The secret to being a great spy agency in the 21st century: Incubating startups

What happens when a top secret intelligence agency turns to entrepreneurs to help build new tools to protect a nation from cyberattacks? GCHQ found out.
Written by Danny Palmer, Senior Writer

This article was originally published as a TechRepublic cover story.

Intelligence agencies are good at finding and keeping secrets, and at working patiently in the shadows. Startups are good at promoting themselves, moving fast, and breaking things--in an effort to build the next big technology. It's hard to think of two mindsets that are further apart.

But in a world of constantly evolving cybersecurity threats, Britain's GCHQ spy agency decided to open a startup accelerator to bridge the gap between the two: to see, if it was a little more open, it could help the private sector build tools to prevent future cyberattacks.

Britain's Government Communications Headquarters (GCHQ) has a century-long history of helping to protect the country from threats, both international and domestic.

Although it wouldn't be known as GCHQ for decades to come, its work began during World War I when a number of intercept stations were established to seize and decrypt messages sent by Germany and its allies. Its most famous incident came in early 1917 when analysts were able to intercept and decrypt a telegram sent by the German foreign minister Count Zimmermann, which revealed that Germany planned to reward Mexico with US territory if it joined the war. The release of the message was one of the factors which brought the United States' firepower into the war.

Download this article as a PDF (free registration required).

During World War II, the organisation, then called the Government Code and Cypher School (GC&CS), was located at Bletchley Park where it tirelessly undertook to decrypt Hitler's "unbreakable" ciphers--work credited with shortening the war significantly.

SEE: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (TechRepublic cover story)

Following the war and having outgrown its previous site, GC&CS was renamed GCHQ. Its headquarters were moved just outside of Cheltenham, Gloucestershire, in the west of England, where it remains today.

It now has 6,000 staff and an annual budget of £2.6bn, while still being tasked to keep Britain safe from a variety of threats including terrorism, serious crime, espionage, and cyberattacks, as well as providing support to law enforcement and the military when required.

But its work is not without controversy. In 2013, whistleblower Edward Snowden lifted the lid on PRISM, an expansive online surveillance programme by GCHQ, along with the US National Security Agency. The programme collected data on all online and telephone communications made inside the UK.

But while the agency is best known for snooping, it also has a secondary role in providing security advice.

"We're a security organisation. If you drive past us you see a lot of razor wire and that can sometimes create an internal, introverted culture," said Chris Ensor, deputy director of cyber skills and growth at the National Cyber Security Centre (also known as NCSC, the cybersecurity arm of GCHQ).

"For the last 100 years, GCHQ has had an intelligence mission and a security mission. It's the intelligence which is portrayed in the news or in films like James Bond and we're always the spy centre. But actually we've had a security mission for a long, long time," said Ensor.

Threats to national security evolve over time and today cyberattacks are considered to be among the biggest risks to the country--alongside terrorism, espionage, and weapons of mass destruction.

That means GCHQ's security mission has extended to protecting the UK from cyberattacks and hackers, particularly those targeting critical national infrastructure. Indeed, the NCSC was set up to tackle cyberthreats, replacing three separate cybersecurity organisations: the Centre for Cyber Assessment, Computer Emergency Response Team UK, and GCHQ's information security arm.

"It's all about how do we help other organisations secure themselves, be it government organisations, industrial systems, or even down to the citizens and small businesses. It's all about raising awareness of cybersecurity, improving the number of products out there, and also improving the talent pipeline," Ensor said.

But as big as GCHQ is, it can't do the job of protecting the UK alone. And over the years, government organisations have developed a reputation from not being as agile or innovative as their private sector counterparts. GCHQ set out to change that by bringing in cybersecurity companies to offer a fresh perspective.

Rather than looking to work with large, established security firms, GCHQ decided to set up a startup accelerator with the dual goals of developing new ways of keeping the country safe from cyberattacks and aiding some of the smallest, but most innovative, firms in the sector to establish themselves.

