NCSC’s Levy steps down after 20-year intelligence career

Ian Levy, the longstanding technical director of the UK’s National Cyber Security Centre (NCSC) and Hitchhikers’ Guide to the Galaxy fan, is to step down from his post after a 22-year career in the intelligence services.

A graduate of the University of Warwick, from where he also holds a PhD in computer science, Levy joined GCHQ in 2000 and rose to become technical director of cyber security at the Cheltenham-based agency.

He transferred into the NCSC on its creation in 2016, where he has remained ever since, working through major cyber incidents including WannaCry, the rise and rise of ransomware gangs and, most recently, the cyber impacts of Covid-19 and Russia’s war on Ukraine.

“It’s with a heavy heart that I’m announcing that I’m leaving the NCSC, GCHQ and Crown Service,” said Levy. “Being technical director of the NCSC has been the best job in the world, and truly an honour.

“I’ve met and worked with some of the most amazing people, including some of the brightest people on the planet, and learned an awful lot. I’ve got to give a special mention to everyone in the NCSC and wider GCHQ because they’re just awesome.

“And I’ve also had the pleasure of working with vendors, regulators, wider industry, academia, international partners and a whole bunch of others. I like to think I’ve done some good in this role, and I know I couldn’t have accomplished half as much without them.

“I know that the people in the NCSC will continue to work tirelessly to make the UK the safest place to live and work online, and to do their best to implement the national strategy. I know that whoever takes over as NCSC technical director will have the best team on the planet to help them.”

In a lengthy essay peppered with references to Douglas Adams, Star Wars and the B-17 bomber, Levy reflected on his time at the NCSC, and spoke of some of the cognitive dissonance that still surrounds the cyber security world, urging cyber professionals to maybe ease up on some of the groupthink by putting themselves into the shoes of those they are protecting, being slower to blame non-technical folk when things go wrong, and building things that work for everyone, even if that is not always the easiest thing to do.

He also spoke of a tendency for the security community, and one that is shared by many cyber experts, to not learn from past incidents and wind up in Groundhog Day-like situations

Log4Shell, he said, was just such a situation, having a remarkably similar genesis to Heartbleed back in 2014, in that both resulted from a technological solution developed in good faith having gone out into the wider world without proper attention being paid to its maintenance and security.

Similar parallels exist between supply chain attacks such as the 2020 Russian hit on SolarWinds and other incidents dating back to the turn of the century, he said.

Levy went on to propose what he termed a “grand unified theory of the cyberz” by which defenders might be better able to protect their charges, make security a more repeatable exercise, and get ahead of the bad guys.

He wrote of a tendency to record cyber incidents in narrative form, which, while interesting, does not allow people to do “really useful things with the data”. If there was to be a global, machine-readable standard for recording incidents, he suggested, it would become possible to quickly work out, for example, that a particular product or vulnerability mitigation was causing problems because it was too hard for most people to configure, and perhaps even spot new zero-days before they become widely exploited.

Using some degree of automation, said Levy, such an approach might resemble some kind of combination of CVSS, CVE, CWE and MITRE ATT&CK paths, and could enable security practitioners and bodies such as the NCSC to collaborate much more effectively with their peers while preserving victim privacy.

Levy concluded: “I know that the people in the NCSC will continue to work tirelessly to make the UK the safest place to live and work online, and to do their best to implement the national strategy. I know that whoever takes over as NCSC technical director will have the best team on the planet to help them. I really hope that everyone outside the NCSC that has supported or challenged me will continue to do that for my successor.

“It really has been a privilege and an honour to do this job, but it’s time for me to move on. So, I’ll finish with a tweak to the genius of Douglas Adams: so long, and thanks for all the bits.”