News

Top GCHQ director calls security industry "witchcraft"

Dr Ian Levy accuses the industry of creating a climate of fear

1 Nov 2016

The National Cyber Security Center's technical director Ian Levy has slammed commonly-accepted cyber security advice, equating the security industry to "witchcraft" and accusing it of deliberately creating unnecessary fear around cyber threats.

Speaking at Future Decoded 2016, Microsoft's annual digital transformation conference, Levy argued that cyber security is not transparent and that the industry is "blaming the user for designing the system wrong".

"We have to make [security] much more user-centric - stop blaming the user, give them information, let them make decisions," he said.

He also argued that traditional security wisdom regarding email attachments and passwords is too complex and difficult for users to follow. According to his team's research, maintaining secure, regularly changed passwords for the average number of online sites and services equates to memorising a different 660-digit number every month.

Another target of his ire was the level of hyperbole surrounding the security industry. He took particular issue with the portrayal of hackers, which are commonly labelled 'advanced persistent threats', or APTs.

Instead, he argued that it should stand for 'adequate pernicious toerags', based on the fact that many attackers use older exploits and vulnerabilities with patches that are available, but not installed. By presenting hackers as super-skilled experts, however, he states that security companies are creating a climate of fear.

"Everything that we do as an industry is about making it sound really, really bad; because then you can't possibly defend yourself," he told attendees. "There's no other part of public policy that I'm aware of that allows this to happen. Nowhere else in public policy do you allow fear to rule."

The sentiment clashed somewhat with a statement from chancellor Phillip Hammond, who stated that the UK needed to develop offensive cyber weapons in order to prepare the country for retaliation in case of a cyber attack from a foreign nation.

Levy argued for greater transparency within the secure industry, and the creation of a climate in which the UK can have an informed national conversation about the threats facing both private citizens and companies operating in Britain. To that end, the National Cyber Security Centre will be publishing information and documents through their website in order to inform the public.

"I want to get to a point where we have data, we have metrics, and we can start to explain to the public how we're defending the UK," he said.