Andrew Cormack is Chief Regulatory Adviser at JANET (UK) and is responsible for keeping the network and its customer universities, colleges and schools informed about the regulatory, policy and security requirements of running networks and networked services. He recently took time out of his busy schedule to talk to Justin Richards about all things security and network related and to promote his upcoming Real-Time Club talk.

Part 1 | Part 2

I guess this is always going to be a problem with people wanting to open up communication channels with each other, for example, smart jewellery where users want to pass personal information to each other without really trying and without much thought for security... 

I think the decision is the tricky bit - we’re not good at actually formulating what our intuitive rules are. We all have rules for ‘am I in a safe place, is this a safe action, is this somebody I trust’?

But actually writing them down, in a way they can be implemented by a machine, is very difficult. For example, the endless difficulties that Facebook have had in order to produce a set of privacy tools that matches with what people want.

And it’s not just Facebook - recently TalkTalk got into trouble over its network security because they were keeping a record of the websites visited by their user community.

My understanding is that there’s no link back to which user visited which website - they’ve just got a long list of all the websites visited by their users and they’re scanning those to see if there’s any malware on them - an excellent security initiative by the network, but they get into trouble for privacy.

I can see how that idea got through all the checks as a wonderful enhancement to customer security and the customers then turn around and say ‘Oi, you’re monitoring my web browsing’. They’re not, but they get beaten up for it. It’s a Catch 22 situation.

So in relation to the project management question, I’d say beware of these types of things lurking to bite you; your users might actually be irrational and might work on feelings every now and then.

You’ll always get a very vocal minority who’ll complain about pretty much anything...

Yes, that’s true, but the problem is you don’t know what the silent majority are thinking. Are they with the complainers or are they silent because they can’t be bothered, or because they haven’t noticed, or because they’re happy? That’s always hard to ascertain.

In your proposal for the Real-Time Club talk you mention incident detection tools - could these help mobile and cloud security in the long run?

Yes, but only if you can understand what they are - what an incident looks like. Originally they were a bit like antivirus, there were patterns which helped to identify when a particular pattern represented an incident; that’s fairly accurate, but by definition it could be something else too, so a new incident goes straight past it. But now we’re trying to look at mechanisms that will detect patterns that are probably incidents, but then what do you do - do you block it, in which case you might not have blocked an incident but someone playing with the next Skype. How do you make a decision on what you don’t fully understand?

There’s some stuff on the internet and we know exactly what it is and it’s fine, there’s some other stuff we know exactly what it is and it’s not fine and then a whole host of stuff in the middle. What do you do with that - do you stop it until you know it’s safe, in which case you’re back at the old telephone system level (until this has been approved it can’t run on my network), or do you say, well, we don’t know it’s hostile, but we’ll keep an eye on it and run some new stuff ourselves and explore it, but then you’re leaving a window of vulnerability open. Again it’s this question of who do you want regulating it, and how heavy do you want the regulation to be?

Do you think the government should get more involved in regulating the internet?

I think I’d prefer them to have a look at the regulations they’ve already got and work out whether pre-existing regulations are helpful or unhelpful. At the moment there are some really rather unhelpful regulations, which concern ISPs and hosting providers, and these are unhelpful probably because the related liability laws come through mostly from Europe.

There was a case recently where, if you’re a host, and you’re hosting a blogger on a website, any information which is provided to you by third parties, you as the host, are not liable for unless you edit or have been notified that the blog was defamatory, or in breach of copyright, discriminatory, or whatever. The problem with that is that it provides you with a huge disincentive to go and look.

The case was where someone had corrected a spelling mistake in somebody’s blog posting and they were thereby held to have edited it and liable for what it contained. Ok, so don’t fix spelling mistakes, but if you are setting up a service aimed at children, under current law I think you are taking a risk if you go through it and say something is not suitable. The law is very unclear and it would be helpful if government could clarify some of these laws.

The incentives across a lot of the industry are just not there or are getting worse because in the old days if your PC was compromised what happened was that your financial information went away, so acting as a user there’s a reasonably strong incentive because having my PC compromised is bad for me.

Nowadays that still happens, but the main problem of compromised PCs is that they will start attacking other people too. So the major problem if my computer gets compromised might not be for me and that’s a tricky situation. We can’t just talk about giving users the tools to improve security; we also need to give them the incentive to get it right.

Would you say that’s one of the main challenges your sector faces over the next few years?

Yes, in my job it is about trying to keep regulation steered in a direction which enables people to have the expected results and desired results and flag up, as early as possible, if we spot things going wrong.

With the best intentions you create a law, a policy or technology that you think will have result X and it turns out to have result Y. There’s a lot of suggestions around the idea of forcing service providers to block access to stuff that we don’t think is socially desirable. That works fine as long as users are in agreement that they don’t want to see it either.

The moment you try to block something that users do want to see - e.g. the French have recently forced ISPs to block access to offshore gambling sites - doesn’t that give the users a strong incentive to get around the block, and the moment they work out how to get around it, they’re going to be exposing themselves to all the stuff that was blocked, which is the stuff they didn’t want to see, the stuff that was threatening their computers.

The blocks may well be blocking phishing sites, dodgy ISPs (these get blocked from time to time quietly), so if you give people the incentive to get around the blocks, and you can’t get round the one without getting around the other, you will defeat them as a security tool. I’m trying to point this problem out, more and more strongly, to the powers that be, saying that we will be encouraging people to evade the security measures, which is not good.

What do you think have been the most important changes in the IT industry during the last three or four years?

I think the continuing development of the mobile device, from laptops through to mobile phones. The incredible functionality that we now have - always on, always with us, and us getting connectivity wherever it can find it, I think that’s a huge social change.

I don’t understand many of the things that people are using socially, they’re often not particularly useful for my job, they’re just different, but trying to understand how much of it is ok, what the possible risks might be and then express it in a way where individuals can make their own rational choices - ‘this is something I want to do, this is something I don’t.’

What’s your take on professionalism in the IT industry?

IT is part of the bedrock of modern life; IT isn’t just for geeks any more, and it hasn’t been for a long time - it’s for everybody. So it’s increasingly important that it doesn’t just work for geeks, that it’s usable for everybody in society - that’s a different set of design goals. On the other hand, we also need to be helping everyone in society; I know BCS, for one, does a lot at graduate level. But it’s not just graduates that use computers, it’s everybody.

I heard a lovely comment recently from someone who works in the schools sector: they said ‘there are no motor cars in schools, but we still teach children how to cross the road safely.’ And I think we need to do that sort of thing for the internet as well, to be honest. By the age of 10 I think we need to be able to handle the internet now, because you’re going to be on it.

Is this something the government should be getting involved in more?

I would hope that industry could regulate itself, but I guess government’s role could be to improve many standards because it is a very large purchaser. I’m not sure that particular lever is being used effectively at the moment, but I’d rather see that idea being used before using the top-down approach. There are, after all, plenty of things for which it actually doesn’t matter.

How do you think the IT industry could address its geeky, nerdy image - is this something that should be addressed at school / college level?

It would be good for people to understand how computers are put together and how they are needed. Perhaps some of the questions that I’ve raised actually help? I don’t think many of those questions can be answered by geeks and nerds. I think it needs to be sociologists and psychologists and people who understand people.

CPUs and networks and stuff will carry on getting faster and faster, but the stuff we, at the moment, don’t know how to do, does still need input from people who understand people. So there’s a need to get everyone involved and I would hope that out of the proportion of people who could do this there would be a portion who would want to.

Women still make up only about 12 per cent of the IT workforce. Do you think this is down to a lack of interest, or a lack of confidence on behalf of women, or do you think the opportunities just haven’t been there for them?

I doubt it’s a lack of confidence and I don’t see any gender distinction, for example, sitting on a train, when it comes to who uses technology, everybody seems to be using the stuff. Again it might be due to them needing an explanation that there’s a broader set of skills needed rather than just techie skills.

During the 80s and 90s I think the industry chose to portray itself as a software development and ‘all-night programming’ sort of industry, where workers were served flat foods so they’d fit under the cubicle door.

Going back to yourself - do you have any IT role models? Who inspired you to get into maths and the technological side of things?

I got into maths because I was better at it; there wasn’t really a role model there. I think it was discovering that I could do things which other people couldn’t do. I could look at a problem in IT and the first answer I came up with often turned out to be a good one, certainly more often than it did for other people. During my pre-college days (I was educated in Scotland) my schooling was very broad and I hope that I can still understand the technical stuff, but also that I can explain it, certainly to scientists.

I’m currently waiting on my results from the Open University to see if I’m now a humanities graduate, in about three weeks’ time. I’m fascinated by a very wide range of topics - we do a lot of publicity about CERN and a lot of the big science projects and how networking is helping that - but I get more excited about how networking is helping the arts, humanities and the non-traditional subjects - maybe that’s the way to get others involved.

The fact that I can go onto the National Archives website, find a picture image (not a scan) of the Will of the Secretary of State for England in 1680, who was born in a little village in South Wales just along from me, transcribe that, and then send back my transcription to form part of the National Archive, that’s fantastic.

The National Archives has also been working on another project where they’ve scanned the log books of ships from the late nineteenth and early twentieth century, again just as pictures, which contain a good record of what the weather was every six hours, written in appalling handwriting. They’ve set up a website where you can download pages out of these log books and transcribe the pages and type them into the archive database.

I was particularly fascinated by some of the other stuff, including the different lengths of services, i.e. church services, in Alexandria, in 1912. I think the Catholic Church service party left earliest and the Anglicans left latest, but they all then got back on board ship at the same time. I love archives, but there’s no way I’ve got the time to go to Kew or wherever, so being able to access them online, from my hotel, when I’m away at conferences and download this stuff, and where I can put something back, is just fantastic.

In your current role, what would you say is the most rewarding part of your job, and what’s the hardest part of it?

I’m very lucky - I have a lot of fun - I do stuff that’s interesting and intellectually challenging. The most rewarding part, for me, is helping to enable people to be able to do stuff that they couldn’t previously do. For example, my work on privacy - where it was good to help people to understand that being engaged in privacy doesn’t mean you can’t do processing, you just have to think a bit and ask yourself ‘do I actually need this great long list of personal data to do my job?’

They should be asking ‘can I use some clever technical stuff and quite possibly get a better result?’ But it comes down to how everyone wants to work - you can be far less intrusive through good use of technology. You can actually massively reduce the privacy intrusion and still deliver the licence terms that the customer requires.

Not much is hard, but a lot is challenging, particularly when dealing with the law. But you have to persist and I can now point at certain bits of the law and say that is there because of me, although they’re very small sub-clauses, but getting them there takes an extraordinarily large amount of effort.

Looking back is there anything you would have done differently, or are you fairly happy with your chosen career path?

I would have liked to have been a better people manager, but I’m starting to pick up on the fact that security people are rather hard to manage, for anybody. So perhaps it wasn’t entirely my fault!

Is there any advice you’d give to any students or younger professionals thinking of moving into IT, or trying to get further into the industry?

I guess I’d say always be interested. Explore - don’t just think that because this is my job that’s what I’m doing, be inquisitive.

Quick questions

Open source or proprietary?
Whichever you’re used to I think. The thing that terrified me is, when we started connecting further education colleges, there was a fairly frequent telephone call saying ‘we’re a Microsoft shop, but we think we’ll run our firewall on Unix because we’ve heard that open source is better’. That’s the one place you don’t want to experiment with a completely new mode of operation - your firewall!

Apple or PC?
I use a PC, because that’s what the company give me, and I have two fingers, so I like having two buttons on my mouse.

Blackberry or Smartphone?
Neither at the moment - I’m very old fashioned on mobile phones; sorry!

Wii, Xbox or Playstation?
I have enough fun with computers in the day job, so I prefer to be outside.

Geek or nerd?
I’m a geek that wears a suit, which confuses people. One of the funniest things I’ve seen, while on the job, was when I was talking, in a striped suit, at the Réseaux IP Européens (RIPE - French for European IP Networks) meeting, with people who were up to their elbows routing Europe, talking about what systems admins could learn from the law, and 150 people simultaneously crossed their arms, which was absolutely simultaneously synchronised body language, which was so funny. I thought ‘you haven’t read my CV yet, have you?’
