DEVELOPING THE UK’S CYBER SECURITY ECOSYSTEM THROUGH ACCELERATING INNOVATIVE START-UPS

The GCHQ Cyber Accelerator is a collaboration between the UK Government Department for Digital, Culture, Media and Sport (DCMS), the Government Communications Headquarters (GCHQ), Wayra UK, part of Telefónica Open Future_, and the National Cyber Security Centre (NCSC).

Part of the Government’s £1.9bn National Cyber Security Programme, it drives innovation in the cyber security sector and helps keep British businesses and consumers safe from online attacks and threats.

Successful applicants will gain access to GCHQ’s world-class personnel and technological expertise to allow them to expand capability, improve ideas and devise cutting-edge products to outpace current and emerging threats.

The partnership will help teams develop their businesses and secure the investment needed to take their companies to the next level. A roster of best-in-class coaches and mentors from GCHQ and the wider Telefónica Group – including O2 and ElevenPaths – will provide support. Start-ups will also receive a financial grant, and access to work space.

GCHQ Cyber Accelerator Start-ups

Our challenge to the start-up community

We are looking for companies who are using novel techniques to solve real problems, and whose products could be applied in a cyber security context – for any customers, from individuals at home to the world’s biggest companies.

We also want next-generation solutions that are faster, better and cheaper than existing products. However, they must solve a known problem – we are not looking for research proposals, but ideas that make a difference now.

We have provided some indicative challenges to aid understanding of the things we are looking for – but this is not an exhaustive list – and we have roughly categorised them into three overlapping strands: Data, People, Technology.

GCHQ has a specific set of objectives around minimising the risk of child sexual exploitation and we ask that you also consider this specific context when considering the challenges below.

Data

Develop next generation data mining tools based on behavioural analytics, mathematical modelling or other techniques.

The tools should enable the analysis of network activity to detect, monitor, investigate and respond to cyber attacks, including tracing their origin and determining the tools and methods used to enact them.

They should provide simple visual representations that operate over entire networks, allowing people to rapidly and interactively perform investigations, share knowledge gained, and work with others in the community.

The topic includes generic approaches to the study of and detection of malware or other indicators of compromise, as well as mechanisms to predict attacks. It also includes knowledge management and visualisation.

1. Data processing

As with detection methods, there are numerous mature products in existence. We are interested in innovative, simplified, more efficient ways to stream, store, mine, and visualise heterogeneous network data, while retaining necessary security policy and auditing requirements, to enable the greatest capacity of analysts.

This could include the automation of routine procedures around data landing, linkage, semantic assignment, formatting, identity resolution, aggregated feature construction, imputation and interpretation of missing data, and anomaly detection and correction.

2. Enterprise data discovery

A big challenge in securing a large organisation is keeping track of where sensitive information actually is, against where the user thinks it is. This may be because of inadvertent replication of data, or by users taking copies of data, or starting to use new processes and solutions outside of the visibility of the enterprise.

Tooling to help an organisation discover exactly where its data is, and provide indications of its relative value and the information and services that it relies upon, is valuable in helping to prioritise focus, and also to identify compliance issues in regulated sectors.

3. Audit and monitoring

Not ‘total cyber awareness’ but some simple straightforward tools/techniques and capabilities to make it easy to monitor the network of systems. Today, most people pipe the logs to disk and only review them post-incident.

Software agents that provide a monitoring capability are of interest; those which are agnostic of operating system would be most valuable. However, all operating system manufacturers want their system to operate in a controlled way (for example to prevent malware from obtaining the kind of privileges that AV products enjoy) and they typically provide system functionality to enable this.

Tooling that makes use of enterprise audit, monitoring or other existing functionality to identify anomalies or make improvements – e.g. spotting system crashes and working out how many lost business hours there are – is preferred.

4. Data sharing

Making threat intelligence actionable for small companies in an automated fashion is of value.

Conversely, there are some use cases where data aggregation can be a problem. A specific example here would be in Building Information Management where, for example, every person involved in the design of a building gets access to the totality of information, resulting in the entire design (complete with vulnerabilities) being – effectively – publicly available.

