Could Darktrace give Mike Lynch his great second act?

In the pretty countryside surrounding Selby in North Yorkshire, it roars and rumbles and heaves. It is a giant storehouse of vibrations, from the high frequency of the turbines – 3,000 revolutions per minute, the same frequency as the 50Hz electricity it delivers – to the low, pulverising roll of the mills that grind the coal. It tastes of dust and iron filings. Blasts of hot, dry air from the six 4,000-tonne boilers bake the upper levels and steam hisses around lower gangways; warm yellow light casts shadows throughout. Rhomboid steel structures loom several storeys high, and metal pipes curve elegantly among the gaps. Drax is a megalith made from metal, but for all that power, it is vulnerable.

Martin Sloan, head of security at Drax, shows how. "That's the control unit," he says, pointing to a small grey box that feeds biomass into the mill. "If we weren't properly protected it would be vulnerable to cyberattack and could reduce the electricity output." Sloan is a powerfully built man with large brown eyes who used to run agents in Northern Ireland – often hiding them in his car boot – as a military intelligence officer. He shouts over the din, saying that he's "deaf from too many guns fired inside cars." After the Army, he spent eight years at MI5. "If we weren't properly protected, anyone in the world could theoretically get on that."

The central control room is quiet and pristine. It's full of bright plasma screens giving real-time read-outs of every pump and control unit in the power plant. The station can put out 3,960 MW, enough to boil more than two million kettles simultaneously. Another screen feeds in the demands from the national grid. Cameras show the fiery insides of the boiler. With its avocado carpet, the central control room has a 70s Bond-villain vibe. "All of the signals for measuring and controlling the plant are connected to PLCs [programmable logic controllers]; whether it is a mill or turbine, the information comes in here," Sloan says. "Everything out there is connected."

Drax supplies eight per cent of the UK's electricity and is one of the most advanced plants in the world. It is defined as part of our critical national infrastructure, which makes it attractive to hackers. "It's safe to say that the power industry as a whole has been the target of state-sponsored attacks," Sloan says. Industrial control systems are old hardware with old operating systems – sometimes a quarter of a century old. You can't patch them and you can't run antivirus on them. But they need to be connected to the outside world, whether that's the national grid sending its demands, or talking back to it to sell electricity at the right rates and to buy fuel at the right times. "The more that we connect the industrial control systems to the business IT, the more vulnerable we become," Sloan says.

The damage from an attack could be extremely serious. In 2014, malware shut down a German steel plant and wrecked its blast furnace. Stuxnet, which pushed back the Iranian nuclear programme by several years, was a digital weapon that entered through the enterprise side of the plant, made its way to the industrial side and caused centrifuges to run too quickly. HAVEX and BlackEnergy are two other pieces of malware dedicated to industrial control systems. "Loss of a PLC could result in serious damage to any operational process – even increasing the speed of a turbine; so systems are designed with hard-wired protection. However, this is our last line of defence and we would much rather be confident that our PLCs are secure," Sloan says. US Homeland Security says that industrial control systems were attacked 245 times in 2014. Admiral Michael Rogers, head of the US National Security Agency (NSA), in November 2014 warned that it was already possible for someone to shut down the entire US national grid via cyberattack.

Sloan is not alone as he walks through the turbines of Drax; he's accompanied by Dave Palmer, another former spook who spent more than a decade at GCHQ. Urbane and well spoken, with a quick smile, he is now director of technology at Darktrace, a cybersecurity startup that combines two things – advanced mathematics from Cambridge University and an operational staff drawn from the UK and US intelligence agencies. It's backed by Mike Lynch, the founder of Autonomy. Darktrace has been protecting Drax's enterprise networks since 2013; right now, Palmer and Sloan are developing a beta product to protect Drax's industrial control systems. Its job is not to keep attackers out. Because, according to Palmer, "they're already inside."

Early one morning in March, Mike Lynch is giving WIRED a history lesson in the offices of Invoke Capital, his venture-capital firm. Lynch looks like a bruiser made good: he has a big frame and bald head, but is today dressed as if he might be off to the Riviera, in a pressed white shirt, blue jacket and white trousers. He speaks with a slight lisp and with the zeal of a disciple. "Nothing is true," he proclaims. "Everything is probability."

The subject of today's lesson and the reason for these philosophic musings is the Reverend Thomas Bayes, a pious man who, in the 1730s, set out to prove the existence of God mathematically. Bayes's route to God was through probability, known then as "the doctrine of chances". "Bayes will probably turn out to be to the information age what Einstein was to physics," Lynch says.

In a paper published after his death in 1761, Bayes imagined a man "just brought forth into this world" and left to infer from his observations what was going on. He said that the Sun would probably engage his attention, but after it set on the first night, "he would be entirely ignorant whether he should ever see it again". But once it rose the next day, he might reasonably expect it to return a second time – maybe giving odds of three to one, Bayes wrote. When it did that, he would think the chances of a third sunrise even higher. Each sunrise is a new piece of information.

And information changes the odds. "The important thing about perception is it's totally subjective," Lynch says. "And so what you need is a mathematical bridge between all the methods that are objective we've developed and this subjective world, and Bayes's theorem gives you that."
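Bayes's newcomer, worked through in code. This is an added illustration, not code from the article or from Darktrace, and it makes one assumption the essay leaves implicit: the newcomer starts from a uniform Beta(1, 1) belief about the unknown chance that the Sun rises on any given day (Laplace's later formalisation of Bayes's setting). Under that assumption each observed sunrise raises the posterior, the predictive probability of one more sunrise after n sunrises is (n + 1) / (n + 2), and the odds after the first day plus one return come out at three to one, exactly the figure Bayes gives. The same update also shows how a contrary observation (a morning with no sunrise) pulls the odds back down, which is the point of "information changes the odds".

```python
"""Bayes's sunrise problem as a worked example of updating odds on evidence.

Added illustration, not code from the WIRED article or from Darktrace.
Assumption: a uniform Beta(1, 1) prior on the unknown probability that the
Sun rises on a given day; every observed sunrise is one success and a
morning without one is a failure.
"""
from fractions import Fraction


def posterior_after(successes, failures, prior=(1, 1)):
    """A Beta(a, b) prior updated on Bernoulli outcomes is Beta(a + s, b + f)."""
    a, b = prior
    return a + successes, b + failures


def predictive_probability(a, b):
    """P(next trial succeeds) under a Beta(a, b) belief is a / (a + b)."""
    return Fraction(a, a + b)


def odds(p):
    """Probability -> 'for : against' odds, kept exact as a Fraction."""
    return p / (1 - p)


def sunrise_odds(n_sunrises, n_dark_mornings=0, prior=(1, 1)):
    """Odds that the Sun rises again, given what the newcomer has seen so far."""
    a, b = posterior_after(n_sunrises, n_dark_mornings, prior)
    return odds(predictive_probability(a, b))


def sunrise_table(days):
    """Trace the belief day by day: (sunrises seen, P(next sunrise), odds)."""
    rows = []
    for n in range(days + 1):
        p = predictive_probability(*posterior_after(n, 0))
        rows.append((n, p, odds(p)))
    return rows


if __name__ == "__main__":
    for n, p, o in sunrise_table(5):
        print(f"{n} sunrise(s) seen: P(next) = {p}, odds {o.numerator}:{o.denominator}")
    # One morning without a sunrise after five sunrises: the odds fall from 6:1 to 3:1.
    print("after 5 sunrises and 1 dark morning:", sunrise_odds(5, 1))
```

The first day's sighting counts as one sunrise and the return on the second morning as a second, so `sunrise_odds(2)` is the three-to-one figure from the essay; every further sunrise adds one to the odds, and each dark morning adds one to the denominator instead.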

Lynch is something of a Bayes enthusiast; he built a £7.4 billion business on his theorem. That statement is in itself a neat exercise in Bayesian probability: £7.4 billion is the price that HP paid for Autonomy in October 2011. HP later alleged that, because of fraudulent accounting, the business was worth nowhere near this and wrote billions off its value. It's now suing Lynch for £3.4 billion in the UK courts; Lynch is countersuing HP for £100 million. The story is a fast-moving one and each visit to the lawyers adjusts the probability of what Autonomy was worth. As for HP, Lynch says: "I don't like them very much, I can tell you that."

Autonomy, which Lynch cofounded in 1996 in Cambridge, uses Bayesian techniques to analyse big data sets. "Bayes's theorem has been of interest to mathematicians for 250 years, but about ten years ago people realised that this was like a secret door in the wall," Lynch says. "The problem with Bayes is that you would need a supercomputer to do the calculations." Recursive Bayesian estimation – or a Bayes filter – is a mathematical short cut to perform those calculations. Many of these shortcuts were found by mathematicians at Cambridge University, and Lynch applied those equations to software. When data is messy and profuse, a Bayes filter offers a way of inferring what it probably means.

Autonomy is a Bayesian search engine. Regardless of how messy the business side of Autonomy has become, it was a pioneering business in machine learning – as Lynch puts it, "all the stuff you read about robots killing us all". Then he looks mock nervously to one side: "Any moment now, the Terminator is going to bash through the door and take us out."

For Lynch, machine learning is "the third revolution". The first was the replacement of muscle by machine in the industrial revolution. Then, in the mid-20th century, repetitive tasks such as payroll were replaced by computers (the word computer originally referred to the humans who calculated these problems). "Now you've got this revolution, which is replacing thoughtful tasks," Lynch says. IBM Watson is helping doctors diagnose disease; Google's cars are logging hundreds of thousands of kilometres by learning how to navigate in the real world; Netflix's algorithms learn your taste in films; City firms are using it to predict market movements and execute trades; Google's neural networks are learning what a cat is just by watching YouTube clips; Amazon, Microsoft and Google all have cloud-based machine-learning platforms that they offer to the world. Machine learning is the defining industry of the early 21st century.

After leaving HP acrimoniously (even before the various lawsuits), Lynch raised a $1 billion (£600 million) VC fund with an emphasis on operations – many of the partners at Invoke were part of the management team at Autonomy – and machine learning. Invoke's other companies are all in that category: Featurespace, which analyses behaviour to prevent fraud; Sophia Genetics, making sense of huge volumes of genetic data; and Neurence, a cloud-based machine-learning platform for object recognition ("Actually, that's the nearest thing to Skynet we're doing," Lynch grins). "With Invoke, first, we always like to bring a gun to a knife fight," Lynch says. "You always want the unfair advantage that the technology gives you. Second, we're only interested in things that can be really big and change the world."

Darktrace was Invoke's first investment – £12 million. To start with, it had little to do with cybersecurity. A spin-off from Cambridge University's Signal Processing and Communications Laboratory, which did groundbreaking work on Bayesian statistical modelling, the idea was simple: use machines to learn about a company. The team then looked at where that approach could best be applied and settled on cybersecurity.

The result is literally a black box that is plugged into a company's network. The device then just watches, looking at how data flows around an organisation, mapping the network. That in itself is often useful. "You'll go to a customer and ask them how many devices they have on their network. They'll say, 7,000, maybe," says Nicole Eagan, CEO of Darktrace. "We'll put Darktrace in and we'll find 21,000 devices." The UI of Darktrace maps those data flows as beams of white light. "For many companies, this is the first time they actually see what happens inside their networks."

Darktrace doesn't look out for threats; it looks in. Eagan says: "Darktrace was this idea that cybersecurity needed to change." Its assumption is that every network is already compromised. "Our model is: you're not going to be fine. Now manage it," Lynch says. He adds that of the FTSE 100 companies that are clients, 80 per cent have found that someone else was in control of some aspect of their network. Darktrace doesn't think this is a problem; the problem, in its view, is the conventional approach. "The idea is that you build some kind of wall," Lynch says, "and as long as you build it carefully enough, and you put a lock on every door and every window, you'll be safe."

Even the most technologically advanced wall has a flaw: the humans who guard it. "Last year's favourite one: take a CD-ROM, you write '2013 salary review' on it and you leave it in the car park," Lynch says. "That has a greater than 90 per cent chance of getting installed on to the network." Jim Penrose, a former NSA staffer and the executive vice president of cyber intelligence at Darktrace, wistfully describes it as "the frailty of humans trying to get their job done".

Lynch borrows an analogy from the immune system. "You have about two kilos of bacteria in you, and your DNA has lots of bits of viral DNA in it," he says. "Your bacteria in your throat, as long as they don't do anything they shouldn't, that's cool. As soon as they do something bad, your immune system goes for it." The "central genius" of the immune system, according to Lynch, is that, in the womb, it learns what is you. So when something else does something that isn't you, it spots it. "Being infiltrated is business as usual," Lynch says. "And just like we walk around and catch colds, the issue is not catching colds, the issue is not dying of flu."

In practice, it means this: if a company computer is connecting to one in Kyrgyzstan, or shipping a four-gigabyte file internally, that could be suspicious. It could also be because a salesperson has a contact in Kyrgyzstan, or a video editor is moving a film over the network. According to the company, Darktrace can tell the difference. When it notices something suspicious, the streams of white light on the UI turn yellow or red. A human can then ask the machine why the behaviour is a concern.

During a demo in Pall Mall, Palmer and Penrose show an example. "So this computer is talking to significantly more devices at once than it normally does. It's attempting to talk to a number of devices that are refusing to talk back, suggesting it's not meant to be talking to them at all. And there's been a surge in the amount of internal data that it's drawing down from the rest of the network."

That alert popped up after 40 seconds of unusual activity and is a relatively blunt attack. A skilled hacker might keep quiet for months, slowly scoping the network for weaknesses. But Darktrace says it can detect that too. "Even though someone's trying to hide themselves in your network, they have to try and do something," Penrose says. "Just chilling there and doing nothing isn't helping them. They have to strike to get to their objective. And as soon as they strike, it's: hey, what's that?"

The word activity is important. The way much antivirus software works is by matching malware against known descriptions of it, or signatures. The piece of malware that Palmer has found has no signature, because it was created as a bespoke test. It got through the test bed antivirus software, but Darktrace spotted it. It can look for problems you can't think of and which haven't even been identified before. "Some of the major stuff that goes on in some of the biggest companies in the world – just jaw-dropping," Palmer says. Installed on a large bank's network, Darktrace says it discovered a huge Bitcoin mining rig running on the bank's servers. Elsewhere there was an underground Asian internet gambling group embedded inside a US company. In another company, Darktrace discovered an error in the backup server which meant that anyone could read the archived emails of any other employee – and lots of people were taking the chance to do so. Palmer found that the passwords protecting some parts of the UK's privately owned critical national infrastructure were the company's name, followed by "uk1". Penrose claims that Darktrace would have spotted Edward Snowden before he leaked. "Nobody's really, I think, using the same kind of unsupervised machine-learning techniques we're using in combination with their Bayesian estimations," Penrose says. "We're substantially ahead of the pack."
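The alert Palmer and Penrose describe in the demo, and the point that activity rather than a signature is what gives an intruder away, as an added example. This is not Darktrace's code or model: it is a plain baseline-and-deviation detector over constructed flow records (host names, byte counts, day numbers and thresholds are all made up for the illustration). Each host is compared with its own history on the three signals from the demo: how many peers it talks to, how many of them refuse to talk back, and how much internal data it pulls down. A second, long-window check shows why a patient attacker who probes one new host a day slips under any per-day threshold but still leaves a growing set of refusing peers behind.

```python
"""Baseline-and-deviation detection over constructed network flow records.

Added example, not Darktrace's code or model.  All hosts, byte counts and
thresholds are constructed for the illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows():
    """One record per connection attempt:
    (day, source host, destination host, bytes pulled down, accepted?)."""
    flows = []
    for day in range(1, 31):
        # ws-17: five well-behaved peers for 29 days, then a noisy burst on day 30:
        # 40 peers, 30 of which refuse, and far more data pulled from the ones that accept.
        peers = 5 if day < 30 else 40
        for i in range(peers):
            accepted = i < 10
            size = (10_000_000 if day < 30 else 50_000_000) if accepted else 0
            flows.append((day, "ws-17", f"srv-{i:02d}", size, accepted))
        # ws-23: normal traffic plus one new, refused host every day (a slow scan).
        for i in range(5):
            flows.append((day, "ws-23", f"srv-{i:02d}", 10_000_000, True))
        flows.append((day, "ws-23", f"probe-{day:02d}", 0, False))
        # ws-08: an ordinary host that never deviates.
        for i in range(5):
            flows.append((day, "ws-08", f"srv-{i:02d}", 10_000_000, True))
    return flows


def daily_features(flows):
    """Per (host, day): (distinct peers, fraction of attempts refused, bytes pulled down)."""
    peers, attempts, refused, pulled = defaultdict(set), defaultdict(int), defaultdict(int), defaultdict(int)
    for day, src, dst, nbytes, accepted in flows:
        key = (src, day)
        peers[key].add(dst)
        attempts[key] += 1
        refused[key] += 0 if accepted else 1
        pulled[key] += nbytes
    return {key: (len(peers[key]), refused[key] / attempts[key], pulled[key]) for key in attempts}


def zscore(value, history):
    """Standard score against the host's own history.  The floor on the spread stops a
    perfectly regular baseline (spread zero) from turning any change into an infinite score."""
    mu = mean(history)
    spread = max(pstdev(history), 0.1 * mu, 1.0)
    return (value - mu) / spread


def score_day(features, src, day, training_days):
    """Compare one day's behaviour of src with its own earlier days on the three demo signals."""
    hist = [features[(src, d)] for d in training_days if (src, d) in features]
    n_peers, refused_rate, nbytes = features[(src, day)]
    indicators = {
        "more_peers_than_usual": zscore(n_peers, [h[0] for h in hist]) > 3,
        "peers_refusing": refused_rate > 0.5,
        "internal_data_surge": zscore(nbytes, [h[2] for h in hist]) > 3,
    }
    # Two of the three signals together are treated as an alert (constructed rule).
    return {"host": src, "day": day, "alert": sum(indicators.values()) >= 2, **indicators}


def refusing_peers_over_window(flows, src, first_day, last_day):
    """Distinct destinations that refused src across a long window.  One new refusal a day
    never moves the per-day score, but this set keeps growing for as long as the scan runs."""
    return len({dst for day, s, dst, _, accepted in flows
                if s == src and first_day <= day <= last_day and not accepted})


def run_detection(flows, day=30):
    """Score every host on the given day against days 1..day-1, plus the long-window check."""
    features = daily_features(flows)
    hosts = sorted({src for _, src, _, _, _ in flows})
    daily = {src: score_day(features, src, day, range(1, day)) for src in hosts}
    long_window = {src: refusing_peers_over_window(flows, src, 1, day) for src in hosts}
    return daily, long_window


if __name__ == "__main__":
    daily, long_window = run_detection(build_sample_flows())
    for host, result in daily.items():
        print(host, "ALERT" if result["alert"] else "ok", result, "refusing peers over 30 days:", long_window[host])
```

On the constructed data the burst from ws-17 trips all three indicators on day 30, the quiet host ws-08 trips none, and the slow scanner ws-23 also trips none on any single day, yet by day 30 it has accumulated as many refusing peers as the noisy burst did in one go. Nothing here depends on knowing what the offending program is, which is the contrast with signature matching drawn in the paragraph above.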

In UK technology, spies are the earliest adopters. We've never had a cybersecurity industry to compare with those of the US or Israel (or even Italy, for that matter, which for some reason has a nice line in creepy spyware companies such as Area SpA, Hacking Team and IPS), but government agencies have been world leaders since the invention of the telegraph. The British Empire controlled global signal traffic through the All Red Line, a worldwide network of electrical telegraphs, even annexing a random island in the middle of the Pacific in 1888 for total coverage. That forced other nations to start encrypting their traffic, so codebreaking became a focus.

During the first world war, Room 40 of the Old Admiralty Building in Whitehall was the home of British cryptanalysis, decoding around 15,000 German messages, including telegraph traffic. After the war, the government established the Government Code and Cypher School to track and decipher diplomatic cables. In August 1939, just before the German invasion of Poland, it moved to Bletchley Park, expanding its staff to 10,000 by recruiting lecturers from Cambridge and Oxford, and changed its name to Government Communications Headquarters. Winston Churchill called GCHQ the "geese that laid the golden eggs but never cackled". The organisation maintained that tradition of technological savvy and secrecy – public key cryptography was invented by a GCHQ employee in 1970, but this fact was kept secret until 1997 – right up to the Snowden leaks. "The fact is we've got a long heritage of strong capability in cybersecurity in the UK, dating from the first world war," says Alex van Someren, a partner at Amadeus Capital and the author of a classified report on cybersecurity commissioned by the UK government. "We've been developing codes and ciphers for secret communications in the UK for a very long time. But the same techniques that can be used to defend our national infrastructure or protect our national secrets are just as relevant to mom-and-pop stores on the internet or big financial services institutions in Canary Wharf."

Darktrace started working with GCHQ and MI5 very early on. Lynch's very first company, Cambridge Neurodynamics, had done work for the British intelligence agencies; as Lynch told WIRED US in 2002, "they have the most interesting problems". Steve Huxter, an ex-MI5 man, was a Darktrace co-founder. Andrew France, deputy director for cyberdefence at GCHQ, was poached as CEO. Sir Jonathan Evans (now Lord Evans of Weardale), a former director general of MI5 who memorably argued that intelligence obtained through torture "had to be seen in the context of the times", became an adviser to the board. There were other hires from GCHQ, MI5 and the NSA; Darktrace was building some impeccable cyberspook credentials. "A combination of maths from Cambridge with the credibility of GCHQ and MI5 is unmatched," says Eagan, who took over from France as CEO of Darktrace.

Names such as Evans's certainly helped, but whispers about Darktrace's technology were the biggest enticement for security officials. Jim Penrose joined the NSA in 1997 – "when it was in low-profile mode" – and worked in cyberexploitation, that is, supporting counterterrorism operations with digital espionage. He heard about Darktrace through contacts at GCHQ and started to try and find out if the product did everything it promised. "And I convinced myself that, yeah, it does, and that's pretty cool," he says. "I thought, this is going to be a game changer for the cybersecurity industry."

"It's not radical and it's not new," Ross Anderson says. "The idea that you do data mining on network traces is an old one." Anderson is professor of security engineering at Cambridge University, a fellow of the Royal Society and was a friend of the late Bill Fitzgerald, out of whose lab Darktrace emerged; they played Irish pipes together. "If what's happened is a startup that's trying to produce a British dog in this fight, then good luck to them. But this is an established business." Mark Hughes is head of security for BT, which is a (happy) Darktrace customer. But even he says that "using Bayesian logic is not anything brand new". Bruce Schneier, who is probably the leading security commentator in the world, says: "This whole notion of behavioural detection is something that a lot of research has been put into, there's a lot of stuff out there, there's a lot of people doing a lot of things. There's a lot of snake oil around; be really careful. This is the kind of thing where you need a PhD in the field and you might have to spend 80 to 100 hours figuring out how new it is, how important it is... This is the problem. There's nothing you can ask. How do you know if they're lying?"

Writing about cybersecurity is a very unmathematical exercise in Bayesian estimation; weighing up various pieces of information to come up with a probabilistic – and always uncertain – verdict on a technology.

So let's add more information to the mix and see how the probability, the doctrine of chances, changes. Darktrace draws many of its employees from the ranks of the UK security services. However, the Snowden revelations about GCHQ's reach are not a guarantee of its quality. As Anderson puts it, "They've got one or two capable people but they have also produced crap in the past as well." A government insider, who works on technical issues and who wishes to remain anonymous, tells WIRED: "You have to bear in mind GCHQ is just another part of the Civil Service and so it is as competent and as good and as bad, as, for example, the Department for Work and Pensions. They certainly do have some sharp folks but the best crypto minds are often now in high-tech companies actively working to stop them snooping on their customers." GCHQ also presents another problem for a cybersecurity company: "There's an enormous conflict of interest," Schneier explains. "The NSA and GCHQ are in the business of ensuring everybody is insecure."

Even if they are technically very capable, spooks may not be suited to the private sector. Co-founder and ex-spook Huxter has been quietly scrubbed from the company's literature; he didn't survive the transition from startup to bigger company, leaving in 2014. So too Andrew France, who swapped decades of service at Cheltenham to join Darktrace, but left after less than a year. He told The Wall Street Journal: "It needs now a different kind of strategic leadership that's not me." But someone who knows France well says that he didn't enjoy the Invoke Capital experience and quickly determined to leave, playing nice to avoid the wrath of Lynch's lawyers. (France did not respond to requests for an interview.)

Nor is the idea that cybersecurity should no longer be about building walls unique to Darktrace. Alastair Paterson, the CEO of Digital Shadows, a UK threat-intelligence company, says: "Five years ago security was all about the perimeter – keeping your data in the middle and building the walls higher and higher around the edges. Today's world is no longer like that... There are many approaches out there." Van Someren says: "It's widely accepted in the industry that the idea that one can build a robust perimeter is no longer a meaningful concept... Some of these smaller businesses have technology that is at least as interesting [as Darktrace's]."

Darktrace's black box necessarily remains a black box. But its customers can add more information to the Bayesian estimation, and they're positive about the technology. BT's Hughes says: "The things that characterise Darktrace specifically are the robustness of the algorithm. The maths behind it seems to work – from our experience it's certainly finding things that other things aren't." He wants to integrate it further into BT, which manages most of the UK's internet infrastructure. "We saw it as being complementary for the many other tools that are out there." "Irrespective of what a salesman may tell you about how good the product is, it is results that count," Sloan says. "There's no denying the benefit that Darktrace delivers. It is not about being able to shut all the doors, as someone will always leave one open – whether it is an infected USB stick or software drive-by vulnerability. What matters is your ability to identify a breach once it has happened."

Darktrace is adding more customers, with 75 so far, and is building out its sales operations worldwide, especially in Asia. In March, it raised another £12 million, from Invoke, Talis and Hoxton Ventures, at a valuation of £54 million. It's tweaking its product for new sectors, including industrial control units and the internet of things. "What's unique about the maths of machine learning is that it's largely extensible," Eagan says. "You just tweak the maths models." "Darktrace is a fundamentally different thing and I think it's going to be very valuable," Lynch says. "The only issue at the moment with the sector is that it's very noisy. You just have to cut through that noise."

On a wet Wednesday evening in April, WIRED attends the launch of a new startup incubator in Hammersmith. Pink Champagne is served in the co-working space, which has the affectedly tasteful homeliness of a members' club tempered with the blandness of a smart airport lounge. The crowd isn't much different from that of any other incubator launch, but there are a few people dressed neatly in smart casual and sporting crew cuts. And it's not an investor or an entrepreneur opening the space, but Iain Lobban, the former director of GCHQ, in charge from 2008 to 2014 (interesting years for the agency).

This is CyLon, the first UK incubator dedicated to cybersecurity. Set up by Alex van Someren and Epsilon Advisory Partners, it currently hosts eight companies. In a speech, Lobban good-naturedly paints a worrying picture for the invited audience in west London: "Cyber is constantly evolving, it is constantly outstripping nations' efforts... The actors are multifarious. Intelligence agencies – allegedly. Criminals who are approaching levels of sophistication and organisation that state actors would be proud of, industrial espionage, hackers for hire, hacktivists. And the threat increases where there's overlap between the groups, where we see intelligence agents conducting industrial espionage, with or without their governments' approval, cybercriminals who may be or enjoy intimate links with government intelligence actors, state-affiliated groups or patriotic hackers acting on a deniable basis to serve nefarious aims in their national interests."

But that challenge also offers possibility, Lobban argues, for innovators. Hence, CyLon, "a great example of how we can identify, nurture and apply the creativity that is exploding in the UK cybersecurity sector," he says, loftily comparing the incubator to the legendary Bletchley Park.

Afterwards, he speaks to WIRED, referencing Churchill: "I hope to see a few golden eggs laid here."

It's boom time, for the first time, for UK cybersecurity startups – not just Darktrace. Companies such as Digital Shadows, Ripjar, Cyberlytic, Intercede, Garrison Technology and Surevine make up a new wave of nimble companies challenging the old guard. According to the Department for Business, Innovation and Skills, the UK cybersecurity sector is worth £6 billion; customers worldwide spent £1 billion on UK cyberproducts in 2013, an increase of 22 per cent from the previous year; in 2016 the UK total is predicted to rise to £2 billion. In January, David Cameron accompanied those companies and others (including Darktrace) on a trade mission to Washington. "I do think that this is actually a real renaissance time for cybersecurity here in the UK," van Someren says. These companies may not replace the giants of the security world – Symantec, FireEye, Palo Alto Networks, Kaspersky Lab, Check Point, Fortinet – but startups can be more agile than these billion-dollar-plus incumbents. As Eugene Kaspersky, founder of the world's largest privately held retailer of software security products, tells WIRED: "Startups are a very good thing, and it's always essential to keep on looking for new approaches to tackling cyberthreats, simply because they evolve so fast. The market is constantly evolving, there are new companies emerging, they challenge the bigger ones, and the latter fight back."

What's behind the UK boom? Funding is certainly one aspect. High-profile hacks, such as those perpetrated against Sony and Target, mean customers are willing to spend more on cybersecurity, so in turn, investors are more willing to fund new companies to sell to them. But although that benefits the UK, it's a global trend. Eagan suggests films such as The Imitation Game and The Theory of Everything, which celebrate British code-breaking and boffinry, have helped. She also cites the Bond movies.

Really, though, what we're seeing is the self-privatisation of GCHQ. "The UK has some great talent in the cybersecurity space, much of it developed in the government agencies and their supporting industry partners before spinning out new companies," Paterson says. According to van Someren, "There has been a trend for both people and technology to transfer from the defence and intelligence world into the commercial world." If there's no such thing as bad publicity, then Edward Snowden did a lot to raise the agency's profile, and staffers are cashing in. The starting salary at GCHQ is £25,500 and the rewards in the private sector are far greater, thanks to investors' money.

And that's good for GCHQ, too. "Government is absolutely reliant on the innovation and dynamism that is out in the public sector," Lobban proclaims at the CyLon launch. There, WIRED bumps into Tom Griffin, the CEO of Ripjar, which mines social media in real time, and is another GCHQ alumnus. Ripjar came out of the first joint open call for new technologies from MI5 and GCHQ. "If I was ever going to leave GCHQ it would have been to do my own thing," Griffin says. He says that when Andrew France left GCHQ for Darktrace, "it caused a bit of a stir". But Griffin, who spent eight years at Cheltenham, left soon after, along with four other GCHQ colleagues, in October 2013, around the same time as the Darktrace exodus. "There are people at the top of GCHQ who see the big picture, the benefits that moving technical talent to the private sector can bring," Griffin says. "They know we can develop software and push things at a very fast rate. And the sorts of technologies that we're pushing are the sorts of technologies that are always going to be useful for an organisation like that."

Darktrace is part of this and certainly one of the leading companies in the scene. Is the technology radically new? A game changer for cyber-security, as it argues? It's another security tool that increases the odds. Any definitive statement is unwise. To borrow from Lynch: nothing is true, everything is probability – the doctrine of chances.

Tom Cheshire, formerly a WIRED editor, is Sky News's technology correspondent

This article was originally published by WIRED UK