Bob Nowill has had a career as an IT security expert at the Government Communications Headquarters (GCHQ) and at BT. He helped respond to the change of stance of GCHQ from combating the USSR in the Cold War to the more asymmetric challenges faced today. He now works to try to bridge the skills gap between the pool of talent available to combat cyber security issues and the need for more expertise to achieve higher security.
Robert Nowill was born in Headingley, Leeds in 1955. After serving as a Captain in the Army briefly during and after the Second World War, his father retrained and became a chartered mechanical engineer; he then went on to work in power stations and for the CEGB. Rob’s mother was a WREN during the later stages of WW2 and worked at Bletchley Park as a Bombe and Teleprinter operator.
Bob attended Ecclesall County Primary School in Sheffield, and with a parental move of house and having passed his eleven plus, he then went on to Leeds Grammar School. He was an academic child and enjoyed science subjects and mathematics and opted for chess, metal work, computing and bridge rather than traditional mainstream sports for his extramural activities.
In 1974, Bob gained a place on the Student Engineer Sandwich Course scheme run by the Ministry of Defence (MoD) and won an entrance scholarship to read for a degree in Natural Sciences Pt 1 and Electrical Science Pt 2 at Trinity College, Cambridge.
As part of his sandwich course in 1974, Bob worked at The Royal Aircraft Establishment, RAE Farnborough. He explains: “It was all about being on the shop floor, learning how to get on in an engineering environment. By engineering, I don’t mean electrical engineering, I mean, milling, grinding machines, welding, bending metal, noise, oil, you know, the general hubbub of a workshop.”
Bob also spent parts of his sandwich course at the Royal Radar Establishment, RRE later RSRE, in Malvern where amongst many other activities he learned to ‘pull crystals’. He explains: “This part of RSRE caught my interest, it was in the more physics-oriented part of the Establishment, rather than the radar part of the Establishment, where they did some pioneering work on lasers. In those days to create a laser, one of the things you would need would be a piece of ruby like a cylinder with highly polished ends, about the size of a small pencil. To create a ruby, there was the technique called the Czochralski method. This essentially used a kiln to make an exceptionally hot mix of precursor chemicals and then turn it round quite slowly with a little seed core in the middle, then pull that out slowly and out would come a single crystal of ruby, which you could then shape and polish and use as a basis for the reflecting and partly reflecting component your laser.”
Having gained a BA in Electrical Sciences in 1977 (MA 1979), he spent the following two years completing his training as part of the Student Engineer Scheme by working for the MoD in the Procurement Executive, based in a building in New Oxford Street, London. The Directorate he was attached to produced and bought through industry secure equipment including crypto machines for speech or for data, often based on designs pioneered at the then CESG and other sensitive parts of HMG.
In 1979, he returned to Cambridge to study for his PhD sponsored by BT’s research lab at Martlesham. Bob was working on a project to explore whether twisted pair cable, the standard cable that went into everyone’s home in the country to carry analogue telephone lines, could be used to carry the equivalent of today’s broadband. He explains: “Broadband wasn’t a term that was used at the time. We were looking at whether it was commercially possible to get two megabits down a twisted pair line so that providers did not have to dig up all the roads and replace them with coaxial cable, or even fibre optic, though that hadn’t really been dreamt of for consumers, at that time. The trick was to find the best way of selecting an optimum twisted pair out of the many available in large cables that would support digital transmission.”
Bob saw his first analogue and digital computers in his sixth form, having joined the school’s after-school computer club. He explains: “We went down to Leeds University, who had an Elliott 903. And we all learnt very, very basic ALGOL as the programming language, and did things such as programming to print out a list of cube roots or just a bit of maths. It was more like arithmetic really.” He says his first desktop, self-contained computer, was from that very early era of Commodore PETs, which he used to automate some of the research work at university – as well as the University mainframes. He adds: “Things like programming in assembler for microprocessors and high level languages were taught, such as FORTRAN. This was before the days of C and Objects. Not everyone took the modules, nor found it very interesting. I didn’t find it particularly interesting at the time. But you soon got into it once the obvious advantages of computing and programming to aid research became evident.”
