Saturday, August 14, 2010

GCHQ Review, Part 2 - GCHQ and the Tech Industry

OK, so some more on Aldrich's GCHQ. Obviously, technology is at the centre of this story. I've said that the signals intelligence world is special among spooks because it guarantees results - they may not be the right results, they may not be helpful, but you can usually depend on it producing something to whack on the PM's desk, that he or she can spring on cabinet ministers later. One of the things that makes it special is its industrial nature; unlike most forms of intelligence, it needs machines, great buildings, thousands of technical staff working shifts, and its performance is heavily dependent on engineering.

From a budget-politics point of view, there's a symbiosis here. Back in 1941, the permanent secretary of the Foreign Office got into the habit of bringing top officials from London to be dazzled by the brilliance on display at Bletchley and terrorised by its security officers. It worked. On the other hand, getting the resources necessary to build the crypto industry required the direct intervention of a group of top scientists around Turing and Gordon Welchman with Churchill. Of course, as someone regularly dosed with their product, he didn't find it hard to give them what they needed, which was money and lots of it. By mid-1942 and the introduction of the third rotor on the Enigma machine, it became very obvious indeed that signals intelligence was now an industrial enterprise. This led directly to the decision to let the US Navy build its own Ultra capability, and hence to the founding treaties of the special relationship.

As soon as the Holden agreement let the Americans get hold of the Ultra secret, however, Bletchley was frantically building up new technology that would maintain a bargaining edge. The huge effort to crack the German on-line cipher known as FISH, for example, which led to the COLOSSUS computers, has to be seen partly in this light. This combination of a sort of fatalism - the Americans would eventually triumph - and a hunt for an edge would colour GCHQ's role in the history of technology from then onwards. Despite its founding achievements in computing, and those of the post-war diaspora of scientists, they were always suspicious of British technology. Post-COLOSSUS, GCHQ joined the long, long queue for IBM 360s and then, oddly enough, veered off to get all its computers from Honeywell into the 1980s.

On the other hand, a number of key research projects were pressed ahead, notably a range of exotic over-the-horizon radars, agent equipment, the Nimrod R-1, and the never-completed Zircon satellite. This combination of cringe and competition was mirrored by the SIGINT tribe's attitude to technology in general; starting in the 1960s, they were keen both to spread good cryptography among NATO and other friends and to prevent the development of independent crypto. On the one hand, "free licensing" was meant to let second- and third-tier agencies and Western non-governmental systems get access to effective security; on the other hand, rather like the bundling of MS Internet Explorer, it was meant to secure a monopoly. This put the UK in a difficult position - it strongly intended to develop its own crypto, thanks, and export it, but the companies involved very much wanted to claim royalties on their patents.

This eventually ended up with the incredible effort to subvert Crypto AG of Switzerland's high-end cipher machines (CAG, by the way, owned the intellectual property of Hagelin, the makers of what became the Enigma...), under which the NSA and GCHQ persuaded them to fix certain cryptographic problems, but to leave other security bugs unfixed in order that they could continue to spy on their users. The exploit in question referred to TEMPEST, the now well-known problem where some electronic devices leak information in the clear as radio interference, which strongly suggests that the point was to protect some of the many embassy spying operations.

This couldn't, and didn't, last - by the 1980s, as with general policy, the monopoly of security technology was crumbling as the Europeans (mostly) got better at it. There were efforts to change this - GCHQ was given a special responsibility to keep an eye on Nokia, while other allied agencies got tasked with Ericsson, Siemens, Olivetti, etc (but notably not Alcatel). Another important factor, eventually decisive, was that it was moving from hardware to software. In the light of this, the 1990s crypto wars seem a lot more radical than a bunch of geeks playing at spies; something very important did change back there. On a critical note, I did think Aldrich's book could have done with a good technical reader on software, Internetworking, and related issues - the focus is a bit off here, and he seems to depend more heavily on the civil servants.

Did GCHQ hold back or promote technical progress in the UK? There are various views on this. One is that it's part of a huge cluster of PhDs in the Severn valley that must be having some sort of spin-off benefit to the country - even if it's only that when Thatcher offended them to the extent everyone in the computer division of HEO rank or above quit, a lot of other tech companies filled their boots. Another is that it's a sort of shadow of the British Google that didn't happen, because the potential founders were wasting their time sucking up to the intelligence-administrative complex.

Of course, it's true that they invented public-key cryptography in 1971 and didn't tell anyone for 35 years. But this was largely because nobody could think of a use for it back then. (Apparently, they thought of using it to authenticate nuclear launch orders, until it was pointed out that they didn't have to be sent in real time any more because the nukes were submarine-launched.) On the other hand, much of its purpose in life is to provide a source of clue for the wider government (a sort of infosec Shi'ism, a marja e-taqlid for system administrators and government ministers), and who can say British governments have suffered from too much competence?

2 comments:

Richi Jennings said...

Interesting pair of posts. Thanks for the summary.

Minor nit: wasn't it a *fourth* Enigma rotor that got added?

Anonymous said...

Nice. I've not read the key texts yet, but I have a very strong impression that in the late 1960s, the reason that all bits of the British government wanted out from the 'buy British' order was that ICL (as it then wasn't) got into a horrendous tangle at the same time as mainframes were going up a generation, to the extent that the purchasers stopped believing that they could deliver what they were promising. The Home Office was able to get the Treasury to agree to a derogation: obviously GCHQ did too. I've yet to find any indication that the HO were learning from GCHQ at the time, though I doubt that there's anything in the open files that could tell me either way.

Chris Williams