GCHQ, for its part, benefits by working with the cutting-edge companies. "If we bring our problem set together with private sector innovation, ingenuity, and entrepreneurship, we can come up with new capabilities the UK needs to protect itself," said Ensor.

Over 70 startups applied to be a part of the first GCHQ cybersecurity accelerator, which offered firms the chance to work alongside the agency near its Cheltenham headquarters, along with private sector mentors and a grant of £5,000. The package comes with no strings attached. The startups involved don't need to give up ownership of their work to GCHQ.

SEE: Cyberwar and the Future of Cybersecurity (a ZDNet/TechRepublic special report)

After completing paper exercises and technical assessments, applicants to the accelerator were invited to London to take part in a set of Dragons' Den-style pitches to narrow down the applicants to a handful of promising young companies.

"We were really encouraged by the number of people who came forward who wanted to get engaged with us. It was an indication that we were going in the right direction," said Ensor.

The application process was gruelling, requiring the invited startups to make a three-minute pitch, followed by seven minutes of close questioning from GCHQ analysts and industry experts to ensure they had solutions to real problems.

"It was good at weeding out companies which didn't have it figured out," said Gary Stewart, director of Wayra UK and Telefónica Open Future UK, the startup accelerator that helped GCHQ organize and run the scheme.

"When someone comes with a cybersecurity startup, if they haven't actually deployed it in a large organisation, it's hard to figure out if they're onto something or delusional," said Stewart.

The finalists

By the time the programme got underway in January 2017, the startups had been whittled down to just seven finalists:

  • CounterCraft
  • CyberOwl
  • CyberSmart
  • Futurescaper
  • Spherical Defence
  • StatusToday
  • Verimuchme

But what attracted them to join the accelerator in the first place?

"GCHQ are experts in intelligence," said Daniel Brett, founder and CSO of CounterCraft, which offers cyber-deception and counterintelligence products to detect and respond to targeted cyberattacks.

Founded in 2015, CounterCraft was one of the larger, more established startups chosen to be part of the scheme, having successfully raised over $1m in funding during 2016 alone.

"Basically, they're the best in the business, so if they think there's some merit in your idea and using it to protect companies, that's huge," said Brett. "We were really honoured to get a place."

CounterCraft startup team

CounterCraft was one of the seven startups selected to take part in the scheme.

Image: CounterCraft

With 10 employees and having also previously secured over $1m in funding, StatusToday offers an artificial intelligence-based platform designed to understand "normal" human behaviour patterns and use that knowledge to uncover threats.

"For the work we're doing, one of the best partners we could possibly have was looking for startups for help, so it was a no-brainer when we heard about the accelerator," said Ankur Modi, CEO of StatusToday, and a former Microsoft software engineer.

"We're talking about security threats that most people don't even know about, that they face on a daily basis," said Modi. "They can help us adapt the product to even handle those."

Other organisations accepted to the scheme were less established, but nonetheless were judged to be among the best, most exciting cybersecurity startups in the UK. One of the smallest firms accepted to be part of the accelerator was Verimuchme, a digital wallet and exchange platform for verified personal information and documentation.

The firm was founded in December 2015 by a team who shared its experience of contracting in the finance sector and set out to solve the issues associated with data sharing in short-term roles.

SEE: Hacking the Nazis: The women who broke Hitler's codes (TechRepublic cover story)

"The majority of contractors feel the pain of going through these screening checks, handing over all your personal information in this really unsafe manner," said Olga Saliba, CEO and co-founder of Verimuchme, who built the entire platform with her co-founder Rehman Zafar.

In fact, the platform--a secure cloud portal where the user uploads information and grants specific enterprises access to their data--had only just finished being built when Saliba was made aware of the accelerator in an email from a friend. Nonetheless, Verimuchme made it through to be a part of the accelerator.

"I was thrilled," she said. "It validated there's a clear need for something like this, that it's got commercial viability."

