Andrew Cormack is Chief Regulatory Adviser at JANET (UK) and is responsible for keeping the network and its customer universities, colleges and schools informed about the regulatory, policy and security requirements of running networks and networked services. He recently took time out of his busy schedule to talk to Justin Richards about all things security and network related and to promote his upcoming Real-Time Club talk. 

Part 1 | Part 2

Please can you give me a bit of background about yourself, perhaps from your college years onwards?

Well, my first degree is in mathematics, but after three years of doing that the subject and I separated by mutual agreement. I went into IT, doing programming and systems analysis. After a number of years of that I moved to continue programming and systems management for the National Environment Research Council (across the bridge from BCS) working on board scientific research ships, which was fun.

Then I spent five years at Cardiff University where my job description from day one was ‘we understand there’s something called a web server, we think the university should have one, can you find out what it is and make one’ and that was 16 years ago, which is a terrifying thought. I did that for five years, running a fairly high profile networked server and then I started discovering that there were bad things going on and that there was something called security and I ought to learn about it.

After five years I moved to be head of the incident response team for JANET, the UK Research and Education Network, which connects all universities, colleges and research centres together and to the internet, and I was head of the team for just under four years. During that time the questions changed from being primarily technical to being increasingly about law and policy so the organisation decided I needed to look into that full-time.

I am now looking full-time at security and legal requirements for operating large networks, for the company’s own benefit, for the benefit of the universities and colleges connected to the network and for the benefit of legislators - trying to make it clear to them that the internet isn’t quite as simple as they think it is. And I hope that we can provide a relatively unbiased opinion of what will work and what won’t work to them.

What will you be talking about for your Real-Time Club presentation in January?

Well I’ll be starting from network security because it strikes me that that’s what we’ve been doing for the last 15 years. We’ve done firewalls, we’ve done flow monitoring; everything is based upon being able to look at the network and saying that’s good, that’s bad. I was at a conference recently where one speaker basically said that they’ve now given up on the user being a player in the security side of things - the user is just not involved!

If I count up all the networks my laptop has linked to recently, the free Wi-Fi one in this café is the ninth one this week, a hotel, three conferences, home, work, a couple of other cafes and so on. Which of those networks is supposed to be looking after my security in that model, where I’m not? And even when the network is responsible it is quite difficult to work out what is good and what is bad given that the client is moving around and many of the services are moving around too.

If I’m using a cloud email provider which country should my email traffic be going to? Is it going to be the same one tomorrow? If load changes and the cloud provider moves, and they’re resilient - that’s what they do - the traffic patterns are going to change - it’s not clear to me that the model of looking at the network and saying that’s how we do security is the way we should be doing things anymore. I’m therefore looking at the Real-time Club as an opportunity for talking about the things I don’t know the answers to, so I’ll be raising issues that interest me. I think I’ll need to be provocative after two courses and some wine.

What do you think are the biggest challenges in the security field at the moment?

I think there are some big new challenges there – if we thought that networking and the web were getting rather routine, it’s about to become not routine! It’s becoming interesting again and not just in technical terms. I can’t see any way of avoiding putting some of the onus for security on the user so we’ve got to provide them with the necessary tools, because we haven’t got them at the moment.

My favourite last week was a message on my laptop that said ‘the software has a problem and cannot exit’. I don’t understand what I’m supposed to do with that and I’m supposed to be a technically competent person! We’ve got to get better at explaining security decisions to users. We still should be giving them (the user) some guidance, but I think the alternative is to end up with something that’s completely constrained; there’s been some debate as to whether certain commercial interests are now wanting to get rid of the open creative internet we have now.

I think there’s a risk that regulatory bodies with their overwhelming desire for security will inevitably push for a less flexible internet. There’s a lot of pressure now from government saying the internet must be secured (partly because of the Olympics), which will make it less flexible, so when the next application comes along (such as Skype, which just came along, didn’t need permission from a network and took off to become an amazing technical, cost-saving social application, which has enabled so many more people to keep in touch cheaply) someone is going to turn round and say that’s not secure, sorry you can’t do it – it just won’t have the freedom to take off like that again.

Do you think we’ll ever have proper security on mobile devices?