In 1982, after completing his PhD, Rob moved to GCHQ (which was also avowed in 1982) where he joined the Engineering Organisation as a project manager working in a satellite communications team. He says of the move: “It was interesting, because it was a place that was increasingly taking on graduates and postgraduates to look into complex subjects. Previously they had largely focused on maths, science and basic engineering, but it was beginning to move into the era of digital communications and satellites and other difficult things where they needed different sorts of engineers from those they had had before.”
After three years at GCHQ, Bob took a three-year posting at the Supreme Headquarters Allied Powers Europe (SHAPE) Technical Centre, at the Hague in Holland. In 1996 that was merged with NACISA to form NC3A. Bob explains: “I took a post as a senior scientist in what was called the Radio Branch, which was all about looking at the sort of systems that should be deployed by SHAPE, (and by NATO), across the theatre. It proved to be a good introduction to Frequency Hopping, and other evasive measures.”
Return to GCHQ
In 1988, Bob returned to GCHQ. He says: “I was given a role in the branch that was responsible for computer project management; the procurement and installation of the sort of diverse computer systems that a place like GCHQ needs. No detail possible, other than, it is obvious that a GCHQ needs powerful computers, supercomputers and, as they emerged on the scene, desktop computers. The whole spectrum of computing, embedded computers and other systems.”
GCHQ purchased, inter alia, American Cray supercomputers. Bob explains: “The UK had no significant capability to scale-up its own ideas into production, so America was the obvious choice. The interesting part of the job, at the computing end of it was the transition between, do we want to make something that is unique for the Brits, albeit made in America, or do we want to buy something that’s not quite off-the-shelf but is more in production than not? The early days of Cray was certainly in that latter space, and still are. Seymour Cray was still around in those days, and Cray was a big name.” As well as being immensely powerful at the time, Bob says they were also beautifully designed: “Just boxes of wires, copper, coolants and chips, but they were made to look beautiful.”
The late Eighties saw GCHQ begin to introduce desktop workstations (IBM PCs) and start to experiment with local area networks. This created many technical challenges as Bob explains: “Local area networks were done in lots of places, not just in the defence and intel sector, but it was beginning to take off. The technical challenges were a lot to do with standards, which one the world is going to adopt? So, the very difficult and quite intellectual discussions between the merits of one protocol or another were important. Obviously, different organisations would go one way, others the other, and eventually it all standardises, but making those choices was hard.”
As the technology landscape changed through the eighties and nineties, so too did the challenges that GCHQ faced, for example from the lack of built-in security in the internet and operating systems of the time, to the introduction of fibre optic communication cables which started to replace satcoms as the principal mechanism for international communications.
In 2000 Bob became Director of Technology. Bob says it was a great role with new challenges. He explains: “The real challenges were more about workforce, rewarding people properly. It is always an issue in the Civil Service, because pay is never going to be as high as it would be in small niche companies even though the interest and academic content is exceptional. On the other hand, there are lots of non-cash benefits, and later-life benefits like pensions, but they sound a bit boring if you are young. There are lots of other non-remunerative benefits, like the interest of the work, cutting-edge things, security and clearances; some people find all that interesting – the James Bond factor if you like. So, you put all those together and recruitment was always a slight challenge. Getting that right, getting the right sort of clever people in, with good enough pay, and very good non-pay was always tricky.”
As well as technological changes, GCHQ was also seeing a change in the threat environment with a shift to asymmetric warfare and processes. Speaking about the attack on the Twin Towers in the US in 2001, Bob says: “9/11 was the first significant major incident after I took over as the Director of Technology. I recall we were hosting an international IT conference at the time and obviously the air space between the UK and the US, and other places, was closed down for a period, so overseas guests were stranded in the UK. The major shock to the system understates it, but the sheer scale of what had happened, the enormity as we all know, was overwhelming at the time.”
He continues: “My world was then dealing with the aftermath of the crisis through technical eyes. With the end of the Soviet Union and the rise of other actors, non-state or difficult state, but certainly non-Russian or non-Soviet, that represented a great deal of activity.”