The feeling that selection by GCHQ was a vindication of their business model was shared by many involved.

"There were many companies, so getting selected was fantastic," said Dr. Siraj Shaikh, co-founder of CyberOwl, an early warning and threat intelligence system that was spun out of cybersecurity research at Coventry University.

"It gives us a message that what we're trying to do is something of high value, because there's a positive message from Telefonica that, yes, this a good technology and one from GCHQ that our security work is good," said Shaikh. "It's very helpful for us as a company that's just starting out."

But selection was just the beginning of the journey. The real challenge--working in the accelerator for three months--was yet to come, and Wayra had to design a hub with an atmosphere that was suitable for the startups, the entrepreneurs, and GCHQ itself.

Download this article as a PDF (free registration required).

Collaborating with GCHQ

While the accelerator workshop is in the town of Cheltenham, it's not housed in GCHQ's headquarters. As much as the agency wants to emerge from the shadows, it wasn't considered appropriate to have members of the cybersecurity startups simply walking in and out of the top secret building.

Like many similar schemes, the accelerator hub is designed to foster innovation using open office plans and collaborative spaces. It brought a taste of an East London tech hub to Cheltenham.

"The accelerator is actually quite bean-baggy, so that's nice," said CounterCraft's Brett.

It was a race against time to get the workspace ready before the first day of the accelerator on January 9, 2017, but it was completed--just about.

"It's a completely new office--there was the smell of fresh paint on the walls," said Giorgos Georgopoulos, CEO and co-founder of Futurescaper, which ended up spinning off into a new company called Elemendar during the course of the programme.

The company uses artificial intelligence to read cyberthreat reports by humans and turn them into industry-standard structured information. The original team was set up in 2011, based around its three founders' research at MIT and the University of Oxford.

Elemendar and the other startups quickly got into the spirit of the scheme.

"It's been a really invigorating experience, because there are half a dozen other companies doing really interesting stuff. It's very diverse; there aren't two companies working on exactly the same thing, which means that we can have a lot of conversations without feeling competitive and it gives us different perspectives," said Georgopoulos.

External mentors advised the startups in the accelerator on tasks ranging from sales to customer development.

While plenty of mentoring opportunities are available, it was up to the startups to choose which avenues they wanted to pursue, be they with GCHQ, private firms, or even one another.

"We're surrounded by six other startups all in the same process, all doing different takes on cybersecurity. There's great personalities, great people, and we're all trying to pull together to help each other," said CounterCraft's Brett.

One of the major parts of the whole process was that for at least a few days every week, all the participants were required at the accelerator. For the smaller startups, their whole teams would go, while the more established would send two or three staff down from their main offices. In most cases, the companies were based in London, 100 miles away.

Indeed, travel and accommodations were viewed as one of the key logistical challenges for almost all of those taking part: a typical train journey from London to Cheltenham takes two and a half hours and often involves changing in Bristol or Swindon. "There's a lot of time spent on the motorway and on the train moving back and forth," said Elemendar's Georgopoulos.

SEE: Cyberweapons are now in play: From US sabotage of a North Korean missile test to hacked emergency sirens in Dallas (TechRepublic cover story)

For Mariella Thanner, co-founder of CyberSmart, which provides intelligent software for automating and streamlining compliance, there was no such thing as a "typical day" and the only constant was a "town hall" meeting on Wednesdays.

Queen visits NCSC

The National Cyber Security Centre--the new cyber arm of GCHQ--was officially opened with a visit from the Queen in February 2017.

Image: GCHQ

Her team even held parties and gatherings, including a "Pancake Day" get together, for the other startups at an Airbnb property they dubbed "The Cyber Bunker," and Thanner was confident living in Cheltenham was the best way forward. "It's charming. We had it relatively easy because of the house," she said.

