Top Secret Surveillance Agency For Hire To Industry And Public
GCHQ Hires Out Its Hackers To Industry
By Andrew Gilligan and Rob Evans
Electronic Telegraph - London

GCHQ, the top secret Government agency which taps communications and collects data from spy satellites, has set up a team to market its services to industry and the public sector.
GCHQ's Communications-Electronics Security Group (CESG) has advertised in the trade press, set up stands at exhibitions and produced several glossy brochures to attract customers. Services offered include access to the expertise of CESG's professional computer "hackers", who can carry out "hits" on clients' systems to identify any weaknesses which might be exploited by infiltrators.
John Doody, the CESG's head of customer services, said: "We've come out of the dark. We shouldn't be seen as part of the secret state. Our business is overt. How we do some of it is covert, but we have thrown open the curtains. Our public profile is as high as it's ever been. People are knocking on our door."
CESG, based at GCHQ's Cheltenham site, helps to produce ultra-secret cryptographic products which protect sensitive Government computer and telecommunications systems. Much of its work is for the Ministry of Defence. It also assists other agencies in fighting computer viruses and data espionage. Its most secret work will remain highly classified, but the organisation has formed partnerships with the private sector to offer advice.
The move is partly intended to help cover the agency's costs, but it also reflects the fact that many critical national services, such as public utilities, are now provided by the private sector. Mr Doody said: "Government no longer sits within a nice white picket fence. It has connections to all sorts of other utilities, and if we and they haven't got our acts together, the national interest is at risk."
The agency uses a team of about a dozen "superhackers". Mr Doody said: "Let's say that they are good lateral thinkers - they don't necessarily follow the predicted paths through a system." They are "very carefully vetted" and - unlike in the United States - the Government refuses to use "turned" ex-hackers for the job. With the consent of their "victims", they test systems by trying to break in and obtain information.
From October, they will be available to instruct commercial customers and do some inspections of sensitive commercial systems with the launch of the CESG's "IT Healthcheck" service. Other services already available from CESG include risk assessment, advice on cryptographic equipment and training for private computer security consultants. Mr Doody said: "It's been a big cultural change for us. We're trying to get past the picture of security as men who only say no."
The change has been made more urgent by Tony Blair's recently-stated wish to have at least a quarter of all Government business undertaken electronically within the next decade. Mr Doody said: "We're at a watershed. The more we do things electronically, the greater our vulnerability is if we don't grasp the problem of security up front. It may come to a point where it takes a major incident to get us to take the issue seriously."