News

Learn from your mistakes, departing cyber security expert tells industry

Ian Levy NCSC.jpg

The technical director of the UK’s cyber security agency has announced his departure with a thought-provoking blog criticising software design.

Ian Levy (pictured), technical director of the National Cyber Security Centre (NCSC) since 2000, is understood to be awaiting approval to move to a new role outside the UK government.

NCSC is part of Government Communications Headquarters (GCHQ), the UK’s signals intelligence agency, analogous to the US National Security Agency (NSA).

In his parting blog, Levy compares some cyber security design flaws to errors in the World War Two B-17 bomber, which had controls for flaps and landing gear next to each other.

Many exhausted pilots pushed the wrong one on their return, he writes. “You reach over to throw the switch that engages the landing gear and suddenly, with a lurch, your aircraft stalls and smashes into the ground, killing everyone.”

Levy writes: “There’s no amount of training in the world that could compensate for this design flaw. There’s nothing to stop the most obvious error turning into the catastrophic outcome.”

He notes: “The aircraft world has learned from its mistakes,” but add that cyber security people “continue to place ridiculous demands on users … implicitly expect arbitrarily complex implementations of technology to be perfect and vulnerability-free in the long term, and then berate those who build the stuff we use when they fail to properly defend themselves from everything a hostile state can throw at them”.

He lists four goals for the cyber security community: talk to people who aren’t like them “and actually listen to them”; stop blaming people … when something goes wrong; “build stuff that works for most people, most of the time”; and put themselves “in the shoes of our users and ask if we’re really being sensible in our expectations”.

Levy also warns about “big global standards like 5G”, where, he says, “many companies from around the world own the patents in the standard, and you need a licence from them to build a product. That includes Chinese companies, and this gives us a weird interdependency (and not an insignificant amount of national security risk) when you actually try to implement.”

He says “standards bodies are becoming a tool of great power competition – control the standards and you can stack the deck to make your technology more likely to be implemented”.

Sometimes it’s “just about money, but sometimes there could be other reasons”.

Levy says “it’s interesting that Chinese people or Chinese companies hold leadership positions in more than 80% of key working groups in the main telecoms SDOs [standards development organisations]. Just saying.”

A number of people in the industry paid tribute to Levy’s work in NCSC. One, Ibrahim Gedeon, CTO of Telus in Canada, said: “A great loss to the UK and global public cyber policies.”

NCSC has not yet announced who will take over from Levy.