GCHQ 'over-achieved' in hunt for exploits and cyber weapons

Two years after launching a programme to build up its cyber-attack capabilities, the UK's spy agency GCHQ claims to have "over-achieved" in its mission to build its cyber-arsenal.
In 2015, the UK government outlined its ambition to boost its spy agency's offensive cyber capabilities, which it defined as the ability to "disrupt, deny, degrade or destroy computer networks and internet-connected devices".
The UK's Intelligence and Security Committee this week revealed in its annual report that GCHQ had "over-achieved" its mission, having delivered twice the number of "capabilities" it was aiming for.
GCHQ officials reported this to the committee in January after completing the first of three phases in the seven-year National Offensive Cyber Programme (NOCP), which is run by GCHQ and the Ministry of Defence.
The NOCP aims to give the UK cyber-attack capabilities "on a different scale", ranging from tactical tools to "high-end" offensive capabilities that may never be used, but could act as a deterrent.
Last year, the UK said it wanted to have the ability for its armed forces to "deploy offensive cyber capabilities as an integrated part of operations" and maintain political control over cryptography.
GCHQ is planning a major hiring spree to boost its headcount by 14 percent by 2020, increasing staff numbers from 5,800 today to over 6,600 by the end of the decade. However, the agency admits that "intense competition" from the private sector poses a major challenge.
Around a quarter of GCHQ's staff work on "capability exploitation", which involves "finding and exploiting both secret and open source information" to enhance its tradecraft and technology.
Skills shortages have created a problem for a GCHQ programme called Foxtrot, which aims to counter the "growth of ubiquitous encryption". A GCHQ official said Foxtrot was "really, really difficult" not because of technical hurdles but because "the skills aren't there".
The agency admits that it "couldn't possibly compete" with pay offers from tech firms that can fork out four to five times what GCHQ can, but contends it can offer more interesting work.
The agency is also working to improve its supercomputing capacity under a 10-year project called Golf. Thanks to help from the US, it expects Golf to come online in early 2018.
Other key intelligence projects include Alpha, which aims to improve exploitation and retrieval of MI5's information, and Charlie, a project to modernize MI5's surveillance capabilities.