Top GCHQ director calls security industry "witchcraft"

Dr Ian Levy accuses the industry of creating a climate of fear

The National Cyber Security Center's technical director Ian Levy has slammed commonly-accepted cyber security advice, equating the security industry to "witchcraft" and accusing it of deliberately creating unnecessary fear around cyber threats.

Speaking at Future Decoded 2016, Microsoft's annual digital transformation conference, Levy argued that cyber security is not transparent and that the industry is "blaming the user for designing the system wrong".

"We have to make [security] much more user-centric - stop blaming the user, give them information, let them make decisions," he said.

He also argued that traditional security wisdom regarding email attachments and passwords is too complex and difficult for users to follow. According to his team's research, maintaining secure, regularly changed passwords for the average number of online sites and services equates to memorising a different 660-digit number every month.

Advertisement - Article continues below
Advertisement - Article continues below

Another target of his ire was the level of hyperbole surrounding the security industry. He took particular issue with the portrayal of hackers, which are commonly labelled 'advanced persistent threats', or APTs.

Instead, he argued that it should stand for 'adequate pernicious toerags', based on the fact that many attackers use older exploits and vulnerabilities with patches that are available, but not installed. By presenting hackers as super-skilled experts, however, he states that security companies are creating a climate of fear.

"Everything that we do as an industry is about making it sound really, really bad; because then you can't possibly defend yourself," he told attendees. "There's no other part of public policy that I'm aware of that allows this to happen. Nowhere else in public policy do you allow fear to rule."

The sentiment clashed somewhat with a statement from chancellor Phillip Hammond, who stated that the UK needed to develop offensive cyber weapons in order to prepare the country for retaliation in case of a cyber attack from a foreign nation.

Levy argued for greater transparency within the secure industry, and the creation of a climate in which the UK can have an informed national conversation about the threats facing both private citizens and companies operating in Britain. To that end, the National Cyber Security Centre will be publishing information and documents through their website in order to inform the public.

"I want to get to a point where we have data, we have metrics, and we can start to explain to the public how we're defending the UK," he said.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


cyber security

GCHQ boss says UK must be vigilant againt Chinese tech firms

25 Feb 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020