CERIAS - Center for Education and Research in Information Assurance and Security

Skip Navigation
Purdue University
Center for Education and Research in Information Assurance and Security


Page Content

It Was A Good Monday


Mondays. There are many reasons Monday have a bad reputation. Few of us would claim to like Mondays.

My Monday earlier this week got off to a poor start. I was traveling to attend a workshop (a good one, on ethics in cyber) and staying, yet again, at a hotel. As sometimes happen when I travel, I wasn’t sleeping well. I awoke shortly after 3am and couldn’t get back to sleep. Being the compulsive gadget user I am, I checked my email on my cellphone. There, I saw a new message posted from Europe that made my Monday quite a bit better. (Unfortunately, it didn’t help me get back to sleep.) Actually, as I write this on Wednesday, I’m still pretty happy, as well as better rested.

The email informed me that I am the 2017 IFIP TC-11 recipient of the Kristian Beckman Award. IFIP is the International Federation of Information Processing Societies, and the Beckman Award is one of the top recognitions in the field. Many of the previous recipients of this honor have been mentors and heroes of mine.

As noted on their WWW site, IFIP is recognized by the UN, and it represents IT societies from 56 countries/regions, covering five continents with a total membership of over half a million. TC-11 is the subgroup (technical committee) devoted to security and privacy protection in information processing systems.

The Kristian Beckman Award is presented annually, starting in 1993. According to the web site, "The objective of the award is to publicly recognize an individual, not a group or organisation, who has significantly contributed to the development of information security, especially achievements with an international perspective." The letter noted my achievements in research, education, and service; my creation and leadership of CERIAS; my guidance and mentorship of students developing security tools in widespread use; and my work as Academic Editor then Editor-in-Chief of Computers & Security, the oldest journal in the field of information security.

The award will be formally presented at 32nd International Conference on ICT Systems Security and Privacy Protection (IFIP SEC 2017) in Rome, in May 2017. I will be presenting an invited plenary address as part of the award.

I am honored to be named as a recipient of this award. I have worked with IFIP TC-11 on various things over the last 25 years, including as a subcommittee chair (TC 11.4), as a member of several other groups, and serving as editor of Computers & Security, which is recognized as the official journal for TC-11. Along with ACM, ISSA, (ISC)2, IFIP is a significant force in research and education in cyber security.

I have been quite fortunate in my career. With the Beckman Award, I believe I have now been recognized with every major cyber security award, including the National Computer System Security Award; ISSA Hall of Fame; Harold F. Tipton Award; Cyber Security Hall of Fame; SANS Lifetime Achievement Award; Outstanding Contribution Award from ACM SIGSAC; the Joseph Wasserman Award from ISACA. I haven’t done all this on my own — I have been fortunate enough to work with some outstanding students, colleagues, and staff. I will always be grateful for their collegial support.

I would also like to note that many of these awards can be seen as "lifetime" awards. Although the administrators and some of my colleagues at Purdue think I’m no longer functional, I want to assure everyone else that I’m not done yet — I still have some ideas to pursue, possibly another book or two to write, and more students to teach and advise!

Now, if only I could get enough sleep on a regular basis…but I’m willing to wake up for news like this! And no, I still don’t particularly like Mondays.

Passing of a Cyber Securty Pioneer


Stephen T. Walker recently died. He was the founder of the pioneering Trusted Information Systems, a prime force behind the establishment of the NCSC (now the Commericial Solutions Center, but also the producer of the Rainbow Series), and he was the recipient of the first National Computer Security Systems Award  His obituary lists his many notable accomplishments and awards. Steve was a major influencer (and mentor) in the field of cyber security for decades.

I only recall meeting Steve once, and I am poorer for not having had more contact with him.

If you work in cyber security, you should read his obituary and ponder the contributions that have led to the current state of the field, and how little we have credited people like Steve with having had a lasting influence.

Changes for CERIAS…and Spaf


Today (June 30) is my last day as CERIAS Executive Director. This marks the end of a process that began about 15 months ago, when it was unexpectedly announced that my appointment was not being renewed. Last week, the dean responsible announced the appointment of Professor Dongyan Xu as interim executive director as of July 1. He also announced, to our surprise, that Professor Elisa Bertiino would not be reappointed as CERIAS Director of Research. I wish to express my deep gratitude to Elisa for her support and her participation in the growth of CERIAS; I very much value having Elisa as a colleague.

