UK National Cyber Security Centre (NCSC) and GCHQ veteran Dr Ian Levy is leaving public service. His decision and absence will be felt keenly by many in the cybersecurity community, who speak highly of the Technical Director, who has been an engaged and forthright bridge with business and other industry stakeholders.
Dr Levy, who has been working for the government for over 22 years, signed off this week with a thought-provoking 6,000-word blog. In it, he took blunt aim at ineffective assurance schemes and at the way in which the national security estate too often “implicitly expect[s]... companies to manage our national security risk by proxy, often without even telling them”, and called for the nurturing of technology that is critical for national security.
Dr Ian Levy became Technical Director of the NCSC in October 2016. He was previously Technical Director of Cyber Security and Resilience at GCHQ. He leads on developing defences to manage cyber threats. This included fostering technical innovation to find solutions that can protect the UK from large-scale cyber attacks.
Dr Levy will be on “enforced gardening leave for a few months”, he said in his blog.
He told The Stack: “[I] Haven't quite decided what's next yet, but I'm sure it'll be fun!”
During his time in government GCHQ has gone from operating almost entirely in the shadows to, via the NCSC, supporting businesses and engaging in public debates and education openly via a range of programmes that Dr Levy has been heavily involved in, including the 2017 launch of Active Cyber Defence.
His departure comes as HMG continues to struggle to retain talented staff, particularly in the IT and technology space, where private sector salaries are compelling multiples of what the government can offer. Whilst public service is, for many, a strong draw of its own irrespective of salary, many civil servants have over the past year also lamented the ministerial churn and political infighting that has caused policy paralysis on key issues.
Dr Ian Levy leaves NCSC: Some Assurance...
Dr Levy put the boot into inadequate risk assurance schemes on his way out, saying bluntly: “In the general case, these schemes… actually end up reducing overall system security. This is because system owners feel they no longer need to think about security because they have some ‘certificate of goodness’.”
He added: “One of the worst examples of this is the GSMA’s NESAS scheme, which intends to give governments confidence that the telecoms products they’re allowing to be used in their national networks are appropriately secure. It does this by giving us 21 letters describing whether 21 categories of stuff have been assessed as compliant or not. It provides no useful information to end users of the equipment to make risk management decisions.”
"Doing more awesome research isn't going to cut it"
Pointing to China’s dominance in much electronic manufacturing, meanwhile, he noted: “If we are to achieve the ambition set out in the Integrated Review [which aims to “firmly establish the UK as a global science and technology and responsible cyber power”]... if we are going to lead in technologies that are critical for our security, then just ‘doing more awesome research’ isn’t going to cut it. We need to get into market shaping, and that’s uncomfortable. We need the global market to demand the things we’re going to produce, and we need to protect them as they are developed and make sure people can’t just come and buy or steal them.”
“Also, if we build small groups of interdependent companies, we can make them into ‘sticky ecosystems’ that are harder to copy and more easily provide good gearing into the global market. We don’t need to control everything we rely on, but we need to have enough skin in the game to be a player on the world stage…”
SolarWinds: Private equity as well as Russians to blame
Pointing to the devastating SolarWinds supply chain attack in 2021, he said: “If you ask anyone in the intelligence community who was responsible for the SolarWinds attack I referenced earlier, they’ll say it was the Russian Foreign Intelligence Service, the SVR. But Matt Stoller makes an interesting argument in his article that it’s actually the ownership model for the company that’s really the underlying issue. The private equity house that owns SolarWinds acted like an entity that wanted to make money, rather than one that wanted to promote secure software development and operations… we implicitly expect these companies to manage our national security risk by proxy, often without even telling them. Even in the best case, their commercial risk model is not the same as a national security risk model, and their commercial incentives are definitely not aligned with managing long-term national security. In the likely case, it’s worse. So, I think we need to stop just shouting “DO MORE SECURITY!” at companies and help incentivise them to do what we need long term.”
“Sometimes that will be regulation, like the Telecoms Security Act, but not always. Sometimes we’re going to have to (shock, horror!) pay them to do what we need when it’s paranoid lunatic national security stuff… Trying to manage cyber security completely devoid of the vendors’ commercial contexts doesn’t seem sensible.”
Dr Levy's refreshing directness shines through in one recent discussion at the Royal United Services Institute (RUSI) during which he emphasised some of the risks around legacy technology, pointing to the SS7 protocol underpinning international telecommunications and saying: "Literally the people who understand how it's working are dying because they're old -- that keeps the entire world connected."
FTSE 100 Avast’s CISO Jaya Baloo told The Stack: “He’s a lovely human – even though I disagreed with him often, he was always awesome to talk to, and genuinely listened. His contributions to security in the UK were significant. I can’t imagine that he’s easy to replace”. Intruder Founder Chris Wallis added that Dr Levy had been a strong supporter within government of startups, “often to be found on judging panels lending his support to well-chosen causes to highlight, which I appreciated” and security professional Ed Tucker described him as a "legend".
Stephen Murdoch, Professor of Security Engineering and Royal Society Research Fellow, commented on NCSC's announcement: "Ian Levy will leave some big shoes to fill. While I’m sure money isn’t the main consideration for such a role, it is ridiculous that the technical lead for such an important high-tech organisation gets less than £150k. Government might not be able to match private sector salaries and can make up for some difference in other ways, but there gets to be a point where the mismatch isn’t tenable. They seem to have recognised this for management roles (£250k+ is not uncommon) but not for technical. If the UK wants to be a high tech powerhouse there must be a cultural change where technical expertise is valued just as much as business knowledge. It’s as important in the public sector as in the private. I look forward to more NCSC jobs appearing here," he said, pointing to a Cabinet Office spreadsheet of "high earners" in government roles.
Dr Levy’s goodbye blog deserves a closer read than our synopsis. You can find it here.