I call to order today’s House of Commons Defence Committee evidence session on the Afghan data breach and resettlement schemes. I am very grateful to Sir Ben Wallace, the former Secretary of State for Defence, not just for his service but for agreeing to come and give evidence to our inquiry. Thank you very much, Sir Ben. This is only a short 45-minute session of questioning on the Afghan data breach and resettlement schemes. I want you to set the scene for us. When and how did you find out about the data breach?

The first briefing was a verbal briefing. Something had appeared on Facebook and alerted the Department, or officials, that there was something afoot—something wrong. I was given a verbal briefing by officials on 15 August 2021. They came to me and said that this had happened. They gave a quick verbal briefing and then prepared a submission for 19 August with the details of what we knew at that stage. If you recall, what had happened was that an individual had approached, or effectively tried to approach, I think, the Department, but also a journalist with a selection of a leak rather than the full scale, so no one really knew what was out there. In those brief few days—the 15th to the 19th—we were getting our head around it, wanting to know the scale of it and trying to ascertain the threat level in Afghanistan to the people there. What people sometimes forget in all this is that, until the Taliban took over, it was always possible to engage with the Ministries of Afghanistan to verify that people were who they said they were and get access to records on who they were. With the two schemes, you were able to verify all the applicants. There was the one that had started under Philip Hammond, which was the EGS—the ex gratia scheme—and that formed into the ARAP scheme back in April 2021, when it was actually implemented. But, post the Taliban taking over, the challenge for the Department was how you vet these people. To vet them, you have to find a way to verify who they were and who was applying. That was the background to why people from the Ministry of Defence were reaching out into Afghanistan. Because they could not pick up the phone to the local Taliban Ministry any more, they had to find a way of vetting what had become a challenge of thousands of applicants, of which most were bogus, multiple or duplicate.

This is not one of the most challenging questions I have ever asked you, compared with when you have sat there in the past, but it is one that we need to get a handle on. I want to understand the thinking behind why you went down the path you did. What alternatives to an injunction did you consider when deciding to respond to this breach?

The three main options were no injunction at all, a D-notice from the D-notice committee and a time-bound or indefinite injunction. It was discussed with me on 21 August, when there was a meeting about the submission that had been given to me.

Who was in that meeting?

Myself, my private secretaries, the chief executive of the Department, Nina Cope, the chief operating officer, as she was then entitled, the second permanent secretary, and then officials from legal and a number of other officials from the private office, including people dealing with ARAP, media and data handling. Again, that will be in the submission. I asked how many people we thought there were at the time. The initial figure was 763 ARAP people, but we recognise that that was out of date. I was asked about a specific type of injunction, and I said—this is the quote—“At the time we go to court, we would need to have the numbers… We are not covering up our mistakes. The priority is to protect the people in Afghanistan and then open it up to the public. We need to say a certain amount that are out of danger.” That was my direction. It is why I did not go for an indefinite injunction and, as I said clearly, we are not going to cover up our mistakes. That was written by officials in the record of my meeting. I did not think it was the right thing to do; I did not think it was necessary. When it came to the discussion about the time binding, I had directed that it was only as long as it would take for us to quantify the people.

What role did the Prime Minister of the day have in your decision?

None at all.

None whatsoever?

None whatsoever.

Not the Prime Minister’s Office, not No. 10—it was all delegated to yourself.

Notoriously, I felt that the job of a Secretary of State was to run his or her own Department, and that the twerps in No. 10 could do what they usually do—the spinning around and making life difficult for Ministers, as you know—so I just got on and did my job.

You got on, and there was no intervention at any point during the whole decision making?

Well, I cannot answer for the COBR(M)s that then took place with the Minister for the Armed Forces, where the wider part of Government came to sit round the table to discuss it. Ultimately, this was about the initial decision to have an injunction. There was no—

So it was your decision.

It was my decision and, as I said, we are not going to cover up our mistakes.

Fair enough—thank you. Lincoln Jopp is next.

