1. REQUEST FOR CORPORATE APPOINTMENT: Professor Ciaran Martin CB, Director General of the National Center for Cybersecurity 2014 – August 2020
Professor Martin, former chief executive of the National Cyber Security Center (NCSC), part of the Government Communications Headquarters (GCHQ), sought the advice of the Professional Appointments Advisory Committee (the Committee) under the Government Rules on Professional Appointments for Former Crown Servants (the Rules) on a position he wishes to take up with Palo Alto Networks Ltd (Palo Alto) as a member of the Public Sector Advisory Board. Important information considered by the Committee is set out in Appendix A.
The purpose of the Rules is to protect the integrity of government. Under the Settlement, the Committee’s mandate is to review the risks associated with actions and decisions made while in office, as well as the information and influence that a former Crown official can offer Palo Alto.
The Rules state that servants of the Crown must comply with the advice of the Committee. It is the candidate’s personal responsibility to manage the merits of any appointment. Former Crown servants must uphold the highest standards of propriety and act in accordance with the 7 Principles of Public Life.
2. Review by the Committee of the risks presented
The Committee[footnote 1] noted that Professor Martin met with Palo Alto; these interactions were consistent with his role as CEO of NCSC and he had similar interactions with other companies in that industry. Further, there is no contractual or commercial relationship between NCSC and Palo Alto. The department also confirmed that it made no decisions specific to Palo Alto. Therefore, the Committee considered that the risk that he could be considered to be offered this role as a reward for decisions made or actions taken in the course of his duties was low.
The Committee noted that this proposed role overlaps with Professor Martin’s mandate. Therefore, there could be a perceived risk that he has access to relevant inside information, which could unfairly benefit Palo Alto. However, the Committee gave weight to the department’s confirmation that he had no access to information that could give him an unfair advantage and that he had been absent from duty for more than 8 months. In addition, Professor Martin’s former department, the NCSC, has a goal and commitment to transparency and has an ongoing duty of confidentiality.
The Committee noted that there is a risk that Professor Martin’s influence and network of contacts within the government will unfairly benefit Palo Alto, especially since his role is focused on discussing sales strategy on global government markets. Given his seniority and influence in government, there is a risk that Professor Martin would provide an unfair advantage to Palo Alto if he sought to sell his services or products to NCSC or the UK government. However, the Committee noted that he is prevented from doing so by the contracts and offers restriction below. This restriction makes it clear that Professor Martin cannot advise on the subject or terms of any tender or contract directly related to UK Government work. In addition, he is also subject to the lobbying restriction below, preventing him from using his contacts in the UK government to the unfair advantage of Palo Alto.
The Committee further recognized that as a former head of the NCSC, there is a risk associated with his influence and contacts in other governments. Therefore, the Committee draws the attention of Professor Martin to the restriction below which clearly indicates that he must not use the contacts he has developed in other governments for the purpose of obtaining business for Palo Alto.
In light of these factors, in accordance with the Government Enterprise Appointment Rules, the Committee recommends that this appointment at Palo Alto Networks Ltd be subject to the following conditions:
he must not rely on (disclose or use for his own benefit or that of the persons or organizations to which this notice refers) inside information which he has had since he has been in the service of the Crown;
for two years from his last day of Crown service, he must not personally engage in lobbying the UK Government or its independent bodies on behalf of Palo Alto Networks Ltd (including parent companies, subsidiaries, partners and customers); nor shall he use, directly or indirectly, his government and/or Crown Service contacts to influence policy, obtain business/funding, or take unfair advantage of Palo Alto Networks Ltd (including parent companies, subsidiaries, partners and customers);
for two years from his last day of Crown service, he must not undertake any work with Palo Alto Networks Ltd (including parent companies, subsidiaries, partners and customers) that involves advising on the terms or in relation to the subject of a tender or contract directly related to the work of the UK Government or its independent agencies; and
for two years from his last day in the service of the Crown, he must not become personally involved in the lobbying contacts he has developed during his tenure and in other governments and organizations with the aim of obtaining business for Palo Alto Networks Ltd (including parent companies, subsidiaries and partners).
Professor Martin is to notify us as soon as he takes up employment with this organization(s), or if it is announced that he will do so, and we will post this letter on our website.
Failure to do so may lead to a false assumption as to whether they have complied with the Rules.
Professor Martin must inform us if he proposes to extend or otherwise change the nature of his role as, depending on the circumstances, he may need to reapply.
Once the appointment(s) have been publicly announced or supported, we will post this letter on the Committee’s website and, where appropriate, refer to it in the annual report.
3. Appendix A – Material Information
3.1 The role
Professor Martin said Palo Alto is a California-based cybersecurity company. The website says Palo Alto is a global cybersecurity leader, innovating to enable secure digital transformation. Palo Alto’s mission “…is to be the cybersecurity partner of choice, protecting our digital way of life. [It] help[s] address the world’s greatest security challenges through continuous innovation that leverages the latest advances in artificial intelligence, analytics, automation and orchestration.” The company serves more than 70,000 organizations in more than 150 countries.
Professor Martin said Palo Alto’s advisory board for its global public sector business meets three times a year to discuss sales strategy in global government markets.
He does not expect his role to involve contact with the British government.
3.2 Business in the office
Professor Martin said that in February 2020 he attended a closed meeting of heads of cybersecurity agencies from around the democratic world at the RSA conference (the world’s largest cybersecurity conference, https://www.rsaconference.com/en/about). Palo Alto organized and paid for the event. He also said that as one of the largest cybersecurity companies in the world, Palo Alto has various relationships with the NCSC. In the strictest confidence, experts working for CM spoke with Palo Alto about weaknesses in some of the company’s products and services to ensure they were corrected. He said it was standard practice for the NCSC to disclose any issues to companies. He also said the CEO of Palo Alto came to visit the NCSC because he was interested in the UK’s approach and its skilled work. He confirmed that he had similar relationships with Palo Alto competitors, but did not have access to commercially sensitive information.
Professor Martin also confirmed that he deals strategically with all major cybersecurity companies. However, he confirmed that he did not make any funding or contractual decisions affecting Palo Alto during his tenure and did not have access to sensitive information regarding Palo Alto.
3.3 Department evaluation
GCHQ has confirmed the details given in Professor Martin’s request. It confirmed that Professor Martin spoke to the company during his tenure as CEO and maintained links with former colleagues now working with Palo Alto. It said there was an informal relationship between NCSC and Palo Alto, but confirmed there was no formal business or contractual relationship that would indicate material influence.
It also said Professor Martin’s experience as CEO of the NCSC had given him access to UK cybersecurity policy, but said this was generally already publicly available. It also said Professor Martin would bring substantial experience and high public profile to the role.
GCHQ also said that, given his proposed role on the Public Sector Advisory Council, it would recommend restricting Prof Martin’s involvement in UK-related government affairs. The department had no concerns regarding this application.