I think in general devices aren’t too bad. There’s been a colossal change in Microsoft security during the 15 years that I’ve been studying it, for example. Back when I started off people complained because Microsoft never told them about their security problems and now people complain they’re overloaded with Microsoft security updates about problems! However, I think my laptop gets less secure the moment I sit in front of it.

Do you think Wi-Fi networks need to be more secure?

Wi-Fi is just another network, and a network is just another network. The problem is if you make it too secure you risk delaying moving the packets of information around and so, as you sit in a café, what you want to do won’t work. This happens fairly regularly in hotels and in conferences centres where fewer ports are open, hence there’s a greater delay in data transfer. Some centres will use one security measure, which will then in turn prevent me from using mine.

What are your thoughts on security within the cloud; what are the main challenges?

It’s certainly a challenge for people to understand what security means in the cloud. By going into the cloud you are certainly giving up some control over security. Your data could be on a server in a different country, but the cloud people could be better at making their server more secure than you are with yours. The question must be: can you keep your systems as up-to-date and secure as they can be?

There are huge jurisdiction and record management issues surrounding the cloud. I was at a meeting yesterday where everyone was scratching their heads wondering what would happen if the public sector goes to cloud; what on Earth would a freedom of information act request involve? At the moment, in theory, I can search through the university’s entire central mail store, but with the cloud I almost certainly wouldn’t be able to, there’s no tool available.

What is your definition of acceptable risk?

I know what my definition of acceptable risk is, but I’d be very nervous if someone tried to tell me what it was.

We use a lot of infrastructures in our daily lives that aren’t perfectly safe - I mean there was a doubt that I’d make it today because the trains might have gone on strike, but if they had the world wouldn’t have come to an end. When it snows transport networks will stop working, but we don’t regard it as being a catastrophe for society. I haven’t looked at the figures recently, but I think the road network in this country kills about eight people a day, whereas the internet is really quite safe when you compare it to those sorts of numbers and yet as a society we panic about internet security.

At some point I think we’re going to have to work out what it is we actually want - do we want an imposed level of risk where somebody, perhaps the government, decides what an acceptable level of risk is - a bit like the Apple store where unless something is approved by the equipment vendor you can’t run it. You might find to get approved software will have a lot of options stripped out of it because the user can’t be trusted, on that model, to use them safely. Something as basic as email allows me to send my credit card number to somebody; at what point do you put in a point of control which says ‘no you can’t do this Mr User, I am going to deny you that option because it’s not an acceptable risk’?

We’ve been there before - the telephone network used to work like that, where you couldn’t plug in a telephone handset unless it was BT approved. Do we follow the car model where you have to go in for an MOT on your computer every year, and you have to be insured against going onto the internet without a properly secured computer. These are all models that might work, but they’re not the internet as we know it.

Perhaps we should say that we users have got to start taking more responsibility for our actions and act smarter. It used to be said that people’s personalities used to change when they got into a motorcar, but these days they change when they use a mobile phone - how many overly loud conversations do we have to listen to on an average train journey now? But I don’t know which model will work in the long-term.

Surely security will always be a compromise - outsourcing and offshoring are good examples of where organisations have to trust their vendors and partners to take security seriously.

Sure, sometimes I have to remind myself that security is all about confidentiality, integrity and availability and a system that I need to get at and I can’t is actually a security failure. It’s really easy, particularly for people from technical backgrounds, to really focus on the integrity and confidentiality areas of security to the point where the user can’t get at their information so the user starts inventing new ways to get their job done; I think we’re there in many cases.

Do you have any advice for project managers on how to avoid problems?

I guess they should try to see the whole picture of what users are going to expect. There are a series of words which are bandied about regarding user requirements, user wishes and user expectations. I suspect it’s the expectations that are the most important - you can write down the requirements and the user will still say this product doesn’t work the way their intuition tells them it ought to and it’s really hard working against people’s intuition. So my favourite approach for getting people to do things has always been to try and match up their intuitive expectations with what you want them to do. I try to avoid saying no and say ‘wouldn’t it be easier to do it this way instead?’

There used to be a common scenario at universities whereby academics requested wireless access for their offices, someone said no, so the academics would go down to the high street, buy an off-the-shelf access point and plugged it in. So now your network traffic is potentially accessible to anyone with a laptop, with wireless access, within a hundred meters (with a little tweaking of course)! So how have we improved security in that scenario?

Part 1 | Part 2