GCHQ, the intelligence listening station, is to repackage and market some of its security technology to the private sector to help protect national infrastructure such as power stations and other utilities from online attacks.
The move, announced in the Cabinet Office’s cybersecurity strategy on Friday, is part of a wider government effort to use the agency’s “unique expertise” to boost economic growth and enhance the competitiveness of the UK cyber security sector abroad.
Ministers had already set aside £650m over the next four years to build up UK defences against threats such as the Stuxnet computer virus – which hit Iran’s nuclear programme in 2010. But this is the first time they have laid out a clear plan on how the public and private sectors will collaborate.
A pilot programme to share information on cyberthreats between government and companies in the defence, telecoms, finance, pharmaceuticals and energy sectors gets under way next month. GCHQ’s emergence from the twilight world of espionage was welcomed by industry specialists, who said it represented a marked change in attitude.
“They are coming out from the shadows,” Neil Fisher, a senior security executive at Unisys, the IT company, told the Financial Times. “This is really GCHQ coming out into the open much more and saying, we need to protect the infrastructure and to do that we need to understand the vulnerabilities in the network.”
Officials were keen to emphasise that the secret technologies would only be sold to UK companies and that exactly what the agency might sell had yet to be decided.
“This is not [GCHQ] flogging their intelligence,” one government official said. “The principal idea here is that they develop as part of their work little bits of engineering ... some of which, when it’s performed its use, is no longer secret.”
“What you need to do is to partner with some people who can help you spot those opportunities and bring them to market,” the official added.
Analysts said GCHQ would want to avoid repeating a mistake made in the 1970s when the agency failed to exploit its development of public key cryptography, security software which protects financial transactions online. After the agency failed to commercialise it, it was patented and commercially exploited by computer scientists in the private sector.
In the longer term, ministers are keen to see if the UK can replicate the success of In-Q-Tel – a non-profit enterprise funded by the US Central Intelligence Agency – which invests in technology start-ups working on projects to enhance national security. The strategy suggests that the government may look into sponsoring a similar venture capital model to “unlock innovation” in the UK’s cybersecurity SMEs.