Ollie Whitehouse is the first-ever chief technical officer (CTO) the UK’s National Cyber Security Centre (NCSC) has appointed. Whitehouse formally began his role in October 2023 following the initial appointment in September.
Speaking exclusively to Infosecurity following his keynote speech at the Black Hat Europe 2023 conference, Whitehouse shared what his new role with the NCSC entails, how he wants to prepare UK organizations for looming cyber-attacks and what keeps him up at night.
Infosecurity Magazine: You are NCSC’s first-ever CTO. Why does the agency need a CTO and what are your missions?
Ollie Whitehouse: As the technical authority for cybersecurity in the UK, the NCSC has a cohort of over 250 researchers. The CTO's responsibility is to ensure that we have the skills and capabilities to conduct that research and work with our academic and commercial partners.
A third of my time will be focused on making sure our researchers have the direction they need and are executing their missions, another third will consist of representing the organization as its most senior technologist, and the last third will be dedicated to working with partners.
I’ve been in the role for a few weeks now, and I’m giving myself three to four months to learn about the organization. Then, I will have two priorities:
- Active Cyber Defense 2.0, the upcoming second phase of the NCSC program offering free security services and interventions for organizations.
- How we give clearer market signaling to the problems that we don’t think are being addressed by the free market, so private equity actors, entrepreneurs and industry more generally can step up and help us develop solutions that address these problems.
IM: Which cyber research areas excite you the most?
OW: One that I think could lead to ground-breaking discoveries is the US Defense Advanced Research Projects Agency (DARPA) challenge around the automatic discovery of vulnerabilities and their resolution. This is a way that we could eradicate technical debt at pace.
Also, some awesome papers were published during the 2023 Internet Measurement Conference (IMC) in October 2023. Being able to measure every router manufacturer on the hop is exquisite. For example, it allows me to understand what the most important vendors in the UK are.
IM: You have said that software vendors should stop selling security as an extra feature, but also that regulation shouldn’t be the first solution. How do we ensure secure products without regulation?
OW: That’s correct – I said that seatbelts are not a premium feature, and we should no longer tolerate vendors who sell them as such.
We should use regulation, but it shouldn’t be the first step. We should also recognize that, since many countries are currently regulating cybersecurity, and they do not always align, there’s a significant compliance cost to organizations, which creates friction.
Additionally, regulation can be quite constrained and not adapt as technology evolves.
In the UK, we would first come up with guidance, then issue codes of practice, and then, only if we still see shortcomings, would we move to legislation and regulation. But why would you jump to that if we can get there through discussions and agreement?
IM: Does this approach work?
OW: I think we have great examples of times where it has worked in the past.
Take the Secure by Design and Secure by Default initiative. Some vendors will adopt these principles wholeheartedly, and others will only adopt them if their customers are pushing them, but overall, I think such industry-led efforts are the right approach.
IM: You have also said that “making phishing a thing of the past” was the most critical challenge the cybersecurity community should tackle. Why do you think that is?
OW: Because it touches everyone, from very large organizations, where it causes massive data breaches and financial losses, to our families and friends.
It’s so effective because it exploits human traits, whether it is fear of scarcity, fear of loss, or fear of authority, which are used with great effects by those conducting phishing campaigns.
I don’t have the answer to resolving this huge and hard problem, but I wanted to insist on that in front of the hundreds of cybersecurity professionals who came from around the world for [Black Hat Europe]. They, collectively, have the answers.
IM: Where is the cybersecurity community good at collaborating and where does it need to improve in working together?
OW: If we look at the guidelines for secure AI system development that [the NCSC] launched in November, following the AI Safety Summit in October, it was the first time ever that 21 national cybersecurity agencies signed the same cybersecurity document.
It’s pretty clear now that cybersecurity is no longer something governments can do alone.
In academia as well, there are so many incredible collaborations between researchers from multiple universities and different countries working together on their research and publishing papers together.
Finally, yes, the incident response and threat intelligence communities sometimes work in nearly secret trust groups, but I can also see they’re increasingly collaborating and sharing intelligence.
However, there could indeed be more collaboration on governmental, regulatory, and vendor levels. We’re starting to see more cooperation from some of the hyperscalers, who are looking to collaborate more on certain fundamental technologies they rely on. But it could be done more transparently.
IM: What in cybersecurity keeps you up at night?
OW: I’m not sure we’re fully prepared for the ‘when’. When the big event happens – and one will happen in our lifetime – do we have enough capacity and capability to be able to respond on an enduring basis that goes beyond weeks?
If I look at the UK’s private sector, there are no more than four to six companies that are able to deal with operational technology (OT) cyber-attacks at scale, for instance.
That’s why NCSC needs to develop better market signaling solutions.
We also introduced the Cyber Incident Response (CIR) Level Two scheme earlier this year. Level One was for organizations that are able to deal with threats of national importance. Level Two will be dedicated to enhancing private-sector companies’ incident response maturity to be able to deal with commodity threats at scale.
IM: What are the biggest successes that you think the cybersecurity industry is experiencing today?
OW: Look at how diverse cybersecurity has become. Once upon a time, the industry was nearly only made of white male people. It’s no longer entirely white male, and that’s great. Diversity of people means diversity of thoughts, which our industry critically needs.
On the technological front, I’m particularly buoyed by the conversation we’re having both around quantum and AI.
And we’ve had them quite early on – we’ve not waited for those technologies to become endemic and then worried about how to secure them.
I’ll give you one example: most AI vendors have set up internal AI red teams; they’ve not waited to be outed for having systemic vulnerabilities.
It shows that we’ve broken the traditional cycle of releasing a product and only starting to secure it once it’s been broken into – and I’d say it has something to do with initiatives like Secure by Design and Secure by Default being efficient.
IM: If you could give one piece of advice to cybersecurity professionals, what would it be?
OW: Never be afraid and always continue learning. After 27 years in cybersecurity, I’ve never stopped learning. I still do three hours a week of training, every Friday afternoon. It’s essential to keep yourself sharp and on the game.
When you commit to lifelong learning in cyber, you have a greater impact.