Your last remarks remind me of the great bit of advice that the higher headquarters is always an ass, and sometimes you have to know when to stroke the ass’s ears. It sounds to me like your officials had massively underestimated the gravity of the situation. As a result, you took quite a time-limited approach, wanting to be open: “We’re not going to cover up our mistakes” was your quotation. So when you put it in, you clearly had no idea that it was going to be in place for years to come. That was because your own officials had, basically, framed the problem in such a way that 763 people sounded like not very many. Is that the right characterisation, given what happened subsequently?

The first thing was trying to get to grips with what exactly had happened. Going back to the environment we found ourselves in, the other scheme was the Home Office Atlas scheme, which was the much broader asylum seekers scheme for up to 20,000—I think that was the figure, but you would have to get the details from the Home Office. There were multiple applications, especially at a time when effectively the Government collapsed, where people would apply to every scheme. You were dealing with a massive hopper. I think we had 30,000 people applying for the ARAP. It was about 30,000 at the time of the leak; overall, approximately 90,000 people applied for ARAP, if memory serves me right, and I think we took 5,000. The problem was that buried in the stack of applications were people who had genuinely helped us and people who were in genuine danger. We owed it to them to go through the whole list and try to vet people. We were determined to do that—imagine if we had just said, “We don’t care,” and the people who had actually helped us were just abandoned because that was easier to deal with. In reality, it became much harder to quantify and to keep tabs on what was going on in Afghanistan when the Taliban took over. We had to use lots of unconventional methods and routes, many of which are very sensitive, in order to pipeline people out of the country. We had to work with the Pakistanis, who were hosting many over their border. I would certainly say it was confusing. At the very beginning, when Op Pitting happened, and ARAP suddenly exploded and everyone started applying, the Ministry of Defence effectively had to design and make immigration databases from scratch. I was determined that ARAP was separate from Atlas. ARAP was for our people who had helped us and saved lives, and ARAP people were allowed to work. The Home Office was always very keen to blur the two, and I did not want to blur the two. We had a duty on behalf of our veterans and our people to protect those people, so I kept it. Maybe, in retrospect, I should have just handed it over and let the Home Office run its own immigration system. But I think none of us in this room is always, or ever, impressed with the Home Office immigration system under any Government, so I think it was rather better just to run it ourselves. But that meant having to design and make a system as we went, and the vectors into it came from everything from veterans to serving personnel, people in the Afghan Government, the Foreign Office and then the Sulha Alliance and people like that, who were bringing lists of people. We had to check them all. It was during that vetting where I think this process happened, but it is not true that we let in a whole load of people we never checked. The process of checking caused the leak, if you know what I mean, rather than it being a free-for-all.

We may come to this later but, on balance—given the numbers of people who were subsequently allowed in, the vetting, and the difficulty you had of getting ground truth—do you think that we probably did let some Taliban in? As you know, having been there and having served there, being “in the Taliban” is a pretty vague term. They do not give you a card.

For some, we had pretty good records. Again, people forget that there were a lot of champions of this. I remember Richard Tice from Reform saying, “No questions—we’ve got to get more people in; we have a duty.” The Daily Mail ran its campaign very successfully; the transition from the ex gratia scheme to the ARAP was because of campaigns, like the one run by the Daily Mail, saying that we owe these people a duty. I would often get grief for rejecting someone who had been an ARAP, but where we had intelligence to say that they had been helping the Taliban on the other side. We did take a precautious position. What I cannot talk about is the ARR, when the ARAP morphed after I had left, and what they did under the pressure of that leak or whether people dropped the bar. I think it would be helpful to all of us to know the statistics, because there is a lot of negativity being spread about Afghans in this country, especially by the hard right—you only have to look at the Twitter feeds saying, “Anyone who let them in are traitors, and these people are all sex offenders.” I would like, from the Home Office, the statistics of Afghans, but also how many who are ARAP, because when I see a few cases in the media, they are not ARAP. There are a lot of success stories of ARAP, Triples and people who came here who did not hang around in hotels; they got a job, they worked, and they have been a great success in society. We should celebrate that, but no one is talking about it. I think it would be really helpful if we got some statistics from the Government about that, so we can make the decision: did we let in some wrong ’uns or not? I am sure that, in a large-scale evacuation, we did not get everything right but, ultimately, we tried to vet and we did as much as we could, and that is where we got the leak.

