Top GCHQ director calls security industry "witchcraft"

Dr Ian Levy accuses the industry of creating a climate of fear

The National Cyber Security Center's technical director Ian Levy has slammed commonly-accepted cyber security advice, equating the security industry to "witchcraft" and accusing it of deliberately creating unnecessary fear around cyber threats.

Speaking at Future Decoded 2016, Microsoft's annual digital transformation conference, Levy argued that cyber security is not transparent and that the industry is "blaming the user for designing the system wrong".

Advertisement - Article continues below

"We have to make [security] much more user-centric - stop blaming the user, give them information, let them make decisions," he said.

He also argued that traditional security wisdom regarding email attachments and passwords is too complex and difficult for users to follow. According to his team's research, maintaining secure, regularly changed passwords for the average number of online sites and services equates to memorising a different 660-digit number every month.

Another target of his ire was the level of hyperbole surrounding the security industry. He took particular issue with the portrayal of hackers, which are commonly labelled 'advanced persistent threats', or APTs.

Instead, he argued that it should stand for 'adequate pernicious toerags', based on the fact that many attackers use older exploits and vulnerabilities with patches that are available, but not installed. By presenting hackers as super-skilled experts, however, he states that security companies are creating a climate of fear.

Advertisement - Article continues below
Advertisement - Article continues below

"Everything that we do as an industry is about making it sound really, really bad; because then you can't possibly defend yourself," he told attendees. "There's no other part of public policy that I'm aware of that allows this to happen. Nowhere else in public policy do you allow fear to rule."

The sentiment clashed somewhat with a statement from chancellor Phillip Hammond, who stated that the UK needed to develop offensive cyber weapons in order to prepare the country for retaliation in case of a cyber attack from a foreign nation.

Levy argued for greater transparency within the secure industry, and the creation of a climate in which the UK can have an informed national conversation about the threats facing both private citizens and companies operating in Britain. To that end, the National Cyber Security Centre will be publishing information and documents through their website in order to inform the public.

"I want to get to a point where we have data, we have metrics, and we can start to explain to the public how we're defending the UK," he said.

Featured Resources

Successful digital transformations are future ready - now

Research findings identify key ingredients to complete your transformation journey

Download now

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

The future of database administrators in the era of the autonomous database

Autonomous databases are here. So who needs database administrators anymore?

Download now

The IT expert’s guide to AI and content management

Your guide to the biggest opportunities for IT teams when it comes to AI and content management

Download now


cyber security

Zoom hires ex-Facebook CSO Alex Stamos to boost platform security

8 Apr 2020

HP Support Assistant flaws leave Windows devices open to attack

6 Apr 2020
cyber security

Safari bug let hackers access cameras on iPhones and Macs

6 Apr 2020
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020

Most Popular

Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020

A critical flaw in 350,000 Microsoft Exchange remains unpatched

7 Apr 2020
cyber security

Microsoft gobbles up domain to keep it from hackers

8 Apr 2020