A day out with ISSG in Boudica territory

Published by Andy Farnell

Figure 1: Adastral reception

Into Boudica's lands

We had a lovely time at Adastral Park yesterday when BT invited the British Computer Society's (BCS) special interest group on security (ISSG) to a showcase day.

Ipswich is a bit of a schlep for us, so after a long drive we camped out under the stars at Low Farm. It was bloody freezing. We went poorly prepared for an unusually cold April night, packing lightweight sleeping bags. In the morning there was ice and we had to decamp in a hail shower. Moments later warm sun came out. Very moody April weather. The campsite is a 5 minute drive from Adastral Park, so we were bright and early after a 6am dawn chorus.

Figure 2: Field Work

Adastral is on the former Martlesham Heath Royal Air Force Station. It's an impressive sight on approach; up close, obvious old barrack buildings guard the entrance to a multi-acre expanse of glass sheltering dozens of British technology companies.

Figure 3: Approach to park


Zero trust

After introductions by Rob Wilson of BT and ISSG chair Steve Sands we heard about a "Telco Approach to Zero Trust" from Dave Harcourt.

We kept hearing Dave say that Zero Trust is a cultural transition more than a technical one. That's something we very much agree on and it was enlightening to see the practical approach within BT to slowly dismantle old implicit and network-centric trust and compartmentalise such a large organisation.

We raised the questions of maintaining efficiency and the problems of Zero Trust with traditionally big hierarchies and asymmetrical power relations. Is the locus of trust simply displaced to the "Trust Intermediaries" and "Trust Issuers"?

Alice and Bob need to establish ad-hoc ephemeral trust relations in order to get work done. When someone else gets to say "who may trust who", how is this better than implicit trust? That wasn't a question anyone could expect Dave to answer and he was graceful about it.

Figure 4: Main Event

Another interesting point arose. Dave is quite religiously a "post password" apostle. It seems like BT's ZT philosophy is identity-based, with a strong biometric component (as opposed to roles, capabilities, reputations and knowledge, which are the other vital, but oft ignored, aspects of trust systems).

By contrast, some of us are acolytes of the old religion of humanist computing, still highly skilled in the use of things like keyboards and the password (another way to say 'knowledge'), an elegant weapon for a more civilised age.

This strongly-bound identity is something we do not agree with at Boudica. For systematic, technical and ethical reasons, human identity is a small container for something as big as trust.

Also, equating human identity with endpoint devices is a slippery slope, as is chasing monitoring into endpoints, which creates a totalitarian property grab. These and many other points around the weaknesses of "zero trust" philosophy were on our minds, but we didn't really get the chance to explore that side, and it would probably not have been appropriate given Dave's focus on solving the ZT transition as a practical, organisational challenge.


AI and Cybersecurity

The next speaker was Alfie Beard, telling us about "AI and Security".

It's lovely to see a researcher who is boiling over with enthusiasm about their subject area. Alfie waxed lyrical about all sides of "AI", with proper scepticism about hype and recognition of sociological concerns, but also without any jaded baggage. That made the talk feel lively, optimistic and playful - confirmed by Helen's recon of his slide-deck, with screenshots showing tabs for kids' games :)

When it came to "AI in security", the focus was on a symmetrical arms race, with as much attention given to the possibility of generative and adaptive malware as to anomaly detection for intrusion detection etcetera. Human-in-the-loop came up as a sacred do-not-cross line, as it does in all defence contexts.

In the end the talk was too broad to really hit home on any specific application, but Alfie left the crowd with an unmistakable feeling that the security landscape is changing forever, and very fast.


From checklists to compassion

Then Dean Taylor spoke about "Practical Security by Design". For some reason we greatly enjoyed Dean's talk. Everyone from Boudica was nodding along animatedly in agreement.

Dean's talk resonated with some of our very strongly held values, such as psychological safety, obtaining buy-in, security as a shared responsibility, and overcoming ego and silos. Commonsense psychology well mixed with commonsense engineering was evident throughout, served with a huge dollop of emotional intelligence, sound business sense and human factors.

Figure 5: Dean Being Practical

His experience from years of practice, plus fresh ideas and Dean's plain way of saying things, was super valuable for our own consulting ideas. Dean put a lot of emphasis on reproducible process, templates and checklists, but also on highly adaptive, culturally and psychologically informed work that we see as security must-haves and treat as "human systems analysis", akin to the old-style Meadows/Forrester type of system analysis.


