Willis H. Ware, a highly respected and admired pioneer in the fields of computing security and privacy, passed away on November 22nd, 2013, aged 93.Born August 31,1920, Mr. Ware received a BSEE from the University of Pennsylvania (1941), and an SM in EE from MIT (1942). He worked on classified radar and IFF (identify friend or foe) electronic systems during WWII. After the war he received his Ph.D. in EE from Princeton University (1951) while working at the Institute for Advanced Studies for John von Neumann, building an early computer system.
Upon receiving his Ph.D., Dr. Ware took a position with North American Aviation (now part of Boeing Corporation). After a year, he joined the RAND Corporation (in 1952) where he stayed for the remainder of his career -- 40 more years — and thereafter as an emeritus computer scientist. His first task at RAND was helping to build the "Johnniac," an early computer system. During his career at RAND he advanced to senior leadership positions, eventually becoming the chairman of the Computer Science Department.
Willis was influential in many aspects of computing. As an educator, he initiated and taught one of the first computing courses, at UCLA, and wrote some of the field's first textbooks. In professional activities, he was involved in early activities of the ACM, and was the founding president of AFIPS (American Federation of Information Processing Societies). From 1958-1959 he served as chairman of the IRE Group on computers, a forerunner of the current Computer Society of the IEEE. He served as the Vice Chair of IFIP TC 11 from 1985-1994. At the time of his death he was still serving as a member of the EPIC Advisory Board.
Dr. Ware chaired several influential studies, including one in 1967 that produced a groundbreaking and transformational report for ARPA (now DARPA) that was known thereafter as "The Ware Report." To this day, some of the material in that report could be applied to better understand and protect computing systems security. The follow-on work to that study eventually led, albeit somewhat indirectly, to the development of the NCSC "Rainbow Series" of publications. (The NCSC, National Computer Security Center, was a public-facing portion of the NSA ,serving as an office for improving security in commercial products.)
In 1972, Dr. Ware was tapped to chair the Advisory Committee on Automated Personal Data Systems for the HEW (now HHS) Secretary. That report, and Willis's subsequent paper,"Records, Computers, and the Rights of Citizens," established the first version of the Code of Fair Information Practices. That, in turn, significantly influenced the Privacy Act of 1974, and many subsequent versions of fair information practices. The Privacy Act mandated the creation of the Privacy Protection Study Commission, of which Dr. Ware was vice chair.
Willis was the first chairman of the Information System and Privacy Advisory Board, created by the Computer Security Act of 1987. He remained chairman of that board for 11 years following its establishment. Over the years, Dr. Ware served on many other advisory boards, including the US Air Force Scientific Advisory Board, the NSA Scientific Advisory Board, and over 30 National Research Council boards and committees.
Willis Ware was one of the most honored professionals in computing. He was a Member of the National Academy of Engineering, and was a Fellow of the AAAS, of the IEEE, and of the ACM — perhaps the first person to accrue all four honors. He was a recipient of the IEEE Centennial Medal in 1984, the IEEE Computer Pioneer Award in 1993, and a USAF Exceptional Civilian Service Medal in 1979. He was the recipient of the NIST/NSA National Computer System Security Award in 1989, the IFIP Kristian Beckman Award in 1999, a lifetime achievement award from the Electronic Privacy Information Center (2012), and was inducted into the Cyber Security Hall of Fame in 2013.
Dr. Willis H. Ware was truly a pioneer computer scientist, an early innovator in computing education, one of the founders of the field of computer security, and an early proponent of the need to understand appropriate use of computing and the importance of privacy. His dedication to the field and the public interest was both exceptional and seminal.
The Rand Corporation posted an in memorium piece on their website.
(Any updates or corrections will be posted here as they become available.)
Update 10/26: included acronym expansions of IFF and NCSC, along with links for NCSC and HHS. Added small grammatical corrections.
Update 10/29: added the note and link to the Rand Corporation in memorium piece.
On October 9th, 2013, I delivered one of the keynote addresses at the ISSA International Conference. I included a number of observations on computing, security, education, hacking, malware, women in computing, and the future of cyber security.
You can see a recording of my talk on YouTube or view it here. You might find it somewhat amusing. See the old guy with the bow tie ramble on.
(If you work in cyber security, you should think about joining the ISSA.)
(Also, if you didn't know, I have two other blogs. One blog is a Tumblr blog feed of various media stories about security, privacy and cybercrime. The other blog is about various personal items that aren't really related to CERIAS, or even necessarily to cyber security — some serious, some not so much.)
