BT Interview

by msecadm4921

Douglas Johnson-Poensgen is MD of defence and security at BT Global Services, part of the telecoms company. Except that the company is about much more than telecoms now, as he tells Mark Rowe.

Global Services brings in about half of BT turnover. The defence and security part has customers as large as the United States Department of Defense (DoD) and the British Ministry of Defence, and national security agencies. That involves for example providing ‘connectivity’ for the DoD and NATO in such places as Djibouti and Afghanistan. So while global might not mean all over the world, it is certainly international. BT evidently is about more than telephones; about computer networks and IT services. “The services we provide are primarily around networking, connectivity, and business management systems; and one of the principal areas of my business is cyber-security, which is clearly a topical subject.” Because of the Wikileaks affair, for one thing.

Where does this leave UK private security which has been used to physical security – putting locks on doors, and guarding the doors? Douglas Johnson-Poensgen spoke of the 1970s and 1980s as decades when government sought to help, for example, nuclear power stations understand their physical security vulnerabilities, and improve physical security. “The agenda has evolved from physical security to one of cyber-security being potentially a larger threat, whether an asset of critical national infrastructure (CNI), banks or power stations … most of the conversations that we have with customers now is actually about how they can protect themselves from cyber-threats. They can range from theft of ID to fraudulent behaviour by their own staff, to theft of personal information; or even at the top end, potential denial of service.” And if a DoS attack is against a power station, that can mean a threat to electricity supply.

In an ever more connected world, a cyber-threat can have a physical equivalent – such as wanting to deny access to unauthorised people through your front door, whether at home or in business. “In the more connected world we live in, it’s getting more complicated all the time.” He gave the example of utility companies in the process of rolling out smart meters into homes. An energy company’s network, potentially, will have tens of millions of Internet Protocol addresses around its network, providing an enormous potential for people to hack into systems, Douglas warned, if the systems are not appropriately designed and secured. By definition, a grid of smart meters, besides sending billing information, is there to tell power companies how they can better match supply to demand. “They are effectively opening their networks to the whole of their user population, which creates huge security challenges.” That could be securing credit card data from criminals; or DoS attacks, for whatever motive. Just as heads of security have to get to grips with cyber, so must consultants, helping their clients to assess these threats. Besides this sense of IT opening users to threats from outside, it has to be said that organisations can be vulnerable to the people inside, for instance because staff are lax – not changing their passwords as often as they ought, or not following security procedures. So: what degree of discipline do you impose on insiders, whether using data; wearing an identity badge on site; or swiping their access card at a turnstile?

We as consumers may know BT as providers of home broadband; the security concern there is protecting home hubs against criminal exploitation. On a wholesale level, BT provides the telephone lines – the national asset – whether for BT or other telecom providers. Yet BT faces the physical threat of theft of cable for the metals. Who then is the security person drawing the risks together? The (stereotypical) former Army or police man, head of security; or an IT guy given the security job? Douglas spoke of increasingly talking to the CIO, the chief information officer, whose worry is how to maintain the integrity of commercial information. As consumers at home, our equivalent is the responsibility for keeping current anti-virus software on our computer. Fail or fall behind on the equivalent in the workplace, and a computer worm or virus could paralyse your organisation.

I asked about the Cloud, which by definition is cloudy and intangible. Douglas described what he called the fundamental behind the concept of the Cloud: you pay for what you use – no more or less. So you do not necessarily have to possess the software, or the business systems, on your system. A personal example may be the Gmail email service; you are in effect subscribing to a web-based email application. The security concern with a cloud-based application, Douglas went on, particularly if it’s the ‘public cloud’: can you maintain the integrity of the information? Large commercial organisations may choose a ‘private cloud’, as a virtual data centre. Who hosts? How do you want to access a ‘pay as you eat’ service, that you can buy more or less of depending on demand? And there’s always the sheer pace of technological change. On that, Douglas made the point that the most sophisticated cyber-security attack requires 150 lines of computer code; the most sophisticated defensive suite, as designed by BT among others, may require ten million lines of code. “It’s a very asymmetrical problem,” as Douglas says. The physical equivalent was the terrorist comment after the IRA’s 1984 Brighton hotel bombing, which sought to assassinate the then prime minister Margaret Thatcher. The terrorist or the computer hacker only has to be lucky once; the security people have to be ‘lucky’ all the time.


© 2024 Professional Security Magazine. All rights reserved.