I will not make any other public comments at this time about this transition other than to voice my unequivocal support of Dongyan, and of the wonderful CERIAS staff. Dongyan is an outstanding scholar and colleague, and he has a long history of active involvement with CERIAS. I helped recruit him to Purdue in 2001 as a new assistant professor working in security, so I am very familiar with his background. He has worked with CERIAS as he has advanced through the academic ranks, so he has the experience — both professional and personal — to handle the job in this time of transition.

Looking back, I have had the honor of working with some incredible people over the last 25 years, first as leader of the COAST Laboratory, and then as the founder and (executive) director of CERIAS. CERIAS participants have set an example of “thinking differently” to effect a profound and lasting set of changes — many of which are not recognized nor appreciated locally; As with most things in academia, the further away one gets from one’s home institution in space and time, the more the value of contributions are understood! It is widely acknowledged outside that our faculty, staff, and students have made a huge contribution to establishing cyber security as an academic discipline.

When CERIAS was founded in 1998, there were only four small academic groups in the world that were devoted to cyber security, and they were all quite small. CERIAS was established to help build the field, establish leadership, and investigate new ideas, all while embracing the spirit of the land-grant university to perform research in the public good. In the years since then, our local community has:

  • grown our participating faculty to over 100, with visitors and senior grads of at least as many again
  • assisted over a dozen other universities, and dozens more smaller institutions, develop curricula and degrees in the area
  • initiated research into hundreds of new topic areas, bringing in over $100 million in externally funded research
  • supported several dozen companies and government agencies in our partner program, with research, policy, and hiring

What is more, we helped show that the whole field of cyber protection is really multidisciplinary — it is more than computer science or engineering, but a rich area of study that includes a range of disciplines. Over the last 18 years, we have had faculty from 20 different academic departments participate in CERIAS activities…and still do.

Also back in 1998, there were few programs producing graduates with concentrations in cyber security. I did a survey for some Congressional testimony at the time, and found that only about 3 PhDs a year were being produced in all of the US (and almost none elsewhere) in the field (excluding cryptography). Although not explicitly part of CERIAS, which is a research-only entity, CERIAS participants also:

  • helped produced 250 new PhDs in cyber security, cyber forensics, and privacy, and many more hundreds with MS degrees
  • established the first graduate program with an explicit information security degree
  • established a graduate certificate in public policy and cyber security
  • established an academic program in cyber forensics

As the (in parallel) head of the Interdisciplinary Information Security (INSC) graduate program, I have seen the synergy between CERIAS and INSC, and pleased to be a part of both.

Looking back, it has been wonderful to see these results, and to work with such a wonderful collection of faculty, staff, and students. Unlike efforts at some other institutions of higher education, our primary goal has not been to generate “buzz” for faculty to start up their own companies, or to see how much funding we could rake in for bragging rights. Instead, we have sought to do the “right thing” by our students and the public: produce innovative ideas and well-educated graduates who could go out to make the world a better place for everyone. By any measure, we have done so.

Coincidentally, not only am I ending my time as Executive Director of CERIAS today, I am also finishing 20 years of service as the chair or co-chair of ACM’s US Public Policy Council. Coupled with some recent personal changes, this has been a very event-filled few months.

Those of you who know me know that I try to look forward more than look back. So, what am I looking forward to?

To start with, I will be assuming the role (and title) of Executive Director Emeritus. In that role, I will be helping Dongyan, Joel, and Jerry with whatever next steps seem right for CERIAS. I will continue to be the head of the INSC Interdisciplinary Graduate program here at Purdue. I have a few PhD students in progress who I will continue to work with. I may restart the COAST Lab with my own set of projects, if I can find some external partners willing to help fund that effort. I will continue to work with USACM as Immediate Past Chair, and serve as an at-large member of the ACM Council.   I will continue to be Editor-in-Chief of the journal Computers & Security (the oldest journal in the field). Thus, I won’t lack for things to do!

Being forced to make changes often encourages us to consider more than we might have, had status quo remained. Times of change are often the best times to make other, possibly major, changes, so some of the above may be subject to change, too! (Ideas -- and offers -- welcomed.)

