National Cyber Security Centre chief Dr Ian Levy wants an empirical, transparent approach to cybersecurity policy – not hysteria
The head of the government’s new National Cyber Security Centre (NCSC) says the country will be unable to harness the power of new technologies like the Internet of Things (IoT) and Artificial Intelligence (AI) until cybersecurity fearmongering is replaced by a statistical and rational approach.
Dr Ian Levy said the public perception of a hoodie-clad hacker (see below) was damaging and that a lack of actionable data meant it was impossible for businesses and public sector organisations to undertake effective risk assessment of new innovations.
Without this, people will be too scared to use connected cars, or upload information to cloud services because they’re terrified hackers might gain access, Levy argued.
Stop cybersecurity ‘project fear’
“Cybersecurity runs on fear,” he said at Microsoft Future Decoded. “The entire industry runs on fear. It’s about making [the threats] sound really bad and make you buy a mythical magical amulet [to protect yourself]. In no other part of public policy do you allow fear to rule public perception.
Levy said common security advice such as ‘don’t open an email attachment from an untrusted sender’ as “stupid” as it made the user compensate for poor system design.
Similarly, he said that if everyone used a different password with a combination of upper case, lower case, numerical and special character for every service, you’d have to remember a ridiculous number of credentials.
“How many times have we been told cybersecurity breaches cost 27 million gazillion pounds to the UK economy?” he asked the audience rhetorically. “Where is the evidence? I want to generate real data on this so we can have metrics that actually mean something to people on the street.”
He liked the situation to alcohol. When the chief medical officer said that there was ‘no safe alcohol limit’ and reduced the guidance to between 21 (men) and 14 (women) units a week, it was suggested this level would lead to a 1 percent risk of alcohol-related death.
This, Levy, said was less risk of death as eating two bacon sandwiches a week or “watching Downton Abbey.”
The NCSC, based in central London, opened its doors last month and will be fully operational next month. The government claims it’s the first time British businesses will have access to an “outward facing authority” for security issues.
“I want to get to the point where we have data and metrics so we can tell the UK how we are protecting them and bring some transparency to cybersecurity [policy],” continued Levy. “Only with transparency can you bring trust.
“Transparency is unheard of [in terms of national policy].”
Chancellor Phillip Hammond used the same event to announce plans for a £1.9 billion national cybersecurity plan that would protect the UK from cyber threats and allow it to retaliate against digital enemies.