
Right. Thanks very much everyone. We got the final keynote of today. I'm very glad and pleased to welcome uh Ollie Whitehouse from the National Cyber Security Centre. Um everyone give him a warm welcome.
>> Thank you. Okay. Uh so good afternoon everyone. Lovely to see you all. Thank you for having me. Uh obviously what do you do at the end of a long day? Uh you get to be quite frank and candid about the challenge but then also outline some of the opportunities that we all have to go after over the next period. So I'm going to be quite direct and I'm going to be quite um open about actually the challenges that we face but it's not to
terrify or feel that it's a lost cause. It is more to motivate and engage. So some of this is very technical that will go down to what some of the technical challenges are but then there will be some kind of high level themes. For those not familiar with the National Cyber Security Centre, we're the national technical authority for cyber security, part of GCHQ, and our mission is to make the UK the safest place to live and work online, and that means that our responsibility covers from the citizen and the individual all the way up through to the most classified communications and sensitive systems in the UK. Okay, very good. Okay, so if you only take three things from this talk,
one is it is our collective mission to impose greater cost on our adversaries. They are having too much fun and it is far too easy for them in 2025. The second is we need to build greater resilience in the United Kingdom um than we have today. And the third is we need to prepare for consequential events and to make that real. So this was an incident um about three years ago um in Iran by we'll say an unattributed actor um against a a manufacturing facility that was a cyber operation that led to a physical malfunction shall we say of some of the heavy plant machinery and the purpose of showing this is again not to terrify make it Hollywood and all of
that but it's to show it's Holly fact that there are certain actors around the globe that see that this type of operation is part of what one does in the contemporary world in order to pursue their endeavors. And there's been kind of a litany of other press coverage around other adversaries prepositioning on infrastructure around the globe. And so I think, you know, the onus is on us to recognize that the world is quite unstable and is probably not going to stabilize for some period and is is the most unstable that it has been um since World War II. And cyber is the new dimension there. Um and and we need to be ready for it. So if we take a canter
through um some of our adversaries uh and the asymmetric nature of which we have to contend with them. So I think the first is is that a number of our adversaries are not constrained. So they don't observe international norms. They don't observe laws more generally um and they feel that if they get caught it's a badge of honor rather than a deterrent and that pro provides or creates a number of challenges inherently for us by virtue of that. So there is a world where we are always going to have adversaries. We are going to have very brazen adversaries um on on the various spectrums here and we should recognize that as I mentioned they are brazen so
they will take opportunity and that's both state and criminal and and that's again a challenge that we've got uh you know at the criminal end they will just go after and will be highly opportunistic. We are also similarly seeing in the state adversary space arguably a degree of um broad activity rather than focused activity in order to pursue their strategic endeavors. Um the next is they are technically capable. there is this sometimes this uh there are tropes which are rolled out about how technical adversaries are and I think you know there's a proliferation of knowledge and capability be it commercial or in open source and that leads to very effective operations which are actually detected often far too late
by an awful lot of organizations um and so we should recognize that and respect that you know we shouldn't kind of idolize them and and celebrate them but we should recognize that they are technically capable um in in a lot of guises and and advance advanced if it's ever used should be a very high bar for advanced given that because there's an awful lot of information out there which um some people will say advanced but arguably is common um knowledge. Uh there is also a degree of soph uh operational sophistication. So I think we've seen a number of criminal and state actors conduct supply chain operations uh which have gone undetected um to to great effect and that does show a degree
of premeditated planning and ability to execute and again you know we should recognize that that exists and it is not um a couple of people in a se a secret squirrel office somewhere overseas. Increasingly it is a number of actors uh at various points on the on the landscape that are able to conduct these. Uh we also have uh a unique challenge which is there are those that wish to do um tactical gain and those with strategic intent. So there are those that will literally just quick spin zero days plus one days and see what they get with them at scale for tactical gain. There are also those who are willing to preposition strategically on infrastructure around the globe for a
