“Let’s make cyber sec an evidence-based science,” says NCSC’s new CTO
New cyber chief calls for greater efficacy among vendors at Black Hat and expresses concern over enterprises’ legacy tech mountains. Ann-Marie Corvin reports
Ollie Whitehouse, the new chief technology officer of the UK government’s NCSC, pulled no punches in laying out what he required from the world’s tech vendors in 2024, during the annual cyber security event Black Hat Europe.
At the early December conference — a favourite among pen-testers, software developers, and those who work at the coalface of cyber sec — Whitehouse stressed the need for vendors to take a more evidence-based approach to the systems and tools they sell to enterprises, “rather than just relying on what Terry says”.
Whitehouse, a former CTO of cyber security consultancy NCC, also called out software companies for not being more transparent about the systems they create and for charging customers extra for software to be made more secure.
Whitehouse, who joined GCHQ’s body designed to protect business and the general public in October, is tasked with shaping and delivering the UK’s national cyber security mission, helping to combat the myriad threats facing the country at scale, and building collective resilience.
Putting the ever-evolving landscape into context, Whitehouse said that the world was in “Eighteenth Century medicine territory” in terms of where it was with cyber.
He added: “The industry is awash with quackery and opinion. ‘Buy Dr Smith’s magic elixir and it will solve all your cyber problems’ without any evidence that it works. We are only in the foothills of cyber.”
The cyber head also challenged vendors to make more transparent systems so that, at the very least, adversaries would not exist in closed wall systems with impunity.
“We have an inability to get telemetry out and introspection in,” he added.
“This is wonderful for vendors because they create closed systems with walled gardens — but it creates dwell for our adversaries once they have penetrated these systems and exist with impunity. That is a fundamental challenge,” he said.
Perhaps wise to the private sector’s foibles — besides NCC, Whitehouse has held senior roles in security research at both BlackBerry and Symantec — he told delegates that it was “inexcusable in 2023” to have vendors who were willing to sell a service and charge extra to keep it secure.
“I’ve run private sector businesses; I know how it works. These costs aren’t warranted. So, I can buy a service that will take the money, but then if I get breached, I must pay more to get access to the logs to understand the ramifications of what those breaches were. That’s something we need to address as a community,” he added.
There’s also a real opportunity for more transparency among vendors when it comes to the SaaS versions of their product offerings, he said.
Vendors are currently obliged to disclose all vulnerabilities they have patched with on-premise versions but, Whitehouse hinted: “I would suggest that they are not always entirely transparent on whether or how that affects their SaaS version.”
Whitehouse also urged companies operating in sectors such as critical infrastructure, for instance, to band together and refuse to buy software until the vendors can prove that their products do what they say on the tin. “That would be such a strong signal to vendors, and they would be remiss to ignore it,” he added.
“We need to know the thing is going to yield the results we want — we have in other sectors where there’s been a threat to health and the like. What is the accepted minimum in these systems now? I think we have a long way to go but we don’t want to be in a place where we’re forced to fall back on regulation. That is a very blunt hammer,” he added.
The truth is, Whitehouse claimed, vendors are shaped by a natural market desire for “simple carbs”.
He explained: “Customers want to be able to purchase that one thing that is going to take the pain away and I don’t think that they exist. They may exist for some specific problems. But we must play to an iterative game here. One that builds up resilience in a concerted way.”
Whitehouse argued that the community needed to make cyber “an evidence-based science” and suggested one positive step would be to become more involved with standards-making bodies.
“Our community is underrepresented in those groups. And our adversaries know it. As a community, I would encourage you to go along and participate in a standards body. Bring the requirements of the cyber defence community into those rooms. Point out the dangers before it becomes a standard.”
Among the challenges facing the community, he urged organisations to make 2024 the year they get a handle on their technical debt mountains.
“We are great at focussing on new and shiny but how do we secure legacy tech in a way that doesn’t require 15 Band-Aids and a plastercast?” he challenged.
“If you go to some of the largest companies, it’s almost an open secret that they don’t know how much infrastructure they have or how much of it is unpatched. There is a massive mountain that we do not understand and quantify.
“While it’s not as in-your-face a problem as ransomware, all of that technical debt is an opportunity for our adversaries to dwell, to exploit, to do whatever they wish.”
Another challenge the UK and its global allies are facing is an evolution in the world’s supply chains and the fact that nobody can afford to ignore the might of the Chinese industry.
“We can’t expect some parts to come from countries that are always aligned with our ideals. So, the challenge is: how do we build systems we trust when we can’t trust any of the individual components within them? Because that’s what we’re going to have to do, be it at a silicon level, a software level, or services level as we go into certain territories.”