Top GCHQ director calls security industry "witchcraft"

Dr Ian Levy accuses the industry of creating a climate of fear

The National Cyber Security Center's technical director Ian Levy has slammed commonly-accepted cyber security advice, equating the security industry to "witchcraft" and accusing it of deliberately creating unnecessary fear around cyber threats.

Speaking at Future Decoded 2016, Microsoft's annual digital transformation conference, Levy argued that cyber security is not transparent and that the industry is "blaming the user for designing the system wrong".

"We have to make [security] much more user-centric - stop blaming the user, give them information, let them make decisions," he said.

He also argued that traditional security wisdom regarding email attachments and passwords is too complex and difficult for users to follow. According to his team's research, maintaining secure, regularly changed passwords for the average number of online sites and services equates to memorising a different 660-digit number every month.

Another target of his ire was the level of hyperbole surrounding the security industry. He took particular issue with the portrayal of hackers, which are commonly labelled 'advanced persistent threats', or APTs.

Instead, he argued that it should stand for 'adequate pernicious toerags', based on the fact that many attackers use older exploits and vulnerabilities with patches that are available, but not installed. By presenting hackers as super-skilled experts, however, he states that security companies are creating a climate of fear.

"Everything that we do as an industry is about making it sound really, really bad; because then you can't possibly defend yourself," he told attendees. "There's no other part of public policy that I'm aware of that allows this to happen. Nowhere else in public policy do you allow fear to rule."

The sentiment clashed somewhat with a statement from chancellor Phillip Hammond, who stated that the UK needed to develop offensive cyber weapons in order to prepare the country for retaliation in case of a cyber attack from a foreign nation.

Levy argued for greater transparency within the secure industry, and the creation of a climate in which the UK can have an informed national conversation about the threats facing both private citizens and companies operating in Britain. To that end, the National Cyber Security Centre will be publishing information and documents through their website in order to inform the public.

"I want to get to a point where we have data, we have metrics, and we can start to explain to the public how we're defending the UK," he said.

Featured Resources

The ultimate guide to business connectivity in field services

A roadmap to increased workplace efficiency

Free download

The definitive guide to migrating to the cloud

Migrate apps to the public cloud with multi-cloud infrastructure solutions

Free download

Transform your network with advanced load balancing from VMware

How to modernise load balancing to enable digital transformation

Free download

How to secure workloads in hybrid clouds

Cloud workload protection

Free download

Recommended

HPE inks $2 billion high-performance computing deal with the NSA
high-performance computing (HPC)

HPE inks $2 billion high-performance computing deal with the NSA

1 Sep 2021
White House launches tech fellowship program to tackle key issues
Policy & legislation

White House launches tech fellowship program to tackle key issues

31 Aug 2021
Department of Health and Human Services must improve cyber security info sharing
Security

Department of Health and Human Services must improve cyber security info sharing

30 Jun 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021