
Firms that force you to change your password are clueless says cyber security chief

Security expert rails against the bad advice that everybody follows and the industry's addiction to hyperbole.


Dr Ian Levy, technical director of the UK National Cyber Security Centre

Image: UK government

Does your firm make you change your password each month and warn you not to open suspicious email attachments? Then they haven't got a clue about IT security.

So says Dr Ian Levy, technical director for the UK National Cyber Security Centre.

Levy was scathing in his assessment of the "stupid" and user-unfriendly security advice habitually doled out.

Top of his list was the perennial warning not to open attachments or click on links in an email unless you trust the sender.

The number of users capable of delving into the technical detail of an email to spot the difference between a well-crafted spoof banking message sent by a hacker and the genuine article is vanishingly small, he said.

"That is the most stupid piece of advice I have ever heard," he told the Microsoft Future Decoded conference in London.

"How many people in this room [of business people] could read email headers on the internet? I reckon maybe five. How many could consistently understand it? Maybe two.

"We're blaming the user for designing the system wrong, we're trying to get the user to compensate for bad system design. That's stupid, let's fix it."


Just as hopeless is the stipulation that users not only create complex passwords for every service they use, but that they change each password every month, he said.

When you take into account the number of services people use, that advice amounts to telling people "please go away and remember a different 660 digit number every single month", he said.

"Who reckons they could do that then?" he asked the room.

"This kind of advice has to go, we have to make it much more user-centric, stop blaming the user, give them information and let them make decisions."

Earlier this year, the US Federal Trade Commission's chief technologist Lorrie Cranor made a similar point, arguing that forcing regular changes can result in people choosing weaker passwords and "may actually do more harm than good".
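The mechanism behind Cranor's point is that people who must pick a new secret every month rarely pick an unrelated one; they edit the old one. The following is an added illustration, not code from the article, from the NCSC or from the FTC: a small guesser that, given one leaked or expired password, enumerates the edits a rotating user typically makes (bump the trailing number, swap the season or month, append or swap a trailing symbol). The transform list and the sample password pairs are constructed for the example; the point it makes is that the "new" password falls in tens of guesses rather than requiring a fresh search.

```python
"""Transform-based guessing of a rotated password from its predecessor.

Added example (not the article's or NCSC's code). Assumes, hypothetically,
that a rotating user derives each new password from the old one by a small
edit; the transforms below are the common ones and are not exhaustive.
"""
import re
import string

SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SYMBOLS = "!@#$%^&*?"


def _match_case(template, word):
    """Copy the capitalisation of `template` onto `word` (Summer -> Autumn)."""
    if template.isupper():
        return word.upper()
    if template[:1].isupper():
        return word.capitalize()
    return word


def transform_candidates(old):
    """Return guesses for the password that replaced `old`, likeliest first."""
    cands = []

    # 1. Bump a trailing number: Passw0rd1 -> Passw0rd2, Hunter2016 -> Hunter2017.
    m = re.search(r"(\d+)(\W*)$", old)
    if m:
        num, tail = m.group(1), m.group(2)
        head = old[: m.start(1)]
        for delta in (1, 2, 3, -1, 10, 100):
            n = int(num) + delta
            if n >= 0:
                cands.append(head + str(n).zfill(len(num)) + tail)

    # 2. Append a digit or symbol: Summer -> Summer1, Summer!.
    for ch in string.digits + SYMBOLS:
        cands.append(old + ch)

    # 3. Swap or drop a trailing symbol: Summer! -> Summer?, Summer.
    if old and old[-1] in SYMBOLS:
        cands.append(old[:-1])
        for ch in SYMBOLS:
            cands.append(old[:-1] + ch)

    # 4. Swap a season or month name: Summer2016! -> Autumn2016!.
    lower = old.lower()
    for words in (SEASONS, MONTHS):
        for w in words:
            idx = lower.find(w)
            if idx < 0:
                continue
            orig = old[idx: idx + len(w)]
            for repl in words:
                if repl != w:
                    cands.append(old[:idx] + _match_case(orig, repl) + old[idx + len(w):])

    # 5. Toggle the case of the first character.
    if old:
        cands.append(old[0].swapcase() + old[1:])

    # Dedupe while preserving order; never "guess" the old password itself.
    return [c for c in dict.fromkeys(cands) if c != old]


def guesses_needed(old, new):
    """Guesses until `new` is found from `old`, or None if no transform fits."""
    for i, cand in enumerate(transform_candidates(old), start=1):
        if cand == new:
            return i
    return None


if __name__ == "__main__":
    # Constructed sample rotation pairs, not real user data.
    for old, new in [("Passw0rd1", "Passw0rd2"),
                     ("Hunter2016", "Hunter2017"),
                     ("Summer2016!", "Autumn2016!"),
                     ("Passw0rd1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {guesses_needed(old, new)} guesses")
```

The last pair shows the contrast: a genuinely new secret is not reachable by any of the transforms, which is the behaviour a rotation policy is assumed to produce but, per Cranor and Levy, generally does not.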

Guidance about the nature and scale of threats faced online is little better, Levy said, describing most as being mumbo jumbo designed to scare the average user.

"Everything we do as an industry is about making it sound really, really bad, because then you can't possibly defend yourself and the thing you do is buy the magic amulet."

Emblematic of that hyperbole-heavy and fact-light approach is the oft-repeated estimate that cyber crime costs UK businesses £27bn each year, he said, a claim he described as having no evidence to support it.

That hype is embedded in commonly used industry terms, according to Levy, who said that APTs, or Advanced Persistent Threats, a label for intrusions in which attackers stay undetected long after breaching a system, would be better characterised as 'Adequate, Pernicious Toerags', in reference to the rather underwhelming reality.

"They're adequate, because, on average, they use vulnerabilities that were patched one, two, three years ago," he said.

"They're pernicious because, let's be honest, they are, and toerags is the least sweary word I could come up with beginning with a 'T'."

Calling on the IT security industry to offer advice and warnings backed by fact, he said that the UK's recently launched National Cyber Security Centre would lead the way in providing this data-driven guidance.

"My job, as part of the National Cyber Security Centre, is to change that fear into evidence, driven by data.

"Transparency in cybersecurity is unheard of as far as I can tell. We've never had national-scale data generation and understanding about what the national threat picture actually looks like.

"Who are these people attacking us, why are they doing it and how successful are they, what does it mean to you and my granny.

"Until we can have that kind of conversation, where people make sensible, value-based risk management decisions every day about using technology, we'll never reap the benefits of all the new stuff that's coming.

"People will be too scared to get an autonomous vehicle because hackers can break it, people will be too scared to have their insurance premiums calculated by a machine based on their Fitbit data because hackers can break it.

"We have to get underneath the hyperbole."

Levy's comments coincided with the launch of the UK's new National Cyber Security Strategy. Under that strategy, supported by £1.9bn in funding over five years, the UK chancellor Philip Hammond pledged the UK would bolster its ability to mount cyber attacks, saying it was important the UK could "strike back when we are attacked".

"If we do not have the ability to respond in cyberspace, to an attack that takes down our power networks leaving us in darkness or hits our air traffic control system grounding our planes, we would be left with the impossible choice of turning the other cheek and ignoring the devastating consequences or resorting to a military response," he told the conference.

"That is a choice we don't want to face or to leave as a legacy to our successors. That is why we need to develop a fully operational cyber counterattack capability."

About Nick Heath

Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.