5. Beyond anti-virus

Anti-virus companies are well-versed in identifying cyber attacks and iterate their response as attacks evolve. Cutting-edge, disruptive techniques that would identify attacks are of interest, especially those that can anticipate early stages of the process – preparation, information gathering, reconnaissance, and build-up. An attacker will generally assemble an infrastructure and utilise a number of methods to anonymise themselves. Next-generation tools to help characterise this are also welcome.

Tools that take account of real time threat and vulnerability information and allow a manager to change their operational posture in an agile way are also of interest. We acknowledge that it is difficult to keep track of vulnerabilities in real time – and that the vigilant will be patching as they go – but tools that assist in this regard are considered helpful.

6. Import transformation and verification

Existing solutions tend to consider cross-domain technology as meeting a high-assurance need. We are interested in similar capabilities, but developed with more of a commodity threat model in mind.

Following on from this, MSPs, for example, manage in a ‘Browse-up’ manner. Solutions that achieve segregations such that an infection in one device does not infect others are important in this regard.

People

Develop tools to make it easy for anyone to be secure online, whilst minimising opportunities for cyber attackers.

This could include ways to assist software developers and network designers to produce highly secure solutions even when re-using the work of others, or to improve the take-up of Cyber Essentials.

Mechanisms to reduce the effectiveness of attackers with significant resources are also welcome, as are tools that will reduce the risk that people face from the aggregation of all of their internet activity.

This topic also includes training packages.

1. Improved take up of Cyber Essentials and incremental improvements

We would like to see many more small companies meeting the Cyber Essentials benchmark. Any tools that can assist in this regard would be of interest.

We want companies not only to achieve Cyber Essentials but also to maintain their security posture so, for example, automated vulnerability assessment may also feature here, as would any products and services that helped companies who had already achieved Cyber Essentials to take affordable next steps. As the objective relates to small companies, a low-cost solution is preferable.

2. GDPR readiness

Whilst large corporates are alive to the issues, organisations such as SMEs, charities and other non-profits are yet to fully understand the implications of GDPR, which require companies to prove they have taken adequate steps to properly manage personal data.

Charities in particular are focused on their front-line delivery and, as a rule, spend little on IT security. They believe that their mission – to do good – is enough to prevent any accusation of poor practice.

An ICO fine is likely to have a disproportionate effect on the survivability of organisations like these. Low cost, easily implemented solutions to this problem are required if we are to make a difference here.

Note that awareness raising alone is insufficient; we are looking for products or services that improve security.

3. Identifying ‘the good’

Tools that have a capability to ‘learn’ what normal looks like (noting and accommodating the fact that the norm is not always the good) in terms of system/user access to sensitive sets of data in order to allow system owners to produce profiles (or other artefacts) from which anomalous behaviour can be identified and acted upon.

Related to this, an ability to profile user behaviour would assist us in awareness campaigns and to highlight areas where greater awareness may be necessary (or where no intervention is required).

4. Making it easier to be secure

Tools that enable mobile phone users to be aware of and manage the activities and privileges of the apps they run are of interest, as are those that enable users to more easily use white/black lists for apps.

In addition, tools that make it easier for app users to manage the risks they face when they click “yes” to highly complex and voluminous terms and conditions, or how much identity and other information they are giving away, would be of value. Low-cost solutions are preferred.

Easy to digest, modern, high-quality training packages that are suitable for the lay person (and could potentially be NCSC approved) are currently in short supply and would be of interest.

Having said that, attempts to train users on ways to avoid phishing attacks do not work for everyone; humans are not best placed to make these decisions. Tools that enable the computer to determine whether an e-mail is trustworthy could help with this problem.

5. Getting the board to ‘get it’

Board members generally have limited time, limited understanding of cyber risks, limited money and a set of other pressing problems to solve. In this challenging environment, we are looking for mechanisms that help boards take the cyber risk more seriously, where information is presented in a way that is both compelling and digestible to that specific audience.

This same issue is prevalent more generally. Mechanisms that will allow a cyber conversation in a way that is accessible and persuasive to different audiences are of interest.

6. Not all animals are equal

Some users can be classed as VVIPs and require bespoke support. Tools that enable such individuals to understand their digital footprint and which can easily offer advice and guidance – or ‘canned’ environments – dependent on the situation are of interest. Enterprise versions of such tooling – which expose the digital footprint of an organisation – are also valuable.