When you originally applied to the High Court, you asked for an ordinary injunction—that is, you were happy for the existence of the injunction to be made public. Did officials advise, or did you consider, a super-injunction, whereby the existence of the injunction itself was made secret? Did you consider that?

The injunction was applied for on the day I left. I am not trying to wriggle out of it, but in that meeting I had on 19 August the options were discussed. That is where I said, “We’re not doing that. We need to, basically, hold off on it being public until we get to the bottom of the threat that these people are under and, as I said, we won’t cover up our mistakes.”

That does sound—even though you formally requested a normal injunction—a bit like saying, “We need to keep this private until we’ve got to the bottom of the problem.” It actually sounds like you were asking officials for a super-injunction, no?

No. First of all, I am not a lawyer, so I would not know the difference between a time-bound super-injunction—as in what actually defines one—as opposed to an injunction. You can have an injunction, I think, without reporting the contents: you can say, “There is an injunction in place, so I can’t talk about something.” With a super-injunction, my understanding is that you cannot even say that there is an injunction.

Correct.

I would never have been in that space. Public bodies are accountable; you have a D-notice committee, and if necessary you could even ring up the journalist and say, “Could you please hold off? People are at risk.” Most journalists do not want to put people at risk.

I am just trying to get to the bottom of this. You asked for an ordinary injunction, where the contents of what the notice covers is to be kept secret, but the existence of the injunction itself is not. That is what you asked for, but is it fair to say that the judge looked at the reasoning in your submission—

I had gone by then, so I do not know what went on in the hearing. I think that is a matter for—

You signed off that submission, though.

Yes, which was just to go to the court for a time-bound injunction. It was not to go to the court for whatever. I can only tell you what I read in the media: that the judge converted it to a super-injunction.

Have you any idea why that might be?

I wish parliamentary Committees could ask judges to explain their judgments; it would be very interesting, but I do not think we can. I really don’t know; either the officials or papers post my leaving would be able to answer that question.

Sir Ben, in November 2021 you told the House of Commons, following a series of other serious breaches within the Afghan relocations team, that you had “much greater assurance of data handling within the ARAP team”. What are your reflections on the information security systems and culture at the MoD, and how, in your view, was the 2022 data breach able to occur, despite the direction you had set publicly several months before?

Well, someone did not do their job. After the data breach that happened on 20 September 2021, where there were 265 eligible people in a leak, I put in place pretty robust checks, so that before data was released externally, it had to be checked by two people. I think it was, by rank—one-star and two-star—but it might have just been two supervisors. That clearly did not happen on this occasion; someone definitely did not do their job. After the data leak of 20 September, by 15 November, we had learned some lessons and put in actions. We also ensured that we had better people putting together the database. We were constantly improving the database and the procedures around it—I think it was called the DARR. We started to build a much better and robust database. But of course, to go back to the other point, eventually somebody was going to have to reach out into a Taliban-controlled Afghanistan to touch, feel and find their way through. Always, in classified information, there is one side of the firewall and the other. Whenever you have to lean out or get out of that, there is a risk because ultimately you are touching the outside world. Very, very secret information is usually kept in an air-locked, entirely isolated database; both physically and procedurally, we always protect it that way. But if you are a frontline individual—a soldier, a diplomat or an intelligence officer around the world—in the end you are going to have to speak to an agent, and that is where you always need to be extra careful. I think that is why we put in place those types of checks, which did not happen. Overall, on the culture of information, I was a Security Minister before, and I think I was the only person in Government who had done something called the classified documents handling course. Lincoln, I think you might have done it. When I was training to be a Northern Ireland intelligence officer, you had to do that course. To this day, I remember nearly all of it, including the type of lock you have for a different type of cupboard. When I was a Security Minister, I was pretty horrified by information security across Government. We had established the National Cyber Security Centre and—I cannot say in this public hearing what I did in the MoD—I took a number of significant steps to try and improve data security from my own experiences, that I could see were putting us in a very vulnerable position. I think that part of it is how we now train our civil servants. In the old days, you did a course. We had computers, but not in the same way as now. You were locked in a room for a day, and you had to do this course, and it was all part of a formal module. Now, a lot of civil servants will take modules bit by bit. They will log in and do their self-training. The problem with that is that it does not necessarily give them a priority in terms of what is really important. They might do their health and safety module alongside their information security module, followed by whatever other module. I would be constantly finding private offices where people had not really done the courses they should have. I think that, overall, our information security is still not as good as it should be. I think that how we train our civil service needs to improve. We also need to train our Ministers. It is ridiculous that we run highly complex Governments nowadays and the first thing you know about it as a Minister, unless you accidentally have done the classified documents handling course, is that no one will tell you what to do.

