NCSC CTO: UK tech sector not incentivising companies to build secure software
Calls for market reform to usher in secure future tech
The National Cyber Security Centre's (NCSC) CTO, Ollie Whitehouse, has told delegates at CyberUK 2024 that the current market fails to incentivise the development of truly secure technology.
In his keynote speech on the second day of the conference, Whitehouse said the UK's tech industry is not actively taking steps to deliver on its security promises. He called for a major shakeup of the technology market.
"We know how to design and build resilient, secure technology. We just need a market that supports and rewards it," Whitehouse said, outlining several key issues.
First, there has been an increase in disclosed vulnerabilities, a trend he believes malicious actors are exploiting by creating a record of these weaknesses.
In the last four years, the NCSC has observed a 14% rise in disclosed security bugs, totalling 29,000, alongside 40,000 registered vulnerabilities, marking another 14% rise.
Whitehouse said the burden of technical debt continues to plague modern software.
"We have security products which contain vulnerability classes that we have known about for over 70 years or 24 years, depending on how you count them, being discovered and exploited in our edge perimeters in 2024."
The NCSC CTO criticised the so-called "Thousand Band-Aid" approach to cybersecurity, where organisations attempt to patch security flaws incrementally rather than addressing the root cause.
The crux of the problem, he said, is a lack of vendor accountability. He argued that current practices allow companies to escape responsibility for security failings through disclaimers in their terms and conditions.
Whitehouse proposed a two-pronged approach to address the issue: penalties and incentives.
Vendors who fail to prioritise security should face financial repercussions, while those who embrace secure development practices should be rewarded.
"Value and cost are still the primary drivers in the market and that is the enemy of cybersecurity," he said.
Whitehouse also criticised the short-sightedness of decision-makers who seek a one-time solution to security concerns.
He acknowledged the challenges of implementing reform, particularly the slow pace of legislation compared to the rapid evolution of technology.
Whitehouse concluded by addressing the possibilities of future technologies like human-machine interfaces. He cautioned, however, that the security industry needs a paradigm shift to ensure these advancements are welcomed safely.
Since assuming the CTO role in October 2023, Whitehouse has identified several key priorities for UK cyber. One is "Active Cyber Defence 2.0," a suite of services designed to disrupt, weaken and deter attackers.
"That will buy us some time against certain classes of actors whilst we go after the big parts," he said.
Another priority is gathering evidence for the real-world effectiveness of security technology and defensive practices.
Whitehouse acknowledged the availability of limited cybersecurity budgets, saying it is essential those budgets are used wisely.