In closing, my huge thanks to those who have engaged positively with me in my CERIAS role over the last 18 years. And please join me in wishing Dongyan good fortune in his new, interim role.

Nominations solicitied for the CSHOF


The nomination cycle for the 2016 induction into the Cyber Security Hall of Fame is now open.

Details on the nomination procedure are available online.

Nominations are due by July 20.

Another year, another RSAC


I have attended 10 of the last 15 RSA conferences. I do this to see what’s new in the market, meet up with friends and colleagues I don’t get to see too often, listen to some technical talks, and enjoy a few interesting restaurants and taverns in SF. Thereafter, I usually blog about my impressions (see 2015 and 2014, for example).I think I could reuse my 2015 comments almost unchanged…

There have been some clear trends over the years:

  • The technical talks each year seem more focused on superficial approaches and issues: there seemed to be less technical content, at least in the few I observed. This goes with the rather bizarre featured talks by cast members of CSI: Cyber and Sean Penn — well known experts on cyber. Not. (Several others told me they thought the same about the sessions.) Talks a decade ago seemed to me to be deeper.
  • This matches some of what I observed at booths. The engineers and sales reps at the booths have little deep knowledge about the field. They know the latest buzzwords and market-speak, but can’t answer some simple questions about security technologies. They don’t know people, terms, or history. More on this later.
  • There is still an evident level of cynicism among booth personnel that surprised me, but less than last year.
  • There seemed to be more companies exhibiting (both sides of Moscone were full). There also seemed to be more that weren’t there last year and are unlikely to be around next year; I estimate that as many as 20% may be one-time wonders.

This year showed some evidence of effectiveness of new policies against “booth babes.” I talked to a number of women engineers who were more comfortable this year working at the booths. A couple indicated they could dress up a little without being mistaken for “the help.” That is a great step forward, but it needs reinforcement and consistency. At least one tried to come close to the edge and sparked some backlash.

As I noted above, the majority of people I talked to at vendor booths didn’t seem to have any real background in security beyond a few years of experience with the current market. This is a longer-term trend. The market has been tending more towards patching and remediation of bad software rather than strong design and really secure posture. It is almost as if they have given up trying to fix root causes because few end-users are willing to make the tough (and more expensive) choices. Thus, the solutions are after-the-fact, or intended to wrap broken software rather than fix it. Employees don’t need to actually study the theory and history of security if they’re not going to use it! Of course, not everyone is in that category. There are a number of really strong experts who have extensive background in the field, but it seems to me (subjectively) that the number attending decreases every year.

Related to that, a number of senior people in the field that I normally try to meet with skipped the conference this year. Many of them told me that the conference (and lodging and…) is not worth what they get from attending.

(As a data point, the Turing Award was announced during the first day of the conference. I asked several young people, and they had no idea who Diffie and Hellman were or what they had done. They also didn’t know what the Turing Award was. Needless to say, they also had no idea who I was, which is more or less what I expect, but a change from a decade ago.)

As far as buzzwords, this year didn’t really have one. Prior years have highlighted “the cloud,” “big data,”, and “threat intelligence” (to recap a few). This year I thought there would be more focus on Internet of Things (IoT), but it wasn’t. If anything, there seemed to be more with “endpoint protection” as the theme. Anti-virus, IDS, and firewalls were not emphasized much on the exhibit floor. Authentication of users and apps were. Phishng is a huge problem but the solutions presented are either privacy invasive or involve simulated phishing to (allegedly) train end users. Overall, I didn’t see much that I would consider really novel.

There was one big topic of conversation — the FBI vs. Apple encryption debate. There were panels on it. Presenters mentioned it. It was a topic of conversation at receptions, on the exhibit floor, and more. The overwhelming sentiment that I heard was on Apple’s side of the case. (Interestingly, I recently wrote an editorial in CACM on this general topic — written before the lawsuit was filed.)

Overall, I spent 4 days in SF. My schedule was fairly full, but I left this time with the sense that I hadn’t really spent all that time usefully. I did get to see some friends and former students. I got a fresh supply of T-shirts. I picked up literature for our campus CISO. And I have a few leads for companies that may be interested in donating product to CERIAS — or joining our partner consortium. If a few of those come through then I may change my mind.

If you attended the conference this year, leave a comment with your impressions.