variety of reasons be that intelligence gain to be able to hold countries uh at risk at point of crisis or conflict or similar and we need to recognize that all of that exists. This is a very turbulent and and kind of free flowing environment. So, we're faced with with this challenge, which is, you know, do we want to fight one kind of horse-sized duck or 500 uh duck-sized horses? And the reality is we don't get to choose. We have to contend with all ends of the spectrum, with all levels of sophistication, with all levels of intent. And that makes it a very kind of busy busy busy place. So, that's hopefully kind of level set in terms of
the environment in which we're operating. When we look at the technology environment or the technological environment as a technologist it is probably one of the most exciting times to to be alive you know and I've gone through the arguably the advent of the internet in the mid-90s in terms of becoming pervasive mobile communications cloud all of that but as you'll see you know we've got some amazing things happening but they also present a number of unique cyber security challenges so one is SaaSification and the numbers on the slide speak to it and you can read them but what this means in reality is that we have some kind of concepts of this perimeter of an organization and I would
suggest that this slide and these this these numbers suggest that that perimeter doesn't exist in the contemporary world actually it's diffused over lots of organizations running software as a service, platform as a service, infrastructure as a service with very complex supply chains of software open source closed source and personnel all across the globe so we need to kind of break out that we can create these walled gardens I think is probably the point that I'm trying to make here in in part because of this and these numbers are only going up. The second is is that we're seeing a radical transformation in telecommunications. So by 2030 uh the 6G standard will likely be ratified that will basically
say that handset to satellite is common that would be basically kind of baked into the standard and then that satellite to satellite laser interconnects will become a thing. So some of the terrestrial networks that we've relied on which have provided us ability to do cyber defense operations are potentially going to become less important and less b uh less burdened.
There we go. They knew I was coming. Um uh so we're going to have you know potentially we're going to have to change how we do some of the things because these technology evolutions and then let alone kind of our we're going to have new suppliers come in into the field and so on the right hand side of this slide is an Indian technology where they've produced the first 5G native um cellular core. Um we're also seeing radical transformation in critical national infrastructure as it moves to cloud. Again, you can read the slides, but basically what this says is things that we're used to having in buildings, which we can touch and turn levers on,
is increasingly dissipating and going away and becoming software in cloud that can control key parts of our national uh critical critical national infrastructure. that presents wonderful opportunity but obviously massive massive challenges when it comes to cyber security for all of the obvious reasons like we use air gaps quite a lot at the moment in order to ensure certain things can't be knobbled um the next is systems are becoming so hyper complex so if I told you that a single um kind of uh CPU now will have intellectual property embedded in it from multiple design partners so it may have a trusted western brand on the side, but it also may have intellectual property as part
of the die from a country we may not entirely trust. And that is a real real challenge. Now, we talk about supply chains. We think about companies and maybe what's in the software. We have yet to get to the level of maturity and understanding on how we go to subcomponent level, but we're going to have to kind of get there at some point. We're also seeing this massive fusing uh across domains of science and technology. And so as a cyber security person, when I had in my second month a company come in who basically grow synthetic brain cells with an FPGA underneath and you code that in Python to do kind of computer operations, you
go, "Huh, we're not in Kansas anymore, are we?" you know, but we are seeing, you know, a a a march towards this and the brain computer interface stuff. The fact that it is going two-way. So, it won't merely being able to unlock those with disabilities, being able to conduct speech or drive computers. There is also the feedback loop in obviously creates massive kind of societal opportunity, but there are cyber security challenges which we have never had to contend with that we're going to have to get comfortable with. And so for organizations like mine, it's how do we think about the skills that we need, the relationships we have with academia and with industry in order to inevitably
provide the assurance that we actually understand the risks and that we can protect these systems to a level when it becomes kind of life consequential. Um we are also seeing a massive massive interest in non-traditional compute. You know I think silicon-based computing we've obviously understand you know obviously the race to quantum computing sure but there are a whole kind of range of other programmable systems which when you look at them through a certain lens present cyber security opportunities and challenges and again fascinating time for science for technology for cyber security but leads to lots of unanswered questions um at the moment and it's something that we're going to have to get after or we repeat the doom loop.