As a result of the technical and political changes taking place in the world, GCHQ built a new building to bring much of the workforce under one roof and to increase effectiveness – a visible and demonstrable major change to working practices. Bob explains: “There were some huge challenges in creating a new building. … The challenges of moving technology from where it was to where it needed to be were huge. The modernisation challenge, obviously there’s the technical one, but there’s a workforce one as well, a different mindset for a different mission. All of that was happening around that early part of 2000 and it was extremely interesting to be involved in.”
Questioned about the document called ‘Issues for Congress’ which was issued by the National Security Agency in 2001, and which raised concern and criticism of organisations like the NSA and GCHQ, about ‘snooping’ inappropriately on individuals, Bob says: “I think for people who are looking from the outside in, postulating that some of the work may be illegal or disproportionate, that was just demonstrating lack of knowledge due in part to a lack of transparency and accountability which has greatly improved. There was always proper, legal cover for the activities, and oversight with processes to deal with drop-offs – but I don’t need to develop that here.”
In recent years, legislation has changed, and the Interception of Communications Act was replaced by the Regulation of Investigatory Powers Act, RIPA, which in turn became the Investigatory Powers (IP) Act. Rob was invited to be a technical adviser in a review of some of the things within the proposed IP Act including the balance of where the surveillance state ought to be. He explains: “There were, I think one or two newspapers and critics that said, how can you do this, how can you have someone reviewing the balance who was from the organisation under review as it were? I suppose it’s fair comment from the outside looking in, and obviously it went to the top to decide how these things ought to be done. In order to be trusted to have access to all those pieces of evidence within, not just GCHQ but the other security and intelligence services, the legal team needed access to somebody technical who knew the words, knew the technical vocabulary, was trusted with clearances for all that sort of stuff, to sit alongside the judge and the other legal people on the team.”
The review included researching and speaking to many different organisations to find the balance. David Anderson QC (now Baron Anderson of Ipswich) led the review and Bob says: “I would say that in the UK we probably do have that position of the needle about right. There’s a little bit of wriggle room on it to move it one way or the other according to public opinion, but it isn’t hard over to the worst excesses of surveillance state, and it isn’t hard over either to the complete freedom of information, with no surveillance whatsoever. There are still bulk powers, and one of the things Anderson and his team looked into was whether those bulk powers are pitched in the right place. Some of those things have been taken to the European Court of Human Rights, and there have been one or two judgements made as to whether the UK’s position is OK or not. Some MPs and some of the NGOs took specific points to the court to challenge them. So, having come out the other end of those, some changes were, and are still being made. As I say, I think it’s probably about right. It’s been hugely well tested. Other people will argue differently. But, but that’s fine in a democracy, we can have the argument, but we’re certainly not a surveillance state in the way that an Orwellian view of life would look at it.”
In 2005, Rob left GCHQ and moved to BT to take up the role of Cyber Director within BT Security. He says: “The sort of challenges BT was having included protecting its own networks, as well as the networks and communications of its customers – commercial organisations and consumers. That manifests itself in a number of ways including for example privacy, confidentiality and other risks say to consumer broadband, and ditto to commercial services. Other activities would include for example supply chain risks – very topical at the moment.”
With BT interacting with organisations across the globe, Bob spent a lot of time travelling throughout the UK and other parts of the world. He says: “The sheer scale of a job in a company which touches every country in the world, but also has a huge base in the United Kingdom of many thousands of buildings, plus a non-trivially sized team of security people, means that anyone involved in the management and delivery of BT Security is immensely busy. So, I had great fun. It was very tiring, and I know the person I handed over to, who is a friend, also after five or six years, is in exactly the same place of loving it, but being immensely busy all at once. I have no doubt that BT do a splendid job in securing its customers information.”