You mentioned DARR. As of December 2023, DARR continued to report a high number of personal data incidents—18 more personal data security incidents had been reported to the data protection officer’s team. The deputy data protection officer stated to the permanent secretary: “Given the size of DARR, and the sensitivity of the data they handle, this is concerning.” Sir Ben, you answered an urgent question on 21 September 2021 on a data breach that had taken place the previous day involving 245 ARAP applicants whose email addresses had been placed in a cc field rather than a bcc. Subsequently, the Information Commissioner’s Office fined the MoD £350,000 for that breach. Given all that, and to the latter part of your answer to the previous question, do you have any reflections on the culture or working practices of the specific team in the MoD that was responsible for the data breach?

What I would reflect on is that one of my generals that we worked with described Op Pitting as Dunkirk by WhatsApp. In a very fast-moving, globally connected world, data is accessed incredibly easily and thrown about easily. Trying to maintain information security in that environment is a challenge and will always be a challenge, because of how you are gathering your data; it is going to come from everywhere. Sometimes it is not going to come from a very controlled environment. Nowadays, you often have to blend very sensitive data with open data. You might have secret data, but you have to blend it with commercially available data, for example, and that can set up challenges. Having taken the decision to run ARAP out of the MoD, there was a risk that building databases as you go was going to lead to either poor procedures or poor architecture. After that first leak, we started to improve that. What I do not know, because I had left by then, is whether the November ’23 18 incidents are detected incidents or incidents that ended up leaking. If an IT department detects you not following the procedures, that is an incident. It does not necessarily mean it is a reportable incident to the Information Commissioner. So of those incidents, I do not know how many were because the system worked and picked them up, as opposed to they actually breached out into the area. I think we can always improve, but the Ministry of Defence is always quasi-operational and fast moving. Right now, with what we see with Mr Trump and Greenland, think about our information and how utterly linked, overlapped and entwined we are. Who knows what will happen, but I hope someone is thinking across Government about all the scenarios in terms of what happens to data—never mind what happens in the world of politics—in that environment. It is just so interlinked that it is difficult. I do not regret that we did what we did as a policy, to welcome those people who helped saved British lives in Afghanistan. I think there were lots of misjudgments about how quickly the Government fell in Afghanistan, and that created Op Pitting, where we had to deploy 16 Air Assault Brigade and the other brave men of the armed forces to get people out. It was also a very chaotic time; there were thousands of people. On the point about the WhatsApp, I remember a serving officer—I think he was an ops officer—in Kabul airport trying to run the operation. He was being inundated with WhatsApps from fellow officers who had served in Afghanistan lobbying for X, Y and Z to get out. That was one of the lessons. Of course, those names are just bandied around. They are just on his phone and coming in from a WhatsApp. We are all confident about WhatsApp, but I think that is what happens.