Post quantum

After lunch we heard about "Future-Proofing the Internet in a Post-Quantum Cryptography Landscape" from Dr Ali Sajjad.

All discussions about quantum computing hover on the border of magic and madness. Ali has an enjoyable presence and made talking about it good humoured with a note of fallibility around a subject we all know is a paradigm shift, but still not upon us.

From a security perspective it felt like standing on the deck of an old ship looking through a wobbly telescope at a shape looming on the horizon. Is it friendly? How long till they get here? What's their range?

We went a little through cryptology history and did the usual time plots of technology growth in codebreaking against mathematical estimates of the strength of various ciphers, symmetric and asymmetric, stream and block, alongside the robustness of the common primitives for hashing and signing, key exchange, and so on.

We dissed NIST. Ali was quick to emphasise open frameworks as the proper solution. Post-quantum requires agility to switch as and when trusted ciphers fail, and so regulations should never mandate specific implementations, nor should standards bodies push specific wares - no matter how enthusiastically the NSA 'approves' them. There are plenty of diverse, open post-quantum solutions out there, and still more in research, that can be pluggable.

Then the dreaded question of "what is quantum computing, exactly?" came up, and the immortal words "…so then, weird things happen" were spoken.

Questions about temperature and scale were interesting. It's nice to talk about computing subjects with one foot still in physics, where silicon, electrons, light and thermodynamics still matter.


Gathering tribes

And finally Dr Ruhma Tahir told us about an ambitious project to build a "Security Innovation Hub" at BT. She gave what felt like a difficult and courageous talk on one of the enduring problems in computing… coordination.

BT hope to build a Cybersecurity Research Hub. Ruhma's mission seems to be to diversify the makeup of that group in recognition of several important insights:

  • It's time for shared responsibility of all social stakeholders
  • Changing dynamics of cybersecurity threats is escaping us
  • The now obvious failure of monoliths at the current threshold of complexity.

Ruhma spoke vigilantly on the need to move from siloed cultures to more coordinated and inter-operable national cyber security, and that we must re-synthesise the security mindset. There was an implicit if not studied appreciation of hybrid vigour of the Rebel Ideas variety.

While not venturing into game theoretical territory or expanding on attacker-advantage, Blotto front-analysis and so on, she gave an appropriately bleak summary of what an isolated and discoordinated strategy looks like against what, under "AI" conditions of acceleration, now appears as a surrounding horde. There was nothing left to sell to us at this point.

But we were a bit disappointed, as the talk went on, that "academia", "industry" and "vendors" were mentioned many times, but nothing more, nothing well… diverse. Andy felt that what had been in mind as national security looked a lot more like just more business security, or as we call it, "More guards for the castles".

Obviously, that's where the money comes from, which is our major weakness in civil cybersecurity. We deal with that most deliciously sophisticated bit of the pie, like mental health, social security and democracy, that nobody wants to pay for. There was no mention of health trusts or hospitals, schools, charities, rights groups, or cultural groups.

Worried about the makeup of the proposed group as a "gentleman's business club for cybersecurity", Andy spotted a potential blind-spot. Feeling bad that the question, "Where are the people in this?", might have seemed aggressive and ambushed Ruhma, we caught up with her at the coffee break. Anyway, she invited us to join them for something in September.


Jolly in the countryside

Other than the great company, amazing talks and chats, some highlights for the Boudica/Cybershow team were listening to a beautiful nightingale that serenaded our encampment, and some relaxing views of Suffolk.

Figure 6: Space to think

Low Farm comes highly recommended because it's basically a little nature reserve but with awesome facilities in the nearby farm buildings. We saw rabbits and voles scurrying from kestrels or hawks, and the dawn chorus of birds was overwhelming.

Figure 7: Low Farm at twilight (with nightingale)

After a freezing night under canvas there's a most welcome long hot shower awaiting in the very clean, well stocked and heated facilities block - not quite glamping but the next best thing. It was also inspirational to be on the soil of Boudica's Iceni, within chariot striking range of Colchester and Londinium.

Figure 8: Boudica's Lands

Posted on Apr 29, 2024.