Over the last month or two I have received several invitations to go speak about cyber security. Perhaps the up-tick in invitations is because of the allegations by Edward Snowden and their implications for cyber security. Or maybe it is because news of my recent awards has caught their attention. It could be it is simply to hear about something other than the (latest) puerile behavior by too many of our representatives in Congress and I'm an alternative chosen at random. Whatever the cause, I am tempted to accept many of these invitations on the theory that if I refuse too many invitations, people will stop asking, and then I wouldn't get to meet as many interesting people.
As I've been thinking about what topics I might speak about, I've been looking back though the archive of talks I've given over the last few decades. It's a reminder of how many things we, as a field, knew about a long time ago but have been ignored by the vendors and authorities. It's also depressing to realize how little impact I, personally, have had on the practice of information security during my career. But, it has also led me to reflect on some anniversaries this year (that happens to us old folk). I'll mention three in particular here, and may use others in some future blogs.
In early November of 1988 the world awoke to news of the first major, large-scale Internet incident. Some self-propagating software had spread around the nascent Internet, causing system crashes, slow-downs, and massive uncertainty. It was really big news. Dubbed the "Internet Worm," it served as an inspiration for many malware authors and vandals, and a wake-up call for security professionals. I recall very well giving talks on the topic for the next few years to many diverse audiences about how we must begin to think about structuring systems to be resistant to such attacks.
Flash forward to today. We don't see the flashy, widespread damage of worm programs any more, such as what Nimda and Code Red caused. Instead, we have more stealthy botnets that infiltrate millions of machines and use them for spam, DDOS, and harassment. The problem has gotten larger and worse, although in a manner that hides some of its magnitude from the casual observer. However, the damage is there; don't try to tell the folks at Saudi Aramaco or Qatar's Rasgas that network malware isn't a concern any more! Worrisomely, experts working with SCADA systems around the world are increasingly warning how vulnerable they might be to similar attacks in the future.
Computer viruses and malware of all sorts first notably appeared "in the wild" in 1982. By 1988 there were about a dozen in circulation. Those of us advocating for more care in design, programming and use of computers were not heeded in the head-long rush to get computing available on every desktop (and more) at the lowest possible cost. Thus, we now have (literally) tens of millions of distinct versions of malware known to security companies, with millions more appearing every year. And unsafe practices are still commonplace -- 25 years after that Internet Worm.
For the second anniversary, consider 10 years ago. The Computing Research Association, with support from the NSF, convened a workshop of experts in security to consider some Grand Challenges in information security. It took a full 3 days, but we came up with four solid Grand Challenges (it is worth reading the full report and (possibly) watching the video):
I would argue -- without much opposition from anyone knowledgeable, I daresay -- that we have not made any measurable progress against any of these goals, and have probably lost ground in at least two.
Why is that? Largely economics, and bad understanding of what good security involves. The economics aspect is that no one really cares about security -- enough. If security was important, companies would really invest in it. However, they don't want to part with all the legacy software and systems they have, so instead they keep stumbling forward and hope someone comes up with magic fairy dust they can buy to make everything better.
The government doesn't really care about good security, either. We've seen that the government is allegedly spending quite a bit on intercepting communications and implanting backdoors into systems, which is certainly not making our systems safer. And the DOD has a history of huge investment into information warfare resources, including buying and building weapons based on unpatched, undisclosed vulnerabilities. That's offense, not defense. Funding for education and advanced research is probably two orders of magnitude below what it really should be if there was a national intent to develop a secure infrastructure.
As far as understanding security goes, too many people still think that the ability to patch systems quickly is somehow the approach to security nirvana, and that constructing layers and layers of add-on security measures is the path to enlightenment. I no longer cringe when I hear someone who is adept at crafting system exploits referred to as a "cyber security expert," but so long as that is accepted as what the field is all about there is little hope of real progress. As J.R.R. Tolkien once wrote, "He that breaks a thing to find out what it is has left the path of wisdom." So long as people think that system penetration is a necessary skill for cyber security, we will stay on that wrong path.
And that is a great segue into the last of my three anniversary recognitions. Consider this quote (one of my favorite) from 1973 -- 40 years ago -- from a USAF report, Preliminary Notes on the Design of Secure Military Computer Systems, by a then-young Roger Schell:
…From a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs and as long as the illusory results of penetration teams are accepted as demonstrations of a computer system security, proper security will not be a reality.
That was something we knew 40 years ago. To read it today is to realize that the field of practice hasn't progressed in any appreciable way in three decades, except we are now also stressing the wrong skills in developing the next generation of expertise.
Maybe I'll rethink that whole idea of going to give a talks on security and simply send them each a video loop of me banging my head against a wall.
PS -- happy 10th annual National Cyber Security Awareness Month -- a freebie fourth anniversary! But consider: if cyber security were really important, wouldn't we be aware of that every month? The fact that we need to promote awareness of it is proof it isn't taken seriously. Thanks, DHS!
