From the outside, the headquarters of GCHQ — the UK’s cybersecurity and intelligence agency — looks exactly how you’d expect: barbed wire fences and security checkpoints.
But once you’re inside, things start to feel a lot less James Bond and more like a giant shopping centre.
There’s a Greggs bakery (the baristas have security clearances) and, next to it, the UK’s largest top-secret garden, complete with stripey beach-style deckchairs.
GCHQ is on a mission — and has been since the Snowden leaks in 2013-14 revealed that it had been harvesting information of people the world over — to convey an increasingly open image; to try and shift its public perception away from secretive agency and towards ally of the public in the fight against cybercrime.
A key part of that: partnering with young startups and inviting them in for mentoring.
“The halo effect”
The part of GCHQ that runs the startup programme is the National Cyber Security Centre (NCSC). It opened a couple of years after the Snowden leaks and works on computer security threats.
Five companies have just joined this year’s programme, the focus of which is on ransomware. It’s a fitting theme — GCHQ’s director warned last week that countries opposing Russia will see an increase in cyber attacks after the invasion of Ukraine.
The companies include Goldilock, working on a physical air gap to disconnect critical infrastructure after an attack; SOS Intelligence, making affordable cyber intelligence tools; Validato, a SaaS tool to simulate cyber attacks; and Vault Sentinel and Cyntegra, which both help companies recover data after cyber attacks.
The startups will join for 12 weeks and receive mentorship, technical support and warm introductions to VCs in the agency’s circle.
A founder from this year’s cohort describes the programme as offering startups “the halo effect” — a sign of approval from the country’s top security experts that their tech is innovative and really works.
The number of VCs and investors with the in-depth security knowledge to judge that on their own is limited, so the GCHQ stamp can act as an influential guide for investors.
Why GCHQ wants to help startups
The programme helps the agency get its name out into the tech world and demonstrate how it supports British business — it's the only part of the agency that does active PR.
The Snowden leaks were a good example of why GCHQ wants to be more public facing, says Ciaran Martin, former head of the NCSC and now a professor of management at Oxford University.
“Snowden was a good example of this: we need to say more about what we do so the public can have confidence. That's a national security issue, because it will harm national security if we don't if we don't retain the public's confidence,” he says.
“You can't give cybersecurity advice to a nation of 66 million people from behind barbed wire.”
You can't give cybersecurity advice to a nation of 66 million people from behind barbed wire
The changing nature of threats also means they need to have closer ties to the public and tech ecosystem around them — cyberattacks can target individuals as well as government infrastructure, so pairing with startups developing tech for the public helps both parties.
“Ransomware is an excellent example of this,” says Saj Huq, CCO and head of innovation at Plexal, the innovation company GCHQ has paired with to run this year’s startup programme.
“To date there’s been limited innovation in the products coming to market to address this growing threat. It also allows GCHQ to point the energy of startups towards catering to certain groups; for example, making sure that SMEs don’t get left behind.”
Unit 8200 — Israel's GCHQ equivalent
GCHQ isn’t the first agency to seek closer ties with the tech ecosystem around it. The country with by far the blurriest line between its government agencies and its tech sector is Israel.
Its equivalent of GCHQ is Unit 8200: a high-tech intelligence agency and the largest single military unit in the Israel Defence Force.
The authors of Startup Nation, a 2009 book about Israel’s startup culture, described Unit 8200 as “the nation’s equivalent of Harvard or Yale”. Graduates leaving the programme often go on to form startups and work in top tech jobs.
Martin describes visiting an event organised by Unit 8200 in Tel Aviv. “It was called ‘speed dating’, where graduates from Unit 8200 would come out and pitch their ideas to venture capitalists,” he says.
Some of Israel’s top founders are grads from the agency. Gil Shewd, cofounder of Check Point, Israel’s largest cybersecurity company, was in Unit 8200, as was Avi Hasson, former chief scientist of Israel, whose office was in charge of dispensing loans to tech startups.
“A lot of people were very taken by the Israeli model,” explains Martin — including the UK government, when they set up NCSC. “In Israel, the scale of innovation is breathtaking.”
Israel, however, relies on universal conscription, so the number of people coming out of Unit 8200 and other military intelligence organisations is very high.
The flow from GCHQ into the UK’s tech ecosystem is picking up. Cybersecurity firm Darktrace was founded by former GCHQ employees, as was Ripjar, a startup working on using AI to tackle financial crime.
Meanwhile in Germany, Gerhard Schindler, the former president of BND (the country’s foreign intelligence service), now sits on the board of Monarch, a cybersecurity startup.
With increasingly large pay packages for tech workers in Europe — and comparatively small ones for the public sector — the stream of talent from agencies could be set to increase.
A desirable relationship?
So is it desirable for government agencies like GCHQ and the tech sector to become increasingly entangled when it comes to cybersecurity?
There have been a number of controversies around security tech startups. The largest and most notorious of those is NSO Group, an Israeli tech company accused of providing its Pegasus software — capable of zero-click surveillance of smartphones — to authoritarian governments so they could target human rights activists and journalists. A number of NSO’s staff came from Unit 8200.
If states grow and nurture private tech solutions, they have little control over where, and who, the companies go on to sell their tech to. There’s also an argument that something as sensitive as intelligence shouldn’t be handed over to private companies — harder to pin down on human rights than states themselves.
But for governments the choice isn’t necessarily between developing domestic startups or using in-house tech. Countries are increasingly turning to foreign-made intelligence technologies — often coming with their own questionable ethics.
That’s created a desire, and pressure, to create home-grown intelligence solutions — something domestic startups can help with.
France, for example, has been on a mission to replace Palantir, the American Peter Thiel-founded data analytics company. Nicolas Lerner, head of France’s intelligence unit, the DGSI, said in 2020 that he would rather the country use a French company.
“The economic stakes are very low,” he told Reuters at the time (Lerner said the Palantir-DGSI contract was worth a few million euros.) “Then there’s the question of sovereignty, autonomy, independence, and that’s a question only the state can answer.”