:

Having a flexible time for work placements and selecting appropriate students will help us increase the number of placements. Lockheed Martin and Northrop Grumman are expanding the numbers of students that they can accommodate.

Further information about the nature of these work placements and what the parents of the children are told has not been made public. One newsletter notes, however:

Northrop Grumman continues to undertake E-mentoring with both Year 11 and Year 13 Cleeve School students, helping them prepare for their recent exams.

This mentoring has utilised Skype and email.

An entry in the Feb 2019 newsletter, produced by GCHQ, which details how BAE Systems
and Thales were enlisted by one school to help in “forming” the 12-year-old children’s
“thought processes.”

In mid-2019, Wyedean School, where Harry Potter author JK Rowling was a pupil, hosted 200 Year 5 primary school children for a full day of “experiencing” cyber-security. Some 40 representatives of arms and cyber-companies, including BAE Systems and Raytheon, also took part. The “experience” finished with a Harry Potter afternoon tea. It is not known if the children’s parents knew that arms companies were giving them lessons. Wyedean School also launched the “Philosopher’s Den of Cyber-Innovation and Magic,” used to support “lunchtime, breaktime and after-school” cyber-security events. The new “Den” included 10 Harry-Potter-themed workstations funded by the NCSC, as well as “Interactive Picture Frames (just like on the stairs in the Harry Potter movies)” and “Hagrid’s Cottage, a very upcycled summer-house that has been skilfully decorated and animated by staff and students.” The newsletter adds as an aside: “Local companies also supported the development of the Den,” without divulging which companies. The Den was officially opened with BAE Systems in attendance.

The launch of Wyedean School’s “Philosopher’s Den of Cyber-Innovation and Magic,”
used to support cyber-security events, and “supported” by the UK’s largest
arms company, BAE Systems. Anonymisation by Declassified.
(Photo: Cyber-Schools Hub)

One newsletter notes:

Can we help you develop an activity? When the NCSC team visit a company who are keen to support schools with computer science, we quite often run into the issue that while companies can provide the time for their staff to go into schools, they do not have funding lines that they can tap into to provide equipment to support the activity, so the NCSC team are now supporting companies with equipment.

One recipient is Lockheed Martin, which was given equipment “to help develop activities on logic gates and 3D printing.” Lockheed, with a large UK operation, is the biggest arms company in the world with revenue in 2019 of £47.6b. Lockheed Martin’s UK operation is headedby Peter Ruddock, a former Air Marshal in the RAF. There is evidence that GCHQ’s programme is not following guidelines on obtaining parental consent. The permission slip for parents in one school seen by Declassified makes no mention of the arms companies involved in the programme. Neither does the slip mention that the NCSC is part of GCHQ, which was in 2013 exposed as running programmes of mass surveillance and was found by the European Court of Human Rights to be breaking the law. Good practice school guidelines state:

Where consent is required, the key is to provide parents with sufficient information to make an informed decision about the participation of their child.

The NCSC told Declassified that in the CSH programme:

Parents are consulted through the schools’ standard processes.

In the seven newsletters Declassified has seen, which run to 22k words, the words “arms” or “weapons” do not appear once. The manufacturers of deadly weapons are referred to simply as “companies” or “enterprises.” It is not known if that is how they are presented to unwitting parents. When Declassified asked the NCSC what information is given to parents about the programme, the agency replied:

We have no contact with parents. What teachers/schools share with parents is done independently of NCSC.

After answering questions on Declassified’s first investigation of its school programme, the NCSC did not respond to further questions about the role of arms companies.

Veterans of the UK military’s cyber-warfare unit are teaching schoolchildren how to launch cyber-attacks
Matt Kennard, Mark Curtis, Declassified UK, Jun 4 2020

A screenshot of a hacking lesson produced for British school-children by
a company founded by veterans of GCHQ’s cyber-warfare unit.

