‘Nothing is foolproof’

British cyber security expert CHARLES BROOKSON shares his views with BWSC, on a recent visit to New Delhi

Having spent two decades in British Telecom and another in the UK government, CHARLES BROOKSON’s expertise and insights span both worlds with ease. BWSC caught up with him on a recent visit to New Delhi and was surprised to learn that nothing surprises him anymore! He shares his views on what it means to be still watching people make the same old mistakes after 40 years in the business of security.

How do you balance openness with the limits to that openness?

Keeping open data secure is a crucial issue and the trouble is that though you can think of technical ways of protecting it, you have to take the top-down approach to see why it needs protecting in the first place. Too often we rush into technical measures first. What we’re trying to do is best described as “privacy by design”. Obviously, as a citizen, you have to give up a certain level of privacy but does giving up information compromise me as a person? It’s a question of trust. How far do you trust people to look after your privacy? Who do you trust – a commercial company or a government?

What will be the role of governments when it comes to security and privacy concerns, going forward?

It will have to be a very delicate balancing act, for sure. It’s excellent if they can standardise services to make them cheaper and easier to access, but they’ve also got to think about privacy issues. Again, it’s a matter of trust, as it takes a long time for legal frameworks to catch up in a constantly-changing environment. Training is another thing. We may have laws against, say, spreading computer viruses but how do you actually use them? Imagine going to a police station to report a computer virus. The only answer is to set up specialist units. If you look at the degree of security you need to put at all levels, you’re asking for a commercial system to meet all those requirements. It’s been said by people greater than me that the most secure computer is one that’s turned off and the most secure mobile phone is the one turned off with the battery taken out! It’s a matter of risks and balancing them. You can never develop a system that’s totally secure.

You’ve been doing this for a long time. So, just off the cuff, what scares you?

I’ve been around so long that nothing really scares me anymore. I know it’s going to happen and I’m quite happy because things will always go wrong and I’ll always have a job.

We often say that when it comes to big data and its applications, the limits are the imagination itself. Is it the same with threats from cyberspace?

That’s true, actually. I used to have a document that described different ways of breaking mobile phone systems, which we kept with the GSM Association. Yet, when people found a mistake in it, it was something we hadn’t recognised because the system is so big and complex and depends on so many factors. It’s like the human organism where you can’t predict everything. You can only make the best effort to put it right. The important thing is to make sure you can measure and see what’s going on to ensure that when something does go wrong, you recognise what it is and can get the right expert to respond. That’s what people usually fail to do.

What would you say have been a few positive developments in the field over the past few years to change the thinking on cyber security?

I’ve been involved now since 1974, over 40 years, and I guess the big change is that we now have a lot more people interested in it, asking the right questions, as well as a lot more money being spent on it. Other things include legislation, data privacy, ethical operations and the pressure from consumers to keep data secure. When I started in the late 70s in the UK, all you had were a few experts sitting around a round table. You can’t do that anymore.

What would be your threat predictions for 2016?

I’m not going to make any predictions because I know all the threats will be things I’ve seen before. It’s amazing how people don’t learn from what’s happened in the past and a lot of the security instances are things I’ve seen in a slightly different form before. People are prepared to put in a great deal of investment into finding ways around things! Nothing is foolproof. If you really want to be secure, keep a card index system, lock it up and don’t look at it. What I’d like to see is standardisation to make sure that security works seamlessly. Standards can help create a secure environment, with equipment that behaves the same way wherever you get it because you’re often buying stuff that is not necessarily produced in your country.

Are we moving towards the end of proprietary standards, in favour of open ones?

I think we will get a mix as there are examples of both that have worked. Your mobile phone is an example of a non-proprietary standard that has clearly worked, although there were proprietary standards before it. Proprietary standards produced by groups of companies or specialised interests also have their place. It’s always a dilemma, really. There are so many standards bodies and so few security experts. You have to back the winning ones, like in a race, that are going to work. If I’d been able to predict which standards work, I would have patented them and been a rich man!