October 21, 2016
The UK government has had enough of clichéd cyber dementor imagery, scary-sounding industry rhetoric and impossible security advice that the average consumer has no hope of following.
And it’s hoping that by taking a less hyperbolic, data-driven approach to tackling cyber security it can encourage industry to follow suit and focus on persistent and prolific security problems — with the overarching aim of reducing harm at scale and boosting consumer trust in the digital economy.
The philosophy behind the UK’s new National Cyber Security Centre (NCSC) was set out by the centre’s technical director, Dr Ian Levy, speaking at the Wired Security conference in London yesterday.
A full National Cyber Security Strategy is due to be published imminently, according to Levy, but he gave a taster of how the government is thinking here. Levy has moved from his role as technical director of cyber security at UK intelligence agency GCHQ to take up the same post at the NCSC, which formally opens its doors this month.
“The biggest future threat we have is keeping talking about cyber security the way we do today,” he argued. “There is no other piece of public policy where the narrative is set by a massively misincentivized set of people.”
He said the core idea for the centre is to provide a one-stop-shop for “consistent, coherent advice”, and do so “in public, transparently” — a freedom clearly not afforded the spy agency where he used to work (in the “ivory donut” as he dubbed it, riffing on academics in their ‘ivory towers’). The NCSC will, for example, be publishing data on what it learns. It will also report to GCHQ, however, so clearly not all its discussions will be open to the public.
“One place to go for everything,” said Levy, describing what the centre will offer. “At the start when you want threat information and understand about how to design a system, through building it, operating it, to when you get pwned how do we help.”
In a straight-talking presentation, which threw more than a few sardonic barbs at the current practices of the security industry, he attacked some of the language and media attention paid to critical and zero-day security flaws — such as the Heartbleed OpenSSL flaw that emerged in 2014. He argued that this sort of ‘doomsday scenario’ reportage engenders confusion and panic in the public, and shifts attention (and resources) away from tackling more mundane yet persistent security threats which cause ongoing problems for web users.