GCHQ is promoting a programme in dozens of primary and secondary schools where children are being taught how to launch a “cyber-attack” against “a large school or university,” how to hack passwords and “vulnerable machines,” and how to spy on other children’s wifi traffic. The programme, known as the Cyber-Schools Hub or CyberFirst, is operated in partnership with Cyber-Security Associates (CSA), a company set up by former members of the Ministry of Defence’s Joint Cyber-Offensive Unit, which is housed at GCHQ in Cheltenham. Documents seen by Declassified suggest that CSA has worked closely with GCHQ to design the schools programme from the beginning, and that GCHQ is using taxpayers’ money to pay the company to develop “cyber-security” products. CSA has also hosted dozens of children at its offices as part of a work experience programme. It is not known if parents are told that the company is run by former government cyber-warfare specialists. The sensitive nature of the skills children are being taught is illustrated by a disclaimer in CSA material which states:

The misuse of the information in this document can result in criminal charges brought against the persons in question.

CSA was established by David Woodfine, a former commander of the Joint Cyber-Offensive Unit, the month following his departure from the MOD. His co-director, James Griffiths, was an “operator providing cyber-offensive capability” in the same unit. The unit’s existence appears to have only ever been recognised in online biographies of Woodfine and Griffiths, and it is not known what operations it has been involved in. Declassified has also seen evidence that CSA has been provided with equipment by GCHQ to incentivise it to go into the schools, to “help develop activities based on the roles within a Security Operations Centre,” which is another cyber-unit in the MOD that Woodfine commanded for a number of years.

Two students pose with certificates after completing work experience at Cyber-Security
Associates. Anonymisation by Declassified. (Photo: Cyber Schools Hub)

CSA was incorporated as a company in Apr 2016, the month before GCHQ’s schools programme was launched. Woodfine and Griffiths have established eight variants of CSA, with slightly different names, since 2013. GCHQ runs the Cyber Schools Hub (CSH) programme through one of its arms, the National Cyber Security Centre (NCSC), which opened in 2016. The NCSC and CSA did not respond to questions about whether CSA was set up with GCHQ’s blessing to help run its schools programme. Emma Sangster, coordinator of ForcesWatch, an organisation set up to track the militarisation of British society, said:

Training school students into the murky world of cyber warfare under the guise of improving their aspirations is immoral, dangerous and deeply worrying. The creep of the security state into schools is not receiving the public scrutiny it deserves. Not only is the understandable interest of children and teenagers in this area being exploited for the benefit of under-the-radar interests, but facilitating activities such as hacking puts young people at risk by encouraging potentially illegal activity. We hope that parents and school governors will look carefully at the duty of care implications and challenge the involvement of their schools with the state’s security forces.

Declassified has revealed that the CSH programme is promoting arms corporations involved in war crimes overseas to British school-children. It has also been revealed that GCHQ officers themselves are operating in at least one school, while parents of pupils at schools across the programme do not appear to have been informed about the extent of the spy agency’s role in it. GCHQ divulges little information about the schools programme and did not respond to queries for this article, but Declassified has seen a newsletter produced for a short period from Dec 2018 to Jul 2019, which gives some details. The UK government has a National Offensive Cyber-Programme, run jointly by the MOD and GCHQ, which has a budget of £250m and 2k staff. Disclosures from Edward Snowden in 2013 revealed that GCHQ has a secret cyber-warfare unit, named the Joint Threat Research Intelligence Group (JTRIG), which takes 5% of the organisation’s budget. Its stated purpose is to “destroy, deny, degrade, disrupt” enemies by “discrediting” them, and its operations include “honey traps”, “false flags” and “writing a blog purporting to be one of their victims.” Richard J Aldrich, a professor at Warwick University in central England and author of the authoritative history of GCHQ, writes:

One of the enemies on JTRIG’s list is investigative journalists who pose a ‘potential threat to security.’

JTRIG also undertook a “pioneering effects operation” or cyber-warfare programme against Argentina, a friendly country with whom the UK is not engaged in hostilities. Documents released from the Snowden archive do not cover the Joint Cyber-Offensive Unit (JCOU), whose activities are likely to be just as sensitive.

