Levy will now be distinguished engineer and VP at Amazon, he has announced, after 23 years with the National Cyber Security Centre (NCSC).
He left NCSC in October, saying it was “with a heavy heart”, but making it clear that he was waiting for clearance for his next job – and turning down requests for interviews in the meantime.
NCSC is part of Government Communications Headquarters (GCHQ), the UK’s signals intelligence agency, analogous to the US National Security Agency (NSA). GCHQ is a lineal descendant of Bletchley Park, the code-breaking centre in World War Two that allowed the Allies to read the Nazis’ signals.
In a parting blog, posted on the NCSC website, he criticised the tendency of “Blaming users for not being able to operate a terrible design safely”.
He wrote: “In cyber security, we come up with exquisite solutions to incredibly hard problems, manage risks that would make most people’s toes curl and get computers to do things nobody thought was possible (or in some cases desirable). But we also continue to place ridiculous demands on users (deep breath: must not mention clicking links in emails or password policies), implicitly expect arbitrarily complex implementations of technology to be perfect and vulnerability-free in the long term, and then berate those who build the stuff we use when they fail to properly defend themselves from everything a hostile state can throw at them.”
He added, in a list of things the security community should do: “Stop blaming people who don’t have our l33t skillz when something goes wrong”.