The startups were also involved in other events they wouldn't have gained access to had they not been part of the scheme. Verimuchme attended the February launch of the National Cyber Security Centre in London: the building was officially opened by Queen Elizabeth, who went on a tour of the facility. Verimuchme's Saliba got to be part of it, meeting Her Royal Highness.

"When we met the Queen, I had my own Verimuchme T-shirt with me, but I wasn't allowed to wear it at a public event," she says, adding there are still plenty of elements of GCHQ that are formal and behind closed doors--something both sides had to balance.

"We're very commercially-minded, while government is protective, so that was a big learning experience," she said.

It's a view shared by many of the other startups: they're appreciative of GCHQ's message and aid, but sometimes during this first incarnation of the scheme it was obvious that the intelligence agency was still adapting to life out of the shadows. Sometimes it was hard, said StatusToday's Modi.

"GCHQ is still learning on how to collaborate. If you're a mega-enterprise working with GCHQ it's hard enough--when you're a startup, it's harder. But GCHQ is trying to break down the bureaucracy and trying to smooth the process of collaboration so that it's less formal," he said.

But as the startups' understanding grew during the 90-day programme, so did the relationship with GCHQ, according to CounterCraft's Brett, who said the usually secretive operatives became more collaborative as the scheme went on.

"At the beginning it was a bit odd, because you meet a lot of people and you can't know much about them. But over the three months we got to know people, see the human side," he explained.

"We catch GCHQ in a moment when they're changing; they're trying to be less secretive and show people their defensive mission. It's a microcosm of the change where GCHQ want to look less like a den of horrible spies and more as people doing good stuff. James Bond is a spy, but we can appreciate his finer qualities as well," said Brett. "It took time to build up these people's trust--but it went really well."

Ultimately, building up that trust between GCHQ and small private sector companies was one of the goals of the scheme, because it wasn't run just for the benefit of the startups, but for the government's cyber security arm too.

The NCSC met its own challenges in instilling change in the organisation. "Part of this is about encouraging people to get out of the building and work with the sorts of people they may not have worked with before. We work in a very high security environment, but we want to mix and engage with people outside of it," said the NCSC's Ensor.

Like any other organisations, there are different people with different personalities within GCHQ and Ensor admits when it comes to going outside the walls of the secretive building "some people will be uncomfortable and some people will love it" but "it's about giving them those opportunities to work with different people with different mindsets."

After the accelerator

As this was the first scheme of its kind for GCHQ, it's been a learning experience for all involved. While the startups are hugely positive about being a part of the scheme, there's one downside they all agree needs addressing--the relatively short length of the programme.

"It felt as if we didn't have much time. Because once we'd figured out the right people, got them in the diaries, and really drilled down into the problems, it's the sort of thing that can take some time," said Elemendar's Georgopoulos.

His view was mirrored by other startups, many of whom feel as if the three-month programme passed very quickly, especially as it took time to get properly set up and followed a move to Cheltenham.

"The first month is a big adjustment period where everything was very new," said Thanner. "We needed a month to get to know everyone and get the right mentors, then month two was about progress, then month three was all about preparing for demo day. So if we'd had a couple of months in between, it would have been more beneficial," he added.

That demo day marked the culmination of the accelerator, with each of the startups presenting to government, private sector personnel, and potential investors at a special event held at Cheltenham Racecourse on March 30--the last day of the programme.

Despite having spent three months working alongside personnel from GCHQ, business, and the cybersecurity industry, for some of the startups, diluting their company's work into a three-minute pitch was challenging.

"Even though we did pitch practice, it's a different thing to be out there in front of the government, GCHQ, investors--it's pretty nerve-wracking, and you have to do a lot in three minutes," said CounterCraft's Brett. "So yes, I was nervous, but it went okay, it was good; a great end to the three months."

SEE: Governments and nation states are now officially training for cyberwarfare: An inside look (TechRepublic cover story)

For CounterCraft, the pitch went so well the company managed to attract new business on the day, fulfilling one of the goals the accelerator set out to achieve.