7. Out-of-the-box solutions for the vulnerable

Whilst it is true that there is a kids’ version of, for example, YouTube or iTunes, it is difficult for the responsible adult to configure a machine to be child-friendly (or vulnerable person-friendly). An out-of-the-box solution that makes it safe for vulnerable people to interact online would be a welcome addition to the marketplace. This includes making it harder to become the victim of grooming activities or visiting unsuitable websites.

8. Authentication

People find it very hard to generate and remember different and complex passwords for the range of devices and services they use. They also find it tiresome to enter them manually.

We are looking for approaches that reduce the burden of passwords without compromising security. Ideally solutions should adopt existing standards, and make use of hardware security features built into commercially available devices.

Existing products use a range of biometrics and physical tokens, with variations in the level of protection offered to credentials. We believe there is room to improve the state of the art in terms of the options available, the protection of critical components, and also novel combinations of techniques (such as multi-factor or continuous authentication).

Technology

Develop new tools and prototypes that enhance or enable security on existing devices, including those containing potentially insecure third-party applications. A specific and pressing need here is tools that enable (trusted) understanding of the totality of devices that are present on the entire network.

Solutions might include mechanisms that enable the use of cloud technology for highly secure data storage or processing. Secure document readers would fall into this category, as would tools that reliably automate resource intensive or complex processes.

1. Believable attestation

An increasingly important challenge in securing a large organisation is being able to confidently identify every device on the network, including some or all of desktop systems, servers, mobile devices, IoT devices, and Industrial Control Systems. Tooling to assist with this will help to solve one of the most common problems seen today.

Even if that problem were solved, a secondary challenge lies in trusting the integrity of the information being reported back. We are specifically interested in hardware-backed attestation, and its use to rapidly provision new devices. Solutions that use existing standards (e.g. TCG) where available are preferred.

A next step is to identify, understand and manage unplanned changes across the estate. How can managers extract configuration information and identify unplanned changes (either as a result of a hack or through sysadmin action)?

2. Confidence in cloud services

Many people find it difficult to establish which cloud services offer the right kind of security for their application. Products or services that provide objective advice and guidance on the security posture of different cloud services in a way that enables a user to make the right decision are of interest.

Once started, a big challenge in securely using cloud services is in maintaining an understanding of status, particularly as more and more services are available at a free entry level. Something to help risk owners understand what they’ve actually got, how it is configured, how services are communicating / sharing data in the cloud, and where points of interest might be, would be of value.

3. Managing third-party dependencies / continuous integration pipelines

Organisations developing software solutions often end up incorporating third-party components, either knowingly or unknowingly. These introduce a security challenge – as the dependencies are patched, these updates need to be assessed and incorporated into the main solution, or security problems can be exposed. But doing this reliably and knowing that good coverage has been achieved is difficult. Tooling to provide confidence in this respect is of interest.

Whilst there are many tools that exist to do post-coding checks, there is a need to be able to validate software – to do basic checks – during coding and not after. Developer-centric tools and services that more generally enable secure coding would be valuable.

4. Next generation management of ‘secrets’

We are interested in solutions that provide greater agility or finer grain solutions – for example, novel ways of adequately addressing the security issues that would cause us to use a VPN. Solutions that allow sysadmin privileges – but for a short time only – or which provide certificates to web services in an automated way would fall into this category.

5. Last generation management

Sometimes it is not possible to quickly replace unsupported operating systems, for example. Practical solutions that enable the management of legacy systems are of interest.

6. Embedded device forensics

Whilst post-incident forensics of Windows and Linux systems is an established discipline, there are few tools and little training available for analysis of embedded systems. This includes IoT devices, network infrastructure, and industrial control systems.

The lack of available tools and knowledge leads to very little root-cause analysis of failure in these devices, with the “fix” for any odd behaviour being to re-flash. We would value proposals that improve both, either in the generic case or for particular sub-sets of importance due to their ubiquity or critical roles.

7. Faster forensics

Methods for speeding up forensic analysis without destroying the evidential chain are also sought.

WHAT WE OFFER

If you’re developing an innovative solution that meets the challenges outlined, the GCHQ Cyber Accelerator is the place to make it grow.