A slide from JTRIG, a secretive cyber-warfare unit of GCHQ, which outlines
the methods it uses to discredit targets, leaked by Edward Snowden in 2013.

Before running JCOU, Woodfine was commanding officer of the Security Operations Centre at the MOD base at Corsham in Wiltshire, which is the centre of the UK’s cyber warfare activities. His partner, James Griffiths, who worked at GCHQ on cyber warfare for five years, was previously in the British Army and “specialised in information systems”, being deployed at home and overseas, and “often working with special forces in hostile environments.” It is possible Griffiths was deployed in one of the seven covert wars being fought by Britain’s special forces in places like Syria and Libya. Last year, the British parliament’s oversight body, the Intelligence and Security Committee, found evidence that GCHQ had played a role in supporting the CIA’s post-9/11 kidnap and torture programme. The committee unearthed examples of GCHQ’s intelligence being used to locate and detain terrorism suspects who were subsequently rendered and tortured, as well as providing intelligence to assist the interrogation of terrorism suspects held at CIA “black sites.” According to documents seen by Declassified, CSA has worked closely with GCHQ to design the Cyber Schools Hub programme, which was set up in 2017, from the beginning. A staffer from CSA, identified only as Madeline, created and ran the now-defunct @CyberSchoolsHub twitter handle which GCHQ used to promote the project. Months later, the same Madeline “spent a day every week with the NCSC team.” She was entrusted with several tasks by GCHQ “including overhauling the CSH informal website and correlating and coordinating industry support requirements from schools.” Madeline was also given an @cyberhub.uk email address. It is assumed the Madeline referred to in the documents is Madeline Howard, who was previously Business Development Manager at CSA, during which time she gave talks in schools involved in GCHQ’s programme. The then 21-year-old Howard began working for CSA soon after it was incorporated, helping to publicly promote the company. She is now director of CyNam, “a Cheltenham-centric platform that connects the best cyber security minds and local [businesses] and start-ups,” which is closely linked to CSA. Howard is emblazoned on the front page of a new magazine produced by Cheltenham Borough Council, promoting the council’s Golden Valley development, which will include a £400m “cyber-campus” on a 200 hectare site next door to GCHQ. In her article, Howard writes extensively of GCHQ’s schools programme, saying:

The program seeks to give young students the space and the opportunity to excel and explode into the market of cyber-security and innovation.

An entry from the Feb 2019 newsletter, produced by GCHQ to provide updates
on its schools programme, which suggests that CSA staff created
and ran the programme’s Twitter account.

When a steering group made up of representatives from companies involved in the project was created to develop industry engagement further, Madeline was GCHQ’s point of contact “if you or your company would like to be involved in this group”. At the Cheltenham Science Festival, attended by school students, GCHQ sponsored the Cyber Zone area and included a CSA exhibit. GCHQ, meanwhile, has facilitated the entry of both CSA’s co-founders, Woodfine and Griffiths, into schools in Gloucestershire to work with children. The CSA website has three pages on its “About” section, one of which is dedicated to the Cyber-Schools Hub. The company is one of only two “partners” in the programme and is an “approved school supplier” which allows it to provide cyber projects and vocational courses for schools “across the UK.” In 2019, the company had 11 staff. David Woodfine told Declassified in Mar 2019 that CSA has contracts with GCHQ and that it also offers “a range of cyber managed services to the commercial market.” It is not known if parents of children involved in the CSH project have been made aware of CSA’s connections to GCHQ. In early 2019, CSA launched its flagship educational product, named the Cyberdea Immersive Zone. Built on the bottom floor of the CSA offices in Quedgeley, a small town south-west of Gloucester, Cyberdea is a specialised cyber-training facility primarily for use by school students. Able to host up to 24 children at a time, the facility offers a range of courses for all abilities. One seven-hour course for basic to intermediate level, which runs for school hours of 9am to 4pm, is titled “cyber-offensive session.” The promotional blurb says:

The class will fully immerse the students into the mindset of a cyber-attacker, where they will be taken through the reconnaissance, analysis, penetration and exploitation phases of a cyber-attack. Using our simulated and virtualised environment, a number of realistic networks and scenarios will be available to attack. These range from a small business network to a large school or university network.

