Ian Levy, technical director of the government’s brand-new National Cyber Security Centre and keynote speaker at today's Jisc security conference, explains how the centre will open up cybersecurity and work with the education and research sector to help it protect itself better.
What’s the structure and focus of the National Cyber Security Centre and how does it improve on what’s gone before?
"The National Cyber Security Centre (NCSC) brings together, in a single new organisation, significant chunks of government that deal with cyber: from CESG, the information security part of GCHQ, to CERT-UK, our computer emergency response team. For large swathes of cyber advice and transaction, the NCSC will now be your first port of call.
There are two things that make the NCSC fundamentally different. Firstly, our focus on the customer. In the past, like all governments, we’ve sat in our ivory doughnuts and proclaimed that we know everything and pronounced on what people should do. And, of course, it turns out it’s not that simple. There are always constraints that we don’t understand.
The NCSC is going to work much more closely with our customers so that we really understand their constraints and their environment and can be a much better partner for them."
"As a corollary of that, we’re going to be much more open. We want to generate data. We want to publish it online. We want everything that we do in the NCSC to be online, by default.
We should be saying, here’s what we think the problem was, here’s what we’ve done to try to address it and here’s what the effect was – and do that whether it worked or not, and in a way that people can understand. That way, you start to get people to understand how cybersecurity affects them and how they can participate in their own protection.
The second big change is that we’re becoming more active in our protection of the UK, more interventionist. The full details of that will come out when the national strategy is published. But the general idea is that we’ll build automated systems that get rid of a significant amount of the commodity attacks that affect the UK: we want to make spam go away for people, we want to make the banking attacks go away for people, we want to make it very difficult for anybody to impersonate the government brands."
Looking specifically at the education and research sector, how are you going to work with the sector to do that?
"We want to work with the education and research sector in two ways. Firstly, by working with them on research and helping people to get into STEM (science, technology, engineering and mathematics) subjects.
In terms of how we help the sector protect itself, we’ve traditionally had a hard time talking to academics and universities. That’s because, usually, government comes along and says, ‘we think you should be filtering these sorts of things’. And they say, ‘No. Academic freedom’. So that’s one of the reasons we want to talk to Jisc.
We want to say, look - here’s what we do for the rest of the country. We don’t want to do this for you. We want you to do it in a way that works for you, that you’re happy with as a community. Let us help you do that."
"Protecting the sector is critical because it’s where the future of the economy lies. We don’t want to interfere in academic freedoms but we do want to partner with organisations like Jisc to help the academic sector protect itself better."
That involves listening as well?
"Of course. We want the NCSC to be much more open.
To contrast, GCHQ is a top secret organisation and it’s very difficult to get into our buildings, it’s very difficult to talk to us. The NCSC building is an unclassified building and about 20% of its space will be reserved for collaboration."
"I want to get people from various sectors to come and sit in there and a) teach us, and b) let us work with them to help them understand the threat better so that we don’t end up with this artificial divide between cybersecurity people and people who understand the sectors.
We also want to deploy people out in the various sectors so we really understand how our customers work."
What do you think are the particular cybersecurity threats faced by education and research?
"In terms of research, it’s intellectual property theft on a massive scale. That’s our differentiator in the world, and there’s going to be disruption at some point."
What about the things that are, perhaps, lower level but very annoying and disruptive such as phishing and DDoS attacks?
"We want to tackle those at national scale.
One of the things we are doing is making it very hard for somebody to spoof a gov.uk address. Until six weeks ago you could fake some @gov.uk addresses, such as taxrefund@gov.uk, and there were thousands being sent every day. We’ve stopped it. It’s a relatively simple thing to do. And I’d like all the universities to do that so that university addresses can’t be spoofed."
What else would you like institutions to do?
"DNS filtering. We’re going to do it for government first, to prove it works and prove you can manage all the privacy issues, and then we want the ISPs to do it for the public at large so, by default, you get protected from bad sites (bad meaning they’re trying to send you malware or steal your credentials or get you in a phishing campaign).
We think it would be sensible for institutions to do that for their staff and students."
"But there is always a balance around academic freedom and it’s not for us to say what the balance is; it’s for us to say ‘here’s what we’re doing for government, here’s the data that shows what benefit it brings’. If you want help to do this filtering stuff, you can have it, that’s absolutely fine. If you do take it, I’d really like high-level stats back about how you stopped 10,000 phishing attacks today or 25,000 malware attacks today so that we can start to build a national threat picture - but that’s all I want back."
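As an added illustration of the filtering and reporting described in the two answers above (example code written for this page, not anything from the NCSC or Jisc), this Python sketch makes a block/allow decision per DNS query against a constructed blocklist with the three categories Levy names, and then reports only aggregate counts per category, with no client identifiers, which is the "high-level stats" shape he asks for. The blocklist entries, log lines and domain names are all constructed.

```python
"""Toy DNS-filtering resolver policy with privacy-preserving summary stats."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed blocklist: domain -> category. The .example TLD is reserved, so
# none of these names resolve in the real world.
BLOCKLIST = {
    "malware.example": "malware",
    "login-verify.example": "credential_theft",
    "urgent-refund.example": "phishing",
}


@dataclass
class FilterStats:
    allowed: int = 0
    blocked: Counter = field(default_factory=Counter)  # category -> count


def parent_domains(qname):
    """Yield the query name and each of its parents, e.g. a.b.c -> a.b.c, b.c, c."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(qname, blocklist=BLOCKLIST):
    """Return the category to block on, or None if the name is not listed.
    Subdomains inherit the listing of any parent, so cdn.malware.example is caught."""
    for domain in parent_domains(qname):
        if domain in blocklist:
            return blocklist[domain]
    return None


def resolve_policy(qname, blocklist=BLOCKLIST):
    """Decision the resolver would enforce: ('allow', None) or ('block', category)."""
    category = classify(qname, blocklist)
    return ("block", category) if category else ("allow", None)


def summarise(log_lines, blocklist=BLOCKLIST):
    """Fold constructed resolver log lines ('timestamp client qname') into
    aggregate counts only. Client addresses are read and discarded, so the
    returned object carries nothing that identifies an individual user."""
    stats = FilterStats()
    for line in log_lines:
        _timestamp, _client, qname = line.split()
        verdict, category = resolve_policy(qname, blocklist)
        if verdict == "block":
            stats.blocked[category] += 1
        else:
            stats.allowed += 1
    return stats
```

Feeding it a few constructed lines such as `"2016-10-18T09:00:02 10.0.0.7 cdn.malware.example."` yields one blocked `malware` query and no record of which client asked, which is the trade-off between filtering and privacy the interview is pointing at.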
Is there going to be a fear that there may be an element of compulsion involved?
"There will not be any element of compulsion from government. That’s not how we want to do this."
In the past you’ve said some interesting things about language and how that impacts on risk management. Tell me a bit more about that.
"Take the names of the financial instruments that caused the 2008 crash. You start off with ‘mortgage-backed securities’. They sound good, they’ve got the word secure in them and they’re backed by a mortgage. You go through until you get to ‘toxic debt’ and you say, you can be forgiven for investing in mortgage-backed securities but you’d be an idiot to invest in toxic debt. But they’re all the same thing."
"The way you talk about something fundamentally changes how you view the risk of it. The way we talk about cybersecurity today is all very scary and doesn’t aid good risk management.
We need to get evidence, we need to get data and we need to be realistic about what the threats actually are."
Is there a risk that you may heighten people’s fear rather than assuaging it by being so much more open, i.e. by publicising the amount of phishing?
"No, I don’t think so. If you read the technical press today or even the tabloids, it’s all codified in words that sound scary, such as cyberwar and cyberterrorism.
What I’m hoping we’ll be able to show in the next six to nine months is that we can take away a good amount of phishing, scamming and credential-stealing malware for people at scale. We can make email trust mean something again. We can make it harder to launch DDoS attacks against the UK."
"The question then is, how do you generate the data and the evidence to show people that it works or doesn’t work and be honest about that? What will happen is that the attackers will evolve as our defences evolve. So this isn’t a one-stop shop."
One of NCSC’s objectives is to nurture and grow the UK’s cybersecurity capability. How will you do that? Is there a cybersecurity skills gap?
"There definitely is one. I think it probably starts back at school. We’re not good at keeping enough people in STEM subjects, generally, and we’re not good at making cybersecurity an interesting subject for them at the moment. We need to try to fix that over the next few years."
"We’ve got CyberFirst, which talks about how we intend to do stuff in schools. We’ve got sponsored MScs, we’ve got an apprentice scheme, cyber apprentices.
Over the next few years we’re trying to build a pipeline of people who have a sustainable set of skills. I think the key thing for me is how you get everybody who is involved in technology - of whatever kind - to understand cybersecurity. They don’t have to be experts but they have to be cognisant of it.
Getting it into the right curricula across the space is really important. The final bit is getting it into MBAs, because it’s business who generally do the risk management. They have to manage cyber risk and they’re doing it differently to the way they manage any other business risk at the moment and that doesn’t seem right. I think that’s because it’s not well taught in MBAs at the moment."
So, it needs to be a leadership issue?
"In a business it absolutely should be a board-level issue. It’s just another business risk.
As an example, every business must have a financial control policy, which is audited and presented to the board every three months. But ask them if they have a patching policy for their system and they’ll say yes, of course, our IT guys patch our systems, according to our patching policy. Then ask when it was last taken as an audit item, and the answer, generally speaking, is “never”. Because they push it down to the IT guys, because it’s “weird techy stuff”. You’d never do that with a financial liability, so why do you do it with a cybersecurity liability?
There’s a dissonance between the different business risks and we need to try to corral them together."