Getting innovative cyber security ideas to market in a “sensible way” is important but challenging in a crowded market crammed with buzzwords that make it difficult for organisations to make informed purchasing decisions, according to NCSC technical director Ian Levy.
“Many organisations still don’t understand what the core problem is [when it comes to cyber security] and therefore they don’t really know what the solution should be,” he told Computer Weekly.
Although there is a lot of cyber security innovation around, and the UK is particularly good at it, Levy said: “But we are missing a trick in helping people to get into the market and in helping the market identify good solutions to real problems.”
This is one of the key aims of the GCHQ Cyber Accelerator programme, but Levy said this operation is relatively small, with only nine participants in the current round.
“This latest round was massively over-subscribed,” said Levy. “We only have limited resources we can put into this. We need to find a way to scale this so that it is self-supporting and does not always require government intervention.”
However, it is not only about scaling up accelerator programmes, but also about creating a standard way of talking about and rating security products so that people can make better buying decisions.
“When you go to buy a car, a complicated set of safety tests is presented through a simple five-star NCAP rating system that is easy to understand,” said Levy. “We need to do the same when it comes to information security products. We need to create a vocabulary that everyone can understand so they can make better buying decisions. Then you build a market demand, and innovative companies can work to meet that demand.”
The NCSC does have a lab at its offices in London that is dedicated to enabling security developers to demonstrate the capability of their products, but again there is an issue of scale. “This is only one lab with limited bandwidth,” said Levy.
Top areas that cyber security innovators should be seeking to tackle, he said, include identity and authentication, providing easy-to-understand security-related information, and creating better user interfaces.
“We have got to get rid of passwords,” said Levy. “They don’t work and they don’t do what people think they do. They don’t work for people, let alone security. We need better ways of authenticating.”
He would also like to see the emergence of technologies that are able to describe the state of something in a way that is easy for people who are not experts to understand. “Something that indicates to people whether their mobile devices are patched up to date, for example, so they can make better-informed security decisions,” he said.
Another key area is better user interface development. “We need interfaces that present complex security information in a way that is easy to understand,” said Levy. An example of this, he said, would be an email interface that flags any emails that do not come from the sources they claim to be from.
“In this field, any idea is worth exploring, but it is important to know the problem you are trying to solve and to have data to back up your assertions. You also need to be willing to fail fast, and I think faster than any other field because the thing you are trying to fix isn’t static, with people actively innovating on the attack side.”
Transparency in the cyber security market
In general, Levy believes there is a need to move to a transparent, evidence-based cyber security market. “People would never buy other products the way they currently buy cyber security products based on unsubstantiated supplier claims. We have to change that so that people understand what problem each product is solving, how that problem affects them, and how the product can benefit them.”
Levy said that government has a role to play in describing the problem in a way that people can understand and helping companies describe their products and services in terms of recognised problems in a consistent way.
“At the moment people are not even comparing apples and oranges, they are comparing apples and aardvarks, which are completely different things because they don’t understand what individual products really do,” he said.
According to the NCSC, the three most important objective security principles for suppliers to focus on are: whether devices can be updated securely and how long suppliers will continue to do that, whether suppliers have a vulnerability disclosure process, and that there are no default credentials.
“Those are three simple, objective things to focus on,” said Levy. “As we get industry to adopt that, we can use government buying power to differentiate on that. We will buy stuff only from suppliers that answer these questions truthfully and comply with best practice, and in that way government and other industries can help to shape the market around some objective security principles.”
Addressing the scaremongering incentive
Commenting on the current state of the cyber security market, he said: “I have said it before and I will say it again that I think the incentive model in cyber security is broken because the companies that talk about threat are generally trying to sell you products to defend against that threat, so they are incentivised to make the threat sound scary. But that has to change and that’s why I think a much more objective vocabulary around what something does is important.”
The company selected as the winner of the Cyber Den challenge at CyberUK was digital forensics startup Awen Collective, while cyber risk firm DynaRisk and Cambridge Authentication received “notable mentions” for coming “very close” to winning with “very good” products, according to Levy.
The Awen Collective pitch in the Cyber Den was made by CEO and director Daniel Lewis, who explained that the company is a spin out from the University of South Wales and produces software that handles the digital forensics and incident response process.
The product is specifically aimed at helping suppliers of critical infrastructure and advanced manufacturing plants reduce the impact and cost of cyber attacks.
He said that in 2018 Awen Collective is focusing on helping infrastructure suppliers to comply with the EU’s Network and Information Systems (NIS) Directive, which is due to be implemented in UK law from May 2018, by developing a compliance-checking system. “That will feed into the rest of our system, which handles pre-incident response planning all the way through to post-incident analysis and the case reporting.
“We are focussing specifically on industrial control systems [ICS], which is where we are different from other digital forensics software companies that tend to focus on hard drives and mobile phones,” he said.
Lewis said Awen Collective is seeking partners in the critical infrastructure and advanced manufacturing industries as well as service providers to those sectors to better understand their needs.
Chris Ensor, deputy director for cyber skills and growth, is optimistic about cyber security innovation in the UK, saying the NCSC itself tries to “push the boundaries” wherever it can.
An example of this, he said, is the NCSC’s Active Cyber Defence programme. “This is something that is not really being done anywhere else. We are prepared to do something different and try something new,” he told Computer Weekly.
Ensor said that, for the first time in the UK, a cyber security innovation ecosystem or pipeline is starting to emerge, where entrepreneurs can start off in an incubator and move on to an accelerator, eventually partnering with a venture capitalist.
There is a growing number of initiatives aimed at fostering cyber security innovation, said Ensor, from government, the NCSC, and the private sector.
“There is an interesting ecosystem starting to develop for cyber innovation in the UK, from Hut Zero and Cylon for people just starting off to the GCHQ Cyber Accelerator, to the government’s London Cyber Innovation Centre.
“There is a lot of activity around cyber innovation and a lot of opportunity, and now we are starting to see all these elements link together.
“We are starting to see the beginnings of a ‘machine’ where startups are moving through the various cogs towards having a fully-fledged product that can be certified and promoted both at home and abroad,” he said.