Nominet cyber security chief Cath Goulding on cyber threats, Huawei and 5G

Goulding, who is often called on to speak about her role, has a clear idea about how it should be performed. “For me, the chief information security officer is the neutral person who talks about security, because it is high risk. It’s about translating the risks to the board in language they can understand. I ask all the questions around the business but as I can’t know everything, it’s about building security in from the start, and engaging the whole of the business, so that it’s everybody’s business and not just one person’s responsibility.”

Cath Goulding, far left, receiving a Women in IT award in 2015. Pic supplied

A mathematics graduate from Edinburgh University, Goulding spotted the rapid growth of the IT industry and went on to do a masters in computing, focusing on human-computer interaction. This led to her being recruited to GCHQ, where she was involved in a number of internet security projects, including a spell at the UK embassy in Washington liaising with the US security services.

In 2012, ICANN (the Internet Corporation for Assigned Names and Numbers), the organisation responsible for worldwide coordination of the internet’s DNS (Domain Name Server) root suffixes, agreed to allow another 1,200 top level domains to be made available. In the period that followed, Nominet, which is responsible for 12 million dot.uk domains, committed to a diversification strategy that included cyber security.

Goulding’s background in internet security and contacts with the government made her the ideal person to support this new activity. Nominet’s researchers developed algorithms and analysis techniques to aid their understanding of the two billion or so interactions it has every day with dot.uk domains. 

This capability gives Nominet unique insight into internet activity and enables it to identify what Goulding calls ‘bad actors,’ the authors of malware, viruses, phishing scams and state-sponsored cyber warfare.

These skills, experience and tools have evolved into a product offering called NTX. Nominet also works closely with the National Cyber Security Centre (NCSC) as part of its Active Cyber Defence programme in delivering the Protective DNS service. In 2018, the Protective DNS service detected and blocked attempts to access more than 57 million malicious websites.

Cath Goulding, chief information security officer at Nominet. Pic: Antony David

Nominet works closely with the UK government and NTX is used in a number of larger organisations including GWR, RS Components and the Haas FI team. Unlike security at the end-point, ie on your computer, NTX sits upstream at the DNS servers that mediate the connections. Users have found it provides other useful information about their networks, sometimes revealing previously unrecognised assets.

Nominet’s NTX cyber security platform. Pic: supplied.

Given Goulding’s previous contacts with US internet security people and the current focus on the controversy, I ask why she thinks the US has taken a tougher position than the UK on Huawei’s infrastructure systems, she says: 

“It comes down to how you assess risk and what you think the benefits are. 5G is going to bring enormous benefits to this country and if you encrypt your traffic well enough, your data should remain protected.

“It’s more about availability; if the UK gets into conflict with China, theoretically they could flick a switch and our internet availability goes. If you’re responsible for UK security, you should never rely on a single supplier. One of the problems is that other suppliers in this field don’t have the same capability as Huawei.”

When asked what other issues are coming up, Goulding explains that the advent of encrypted DNS over HTTPS, also known as DoH, creates challenges for those using DNS to prevent bad actors. “With DoH, the ISP can’t provide the services that require knowledge of where your DNS is directed, such as parental controls, malware filtering or blocking child pornographers. The proponents of DoH are saying that you need to provide those kind of services another way – they want to make privacy an absolute right for everybody.”

This brings us onto the future of control over the internet. The ‘Great Firewall of China’ demonstrates how state control can be exercised using DNS management. Does she think the internet will go the way of previous nationally important critical infrastructure such as telephony, electricity distribution, railways and roads, and become if not state-owned, at least state-controlled. “It’s unlikely to go down the state-controlled route but certainly the government and law enforcement are increasing their oversight of the Internet.”

It’s clear that Cath Goulding and Nominet will have plenty to deal with over the coming years.

Further reading: visit Nominetcyber.com where there are a number of reports published.

About the Author

Antony David

A chemistry graduate, Antony spent most of his career using and then making equipment for the music and broadcast industries. He was managing director of Oxford-based electronics and software company, Solid State Logic.