I have a very short question: did you ever entertain the idea that the Afghan data breach might have been done deliberately?

No, not from the individual concerned.

Do you want to discuss anything else about the team that was involved? Would you put it down to one individual, or to more of a cultural issue within that team?

When you command a formation or unit, half the job is the boring bit; it is the admin. It is not the jumping out of aeroplanes, storming the buildings or driving the warship; it is the day-to-day admin of implementing policies and checks. The policies were clear after that initial breach—that when you exit that data into there, they are checked. I don’t think that someone did that boring bit of the job, which is just to get the data right and get that work done right.

There is obviously a lot of speculation about the working practices of that particular team. Some individuals have described how they are a law unto themselves, and do not actually follow many of the procedures and protocols set out within the Ministry of Defence. Would you agree with that?

There is always a danger with that organisation that they confuse elitism with exceptionalism. Ultimately, there are things that just have to be done by everybody—it does not matter who you are or what part of the armed forces you are in. But I also know that they live in a world of greater risk than most, and they are often unsupported. They hold relationships with people who you and I would sometimes not come across, but who are the ones that help to save our lives. So it is a difficult path that they tread, but when you are dealing with other people’s lives, you have to follow the procedures and processes. I did not put them in place to be a pain in the neck; I put them in place to protect people’s lives. On the other side, I would give a compliment to Johnny Mercer here, who was tenacious in getting some of the people from one of the Afghan communities included and making sure they came to this country, despite initial assurances that there were not any records or anything else. Record keeping over what was a 20-year deployment—that is what people forget—is probably not always the best. How many information security regimes have we gone through ourselves in those 20 years? Ultimately, no one is above the process and policy.

I cannot tell you that.

We now know that the breach involved risk to life for thousands of Afghans and cost the UK public purse hundreds of millions, if not billions, of pounds. Continuing on my colleagues’ theme, how were you assured during your time in office that the Department genuinely got it, understood the impact of the breach and had taken reasonable measures to mitigate it?

In terms of the next stage, after the initial, “Something has happened,” and getting to the bottom of the whole thing, the overall scale of it—about how much—was after my time. In retrospect, if I look back on it, you are absolutely right to highlight the funding issue. Ultimately, I think that some changes to the ARAP scheme were probably too broad; a category 4 started to come in. With the ARAP scheme and many other schemes, we see that the pull-through effect of the wider family is what really grows the numbers. You bring in the core family, and then it is suddenly much bigger than you and I. I am not sure that we have ever thought about how, across most immigration policy, the impact of pull-through immigration is the biggest in terms of scale in all of it. It is very easy to sit around a table saying that we have to help the people who helped the British soldiers—“That guy helped him,” “That family helped him,” “They gave cover,” “They worked for us as agents”—but there is a tail behind that. That is not to say that we do not look after those people, but I suspect that the true cost is never put in front of anyone until after the fact.

I have lots of constituents who still do not know whether their wider family are alive or not. That haunts me. Do you think the Department actually understands that? I know that you left not long after the breach became known, but was the culture there that people understood the wider implications of all that? Did people actually get it, or was it just too chaotic?

Lincoln and James Heappey both served in Afghanistan. The only people who really understand the depth of the community and how the community works are veterans who have been there; it would not me or many of my civil servants. Veterans who have been there understand how the community works. Lincoln said in his opening question that the Taliban are not a group of people standing around in uniform. Some of them were at school with each other. In different parts of the country, they were the community, to some extent. In others, people like the Haqqani network were slightly different. I think those voices are probably not solicited. Their experience probably is not asked for by the people doing the numbers. I do not think that the people making the decisions in Lunar House in Croydon—well, they do not call it Lunar House any more, but the people in immigration—ask people who know about this in detail. That is what I would say. Who is and is not in danger right now in Afghanistan? The people who really know that are people who have spent a lot of time there themselves, from our community of military veterans, serving people, diplomats and so on. They will know. For some areas, it will be perfectly fine—people will be absolutely safe. In other areas, they might be. The reality is that we had to sift through people who had all applied to every scheme, no matter what.

