Cybersecurity is a rapidly evolving field, with digital transformation efforts and heavy reliance on technology exacerbating the threat landscape. Although it is typically viewed as a modern field, examining the deeper historical roots of cybersecurity can be of enormous relevance today – helping us understand the current environment and providing learnings from the achievements and mistakes of our forebears.
With cybersecurity in its infancy compared to other industries, we are in a privileged position to be able to learn from those who began working in IT at its early stages of development. It is vital this opportunity is seized.
Infosecurity has had the pleasure of facilitating a discussion between three individuals in the industry who represent different generations and experiences. First, British Army Colonel (Retd) John Doody, who has held numerous high-profile roles in the cybersecurity industry, including as Head of Information Assurance Customer Services at CESG/GCHQ. At the age of 80, he is still extensively involved in the sector, particularly through speaking engagements.
At the other end of the age spectrum was Tamzin Greenfield, a 19-year-old cyber junior threat analyst apprentice at Cyber Security Associates, who is undertaking a Cyber Security Technical Professional Standard degree at the University of Gloucestershire in the UK. Greenfield also undertakes a number of advisory and mentoring activities, representing the future of cybersecurity.
In the middle of the age ranges was Professor John Goodacre, director of UKRI’s Digital Security by Design (DSbD) program and Professor of computer architectures at the University of Manchester. Goodacre studied computer science in the mid-1980s and therefore has been at the forefront of cybersecurity challenges as the role of computers has expanded in society.
The discussion encompassed a number of important areas; in particular, the evolution of cyber-attacks and security, why we are facing the issues we experience today, and how the new generation of cyber professionals can create a secure future.
Infosecurity Magazine: How did you begin in coding/security?
John Doody: My first exposure to coding was way back in 1973 on my degree course, where I started to gain a minor understanding of machine code programming; however, it was clunky and I never warmed to it. In those days, security was not an issue.
It wasn’t until 1979/80 that I got involved with coding again when I worked at the Royal Armament Research and Development Establishment (RARDE). There, I ran an electronic warfare simulation that required a lot of software, but was a bounded system, so wasn’t connected to anything. The only security was protecting the boundary of the computers, which were big batch computers into which punch hole cards were inserted. That was the birth of big coding.
My next real exposure to coding was when I joined GCHQ and their protective security branch, the National Technical Authority for Information Assurance (CESG). They were responsible for all the high grade cryptography products used to defend UK government secrets. Today, that organization is known as the National Cyber Security Centre (NCSC). From around 1993 onwards, software security was becoming a big issue in defense – we were introducing a lot of software systems for command and control and office systems, and it required security.
In those days, it was assumed that you could add security on as systems were developing but of course we all know today that it has to be built in on day one. My first experience of security by design was with the Ministry of Defence’s Corporate Headquarters Office Technology System (CHOTS), which was connected to a lot of other networks, so security was paramount. This was really effective.
Tamzin Greenfield: When I was a young teenager, there were a lot of terrorist attacks going on, and that drew my attention to national security. This led to me picking a computer science course for GCSE, and I also did GCHQ’s CyberFirst Girls course, which introduced me to the history of coding and people like Alan Turing and Ada Lovelace. I just kept going with it – I’m a very creative person outside of work, so this was a way to be both creative and technical.
Cybersecurity is integral as we’ve reached a point where our day-to-day lives are being affected by technologies, including critical infrastructures like the NHS. Once you’ve made technology a requirement for people’s lives, you can’t leave them without security because it can have devastating consequences.
When I was studying computer science for my GCSEs and A-Levels, we were taught about failsafes, so what to do if the user’s putting in something you don’t expect. And what we learn now is how to code securely from the start, so it’s definitely something that’s being considered more. However, I still don’t think it’s taught enough, especially as it’s in the public eye and non-technical people are going to be thinking about it. Therefore, we must make sure we are clear about our security measures because otherwise the day-to-day users are going to assume the worst.
John Goodacre: Listening to John and Tamzin, the thing that stood out to me was that John spoke about looking at the person that’s running the system, whereas Tamzin spoke about protecting others. So there’s a fundamental change here of viewing security – from the historical way of ‘I need to protect myself’ to ‘it’s part of society, I want there to be a more secure world, protecting others.’
One of the challenges with the Digital Security by Design (DSbD) program is that the cybersecurity business today is all about protecting myself at point of use. Whereas DSbD is about what can I do with the fundamental technology to protect everybody from themselves and others, so it’s closer to Tamzin’s perspective.
