The UK’s three spy agencies have contracted AWS, Amazon’s cloud computing arm, to host classified material in a deal aimed at boosting the use of data analytics and artificial intelligence for espionage.
The procurement of a high-security cloud system has been championed by GCHQ, the UK’s signals intelligence body, and will be used by sister services MI5 and MI6, as well as other government departments such as the Ministry of Defence during joint operations.
The contract is likely to ignite concerns over sovereignty given that a vast amount of the UK’s most secret data will be hosted by a single US tech company. The agreement, estimated by industry experts to be worth £500m to £1bn over the next decade, was signed this year, according to four people familiar with the discussions. However, the details are closely guarded and were not intended to be made public.
Although AWS is a US company, all the agencies’ data will be held in Britain, according to those with knowledge of the deal. Amazon will not have any access to information held on the cloud platform, those people said.
Jeremy Fleming, GCHQ director, has previously said that making use of AI will be “at the heart” of his agency’s transformation to keep the country safe as spying moves into a digital age.
The new cloud service — designed to host top-secret information securely — will enable spies to share data more easily from field locations overseas and power specialist applications such as speech recognition which can “spot” and translate particular voices from hours’ worth of intercept recordings. It will also allow GCHQ, MI5 and MI6 to conduct faster searches on each other’s databases.
GCHQ told the Financial Times it would not discuss its business relationships with technology suppliers. AWS declined to comment.
Ciaran Martin, who stepped down last year as head of the UK’s National Cyber Security Centre, a branch of GCHQ, said the cloud deal would allow the security services “to get information from huge amounts of data in minutes, rather than in weeks and months”.
However, he dismissed suggestions that the system would affect the amount of information held by intelligence agencies. “This is not about collecting or hoarding more data,” he said. “The obvious business case is to use existing large amounts of data more effectively.”
Gus Hosein, executive director of Privacy International and an expert in technology and human rights, said there were “many things” that parliament, regulators and the public needed to know about the deal.
“This is yet another worrying public-private partnership, agreed in secret,” he said. “If this contract goes through, Amazon will be positioned as the go-to cloud provider for the world’s intelligence agencies. Amazon has to answer for itself which countries’ security services it would be prepared to work for.”
While the agreement is a first of its kind for the UK, Britain’s security apparatus is lagging behind its US peers in use of commercial cloud services. The CIA signed its first $600m cloud contract with AWS in 2013, on behalf of all the US intelligence agencies. This cloud provision was upgraded last year under a new deal with a consortium comprising AWS, Microsoft, Google, Oracle, and IBM.
Admiral Mike Rogers, former head of the US National Security Agency, said the move to cloud storage had helped intelligence officers zero in on potential suspects. “It gives us speed, it gives us flexibility, and by being able to aggregate more data, it increases the possibility that you’re going to identify that needle in the haystack,” he said.
The UK’s move to contract a US company surprised some experts. “Sovereignty matters and there’s a reason why, historically, security technology has always been built and maintained in-house,” one security veteran said. GCHQ initially wanted to find a UK cloud provider but it became clear in recent years that domestic companies would be unable to offer either the scale or capabilities needed, said two people familiar with the deal.
Martin acknowledged that contracting an overseas vendor meant that “controlling and restricting vendor access to data is extremely important”.
“But as long as the company is from a reliable country, with technology you understand, there are ways of doing this which will enable the agencies to manage the risk,” he said.
The French government this year backed the creation of a new “sovereign cloud” which will be used by the country’s public sector to handle sensitive data using government-approved security methods. Dubbed Bleu, it is expected to join the Gaia-X project, which aims to foster a European cloud industry capable of competing with US companies such as Google and AWS.