That was in total desperation.

It was in desperation, but we had taken a decision in the Cabinet, or the National Security Council, that we did not want the whole Afghan army coming. We wanted the Afghan army to stand and defend its nation. We had spent 20 years training and equipping it. The people who had a right to come here were the ones who had specifically helped the British forces and put themselves at risk in doing so. That is not as broad as the many people who applied. I understand that people’s desire to leave a Taliban takeover would have been vast, but I do not think that as many people were or are in danger as they claimed in their applications. We did have a process of vetting, and we are back to the point of why we did it. I am not going to say it; I was about to say “pets and animals”. In the first Taliban takeover, the petting zoo was never closed down, because it is not against Islam to have a petting zoo. It is not viewed as something bad. I am never quite sure why we had to evacuate a petting zoo.

There was a lot of anger about that.

Well, I can tell you that there is more anger than that. Sadly, there was more anger about pets than there was about humans.

I meant that there was anger about the pets getting out.

Well, you and me both.

Yes, I know—I just did not say it. I am not saying that he did not.

I think everyone was after the same thing, which was the protection of life. People wanted to protect people who were potentially at risk. That is what was behind it. The decision about having an injunction, a super-injunction or an indefinite injunction was a matter for a mixture of the courts and the Department. Ultimately, this injunction ran much longer—long after I was gone. In fact, the first time I knew that it was in place and that it was going to be lifted was when the story broke in July.

I am not going to second-guess judges. As you say, I think that some people genuinely made a mistake and were genuinely trying to do the right thing. I think that judges were trying to do the right thing as well.

Looking at what happens across the Atlantic, I fundamentally believe in the separation of powers and the independence of our judiciary. That is what makes us an extraordinarily good country, and we need to ensure that we invest in quality judges more than anything and that Ministers are held to account by Parliament. It is frustrating in Government when you get a ruling against you. Judges hold huge power. There is the public inquiry into the special forces in Afghanistan going on at the moment, and that judge holds huge amounts of responsibility and power in whatever he decides at the end of his inquest. I definitely think that it is important that we have a separation. But if you want to educate the public, the more the public and Committees get to see the workings of a Department, the better. I do not think there is anything to lose from that. I spoke to the Clerk of the Committee before this session to ask if you had had the bundle yet. There is nothing in it that tells you anything that is very secret. I do not understand why you cannot, more and more, have copies of submissions. I understand if there has been legal advice on security.

Yes. When the Ukraine thing was happening, I made sure that nearly every week, Keir Starmer, as the Leader of the Opposition, John Healey, and the leaders of the SNP and Liberal Democrats got a “highly sensitive” briefing. I did not have anything to lose from that, and if you want to bring Parliament with you, you do it. I do not think that most Ministers deliberately seek to keep information; I think the system is in a panic about anyone seeing anything about anything, and the default position needs to slightly change. It also helps to educate parliamentarians about how it works for when they are Ministers one day. No one trained any of us. It is a bizarre position to be in that we will suddenly appoint 100 people to run a country, of which, if you are lucky, 20 have been a Minister beforehand. That is one of the challenges, and what you suggest would definitely help. In terms of the Committee’s business, the annual budget cycle paper that the Department does is a key paper that you should all see—no matter how embarrassing it is to any Government. It is where the Government make their decisions to delay spending or to cut spending, and they keep it all secret. You do not know what has been decided this year; you will find out in the accounts when suddenly the helicopters cost 10 times as much because the Government have delayed for two years. It is a really important document, and it is called the annual budget cycle. I would be asking for it; if this Committee isn't asking for it, the Public Accounts Committee should ask for it.

Agreed. We have been pressing on that, Sir Ben.

A former Deputy Prime Minister of the UK described to me the MoD’s approach to information security as “Stalinist”. Do you agree with that characterisation—as we have been discussing—and why do you think that is?