Institute of Information Security Professionals (IISP)
Bob is a Founder Fellow of the Institute of Information Security Professionals (IISP), as well as being a Fellow of The IET and of The BCS. The IISP is a professional body for information security professionals and was recognised with the award of a Royal Charter in 2018. On the subject of diversity in the profession, Bob says: “We have to look at what the reasons are in terms of inclusion and diversity as to why there are gaps in the workforce. I think, you can almost take a step back and say, well it’s not just cyber playing catch-up. I think if we were talking about the nuclear industry or heavy power engineering, or making propellers for boats etc, you’d probably find there were issues with non-traditional workforce. And it is not just gender diversity, there are many other components of getting diversity and inclusion right too.”
On the subject of Y2K, Bob says: “It was certainly justified to be prepared. On the night itself I was on duty on the bridge, as it was called, one or two minor things cropped up, nothing of any substance, as turned out to be the case across the world. But, for people to look back and say cynically that it was all hyped up by the IT community, is completely wrong. I look at it and consider that the enormous amount of work that went in in preparation for it around the world, paid dividends. I think you can be wise after the event and say, ‘well but what would have ever happened, what could have happened would never have been catastrophic’ but we don’t know that. I think better to be prepared than not. But in any case, it provided a good incentive to upgrade and modernise applications and operating systems, and software generally, to become much more current than they would have been otherwise.”
UK and Cyber – The Cyber Security Challenge
On the subject of the UK’s capabilities to defend itself from the growing threats of cyber warfare, Bob says: “I would say, if you are placing a league table of competence in cyber, whether it’s offensive or defensive, the UK would be in the premier league. That doesn’t mean we’re the best, nor the worst, but we are premier league rather than championship or division one, two, three, four. We are as well placed as we can be to both respond to and keep up with those threats and opportunities. Having the right calibre of workforce engaged with HMG and others in dealing with the threat and the opportunity is massively important. We know there is a great shortage of people with the right level of skills in cyber, and trying to deal with that is one of the challenges of the day and it is why I personally am involved with the organisation called the Cyber Security Challenge UK (Bob Chairs The Board), which is all about trying to find and interest people to come into the profession who wouldn’t have otherwise thought about it. It is not so much aimed at people who are already involved; it’s aimed at people who have never thought of it as a career path in the first place.”
Bob recognises the need for advertising on social media platforms but suggests that there is room for improvement in the algorithmic way in which adverts are pushed to customers and users. He says: “There should be things that can be done on that front that aren’t being done, and I would hope that the penny drops. Do we need more regulation? Do we need more legislation in that space? Maybe, but I would have thought, technical people and organisations that run social media platforms ought to be able to find solutions without having to go right down the heavy rule of legislation, but it’ll happen if it doesn’t self-regulate properly.”
Looking back over his career, Bob reflects that “Either underestimating or overestimating the workforce challenges are always tricky. I would never claim to have got that entirely right. I think I’m pleased with the fact that certainly over the years, putting in place schemes to help train, educate, professionalise and do other good things for technical people, has developed some great capabilities and able people. On the other hand, I could equally argue, has it been enough?” He continues: “I’m sure we all ask ourselves did we ever do enough to make sure that people got the best possible deal? We like to think yes but it’s always a question.”
He also talks about the need to be able to provide better careers advice to ensure we continue to attract talent to tech, security and cyber, saying: “I’m sure that there must be a better way of giving people helpful advice and steerage. Obviously, there’s a personal responsibility for everyone to do what they think themselves is right. But the fact that we have a STEM skills gap, as well as right down into cyber, means that we haven’t entirely got that right, and I’m a little piece of that jigsaw too. I think, the penny dropping earlier across this space on inclusion and diversity would have been a good thing, and we all have a responsibility for pushing on with that.”
When talking about his own decisions to move around the industry, Bob reflects on how in the past it was considered appropriate to stay with one company or organisation throughout your career. He says: “There was quite a lot of feeling then that if you got your head down and stayed put for forty years, got promoted and so on, then you would retire from the same organisation, as many people have done, and all would be well. These days, I wouldn’t counsel anyone to do that; life isn’t like that anymore. You need to zigzag around various employers in a career both to get on and to keep on finding rewarding roles in a fast-moving sector, not just stay put.”
Interviewed by: Richard Sharpe on the 28th January 2019 at the London office of BCS
Transcribed by: Susan Hutton
Abstracted by: Lynda Feeley