Driving into Cheltenham from the west, it is hard to miss the offices of Government Communications Headquarters, or GCHQ, the United Kingdom’s surveillance agency. The large, doughnut-shaped building sits behind high-perimeter fencing with barbed wire and many levels of security. The facility – used to eavesdrop on global emails and phone calls – is located on the edge of the sleepy Gloucestershire town, which feels like an incongruous location for one of the world’s most aggressive spy agencies.
Cheltenham has a population of just 117,000 people, and GCHQ’s presence has turned the area into one of Europe’s central hubs for companies working in the fields of cybersecurity and surveillance. GCHQ says it employs almost 6,000 people in Cheltenham and at some smaller bases around the U.K., although the agency has in recent years secretly expanded its workforce, reportedly employing thousands more staff.
People in the area are now talking of a cyber “corridor” that stretches for 50 miles from Malvern, just north of Cheltenham, all the way to Bristol, where the Ministry of Defence has its equipment and support headquarters at Abbey Wood. Many quaint English towns, known for their farming and country pubs, have seen an influx of companies dealing in cybersecurity and electronic spying. Even office space on former farms is being used for this burgeoning industry.
Chris Dunning-Walton, the founder of a nonprofit called Cyber Cheltenham, or Cynam, organizes quarterly events in the town attended by politicians and entrepreneurs. “Historically, there has been a need for the companies that are working here to be very off the radar with their relationships with GCHQ and to some extent, that does exist,” says Dunning-Walton. But since Edward Snowden leaked information in 2013 about GCHQ’s sweeping surveillance activities, the agency has been forced to come out of the shadows and embrace greater transparency. One consequence of this, according to Dunning-Walton, is that GCHQ is now more open to partnering with private companies, which has helped fuel the cyber industry around the Cheltenham area.
Northrop Grumman, the world’s fifth-largest arms manufacturer, has located its European cyber and intelligence operations in Cheltenham, where it has two offices in the center of the town. In the nearby city of Gloucester, a 20-minute drive west of Cheltenham, Raytheon, the world’s third-largest arms company, in 2015 opened a Cyber Innovation Centre that it says is focused on “big data, analytics and network defense.” BAE Systems Applied Intelligence, the cyber arm of the world’s fourth-largest arms company, also has offices in Gloucester, where it says it “delivers information intelligence solutions to government and commercial customers.”
Many of these companies are secretive about the work they do – especially when it concerns surveillance technology – and refuse to speak to the media. But L3 TRL Technology – which is based in Tewkesbury at the northern tip of this new cyber corridor – does grant an interview via email.
L3 says it provides “electronic warfare” equipment that can jam communication signals and gather intelligence. A spokesperson for the company says it plays “a crucial role in counter terrorism and the protection of military forces with our electronic warfare solutions.” He declines to provide any information about any of the company’s customers. But a video posted on YouTube by a Middle Eastern news agency reveals one potential client: It documents a recent meeting between L3’s parent company and Mohammed bin Zayed, the crown prince of Abu Dhabi and deputy commander of the UAE military.
According to government records, the U.K. has sold weapons and other equipment worth £7.3 billion ($9.9 billion) to the UAE in the past decade, including components for telecommunications eavesdropping technology and “intrusion software,” which is used to hack into targeted phones and computers.
Another Cheltenham-based company is CommsAudit, whose flagship product is a surveillance system called Spectra Black, a portable device that can monitor cellphone calls and other wireless communications. CommsAudit did not respond to a request for comment and does not publicly disclose the identities of its customers. The company was, however, showcasing its products at the 2017 DSEI arms fair in London, which was attended by government delegations from across the world.
Latching onto this wave of innovation, last year, the British government pledged £22 million ($30 million) in funding for a new cyber business park on a patch of land close to GCHQ’s headquarters. “It will act as a ‘honeypot’ for cyber security and high tech supply chain businesses,” the promotional literature said, creating 7,000 jobs, while boosting the number of private companies in the area that can then potentially become GCHQ’s clients. There is a lot of largesse to go around. GCHQ takes the majority of the share of the roughly £2.8 billion ($3.8 billion) budget for Britain’s intelligence services and has twice the number of personnel of MI5 and MI6 combined.