So when we go into the challenges, they are, I think it is fair to say, numerous. And again, I could probably do a whole afternoon on on just challenges. I want to get through some challenges to get into the sunny uplands of the opportunities, but hopefully this will highlight some of some of what we see. Um, we have to be kind to ourselves first. Cyber security as a profession hasn't existed very long. So I think if it was in architectural terms, we're probably at the kind of a few sticks and some leaves territory rather than skyscrapers kind of architectural patterns. So I think you know we have to be a little bit kind to ourselves that
we are in the foothills of understanding. We are also an industry driven by an awful lot of hyperbolic marketing claims. Um but we are still learning our trade and our science of what works in practice and building those evidence bases. Um the second is I think we should all recognize in a lot of cases security isn't valued. Security is seen as a cost and as such it is seen as an optional cost at points of other crisis or other competition. Um and we see this at times with uh the cyclical nature of insecurity in in certain companies but then also you know with workforce reduction security will be impacted. It is not seen as an enduring
requirement always and and naturally we have to be sensitive to what business is trying to achieve but it also does create some monumental headwinds when you're trying to deal with something on an enduring basis. Um we had this fundamental challenge that we can't actually see in all the dark corners of of our digital estates. Um and that inability to introspect and actually understand and monitor really is hurting. It's creating a an advantage for our adversaries because they understand this. So when they're popping printers to dwell there because they don't want to sit on the Windows endpoint because there's EDR solutions there, it probably tells you something in terms of what some of the challenges are. And we could go on about what have
we seen around edge security devices being the cause of security intrusions over the last three years by classes of vulnerability that we teach teenagers to find and that we've known about for a quarter of a decade and yet we couldn't see inside the little black boxes. Um but this is a real real fundamental challenge and it's something that we we're going after with some vigor. Um I think we have to recognize as well you know I started in in this kind of field technology 30 years ago arguably then we could understand it right there were only about three operating system providers and you know computing was ra relatively simple I think we're past the point of understanding um because the
volume of technology and so there's this thing where a lot of what we have done historically in cyber security supposes we fully understand and there's a point at which we have to accept that we will not understand and develop our cyber defense strategies based on that thesis as opposed to we can understand everything and manage all the risk out which is fundamentally not true. Um others will have heard me talk about this before. We have some perverse behaviors on the supply side where if you want access to the quality of logs or you want to turn on security features you have to pay more than the base service. That's a fundamental challenge. And our our position is if um you're
letting me buy a service, all the security should come baked into the ba into the base. I shouldn't be paying more to understand if I was done over or to turn on multifactor authentication. But these are some of these kind of quite predatory behaviors by the commercial sector that we arguably do need to to kind of get after. Um we have a huge issue with data sharing between parties to understand um and so if I go and speak to kind of academic colleagues they struggle to get data from actual people that actually run technology and actually suffer intrusions in order to inform their academic we see challenges cross sectors where lawyers get involved and say you
can't share that or you know and all of these types of things and if we can't get over that we are not going to be able to build the evidence bases to really identify the 1 2 9 20 things that actually work in the majority of cases. And so it's something we do need to to kind of challenge ourselves on. Um we have massive scaling challenges. So the NCSC produces an awful lot of guidance. I would suggest that a lot of that guidance can be consumed and acted on by let's be charitable and say 20% of the business population of the United Kingdom. Um obviously it's far far less if at all in the consumer space. So this
is why we've had to do things like Protective DNS, right: configure DNS service, magic happens, active cyber defense happens, you don't have to worry about. This is why we have to do Share and Defend where we're releasing indicators to the telcos who block at a telco level to provide some of these kind of scalable answers. So I think one of the challenges I'll lay down to you is think about how practicable the solution is beyond the 1%. I see lots of solutions which will work really well if you have the best people in the country to kind of care and feed for it. I do not see many solutions that will work for the someone that has a fractional IT
