Ollie Whitehouse is the first Chief Technology Officer (CTO) appointed by the UK’s National Cyber Security Centre (NCSC). Mr Whitehouse officially began the role in October 2023, following his initial appointment in September.
Speaking exclusively to Infosecurity Magazine after his keynote speech at the Black Hat Europe 2023 conference, Mr Whitehouse discussed what his new role at the NCSC means, how he wants to prepare the UK organization for looming cyber-attacks, and what keeps him up at night.
Infosecurity Magazine: You are the first CTO of NCSC. Why does the agency need a CTO and what is your mission?
Ollie Whitehouse: As the UK’s technical authority on cybersecurity, the NCSC has over 250 researchers. The CTO’s responsibility is to ensure that we have the skills and capabilities to conduct research and collaborate with academic and commercial partners.
One-third of my time is focused on giving researchers the direction they need and ensuring they can accomplish their mission, and the other third is representing the organization as a senior engineer. The final third is dedicated to working with partners.
I’ve been in this role for a few weeks now and I plan to spend 3-4 months learning about the organization. Whitehouse then lists two priorities:
- Active Cyber Defense 2.0 is the upcoming second phase of the NCSC program that provides free security services and interventions to organizations.
- How can we send a clear signal to the market about issues that we feel are not being addressed in the free market, and encourage private equity players, entrepreneurs, and industry more generally to step up and address these issues? Can we help develop solutions to address this?
IM: Which cyber research area excites you the most?
OW: What I think has the potential to lead to breakthrough discoveries is the Defense Advanced Research Projects Agency (DARPA) challenge of automated vulnerability discovery and resolution. This is a quick way to eradicate technical debt.
Also, some great papers were presented during the 2023 Internet Measurement Conference (IMC) in October 2023. It’s great to be able to measure all router manufacturers on-the-hop. For example, you can understand what the most important vendors are in the UK.
IM: You said that software vendors should stop selling security as an add-on, but you also said that regulation shouldn’t be the first solution. How can you ensure product safety without regulation?
OW: That’s right. I said seat belts are not a special feature and we should no longer tolerate vendors selling them as such.
Regulation should be used, but it should not be the first step. Organizations must also recognize that many countries currently regulate cybersecurity, and they don’t always align, creating significant compliance costs and friction for organizations.
Additionally, regulations may be highly constrained and unable to adapt to technological advances.
In the UK, we first produce guidance, then issue codes of practice, and then only move to legislation and regulation if we still find shortcomings. But why jump there if you can get there through discussion and agreement?
IM: Does this approach work?
OW: I think there are great examples of it working in the past.
Look at the “Secure by Design” and “Secure by Default” initiatives. Some vendors will adopt these principles across the board, others will only do so if their customers demand it, but overall we think this industry-driven effort is the right approach.
IM: You’ve also said that “making phishing a thing of the past” is the most important challenge for the cybersecurity community. Why do you think that is?
OW: Because it affects everyone, from very large organizations, where it causes massive data breaches and financial losses, to our families and friends.
This is so effective because it takes advantage of human traits that are played to great effect by those conducting phishing campaigns, such as fear of scarcity, fear of loss, and fear of authority.
I don’t have the answers to this big, difficult problem, but I wanted to make that case in front of hundreds of cybersecurity experts from around the world [at Black Hat Europe]. They collectively have the answer.
IM: Where is the cybersecurity community good at collaborating, and where does it need to improve in collaborating?
OW: Look at the guidelines for developing secure AI systems. Launched [by the NCSC] in November following the AI Safety Summit in October, it marks the first time in history that 21 national cybersecurity agencies have signed the same cybersecurity document.
It is clear that cybersecurity is no longer something that governments can do alone.
In academia, there are many wonderful collaborations in which researchers from multiple universities and different countries work together on research and publish papers together.
Finally, yes, the incident response and threat intelligence communities sometimes operate in near-secret trust groups, but we also see them increasingly collaborating and sharing intelligence.
However, in practice, there is likely to be more collaboration at the government, regulatory, and vendor levels. We’re starting to see more cooperation from some hyperscalers, and they’re looking to collaborate more on certain underlying technologies that they rely on. But it could also be done more transparently.
IM: What is it about cybersecurity that keeps you up at night?
OW: I don’t know if I’ll be fully prepared for “when.” When big events happen, and they will happen in our lifetimes, do we have enough capability and capacity to respond continuously beyond a few weeks?
If you look at the UK private sector, for example, there are only four to six companies that can deal with operational technology (OT) cyberattacks at scale.
Therefore, NCSC needs to develop better market signaling solutions.
We also introduced a Cyber Incident Response (CIR) Level 2 scheme earlier this year. Level 1 is for organizations that can respond to threats of national significance. Level 2 is dedicated to increasing the maturity of private enterprise incident response to address large-scale commodity threats.
IM: What do you think is the biggest success the cybersecurity industry is experiencing today?
OW: Look at how diverse cybersecurity has become. At one time, this industry was comprised almost exclusively of white men. It is no longer entirely white male, and that’s a great thing. Diversity of people means diversity of thought, and our industry desperately needs that.
On the technology side, I’m particularly encouraged by the conversations we’re having around both quantum and AI.
And we were implementing those technologies pretty early on. We didn’t wait for those technologies to become indigenous and then worry about how to protect them.
As an example, most AI vendors have internal AI red teams and are not waiting for systemic vulnerabilities to be exposed.
This represents a break from the traditional cycle of releasing a product, suffering a breach, and then starting to secure it. I think this has something to do with the effectiveness of initiatives like Secure by Design and Secure by Default.
IM: If you could give one piece of advice to cybersecurity professionals, what would it be?
OW: Never be afraid and always keep learning. I have been in cybersecurity for 27 years and I have never stopped learning. I still train 3 hours a week every Friday afternoon. It is essential to keep yourself sharp and work on your game.
Engaging in lifelong learning in the cyber field will have a greater impact.