U.K. Gov’t To Invest $250M In Cyber Security Startups To Help Spooks

Despite ongoing belt-tightening of the U.K.’s public finances, there’s going to be more taxpayer cash and support up for grabs for cyber security startups from early 2016.

Yesterday Chancellor George Osborne named the tech sector as a priority area, setting out a plan to boost related government spending over the next five years — with the aim of bolstering domestic intelligence capabilities and defending U.K. critical infrastructure and ecommerce activity from hackers.

The government also wants to explore ways to work more closely with ISPs to try to divert malware attacks and block known malicious URLs.

Bolstering the regulation framework around critical national infrastructure is another government priority in this area, he said.

Giving a speech at the GCHQ intelligence agency, Osborne announced a plan to nearly double investment in cyber security — with £1.9 billion to be spent by 2020 (although total government cyber security spending, which also includes core capabilities to protect its own infrastructure and networks, comes to more than £3.2 billion).

He dubbed it “a bold, comprehensive programme that will give Britain the next generation of cyber security, and make Britain one of the safest places to do business on line”.

The spending increase will specifically go towards adding 1,900 new staff across the U.K.’s three intelligence agencies, and setting up a new National Cyber Centre, which will report to the director of GCHQ — allowing the new Centre to tap into classified expertise.

Osborne said the aim with the Centre is to create a one-stop-shop for cyber security “advice and support”, staffed by a “dedicated ‘cyber force’”, replacing the current “array of bodies” with a single point of contact to make it easier for industry to get government support on cyber security matters and vice versa.

“It will give us a unified platform to handle incidents as they arise, ensuring a faster and more effective response to major attacks. And we will build in the National Cyber Centre a series of teams, expert in the cyber security of their own sectors, from banking to aviation, but able to draw on the deep expertise here, and advise companies, regulators, and government departments,” he added.

As part of the security funding bump — and partly funded by it, along with funding from the Defence budget — he also detailed a new £165 million Defence and Cyber Innovation Fund specifically aimed at widening government procurement when it comes to security technologies by bringing startups into the mix.

“We will create a £165 million Defence and Cyber Innovation Fund, to support innovative procurement across both defence and cyber security,” he said. “It will mean that we support our cyber sector at the same time as investing in solutions to the hardest cyber problems that government faces.”

A Treasury spokesman confirmed this pot of money will be specifically for investing in startups building cyber security technologies that are of interest to the government and its intelligence agencies.

“It’s to invest in startups that are working in areas that overlap with and are in line with what the government and the intelligence agencies believe are the important areas to strengthen in our innovation,” the spokesman told TechCrunch. “So when they see areas of overlap they will invest.”

The government is not revealing which specific security tech priority areas it’s most interested in at this stage — albeit presumably startups offering robust end-to-end encryption need not apply (given ongoing criticism of companies’ use of this tech by senior government ministers, the Prime Minister and U.K. intelligence chiefs).

It’s also not clear how the £165 million will be assigned and divided between startups that are building technologies that align with government surveillance and cyber security priorities. Nor whether startups have to be founded in the U.K.

The spokesman said more details will be provided about how the fund will operate by early next year.

Government-backed Passion Capital founding Partner Eileen Burbidge, who is also Chair of Tech City UK and an active investor in security startups as well as an advisory board member of the recently launched London-based cyber security incubator CyLon, said the fund is “loosely inspired” by In-Q-Tel — aka the CIA’s VC arm.

Does Burbidge see any contradiction in the U.K. government pushing an anti-encryption message, on the one hand, yet banging the drum for improved cyber security on the other?

“I do not find the announcement of a Fund to support the cyber security industry in Britain at all in any kind of conflict about other statements or rhetoric regarding what law enforcement might need/want for national security,” she told TechCrunch.

“I think increasing Britain’s capability to lead in cybersecurity defense (and offense which Chancellor also mentioned yesterday) is very good… And will even go to help foster and create other solutions and means for reassuring citizens about safety of systems online… Which maybe helps to quell unhelpful or technically inarticulate statements about encryption for example.”

“Bottom line we need to get smarter/better about security in general; that’s how we get away from making blanket statements or implications out of reaction — which lead to confusion and concern,” she added.

Giving one hint of tech areas the government is interested in, Osborne said it intends to ramp up both cyber security defence and offence — the latter via an existing partnership between GCHQ and the Ministry of Defence, called the National Offensive Cyber Programme.

“We are building our own offensive cyber capability — a dedicated ability to counter-attack in cyberspace,” he said. “And we will now commit the resources to develop and improve this capability over the next five years.”

Osborne said the government will also be establishing two cyber security co-working spaces for early stage startups — apparently taking a leaf out of the startup incubator playbook. Albeit it’s not clear how these government “cyber innovation centres” will operate as yet.

Osborne said these will be “places where cyber start-ups can base themselves in their crucial early months, and which can become platforms for giving those start-ups the best possible support”.

On working more closely with ISPs to try to cut off access to malware, Osborne added: “Internet service providers already divert their customers from known bad addresses, to prevent them from being infected with malware. We will explore whether they can work together – with our help – to provide this protection on a national level.

“We cannot create a hermetic seal around the country – indeed it wouldn’t be in our interests to have one – but with the right systems and tools our private internet service providers could kick out a high proportion of the malware in the UK internet, and block the addresses which we know are doing nothing but scamming, tricking and attacking British internet users.

“Let us try to get to the point where all the internet service providers will as a matter of routine divert known bad addresses.”

The government has previously leant on ISPs to do more to help tackle extremism online — securing agreement from four major U.K. ISPs to host a public reporting button for extremist and terrorist material online this time last year.

More recently, ISPs are also at the core of government plans to overhaul surveillance legislation and plug what it terms “capability gaps” in intelligence gathering in the digital era. The draft Investigatory Powers Bill requires that ISPs capture and retain details of U.K. web users’ browsing habits for 12 months so the data can be available to intelligence and law enforcement agencies.

Another focus for the government’s increased spending on cyber security is boosting tech skills, with Osborne announcing a plan to run a £20 million competition to open a new Institute of Coding to plug what he conceded is still a gap in higher education around “high level digital and computer science skills”.

There will also be a push to create higher and degree level apprenticeships in “key sectors” — starting with finance and energy; a government funded retraining program for “highly skilled workers” wanting to move into the cyber security sector; and a program modeled on an Israeli scheme that aims to foster cyber skills in 14- to 17-year-olds.