person that turns up the second Thursday of every month that maybe kicks a server in a corner and kind of applies some patches and and we need to be able to have answers that can kind of deal with all ends of of that. Um I've labored this before in other forums but at the moment there is no cost really on adversaries. You know we focus on IoCs a lot. We don't focus on eradicating TTPs. So we're not forcing material cost on on an awful lot of adversaries. We need to think about how we introduce some peril. So this is why for example we are doing experimentation with cyber deception at the moment in order to kind
of try and introduce that and burn some of the operations at far quicker quicker rate. Um and then before I think we're almost at the end of the challenges we also have to recognize I've talked about future technology. We're living today's technology. We also have technology from 35 years ago still that we need to maintain and that's not uncommon. So you go into any organization of any kind of requisite size and the number of end of life operating systems um you know that don't that aren't even supported by EDR vendors in 2025 is is pretty pervasive. Yeah. And so we have to recognize we also have almost the unprotectable the undefensible technology base and unless we come up
with a way of uh paying that down getting rid of it is always going to be the millstone around our neck. Um evidence of solution efficacy. The number of times people will tell me this stops APTs, this stops all of your cyber security problems. And then I go, okay, show me the evidence base against whom, in what situations, with what caveats, and when does efficacy degrade? Uh and then you get kind of that that that pause. And so there's a thing here around claims at the moment are allowed to be made uncontested. How do we move to evidence of efficacy in real world scenarios at consequential scale? Not it worked in my lab in my test kind of test
range and and similar. Um one of the last ones this is the last one actually in fact is we often still focus on treating symptoms or bits of a system. We aren't as a community often very good at doing systems thinking and I mean that both in the kind of the digital sense but then also the system in which we are operating be it business or government or similar and then the inherent complexity that brings and then how what we do in that to be as effective as possible and I do that because sometimes I have to catch myself whereas I'm focusing on like you know with a team how do we design that mic
that microchip to be secure and then I have to think about as we have learned with CHERI which is a CPU which is uh addresses memory safety challenges. You can have the best technology but if no vendor is going to integrate it because it adds £4.20 to the bill of materials then arguably you've failed. So we then work out actually what we need to be successful. Okay. So that's um mildly depressing to get us there. So what's the opportunity for the sunny uplands? Uh rest assured there are many. I can't do them all justice but I can give you a sense of what some of them are on on this merry journey. So um we
do really need to think about incentives. I would suggest that uh not many of those security vendors who have deployed edge security products have had SQL injection in or default passwords or memory corruption without any mitigations have felt a material level of uh revenue pain that you know there's only one thing that really drives business right revenue and profit. revenue and profit, revenue profit liability revenue profit, liability. Right? They're quite simple bears. Um, and so there's a thing here which is uh what is the incentive to produce secure technology? Then we do also need to recognize that people have bought lots of that and are buying more despite all of those vulnerabilities. So what is the incentive to buy secure
technology? Because if the buyers are just going for price and are not going for the secure technology, then there's no incentive to produce secure technology because I can just sell crap, right? And so there's there is a thing here around incentives that we do really need to get after. If we do not fix that, nothing will change. We will all be here in 30 years and we'll still have SQL injection. Um we cannot quantify technical debt easily. And why that matters is executives are generally numbers driven. If we cannot quantify if you know if we only use risk and RAG status lovely we need to start quantifying it and giving them some measure so they can measure with
