In order to get the best of new and advanced technologies in the future, cybersecurity needs a fresh transparency beyond the realm of fear.
Speaking at Microsoft Future Decoded in London, Dr Ian Levy, technical director of the National Cyber Security Centre, said that he did not believe that society could benefit from new technologies like artificial intelligence, machine learning and Big Data “unless we fundamentally fix the narrative around cybersecurity”.
Pointing at the 1972 paper on Computer Security Technology Planning Study and 2014 Heartbleed bug, Levy said that the impact from that OpenSSL vulnerability was not as bad as everyone made out, yet for almost 45 years the same programming error exists.
“As we become more and more dependent on machines, and rely on machines to do things for us, we have to change the narrative,” he said.
Levy said that modern cybersecurity replicates the witch doctor concept, where belief is placed in a magic amulet, “and we need to start talking about this as a lot of the attacks that we see on the internet today are not purported by religious icons”.
Levy went on to say that advice on not opening attachments or click links unless you trust them “was the most stupid advice I have ever heard”, as what is my granny going to do to determine untrusted email? “We are blaming the user...we are trying to get the user to compensate for the system design, that is stupid and we need to fix it.”
He said that the second most stupid piece of advice was around changing passwords every 30 or 60 days. “We did some research and we saw the average number of passwords people use on a day to day basis, and the average complexity and average change window – I can tell you that the answer is not to go away and remember a different 660 digit number every single month. Who reckons they could do that? Well my granny cannot.”
“We are trying to make the UK a more safe and secure place, so this sort of advice has to go; we have to make it more user-centric and stop blaming the user and give them information and let them make decisions.”
Levy claimed that cybersecurity runs on fear, and everything is focused on making it sound really bad, and then you have to buy the magic amulet. “There is no policy that I am aware of that allows this to happen, no public policy where you allow fear to rule in the public’s perception,” he said.
“So my job is to change that fear into evidence using data – how to change cybersecurity from a magic amulet into a data-based discipline where you can have a strategic effect on the security of the country. How do you do it – read the National Cyber Security Strategy. That’s a novelty in cybersecurity.
“How many times have we been told that cybercrime costs £27 billion a year to the UK economy? Once. How many times has there been evidence underneath that to prove it? Never as far as I can tell. I want to generate real data so that we can have metrics, metrics that mean something to the average person on the street.”
He claimed that until value-based, risk management decisions can be made about technology, we will never reap the benefits of all of the new stuff that is coming.
He said: “People will be too scared to get into an autonomous vehicle as hackers can get in. people will be too scared to have a machine calculate their premiums based on their Fitbit data because hackers can break in. Let’s bring some transparency to cybersecurity as only through transparency do you build trust, and only through trust can you build transparencies in the technology we will use in the future.”