According to documents seen by Declassified, in Feb-Mar 2019, seven Gloucestershire schools booked to bring their students to Cyberdea for training. It is not known if these included primary schools. The NCSC says that having the Cyberdea facility close to the schools in the programme helped, because after trips to Bletchley Park and the Bank of England, “the project teachers informed us that these required a lot of paperwork overhead.” Lighter paperwork was apparently needed to send children to Cyberdea. It is unclear if Cyberdea was created by CSA on a contract from GCHQ. The Cyber Schools Hub logo appears prominently on the Cyberdea website.

Pupils attend Cyberdea, the training facility for school-children set up
by veterans of GCHQ’s offensive cyber-warfare unit, which includes
courses in hacking and cyber-attacks. (Photo: Twitter)

The second major project CSA has devised for GCHQ’s schools programme is called Cyber-Pi, a series of boxes containing projects on small single-board computers that introduce children to programming and hacking. As one CSA staffer puts it, the project gives the children “hands-on opportunities to try out these things that they’ve heard about on TV and seen in movies.” The boxes include a “wifi jammer project” and a “rogue access point project” where children can spy on other children’s wifi traffic. Despite government funding for the schools programme being classified, Declassified has seen evidence that GCHQ is using taxpayers’ money to pay CSA to develop hacking and other products for use by children in schools. CSA appears to be the only company producing technology specifically for the CSH project. One newsletter notes:

The GCHQ team asked if CSA could develop 12 new projects based around the Internet of Things as part of purchasing an additional classroom drop crate of 15 Cyber-Pi Kits. CSA did a fine job and have hosted the new projects on the Cyber-Pi website.

Drop-crates including the Cyber-Pi boxes were initially distributed by GCHQ using a courier service. But the surveillance agency then decided it would be better to have “distribution centres” with its own booking system, and the CSA office in Quedgeley was designated one such centre. As part of the Cyber-Pi project, “Jamie at CSA,” assumed to be James Griffiths, set up a “hacking server” configured to have 12 vulnerable “virtual machines” running. This allows students to connect to the network and “test their skills at exploiting and hacking the vulnerable machines.” This was said to be based on experience that CSA had gained from “developing products for commercial customers.” The hacking video classes, overlaid with trance music, include lines like:

Once the exploit has completed properly, we can explore the target machine… Make sure the victim machine is active.

One lesson titled “Brute Force” instructs the children: “type run to start this brute force attack.” There are 24 projects available. CSA also supported a weekend “Hack Day” for 19 students at one school, which saw them “attacking the vulnerable server” provided by the company. The newsletter notes:

These are young people who might not be instantly seen as hackers, but they have already seen the satisfaction and employment opportunities offered in ethical hacking.

It adds that one student presented Cleeve, a school near Cheltenham which is the lead “hub” in the schools programme, “with a list of every network password found on a laptop.” The nature of the skills being imparted is clearly sensitive. CSA includes a disclaimer in its materials stating:

The misuse of the information in this document can result in criminal charges brought against the persons in question.

An entry from the Feb 2019 newsletter, produced by GCHQ to provide updates
on its schools programme, which shows CSA supporting a “Hack Day”
at a school close to GCHQ.