competitors they can see whether or not they're comfortable with it and the like. So thinking about so one of the proxies that that we tease about here is um for those that of you that that like me have never done A-level accounting but you've basically read a book um if used depreciated assets on a balance sheet. So this is IT that's been bought, capitalized out over a number of years. So when you buy an IT asset you spread the cost over usable life five seven years and you've amortised it back in. You could use that as a measure of um of technical debt and that would be something that the CFO would understand, the CEO would understand and the
non-exec directors would understand. But this is the type of thing that we're going to need to do if we're going to be successful in terms of driving some of the change. Um we do need uh further transparency by all parties. It it goes without saying, but I have to say it. You know, we have, you know, software bill of materials on the technology supply side is not grade-A transparency, right? That that tells me, you know, maybe the ingredients you put in the sausage, it doesn't actually tell me what the sausage how the sausage is made. And I and and we all need to know that. Um, as I've mentioned kind of previously, but it's worth laboring, we're going to
need to get more scientific about this if we want to to actually do we don't have limitless cash. So we need to do like what works. So what works is what things like the Home Office does. So when they do policing interventions or other societal interventions, they have strong evidence bases that they actually know that actually works in practice. They're not throwing darts blindly at the dart board. Cyber's still not quite there yet. And and that's the massive opportunity for us. The other is as we go on this AI hype curve, which is terribly exhilarating for us all. Um if you touch a legacy system, you can't just slap AI around it. You have to fix
the legacy system as well. So, so all of this investment that's coming in from AI, how do we use that as a tool to pay down some of some of this technical debt? So, the you touch it, you fix it, um mantra becoming common um as buyers, the buyers in the room of technology, demand better. Get together with your competitors in your sector, demand better together. just demand better from those who provide us technology and services. They keep telling me customers aren't asking for it. I don't believe that. They need to hear the cohered voice. They need to understand that it's demanding and not the optional clause that will be carved out by the commercial negotiation team
because they'll get an 8% uh um discount on on the price. Um we are going to eradicate phishable authentication in the UK. So passkeys is our strategic move here. Um we will we are rolling that out across government. I think our OKR you can tell ours originally from the private sector but I think our OKR is something like 70% of government authentications will happen phishing-resistant authentication by something like 2030 something you know so we've set pretty high OKRs on this but we also need the private sector to adopt them and not provide backup non still phishable solutions to that. Um and then the last one is we have to surprise our adversaries so the creativity in
this room in the other room. Do things that they're not expecting. Just don't turn the handle. Turn up. Be creative. Find new ways that we can do cyber defense, build cyber resilience, and do the unexpected and arguably at some pace. Um, so in closing, uh, if we don't get our foundations right, this is technical debt. It's all of the things that we do know work. Multifactor authentication we know will would address about 60% of the breaches that we see. If we don't get these things in place, you people don't understand what their estate is, IT asset management, they're not patching it, we lose. It doesn't matter what kind of wizzywoo we put on the top. We've got
to get the we've got to get the foundations so they are um there. We also have to prepare for that when so if we look at a lot of organizations, they still think that they can keep all the bad people out. They don't actually prepare for the consequential loss event and actually have a strategy of recovery. They don't know how they would communicate if they lost all of their email. They don't know how they would kind of what where where are the run books on isolated iPads. All of these things we do need to do. Yes, let's let's kind of plan for success, but we've got to prepare for the worst. And that's building true resilience in, you
know, and this goes down to certain sectors that we're working with. How do you have distinct software that's able to execute the same critical business function that's entirely different? You know, in order to build some of that level of resilience, um, we don't get charged for seat belts for a reason. We should not expect the same in the cyber domain, right? Multifactor authentication, comprehensive logging in the base product even if it's a premium offer, right? That time has to be done now. Uh our adversaries are capable and they are unconstrained. And so there's no position or no place for arrogance here. You know, we need to not idolize them, not make them rock stars, but we do need