David Woodfine, a former head of the Ministry of Defence’s Security Operations Centre, worked inside GCHQ’s Cheltenham headquarters for two years. He left in September 2013 to found Cyber Security Associates, a Gloucestershire-based company providing cyber consultancy services to the public and private sector.
Woodfine says toward the end of his tenure at GCHQ, there was a realization that the agency needed to partner more with private industry. “From a GCHQ perspective, I think their whole attitude has changed from quite a hard approach – ‘we’ll keep everything in-house’ – to ‘actually, we need to open up.’ They changed their recruiting, their apprenticeship schemes, so they are attracting more young talent into their organization.”
The National Cyber Security Centre – which opened in 2016 under the remit of GCHQ – is currently piloting new “Cyber Schools Hubs” in Gloucestershire. The idea is to send staff into local schools to “encourage a diverse range of students into taking up computer science,” in effect grooming the next generation of cyber-competent spies.
GCHQ offers meager salaries compared to the private sector, but the agency can offer prospective employees the chance to work with technologies that they could not use anywhere else – because if they did, they would be breaking the law. “That’s a good way of retaining people on public sector pay,” says Woodfine. “So you can argue that they don’t join for the money, they join for the ability to learn and to test their techniques and their abilities.”
A GCHQ employee can work with the agency for a few years, learn about its tools and methods, and then take that knowledge with them to a job in the more lucrative private sector, where there are plenty opportunities for surveillance innovation. According to the London-based advocacy group Privacy International, the U.K. has 104 companies producing surveillance equipment for export to foreign governments and corporations. Only the United States – with 122 companies – has more.
Since 2013, sales of surveillance and hacking technology have been controlled under the Wassenaar Arrangement, which was signed by 42 countries, including the U.S. and most of Europe. The arrangement is intended to prevent authoritarian regimes from obtaining arms and sophisticated spy tools that could be used to commit human rights violations. However, it is not legally binding. And the U.K. has continued to sell eavesdropping equipment to a number of countries with questionable human rights records, such as Honduras, Bahrain, Saudi Arabia, China, and Qatar.
Inside the bustling Victoria train station in central London, Digital Barriers, the world’s premier video analytics company, has its offices. Video analytics sounds like an arcane branch of the high-tech industry, but in terms of surveillance technology, it is a field that has rapidly advanced in recent years. Zak Doffman, chief executive at Digital Barriers, founded the company in 2010 after recognizing that in the area of video intelligence, there was a gap in the international market. Digital Barriers’s technology is designed to analyze video – and identify people’s faces – in real time, where the cameras are placed, rather than having to rely on retrospective analysis.
In its London offices, the company demonstrates to this reporter how even with a scarf wrapped around a person’s face, its software can successfully identify them within a few seconds using a standard surveillance camera. Facial-recognition technology is notoriously inaccurate and can produce false positives, but Digital Barriers claims its software can pick out obscured and blurred faces in crowds and match them with photographs that are held on databases or published on the internet. It is, the company says, most useful for counterterrorism operations. But in the wrong hands, wired up to a nationwide camera network, the technology could potentially be used to trace the movements of millions of people in real time. “We built the business primarily in the public sector working for government agencies,” says Doffman. “We are now working increasingly in the private sector with the commercial customers.”
Digital Barriers’s website boasts that it has clients in more than 50 countries. Doffman won’t reveal the names of his customers, and when questioned about the export licensing process, he says the company’s products are exempt. “It’s not export control per se,” he says, “so there’s no formal restrictions on the technology.” What would he do if countries with authoritarian governments wanted to buy the system? Doffman says only that Digital Barriers has a “moral code on this stuff.”
People within this industry want the technology to remain uncontrolled; they argue that countries with authoritarian governments don’t want this type of video surveillance anyway. “Countries where you have a lot of corruption, the last thing they want is facial recognition,” says one industry source, because of elite factionalism. But that seems scant reassurance for dissidents living in dictatorships that can now freely access this technology at the right price.
Support for this article was provided by the Pulitzer Center on Crisis Reporting.