At Beaufort school, a 20-minute walk from CSA headquarters in Quedgeley, David Woodfine “took time out of his calendar to chat and meet with students, holding a question and answer session,” a newsletter notes. It adds that “as a way of trying to improve some of the student’s aspirations,” the former head of MOD’s offensive cyber-operations shared “his own personal story and understanding of opportunities that are presenting themselves for students looking to move into the cyber-security career field when they leave education.” Declassified has seen evidence that CSA has also been provided with equipment by GCHQ to “help develop activities based on the roles within a Security Operations Centre”, which is another cyber-unit that Woodfine previously commanded. CSA appears to have deeply penetrated British schools, entering numerous of them on a regular basis to roll out its Cyber-Pi project. It also appears that a staffer from CSA was appointed to the board of “Women in Cyber” at Wyedean school, just north of Bristol. CSA is revealed in the newsletters to be “working closely” with Wyedean school “to help develop appropriate learning material for both students and teachers.” Students from this school were then used by CSA to test the company’s new technology.

As a thank you and to also help CSA test their new … concept, CSA hosted 24 female students at their facility in Quedgeley for the day.

The experience “was hyped as part reward for some excellent school work.” In 2019, female students were selected from four CSH schools to attend a Wyedean-organised “cyber-day” at the University of South Wales. The teachers and students were joined by staff from CSA.

David Woodfine, co-founder of CSA and former commander of the MOD’s
offensive cyber-warfare unit, gives a talk at Wyedean School
near GCHQ. (Photo: Cyber-Schools Hub)

When students at Wyedean came up with the idea of creating a CyberTV channel to document their involvement in the CSH project, the first episode involved CSA staff, in addition to Wyedean students, and was shown within GCHQ itself. Another Wyedean project involved an event based on the BBC One series, The Apprentice. The school sourced its own panel of experts, including staff from CSA and BAE Systems, the UK’s largest arms exporter, while the NCSC’s director of operations, Paul Chichester, took the “starring role” as Alan Sugar. The CSH programme also runs “Cyber-Nights” where primary and secondary school teachers are educated by CSA “on hacking techniques.” Ribston Hall school in Gloucester held a cyber-day for Year 8 students, in which CSA participated. One session on the day was titled “Popstars and Passwords” and focused on how to hack passwords. The newsletter noted:

Student feedback showed that they found the whole day very enjoyable and informative, with the industry perspectives and activities being the highlight of the day.

In Mar 2019, the CSH project held an “industry support recognition evening” in Gloucester at which the NCSC team gave out awards to specific companies for their involvement. Winner of the small enterprise award was CSA, which was also one of only two organisations awarded the most senior “partner” status in the CSH project. The other “partner” is the South-West Police cyber-crime unit. Arms companies Lockheed Martin and Northrop Grumman achieved only “associate” status. CSA has also hosted dozens of children at its offices as part of its work experience programme. GCHQ noted in Dec 2018 that CSA was “expanding the numbers of students that they can accommodate.” Seven months later, in Jul 2019, CSA was praised by GCHQ for “once again doing a massive job of supporting the project schools with work experience opportunities,” a system of placements which “continues to grow.” The newsletter noted that in 2018 it was just two students a week, but in 2019 “they have provided work experience for three students at a time given the interest.” In the two months Jun-Jul 2019, 17 students were placed at CSA. It is unknown if this rate has continued.

An entry from the Jul 2019 newsletter, produced by GCHQ to provide updates
on its schools programme, outlining the growing work experience
opportunities at CSA for school children.

At least five of the schools placing their students at CSA were not officially part of the CSH programme, raising further concerns about duty of care and consent. These non-affiliated schools included Bredon School in Gloucestershire, which is a specialist school for children as young as seven with learning difficulties. It is possible that another of the schools, identified only as “Malmesbury,” is a primary school since this town in Wiltshire has both primary and secondary schools. The software director at Deep3, another “cyber-security” company, was said to be “hoping to be able to get his company into a similar position as CSA and be able to offer work experience opportunities to large numbers of students, as he realises the impact this has on their career choices.” After answering questions on Declassified’s first investigation of its school programme, the NCSC did not respond to further questions about the role of CSA. David Woodfine, James Griffiths and Madeline Howard were approached for comment for this article, but none responded.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.