"There was interest from investors, and they want to talk more about what we can do. It was an awesome day. Very, very good," he said. "And there were some good cupcakes." CounterCraft's positive experience was shared by many of the startups on the demo day.

Following the conclusion of the day, many of those involved in the scheme gathered at a bar for one final send-off before they all returned to life outside the accelerator scheme.

"Although we've had our closing ceremony and psychologically it feels like a very definite ending, we had some emotional moments in the pub," said Elmendar's Georgopoulos.

It may have been the end of the accelerator, but all the startups involved feel as if they've been part of something bigger. It's the first step in a long journey they'll be on together.

"There was a lot of good feeling between the companies, I'm sure we'll get together in London and the relationships with Wayra and GCHQ will be continuing," said CounterCraft's Brett.

For some, the end of the accelerator took a bit of getting used to.

GCHQ doughnut building

The accelerator is based near GCHQ's Cheltenham headquarters, but isn't on the actual GCHQ site itself.

Image: GCHQ

"It was weird not having meetings in the first week," said Thanner, adding that life after the accelerator is going well. "We're taking all the knowledge we learned and applying it in more detail and into our daily operations" and GCHQ is still there for support.

"We're alumni; we can still be in touch. Although the programme is over, we're not being dropped, if we have questions, we can ask," she said.

StatusToday's Modi said that being able to say "we've been picked up by GCHQ" will "make a lasting impact to us going forward."

All of the startups involved reported getting opportunities that, in some cases, otherwise may never have been open to them.

"It pushed us out of a comfort zone, and it gave us an opportunity we wouldn't have been able to achieve if we were on our own and doing this. It gave us a platform and now it's up to us to use it, but it's given us a rise," said Verimuchme's Saliba.

With the three-month programme behind them, how do the startups describe working with an organisation which is often viewed by the public as secretive, even shadowy?

"Culturally it's no secret they're a closed organisation and that comes from that background and continues to be the case in other areas--there are a lot of secrets and there are good reasons to keep them, and that's not going to be changing anytime soon," said Elemendar's Georgopoulos. "But there's been a real shift in the working relationship in bringing the outside world into this world that's not used to being open," he continued, adding: "We've had the controls and security measures you'd expect, but if anyone was expecting to feel like James Bond they'd be severely disappointed!"

Thanner said, "It didn't feel like a spy agency. They were all very helpful and very down to earth and ultimately they were about how they could help. I never even thought about it that way. They're no different to any other mentors we have."

When first brought on board with the scheme, Wayra was very much aware that this was the first instance of a partnership between GCHQ and private industry in such a public way. The agency was aware that it too had something to learn from being part of it.

"They've [GHCQ] taken a humble approach, they're willing to learn and they said they understand they don't dominate the space, and part of doing this was learning how that would work," said Wayra's Stewart.

GCHQ is keen to use its expertise to help startups and private firms develop new cybersecurity products, in order to ensure that UK organisations and infrastructure are as fully protected against cyberattacks of all kind, and in the most extensive way possible.

"This is all about putting things on the shelves people can take off to secure themselves. It'd be really great if in five years' time, you saw two or three of them become household names. We want to see them become global players," said the NCSC's Ensor.

Following the success of the first cyber accelerator, GCHQ started running a second one in October 2017--and they've taken the feedback from the startups about the length of the programme, with the second scheme set to last for nine months in total.

"We were able to cram a huge amount of content into a three-month programme, and as a first effort the achievements were comprehensive, and the startups benefited hugely," said Wayra's Stewart.

"However, we think the companies would get even more out of a longer programme as they would be able to engage on an even deeper level with GCHQ, other corporates, and our parent company Telefónica," said Stewart. "With the success of the first programme, it seems like a natural evolution to do it again--but bigger, better, and more comprehensive."

Download this article as a PDF (free registration required).

Also see:

Editorial standards