IM: What are currently the biggest challenges in coding and security?
JD: I think it’s making cybersecurity and coding the profession to be in. Cybersecurity is one of the highest growth professions in the UK, and the money involved is phenomenal – a pen tester can command £100,000 a year. In the past, cybersecurity used to be the privilege of a few, but is now in everything we do. We’ve got to do more education and training and make the industry more attractive to bring bright young people in.
Another issue is diversity. For many years I have chaired cybersecurity conferences – many years ago I’d stand up in front of an audience and they were all dark-suited men with briefcases and not a woman in sight. Now, there’s a lot more women in the audience and we’ve got to encourage more of that. The more women we get into the profession, the better publicity there will be for the industry and we will be more secure.
TG: Often being a young woman in cybersecurity is terrifying. Frequently, I’ve been the only woman in my office for two years and everyone else are men 10 years older than me. There are a lot of goalposts that seemed unachievable when coming into the industry, because as someone in a minority group in cyber I have to be standing a couple of heads above the average person to get over other people’s biases they might have against me originally.
Anyone in the industry can have issues around mental health and stress – it’s an industry that emphasizes you need to be working all the time, you can’t switch off from it. I believe stress is one of the biggest challenges because there’s a lot of pressure, especially for young people.
I also agree with John’s point about the need to advertise cyber careers better. I used to hate computers when I was younger but my friends nicknamed me ‘Q’ after the James Bond character. When I watched James Bond I thought that’s really cool. I think we need to lean into the ‘cool hacker’ idea, and this is something I’m very aware of when I do outreach programs and mentor younger students. Hopefully by the time these younger students enter the industry they will have more people they can look up to, like women and people of color.
To attract the average person, we’ve got to emphasize this is a cool career which pays good money and that there’s a bright future in technology.
JG: When I look back at computers when I first started, they were exciting, and we felt we could be creative and productive with them. But what we’re hearing here is that ability to be creative is challenged at the moment. We’re having to constantly review everything to make sure we haven’t made a mistake. If we do make a mistake, that could collapse the company – the level of stress that’s been placed on people today to be secure probably means it’s not the most attractive place to have a career. So how do we bring the attractiveness back?
We’re heading in a direction of cybersecurity that’s not sustainable. In essence, humans are building these systems, so there will be mistakes. At the moment, one error is enough to breach your system if the attacker finds it, and the only solution we have today is for security professionals to work weekends and rush out a patch that the whole world has to put in their systems the next day. It’s not a fun place. That’s where DSbD is trying to help – that if there is a mistake, it’s not exploitable, at least in 70% of cases.
IM: How can younger and older cyber workers learn from one another?
JD: The most important thing is maintaining visibility of today’s youth in this area and having a more intellectual appreciation of their skills and outlook. Cybersecurity is not just about the technical or software element, there’s also a human element. It’s very important to focus on the social aspects of cybersecurity and the environment we’re bringing these people into. There should be an integrated approach from young to old in this business, and it is beholden on all of us to understand and nurture the youth of today. They are very talented and will be our champions in the future.
TG: I’d love to hear the older generation in the industry speak as openly as they can. Speaking about the pure creativity they had when they began working in the industry. What inspired me to enter the sector was things like Bletchley Park and Alan Turing. I’d love to hear more positive stories from the older generation because they come from that ‘golden age’ of computing.
I’d like to ask what we can do to make this future that you guys dreamed of when you were starting off? It’s a bit like passing the baton down. If we can learn from the older generation about what they saw the perfect future as and how they think we can achieve it, we can take that insight in. We have such a privileged spot to be in because that generation didn’t have an older technical generation to look up to, whereas we do – why not capitalize on that and make the industry stronger?
JD: If it’s any consolation, I’m in my 80th year and can’t let go of this subject! I’m an evangelist and I mentor youngsters, indoctrinating them into the real cyber world. My generation are beholden to make sure we are engaged with the younger generation, highlighting the opportunities that are ahead of you and the national importance of your contribution.
JG: I think the question Tamzin should ask is ‘do I have to inherit what I’ve got.’ That’s particularly key in cyber because if you ask someone a bit older than her, in their 30s and 40s, have you ever thought about changing what the computer does to solve your cyber problems, it’s just not on their radar to say ‘that computer is insecure.’ They talk about hardware agnostic software and portability, they won’t say ‘that computer’s broken, let’s go and fix it.’
Looking to the future, we have to implement the new technologies coming through, like quantum, in a way that’s not insecure. Let’s make cybersecurity one of the questions that’s asked against the new technologies.