Access to GCHQ and Telefónica cyber experts

Mentoring from the country’s leading cyber experts

Extensive acceleration services

Access to Wayra UK’s network and knowhow, and training in entrepreneurship and business skills

Telefónica business development

Access to Telefónica’s network of 300m customers across 17 countries

Our investor network

Wayra’s investor network will help businesses scale

Access to a dedicated accelerator facility

Access to a state-of-the-art, modern facility for start-ups

£25,000 grant

Financial assistance throughout the programme

FAQS

Why is GCHQ running an Accelerator?

The accelerator is a key component of one of two cyber innovation centres announced by the Government in 2015. Both innovation centres are intended to support the growth and development of the next generation of cyber security companies, growing capacity and capability nationally, supporting GCHQ’s core activity as well as contributing to Government ambitions to promote prosperity.

How are the companies chosen?

Companies are invited to apply through an open competition. The start-ups will be chosen by an expert panel of GCHQ, NCSC, Wayra and Telefónica staff, alongside a panel of investors.

Why is the programme nine months, when the first programme was only three months in duration?

After the successful first phase of the programme, we believe we can develop the start-ups even further via a longer programme, ensuring the companies gain maximum advantage of this opportunity.

What funding do companies receive through the programme?

The companies will receive financial support of £25k per company.

Will GCHQ and/or Wayra UK take any equity in the companies?

Neither GCHQ, the NCSC nor DCMS will be taking equity in any of the companies. However, our accelerator partner and other companies supporting the start-ups are welcome to invest if they wish and the companies agree to this, but this is not a requirement for entry to the programme.

Are the companies required to license or transfer any of their Intellectual Property to GCHQ or Wayra?

No. By participating in the programme the companies are not required to give away any rights to their IP whatsoever.

Are there any restrictions on the type of companies who can apply?

The companies are required to have a presence in the UK and those staff working in the accelerator will be expected to submit to Government security clearance if required.

Are the companies effectively working for GCHQ/NCSC?

No. Those companies entering the accelerator will be developing products and solutions for wider commercial distribution.

What facilities are made available within the accelerator facility?

The companies are given desk space in a high-specification dedicated accelerator facility, with internet access, meeting rooms, event space and kitchen.

What happens after the programme ends?

Wayra UK has an active Alumni community, who return each month to provide updates and take full advantage of the networking opportunities available at many of Wayra’s events. They too utilise the academy in Central London to run their own events and hold meetings. We are also exploring the possibility of a dedicated alumni network for the GCHQ Accelerator programme specifically.

What will GCHQ offer after the programme in terms of support?

This will depend on the individual companies.

Will the companies be invited to work with GCHQ?

We do not comment on our relationship with any of our suppliers. All of the companies who participate in the accelerator programme will be afforded access to GCHQ and the NCSC’s technical expertise to support them in developing their products, solutions and businesses.

Who is Wayra?

Wayra UK is part of Telefónica Open Future, the open programme that integrates the different initiatives of the whole Telefónica Group related to entrepreneurship and innovation.

Wayra UK gives direct funding, acceleration and pre-acceleration services (such as co-working space, connectivity services, mentoring, access to Wayra UK’s network and knowhow, training in entrepreneurship and business skills) to selected start-ups. Since its launch in 2012, Wayra UK start-ups have raised close to $150M in third-party investment.

How was Wayra selected?

A procurement competition, run in accordance with normal GCHQ procurement procedure, considered a number of high quality submissions, with Wayra being the eventual winner.

How does the accelerator relate to the work of the National Cyber Security Centre?

The National Cyber Security Centre is a part of GCHQ and is integral to the UK’s efforts on cyber security. NCSC personnel will be involved in the day-to-day running of the accelerator as well as providing mentoring to some of the start-ups.

Why is Wayra UK suited to help GCHQ?

As well as being part of Telefónica Open Future_ – the world-leading accelerator programme, which has 11 academies in 10 countries, and is part of the wider Telefónica network – Wayra UK has partnerships with major corporates including pharmaceutical company Merck Sharp & Dohme (MSD) and fashion retailer ASOS. As a result, Wayra UK is especially well placed to work with start-ups to help them understand the challenges faced by larger corporate and government entities, and how to work with them successfully.

Register your interest

The 2017 call for companies is closed. If you have applied, you will be contacted shortly. You can register your interest in future involvement in the GCHQ programme here: