The UK government has had enough of clichéd cyber dementor imagery, scary-sounding industry rhetoric and impossible security advice that the average consumer has no hope of following.

And it's hoping that by taking a less hyperbolic, data-driven approach to tackling cyber security it can encourage industry to follow suit and focus on persistent and prolific security problems, with the overarching aim of reducing harm at scale and boosting consumer trust in the digital economy.

The philosophy behind the UK's new National Cyber Security Centre (NCSC) was set out by the centre's technical director, Dr Ian Levy, speaking at the Wired Security conference in London yesterday.

A full National Cyber Security Strategy is due to be published imminently, according to Levy, but he gave a taster of how the government is thinking here. Levy has moved from his role as technical director of cyber security at UK intelligence agency GCHQ to take up the same post at the NCSC, which formally opens its doors this month.

Putting the security threat in context

"The biggest future threat we have is keeping talking about cyber security the way we do today," he argued. "There is no other piece of public policy where the narrative is set by a massively misincentivized set of people."

He said the core idea for the centre is to provide a one-stop shop for consistent, coherent advice, and to do so in public, transparently, a freedom clearly not afforded the spy agency where he used to work (in the "ivory donut", as he dubbed it, riffing on academics in their ivory towers). The NCSC will, for example, be publishing data on its learnings. It will also report to GCHQ, however, so clearly not all its discussions will be open to the public.

"One place to go for everything," said Levy, describing what the centre will offer. "At the start when you want threat information and understand about how to design a system, through building it, operating it, to when you get pwned, how do we help."

In a straight-talking presentation, which threw more than a few sardonic barbs at the current practices of the security industry, he attacked some of the language and media attention paid to critical and zero-day security flaws such as the Heartbleed cryptography flaw that emerged in 2014, arguing this sort of doomsday-scenario reportage engenders confusion and panic in the public, and is shifting attention (and resources) away from tackling more mundane yet persistent security threats which cause ongoing problems for web users.

"Buffer overflows today are still one of the most prevalent software defects that lead to security exploitation," he said. "Forty-odd years of buffer overflows. We have to start remembering that software vulnerabilities are axiomatic. You're always going to have them because software's written by people; the question is how you manage them."

"Fifty-four zero days in 2015. Let's put it into context. In the same year [searching the National Vulnerability Database] there were 6,488 other vulnerabilities. I should probably care a bit more about those because there's a shed load more of them," he added.

The UK government announced its intention to draw together cyber security expertise under one roof last year when it named cyber security a priority area, saying it would nearly double spending on the area to £1.9 billion by 2020.

Last month, giving his first public speech at a security conference in Washington, NCSC CEO Ciaran Martin also told delegates the aim with the centre is for government to play a leadership role in developing pro-active security measures, and via that push to encourage industry to up its game.

"Something is not quite working yet in the marketplace in terms of cyber security," he argued. "There are great companies, great people, there's great innovation, and barriers to information sharing are being broken down. But given the record of the past few years it's hard to say that we've got ahead of the threat."

"If we're to maintain confidence in the digital economy, we've got to tackle this end of the problem. I believe there's a legitimate role for the government in taking a lead, at least temporarily. This is the thinking behind our strategy."

Yesterday Levy went further by couching the cyber security problem as partially one of contextual perception.

"The way you talk about something fundamentally changes the way you evaluate risk about it," he said. "The context in which you judge something also determines how you interpret it. So if you're told that cyber security attacks are purported by winged ninja cyber monkeys who sit in a foreign country who can compromise your machine just by thinking about it, you're going to have a fear response. And that's where we are today."

His premise is that a fear response is overriding a more rational analysis of security problems and leading to ineffective or misdirected solutions. The government's hope, therefore, is to reset the security narrative to something closer to reality.

"The security companies are incentivized to make it sound as scary as possible because they want you to buy their magic amulets," Levy added. "This is what we're doing today. You buy a cyber security product and you throw it at the problem because you've no idea what the problem actually is anymore."

"If we talk about things as they really are, we have a different set of responses to them."

Tackling the tediously persistent problems

Discussing one of the early projects the NCSC has been working on, trialling a DMARC policy on UK government email to stop emails sent from the wrong IP sets or signed with the wrong key from being delivered, he said that on the first day it was switched on for the gov.uk domain, diverting spoof emails to the NCSC (instead of their intended victims), around 50,000 were received.

But a few days later the emails had stopped for good, after the attacker presumably realized their phishing attempts were being cut off at the root.

"Every single cyber attack, whether it's crime, whether it's defacement, or whether it's a nation state, is run on a return on investment calculation. A risk calculation. But by doing things like this we can screw around with the attacker's ROI," said Levy.

Following this trial, he said the NCSC now intends to put DMARC on every government domain, all ~5,700 of them, to end phishers' ability to spoof emails from any gov.uk address in future.

The step after that will be to apply pressure to industry by way of example, focusing on other high-value domains in the commercial sector to get them to follow the government's lead.

"I'm going to point and laugh at everybody who doesn't do the same publicly," said Levy. "Because there is no excuse not to do DMARC on a high value domain any more."

"So when you get an email from gov.uk it will be from gov.uk. When you get one from, [UK retailer] John Lewis say, I want it to be sure it's come from John Lewis. And then we'll have receptive domains as well."
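To make the DMARC mechanism concrete, here is an added example (not NCSC or gov.uk code) of the decision a receiving mail server makes: it looks up the sender's published policy in DNS, checks whether an SPF-authenticated sending domain or a DKIM signing domain aligns with the visible From: domain, and otherwise applies the domain owner's reject or quarantine policy. The DNS TXT records, domains, suffix list and scenarios are constructed for illustration; a real receiver would use the full public suffix list and live DNS lookups.

```python
"""Added example: DMARC evaluation as a receiving mail server performs it.
Illustrative code, not the NCSC's or any gov.uk implementation. All DNS
records, domains and the suffix list below are constructed for the example."""

# Constructed mini public-suffix list. In practice use the full list from
# publicsuffix.org. Note "gov.uk" is itself a public suffix, so the
# organizational domain of "hr.example.gov.uk" is "example.gov.uk".
PUBLIC_SUFFIXES = {"uk", "co.uk", "gov.uk", "com"}

# Constructed stand-ins for live TXT lookups of _dmarc.<domain>.
# p=reject applies to the domain itself, sp=quarantine to its subdomains,
# and rua= is where failure reports go (how spoof attempts become visible
# to the domain owner).
DNS_TXT = {
    "_dmarc.example.gov.uk":
        "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; pct=100; "
        "rua=mailto:dmarc-reports@example.gov.uk",
    "_dmarc.phish.example.com": "v=DMARC1; p=none",
}


def normalize(domain):
    return domain.lower().rstrip(".")


def organizational_domain(domain):
    """One label above the longest matching public suffix."""
    labels = normalize(domain).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def lookup_policy(from_domain):
    """Policy discovery: exact domain first, then the organizational domain.
    Returns (tags, found_via_org_domain)."""
    from_domain = normalize(from_domain)
    txt = DNS_TXT.get("_dmarc." + from_domain)
    if txt and (tags := parse_dmarc(txt)):
        return tags, False
    org = organizational_domain(from_domain)
    if org != from_domain:
        txt = DNS_TXT.get("_dmarc." + org)
        if txt and (tags := parse_dmarc(txt)):
            return tags, True
    return None, False


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    if not auth_domain:
        return False
    a, b = normalize(from_domain), normalize(auth_domain)
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             sample=0):
    """Return {'dmarc': pass|fail|none, 'disposition': none|quarantine|reject}.
    spf_domain is the domain SPF authenticated (the envelope sender),
    dkim_domain the d= of a verified signature. sample in [0, 100) stands in
    for the receiver's random draw used to honour pct=."""
    policy, via_org = lookup_policy(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none"}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain,
                                              policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain,
                                                policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    # Subdomains without their own record inherit sp= (falling back to p=).
    action = policy.get("sp", policy["p"]) if via_org else policy["p"]
    if sample >= int(policy.get("pct", "100")):
        # Outside the sampled fraction the policy is stepped down one level.
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return {"dmarc": "fail", "disposition": action}


if __name__ == "__main__":
    # Constructed scenarios: legitimate mail, a spoof from an attacker-owned
    # domain that passes SPF for *its* domain but is unaligned, and a subdomain.
    print(evaluate("example.gov.uk", "pass", "mail.example.gov.uk", "pass", "example.gov.uk"))
    print(evaluate("example.gov.uk", "pass", "phish.example.com", "none", None))
    print(evaluate("hr.example.gov.uk", "fail", "hr.example.gov.uk", "none", None))
```

The second scenario is the one Levy's "wrong IP sets or the wrong key" describes: the attacker's server is a legitimate sender for its own domain, so SPF passes, but nothing aligns with the gov.uk From: address, so the message fails DMARC and is rejected rather than delivered.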

Add to that, because the NCSC is now in receipt of a wealth of phishing email data, Levy noted it can also analyze the domains that attackers are trying to send people to, and plans to make use of this cache of phishing-site intel to build a massive-scale recursive DNS server for the public sector.

"I'm going to become the DNS provider for public sector. So central government, local government, maybe health, maybe education, we'll see," he continued. "So again, do it for government first and then go and talk to the ISPs and say hey guys, it's probably not okay for you to allow your customers to be harmed without knowing. How about you do something similar, by default, for the citizens of the UK?"

"By default I want the ISPs to take some responsibility and not allow their customers to go and hurt themselves without knowing."

Security researchers would be able to opt out of the DNS filtering, according to Levy's plan, but the idea is that the general public, which typically suffers the most at the hands of phishers, would be better protected as a result of ISPs taking similar, pro-active action to block access to data-stealing sites.

"By default let's protect people. Because my grannie doesn't know what the hell's going on and I want to protect her," he added.
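As an added illustration of the protective DNS idea described above (example code, not the NCSC's or any ISP's resolver), the decision a filtering recursive resolver makes before answering: walk from the queried name up through its parents so that subdomains of a known phishing domain are caught too, let a more specific allowlist entry override a blocklist hit so a shared hosting domain cannot be taken out wholesale, honour an opt-out for researcher networks, and record every block so the customer is not harmed "without knowing". The blocklist, allowlist, client ranges and queries are all constructed.

```python
"""Added example: policy decision of a filtering (protective) DNS resolver.
Illustrative only; not the NCSC's or any ISP's implementation. Blocklist,
allowlist, client ranges and queries are constructed for the example."""
import ipaddress

# Constructed blocklist, e.g. destinations harvested from reported phishing
# email. "sites.example" stands for a shared hosting domain that was listed
# because one tenant hosted a phishing page.
BLOCKLIST = {"hmrc-tax-refund.example", "sites.example"}

# Constructed allowlist: a more specific name always wins over a blocked
# parent, so legitimate tenants of the shared host keep resolving.
ALLOWLIST = {"council.sites.example"}

# Constructed opt-out: researcher networks get unfiltered answers.
PASSTHRU_CLIENTS = [ipaddress.ip_network("198.51.100.0/24")]

# Blocks are logged so the user (and the ISP) can see what was stopped.
BLOCK_LOG = []


def normalize(qname):
    return qname.lower().rstrip(".")


def ancestors(qname):
    """Yield the name itself, then each parent: a.b.c -> a.b.c, b.c, c."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def client_opted_out(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in PASSTHRU_CLIENTS)


def decide(qname, client_ip):
    """Return (action, reason). 'resolve' forwards the query upstream;
    'nxdomain' answers that the name does not exist, so the browser never
    connects to the phishing site."""
    if client_opted_out(client_ip):
        return "resolve", "client opted out of filtering"
    # Most specific name first, so an allowlisted child beats a blocked parent.
    for name in ancestors(qname):
        if name in ALLOWLIST:
            return "resolve", "allowlisted " + name
        if name in BLOCKLIST:
            BLOCK_LOG.append({"client": client_ip, "qname": normalize(qname),
                              "matched": name})
            return "nxdomain", "blocked " + name
    return "resolve", "not on blocklist"


if __name__ == "__main__":
    # Constructed queries from an ordinary customer and from a researcher.
    for query, client in [("WWW.hmrc-tax-refund.example.", "203.0.113.7"),
                          ("www.gov.uk", "203.0.113.7"),
                          ("evil.sites.example", "203.0.113.7"),
                          ("council.sites.example", "203.0.113.7"),
                          ("www.hmrc-tax-refund.example", "198.51.100.5")]:
        print(query, client, decide(query, client))
    print("blocked so far:", BLOCK_LOG)
```

Returning NXDOMAIN (rather than pointing the name at a sinkhole address) is the simplest safe default for a consumer resolver; a sinkhole is only useful if someone operates it and is prepared to receive the connections.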

Another area where Levy said progress has already been made by his team is in shortening the window of time a phishing site can stay online, by the NCSC contacting ISPs and hosting companies to get phishing sites taken down, using, in his words, "a very complex cyber method of asking the hosting company to remove it."

"Any phishing anywhere in the world that pretends to be UK gov brand has gone down from 49 hours to 5 hours," he added.

He also hit out at "stupid advice" given to web users, such as telling them they should be reading the full-length email header in order to determine whether an email is genuine or not, or asking them to remember the equivalent of a 600-digit number every month because of password requirements (a unique, multi-character, multi-string password for every service they use, all changed frequently), as ludicrously unfit for the average web user.

"We tell people to do something they cannot possibly do," he argued, adding that the centre would be outing "stupid advice" and aiming to change the system so it's better for people, rather than geeks.

"Let's do this in public, let's do this transparently, let's publish data, let's publish what we have done, what effect it's had, and the cost," he added. "I want people to really, really understand what the cyber security threat picture looks like. What their risks really are, and how better to protect themselves."
