Interviews 06.06.2023
Professor Alan Woodward’s CV is impressive, to say the least. Equally as impressive as his straight-talking, no-nonsense and highly articulate way of communicating cyber risk. Ladies and Gents, meet Professor Alan Woodward
Communication is a recurring theme in Alan Woodward’s life. Over an all-too-brief hour-long conversation, we journey from his early days as a physicist and Cold War intelligence officer to his current role as visiting professor at the University of Surrey. Whether in conversation with journalists, politicians, business colleagues or students, Alan’s key to success has always been understanding the audience and speaking to them in a language they can grasp.
“Part of what I try to do these days is to engage with a broader audience and explain things in a way that isn’t closed off and [does not] immediately descend into techno-babble,” he says. “It’s not always easy to do, but I really like it because you have to prove to yourself whether you understand the material.”
The challenge is particularly acute when speaking to lawmakers who often seem to willfully misunderstand or misrepresent the expert opinions of Alan and fellow academics. A softly-spoken but articulate and passionate interviewee, Alan’s disdain for government attempts to undermine end-to-end encryption (E2EE) becomes clear early on.
“It’s very easy for people who want for political purposes to throw out an emotive headline and say to the technology community ‘just nerd harder, there must be a solution,’” he argues. “But you have to say, ‘no, it’s very binary: it’s security and privacy for all, including the bad guys, or security and privacy for none.”
Alan’s frustrations are borne out of “endless discussions with politicians”, which usually result in his expert opinion being ignored for politically expedient reasons. For years, governments and law enforcement agencies like the FBI have been trying to force tech firms to provide de facto encryption backdoors to enable them to snoop more easily on the communications of suspects or perpetrators of serious crimes. But each time, the technology vendors and independent subject matter experts like Alan, Bruce Schneier and Ross Anderson explain that it’s impossible without undermining security and privacy for all users.
According to Alan, the disingenuity circus has rolled into town in the UK, most recently in the form of the Online Safety Bill. Its Clause 110 appears to open the door to another ‘solution’ widely criticised by cryptography and technical experts: client-side scanning. Assured Intelligence reported that this would require providers to place software on all users’ devices, enabling them to scan messages before they’re encrypted and sent. Such software would scan for content and check it against a database of known child sexual exploitation and abuse (CSEA) content. Apple quietly shelved a similar proposal for client-side scanning in 2021 after highly critical feedback from the tech community.
“I’m very much against the Online Safety Bill. It seems good on the surface, but the implications for how it could be misused are enormous,” Alan argues. “All that will happen is companies like WhatsApp and Signal will withdraw from the country. That would mean that the majority of people in the UK would have their security weakened. How can that be a good idea?”
While the UK authorities already have the power to hack individual suspects’ devices, there are several checks on this power, such as the need to get judicial sign-off each time, he explains. Alan’s big fear about undermining E2EE is its potential to usher in a new era of mass surveillance.
“One year it’ll be about drugs, the next about terrorism,” he argues. “At the moment, it’s child protection. Every child matters, and just one being abused is one too many. But there are other ways of tackling it.”
Aside from targeted equipment interference, Alan cites the success of an international law enforcement operation that targeted the encrypted chat network EncroChat, which was used by tens of thousands of criminals.
After police cracked it, hundreds of arrests followed, and criminal gangs are still being brought to justice on evidence gleaned from those unencrypted chats. Similar services like Anom and Sky ECC were also brought down with positive results for law enforcement. Other successful police initiatives have involved asking the public to identify objects or background scenery in child abuse content, says Alan.
“That, to me, is a more sensible use of resources than saying to Alphabet and Meta, ‘you must do this’ because they’ll just stick two fingers up,” he continues. The Online Safety Bill prompts “an appalling situation where the government is trying yet again to get a route into E2EE, and we’ve explained endlessly why that won’t work.”
This is all a far cry from Alan’s early years as a physics and astronomy student. His first computing experience came during his final year of university research into gamma-ray bursts. Alan wrote signal processing code for devices designed to test for nuclear activity during the Cold War. Following his tutor Tony Hey to Southampton University’s Institute of Sound and Vibration Research (ISVR), Alan studied as a post-graduate, writing research papers on recovering corrupted signals and noise cancellation.
“I was on station in April 1986 when Chernobyl went up, and the pictures were crap, but we managed to recover them”
Effectively head-hunted by the government, Alan ended up at Defence Intelligence, where he worked on recovering overhead images.