Now, where can I find I good wall that doesn't already have dents from my forehead....?
Over the years, I've gotten to know many people working in security and privacy. Too few have focused on issues relating to children and young adults. Thankfully, one of these people is Linda McCarthy. A security professional with an impressive resume that includes senior positions at Sun Microsystems and Symantec, Linda has had actual "boots-on-the-ground" experience in the practice of information protection.
Linda has written several books on security, including "Intranet Security - Stories from the Trenches," and "IT Security: Risking the Corporation." She also co-authored the recent free, quite popular, Facebook tutorial on security and privacy. I have read these, heard her speak, and worked with her on projects over the years -- Linda is thoughtful, engaging and an effective communicator on the topics of security and privacy. I'm not the only person to think so -- not too long ago she was a recipient of the prestigious Women of Influence award, presented by CSO Magazine and Alta Associates, recognizing her many achievements in security, privacy and risk management.
About a decade ago, based on some personal experiences with young adults close to her, Linda took on the cause of education about how to be safe online. Youngsters seldom have the experience (and the judgement born of experience) to make the best choices about how to protect themselves. Couple that naiveté with the lure of social contact and the lack of highly-visible controls, and toss in a dash of the opportunity to rebel against elders, and a dangerous mix results. Few people, young or old, truly grasp the extent and reach in time and space of the Internet -- postings of pictures and statements never really go away. Marketers, for one, love that depth of data to mine, but it is a nightmare that can haunt the unwary for decades to come.
Long term loss of privacy isn't the only threat, of course. Only last week news broke of yet another tragic suicide caused by cyberbullies; there is a quiet epidemic of this kind of abuse. Also, Miss Teen USA, Cassidy Wolf, spoke a few days ago about being the victim of cyberstalking and sexual extortion. These are not things kids think about when going online -- and neither do their parents. This is the complex milieu that Linda is confronting.
In 2006, Linda began to focus on writing for the younger set and produced "Own Your Space: Keep Yourself and Your Stuff Safe Online," which is a nice introduction that kids seem to appreciate. A few years ago, Linda updated it and under a Creative Commons license it is now available as a free download from Microsoft (among others). I wrote about the release of that update in this blog in 2010.
Earlier this year, Linda released a new book, "Digital Drama: Staying Safe While Being Social Online" (also available en español). This book covers a multitude of issues, including privacy, reputation, online bullying and stalking, avoiding predators, spotting scams, how to manage settings and online persona, and a wealth of other valuable insights for young people -- and therefore it is also of value to their parents, teachers, and an older audience that may not have the expertise but faces many of the same concerns. Linda's book doesn't address all the problems out there -- she doesn't address the really dark side of youth gang culture, for instance -- but this book does admirably cover many of the major issues that face kids who really want to stay out of trouble.
What makes this especially useful is a limited-time offer. In support of National Cyber Security Awareness Month, Microsoft has provided support to allow Linda to offer a free digital download of "Digital Drama" from Amazon.com (the Spanish version, too). Parents, teachers, teens, tweens, kids, and the young at heart can all get that free download from 12am on Tuesday, September 24th until 11:59pm on Friday, September 27 (2013; times are PDT). (If you are reading this blog after that week, you should still check out the book.)
To quote from the "About this book" section of Amazon:
Every day, millions of teens log on and make decisions that can compromise their safety, security, privacy, and future. If you are like most teens, you are already using social networking sites like Twitter and Facebook and have your smartphone super-glued to your hand. You tag your friends in photos, share your location and thoughts with friends, and post jokes online that later may be misunderstood. At the same time, you might not realize how that information can affect your reputation and safety, both online and offline. We’ve all heard the horror stories of stolen identities, cyber stalking, pedophiles on the Internet, and lost job, school, and personal opportunities. All teens need to learn how to protect themselves against malware, social networking scams, and cyberbullies. Learn crucial skills:
- Deal with cyberbullies
- Learn key social networking skills
- Protect your privacy
- Create a positive online reputation
-Protect yourself from phishing and malware scams
Spaf sez, "Check it out."
In the June 17, 2013 online interview with Edward Snowden, there was this exchange:
I simply thought I'd point out a statement of mine that first appeared in print in 1997 on page 9 of Web Security & Commerce (1st edition, O'Reilly, 1997, S. Garfinkel & G. Spafford):
Secure web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police.
I originally came up with an abbreviated version of this quote during an invited presentation at SuperComputing 95 (December of 1995) in San Diego. The quote at that time was everything up to the "Further...." and was in reference to using encryption, not secure WWW servers.
A great deal of what people are surprised about now should not be a surprise -- some of us have been lecturing about elements of it for decades. I think Cassandra was a cyber security professor....
[Added 9/10: This also reminded me of a post from a couple of years ago. The more things change....]