How do you mean, “Stalinist”?

Absolutely retentive and close hold, and nothing shared whatsoever. You have just been describing it.

Interestingly enough, because I had been Security Minister, I had worked with lots of secret agencies that were arm’s length or operationally independent, so there was very little direct power. The Home Office has oversight of MI5, but it doesn’t control its budget. The 43 independent police forces are independent. There is the CPS and so on. In the MoD, everything goes through the chair of the Secretary of State, in theory—every single thing. It is the last big oil tanker of a Department. That includes the chair you are sitting on, in theory—you bought it, you procured it. You are part of the chain of command through the Defence Council. You are part of the constitutional protection of the public, because of the huge power it wields. If you said to the Army, “You are operationally independent—go and stop a riot,” you need to assure the public that there is a protection in that. So everything goes through the chair of the Secretary of the State of the Department. That means that it is a big oil tanker. It is 250,000 people—uniform, civil servants and everything else—dealing with some highly sensitive information and people’s lives, and the nuclear deterrent and so on, but also line-by-line budgets.

Everyone would accept that the nuclear deterrent needs to remain confidential, but as we have discussed, there is a huge amount of other stuff that does not even make it to this Committee or parliamentarians. I note for Hansard that Mr Heappey is nodding his head behind you. This is not about particular politicians or political parties. The Department shapes those politicians when they leave the MoD. Why is it that it is so closed when it comes to information security—of things that do not need to be kept so secret?

I have a—well, I will say it is a theory; please don’t add the word “conspiracy”. I have said it, and I am afraid that it does get misquoted by the current Government: for 30 or 40 years, both Labour and Conservative Governments hollowed out defence. I know the current Government like to drop the words “both” or “Labour”, but Labour and Conservative Governments have hollowed out defence from the middle of the ’90s. You can say that. It is very easy to protect the public from the consequences of that if you own the narrative of the threat. The Government owns the threat, right? It doesn’t own the threat or the pressures on the health service. Why do the public want more money spent on health? They read about it every day. They experience it. Doctors talk about it. Trade unions talk about it. The media talk about it. You don’t get to talk about ammo stocks. You don’t get to talk about what Russia is planning to do in the next six months—because it is all secret. And if it is all secret, there is not going to be a competing public pressure on the Exchequer for money. So, of course, when you say to the public, “What is your hierarchy?”, they go, “Health and education” and defence is often further down. That is partly because they don’t know. When I was Security Minister, every week I would read the top x number of plots against this country, the organised crime—if the public knew half of that—

That is fine until you have a security crisis and then your military is exposed. Mr Heappey is nodding, again—for the benefit of Hansard. You have a white tie there—

It is true. I have a theory that it suits No. 10s not to have a competing pressure on the money.

And you get shown up. Exactly.

So they can take money from defence to fund other parts of the Government.

Yes.

Because it is the one part where the Government owns the narrative. It owns the risk and it is all dressed up in its secrets. If that is the culture, the rest of the Department’s culture matches that.

How do you crack that open?

Two ways. As a Secretary of State, you need to be a bit belligerent to No. 10 and the Treasury. I used to say to some of my civil servants that belligerence is a quality. Sometimes, No. 10s will volunteer you without funding you—a lot: “We are going to do this, we are going to do that; the coalition of the willing.” It is unfunded.

And fixes our forces in Ukraine.

So the answer for a Secretary of State is to say to the Prime Minister, “No, we are not doing it. We don’t have the money. Give us the money, or we won’t do it.” I know people say that is not very team-player-ish, but ultimately you need to be a bit robust. But you also need to lead the team as a Minister. I served under lots of Secretaries of State, and I did every rank in Government, and there are some Secretaries of State who do not lead a team at all. They do not talk to their Ministers; they do not use them and they do not trust them. The civil service love that, because—

How can you be a Secretary of State if you are not a leader?

Because we do not train anyone to be a leader, and we do not train anyone to be in government.