“Everyone’s heard of SIS, MI5 and GCHQ, but I don’t think people realise that Defence Intelligence is there and is bigger than all of them put together,” he explains. “I was on station in April 1986 when Chernobyl went up, and the pictures were crap, but we managed to recover them, and then thought ‘shit.’”
Further work for the intelligence services included a stint with the navy on underwater communications, where Alan was involved with intercepting signals from underwater cabling. When the Russians got wise and started encrypting these signals, Alan’s career as an internationally renowned cybersecurity expert began to take shape.
“It was more about cryptoanalysis: ‘How do we get into this thing?’ I’m a useless builder, but I’m much better at taking things apart and trying to work out how they function. I like puzzles,” he says. “Then I started working with GCHQ. Increasingly I was involved in understanding how [adversaries] had got into something of ours or how we could get into something of theirs.”
After a lengthy stint with the government, Alan followed his commanding officer into the private sector to a role at UK IT services giant Logica. He helped to spin out a new business: Charteris. Here, he continued “basically doing the same thing” as at GCHQ, on both cyber-attack and defence, eventually helping the firm to float on the London Stock Exchange.
This experience in the private sector helped to foment Alan’s understanding of the intersection between business and cybersecurity and the importance of good communication in preventing silos from building between the two. It’s something Alan is clearly passionate about as he talks about the courses he now teaches.
“We’re constantly encouraging the students to present their findings and reports. It’s a soft skill, but it teaches them they can’t just put up the code. They have to explain it in words of one syllable,” he says. “It’s what we really need [in the industry], so we’re always trying to build on this idea of communication via workshops and lab sessions.”
He adds that one thing that’s harder to teach is an interest in “taking things apart and seeing how they work”—a highly sought-after skill in the cybersecurity sector.
“You need the right mindset, and you can quickly work out whether someone has it or not,” Alan continues. “We need architects rather than bricklayers. A lot of people are great at building things, but one thing they don’t do is look at how something could be misused and therefore broken.”
The university immerses undergraduate students in the “real world” by offering professional training placements in various sectors. Alan claims that this has made it one of the most successful in bridging the gap between academia and the world of work by getting a high percentage of graduates into jobs.
Unfortunately, however, the pipeline of talent sorely needed by the cybersecurity sector is still far from full. As of 2022, there was a shortfall of 57,000 industry professionals in the UK alone, a 73% year-on-year increase. Alan argues that encouraging more school leavers to try their hand at IT/cyber will be critical to the future prosperity of the sector and UK PLC as a whole.
“The problem is not going away; we’re desperately short of people with cybersecurity skills,” he says. “The number of attacks, the amount of money being made by the bad guys, and the disruption just to UK firms, is enormous.”
Not only are skills in short supply, but they need to be used more efficiently. As an advisor to Europol’s European Centre for Cyber Crime (EC3), Alan bemoans UK law enforcers’ lack of industry engagement on cyber.
“In my experience, police forces here aren’t using alternative sources of expertise like they are in Europe. And I really don’t know why,” he says. “There are an awful lot of skills out there they’re just not tapping into.”
At one point in our interview, Alan apologises for the appearance of his nose, which lost a fight with a couple of bees the day before.
“My father taught me to keep bees. I find it very therapeutic…apart from when they sting me,” he explains. “But I like the idea of bees. They’re so important to the environment, and when you become a beekeeper, you realise how scary the number of colonies dying is.”
A slightly calmer pastime Alan enjoys is collecting and restoring antique clocks, although they must be set at different times to avoid a deafening cacophony every hour, he admits. Expecting a list of similarly serene hobbies, I’m surprised to hear Alan can also drive a tank, goes clay pigeon shooting when “in a bad mood”, and has a pilot’s license—enabling several ad hoc adventures across the Channel.
“When you get up there, it’s a completely new perspective on the world. Seeing things from above like that takes me back to my imagery days,” he concludes. “That first solo flight teaches you a lot about yourself.”
Reflecting on these achievements, it’s hard to think of a figure better suited to inspiring the next generation of cyber professionals.
Features 14.05.2024
Education was the most attacked sector in the UK in the last six months
Features 09.05.2024
Top security leaders share their three biggest cybersecurity concerns
Features 07.05.2024
We used AI to clone the voices of myself and our CEO to launch a targeted phishing attack on an Assured team member!