to be respectful. And that's why it's going to need us as a community to kind of go after this with with some vigor. Um so the so what uh firstly is how do we uh collectively address this illusion of control that somehow we can know everything and be precogs and all of that rather than we're packing a surfboard through the kind of the next 20 years and we're going to have to be kind of quite resilient and adaptable for that. Uh how do we achieve resilience in systems that we don't understand? I don't think anyone knows how you do that, right? And so, how do we actually kind of get comfortable that we can do it and it will work when we
need to? Um, and then given international supply chains, foreign workers from maybe not an entirely friendly state kind of abusing remote working to get into companies all over the globe. How do we deliver assurance in our contemporary way of working? And that will also come to generative AI and code it generates, right? How do we get confidence and assurance over it? So just kind of closing out last points uh and we're almost on time with about 60 seconds to go. So this slide is from 2023. Uh what it says is about uh something like 74% of the IPv6 internet scanning came from two data centers in China. Why would that be? Don't know. Um, this slide
says, uh, long-term plays work. So, Finland, next door to Russia, realized it had a disinformation problem. In 2018, I think it was, they started training their kids in high schools. They come out at the top of the ranking now in terms of being able to spot and not be susceptible to the influences of disinformation. So, plant seeds now. Everyone looks like a hero in about 5 to eight years, but you got to make the first move. So closing out, we do need to impose cost on our adversaries. If we don't, it's just going to be too easy for them. They're going to walk us up and down the pitch. The second is we do need to build kind of evidence
resilience. We need to build it, have confidence it will work, prove it does work when we actually need to. And then we need to prepare for when. And with that, thank you very much.
One question, maybe two, I don't know.
>> Any questions for Ollie?
>> I have one question.
>> Go on, please.
>> Um, so not sure if you saw, but the CISO of I think it was JP Morgan put out a really good blog about the resiliency and and architecture of the SaaS the SaaS supply chain. Yeah. What do what do you think of vendors or organizations doing that and demanding better of that
>> That's what we need more of right and I actually contacted him afterwards and we had a conversation and and so we'd only celebrate it right I think there is this almost learned helplessness on the customer side that you can't challenge those who are providing technology and I think that that that drew some very clear lines in the sand of what was acceptable and you imagine that happened across energy telecommunications D, you know, I think that would put everyone that provides us technology and services on watch rather than they think it's a point of negotiation in a commercial agreement.
>> Thanks for JP Morgan. No,
>> I think there's one question at the back. Is there one question at the back? No.
>> What are your thoughts on Intel management engine?
>> Uh well uh in what context? You talking about foreign actors being able to design
>> the Americ's
point I made more generally we have lots of these systems be they embedded devices be that management engines be that uh other kind of suboperating system hypervisors etc. etc. etc. We need to get it all out. We need to be able to do introspection in these in order to understand if they've been exploited and misused. And I think that's a that's a position that that we've hold. And indeed in February we published guidance for embedded device manufacturers on minimum levels of streaming telemetry and forensic uh collection that we would expect in such systems today. But great question. Thank you. I'll I'm looking to you to govern time.
>> One small one.
>> Not a small one. Oh, there we go.
>> Um, policy, especially international policy.
>> Everything's international supply chain.
>> Yes.
>> We've got rules coming in from
>> the FDA. I work in the medical device. You sell into the US. Great. So, you need to do this thing. Fill in this form via this thick client that runs a very old um Java. Yeah,
>> it's going to be Java. You know, it's going to be Java.
>> Um NCSC essentials
>> says you really need to get the stuff off your network.
>> Sure. Sure. How what's your view on how intergovernment policy can actually really have an influence at the deep level?
>> Yeah. So, so obviously we're not a policymaking department but we do support those who do. I think what we would rec so uh we we support UK policymaking so hopefully it's technically credible. If you don't feel it's not come and speak to me. I think what you're alluding to a little bit which I'll also kind of scratch at is we do recognize that there's lots of policy being made across the globe and it's not always aligned and there's a point where some of that will need to converge but I think there's a debate on what that forum is today because this is a United Nations is it something else discuss