Mr Heappey is laughing now, for the benefit of Hansard.

But it is true! Tomorrow morning, you could be made the Chancellor.

It is a bit like becoming an MP.

If I get made the Chancellor, that is going to be a real turnaround for the Labour party—but I look forward to it.

Were you surprised at the length of time that this went on and Parliament did not know about it?

Yes, because, as you saw from my notes, my instinct was—

Knowing what you know now, are you surprised that Parliament was not involved?

Yes. I am surprised that you were not informed. You could have informed the Committee in sensitivity—I do not see any harm in that, but I do not know the legal rules. If a court directs an injunction, it affects everyone, and you cannot have any exceptions—but I do not know. Ultimately, it would have been good for everyone. Sometimes you need to man up and just say it, go to the Dispatch Box. I remember—

We were told that initially, “We were protecting lives, and that is why you were not told.” That was the original—

What I do not know is when it migrated away from the initial—I had gone by then. They were dangerous times; it was a few months after the Taliban took over. I do not know what it is like on the ground in Afghanistan.

Going back to your exchange with my colleague Mike Martin, last week we were trying to get the CDS pinned down on articulating the threat so that the public are aware and you can make those arguments that you talked about. That seemed to be what you were trying to say: that stuff needs to be kept secret, but that we need to be bolder with the public, so that they understand the threats and the impetus is there for more spending and investment. Why did you not do that when you were in office?

I think I did. I got £24 billion extra by telling the public and the Prime Minister how dangerous it was. One of the very first things I did was taking some intelligence across the street to No. 10, put it in front of him, and said, “You do realise what this is?” I spent a large part of my time telling the Prime Minister how dangerous the world was, and that he would have to pony up. That is the reality of it. You do not have to do everything in public, you can do some of it in private, but the first thing you need to do is to educate your colleagues. You know on this Committee how seriously you take defence. You probably spend some of your time saying to your colleagues, “I am on the Defence Committee, and do you know what is going on in the North sea, or the Arctic, or Greenland?” You have to educate the body of Government—and the Treasury. When Mike becomes Chancellor, it will be much better.

I am trying to bring this to a conclusion so that we can move on to the next part of our session. The data breach had a catastrophic impact on human lives, as well as a cost impact on the Government—and the British taxpayer and a lot more besides. In your opinion, have the right people been held accountable in the right ways for what happened?

I do not know what happened to the team that was processing it. There is confidentiality around the different people doing it. There are questions to be asked of some of them who are still serving or in post about why it did not happen or why there was a failure in their responsibility. Talking about ministerial responsibility, would I have resigned over it? I think if I had not done anything after the first data leak—I would have said we had not put improvements in place, and I would have considered it. But I did put in some stringent, robust reviews and processes. Within an organisation of 225,000 people, someone chose not to follow or do those. I do not think I would have resigned over it, because we were trying to do the right thing, and the motives behind what we were trying to achieve were genuine and correct.

In September 2021, you answered an urgent question in the House relating to a data breach that involved someone putting a weekly contact email into a “cc” field. In the written statement that was also tabled with the House, which was in November 2021—so this was all before the colossal data breach that we are talking about in February 2022—you said that “significant remedial actions” had been taken to prevent such incidents occurring again. But despite those supposed remedial steps that had been taken, there was still this colossal data breach. Do you think that there has been a failing in that?

There was definitely a failure to follow those remedial steps: that two people had to check before any data was released or shared. That clearly did not happen, or those people did not do their job. It happened because the steps that we put in place were not followed. Were there any other steps that we could have put in place, such as three people checking rather than two? We could debate that. Could we have redesigned the database in a different way? I am sure that there were different technical solutions, but I think it was quite robust. I would ask the Department to give you the individual steps that we took at the time. The things that I remember are accountability of the chain of command and making sure they checked.

Sir Ben Wallace, thank you so much for giving evidence to our inquiry, and for your co-operation prior to this evidence session and your contact with our Clerk.