While preparing to introduce today’s keynote (Dr. David McGrew) at the 23rd CERIAS Symposium, I was reminded of an exercise in crystal ball gazing. Every December we have various people publish a list of their top predictions for the coming year. Some are thoughtful, and others simply risable. The track record is often quickly forgotten.
However, what of an effort by real experts and visionaries to make some bold predictions for a decade hence? Many people have repeatedly claimed that such a thing is impossible for cybersecurity – the field moves too quickly, innovation disrupts truisms, and biases complicate the mix.
Here, I present at least one worked example that proves that it could be done – and was.
In 1992, the COAST Laboratory was started. Around 1996, Cisco became a corporate partner with COAST, providing equipment and funds for student scholarships. When CERIAS emerged from COAST in May 1998, Cisco stepped up as a founding sponsor. This included not only continuing financial support, but increasing some researcher involvement.
In 2000, another CERIAS partner at the time, Accenture, agreed to cosponsor a workshop at their St. Charles conference center. The workshop would be organized by CERIAS and was to focus on making some “bold” predictions for the next decade. We were supposed to identify some “visionaries” who could participate and discuss the future.
I (Spaf) identified some personnel I knew were deep thinkers, some of whom were not yet quite widely known in cybersecurity. I invited them, and Accenture added a few of their own senior staff. These people went on to build significant reputations in the field. (I’d like to claim it was because they participated in the workshop.)
The visionaries who attended, and their affiliations at the time:
An impressive group, in hindsight; fairly impressive in 2000, too!
I won’t recapitulate the whole workshop report, which you can read if you wish. However, I will summarize what we saw as the top 10 trends for cybersecurity in 2000:
I remember when the report came out it was dismissed by some in industry as “too pesimistic.” Perhaps because the “visionaries” weren’t all well known, the conclusions were largely ignored.
Looking back on the list, I’d say we scored at least 90%, especially for the decade that followed. Both #3, and #10 took a little longer to manifest, but we were on target with all ten.
You can apply some hindsight bias now to say they were all obvious, but that really wasn’t the case in fall 2000. The iPhone was 6 years away from introduction and the Motorola StarTac CDMA phone was effectively the state-of-the-art. Wireless was basically defined by the recent release of 802.11a/b. Internet penetration was less than 6% of the world’s population (it is over 66% now, in early 2022). At the time of the workshop, Facebook and Twitter were years away from creation, and Google was a small search engine company less than 3 years old. Ransomware had been described theoretically, but would not become prominent for several years.
Interestingly, the action items the group defined are still relevant, and notable perhaps in how they are still not practiced widely enough:
One of the workshop participants informs me that the workshop was held in late September 2000. The report is copyrighted 2001, which is why I thought that is when it was held that year. Unfortunately, I no longer have my appointments calendar from that time so my initial posting indicated 2001. His recollection of this is strong, and is likely correct. I have corrected the dates in the entry above to reflect this correction.
In 1975, the illustrious Dorothy Denning received her Ph.D. from Purdue’s CS Department. Thereafter, she became an assistant professor, and then associate professor in 1981. Her most notable advisee was Matt Bishop, who graduated with his Ph.D. in 1984.
Dorothy initiated a graduate class in cryptography, CS 555, using her book Cryptography and Data Security, around 1980. That class is still taught today (with regular updates), perhaps making it the longest-running cybersecurity class in academia.
In 1983, Sam Wagstaff, Jr. (now a professor emeritus) joined the Purdue CS faculty as an expert in cryptography and algorithms. In 1988, Eugene Spafford joined the Purdue CS faculty with expertise in software engineering and distributed systems; Spaf also had a long-standing interest in information security, but not as an academic concentration. (Both Sam and Spaf have taught CS 555 over the years.)
Most of the academic research around the world in the 1970s and 1980s into what later became known as “cybersecurity” was focused on formal methods, authentication models, and cryptography. Some security research was secondary to OS security, database, and architecture, but it was not a particularly distinct topic area in classes or academic research. There were only 2 or 3 universities with any identifiable expertise in the overall topic area, outside of cryptography and formal methods of software development.
The Cuckoo’s Egg incident in 1986, and the Internet Worm in 1988 helped generate a great deal of interest in more applied security. Spaf had involvement in both, and especially notable in the Worm incident. Subsequent growth of instances of hacking and malware brought increased interest including some funding for research.
Early Purdue successes included release of COPS (developed by Dan Farmer under Spaf’s direction), and the publication of Practical Unix Security, co-authored by Spaf and Simson Garfinkel. Both brought attention to Purdue.
Increased student interest in computing security coursework and external funding from companies and government agencies led to Spaf and Sam establishing the COAST Laboratory within the CS department in the fall semester of 1991. The CS department provided a room for the lab and student office spaces. Four companies made generous donations to equip the lab initially: Sun Microsystems, Bell Northern Research, Schlumberger, and Hughes Laboratories.
The name COAST was suggested by Steve Chapin, one of Spaf’s Ph.D. students. It is an acronym for “Computer Operations, Audit, and Security Tools,” reflecting the more applied focus of the group. Steve was the first Ph.D. graduate from the lab, in 1993.
In the next few years, COAST became notable for a number of innovative and groundbreaking projects, including the Tripwire tool, the IDIOT intrusion detection system by Kumar, vulnerability classification work by Aslam and Krsul, the first-ever papers describing software forensics by (individually and as a group) Krsul, Spafford, and Weeber, discovery of the lurking Kerberos 4 encryption flaw by Dole and Lodin, the firewall reference model by Schuba, and the first online (ftp, gopher, and www) repository of cybersecurity tools; a remnant of that repository with many historical artifacts is available online. Many other people also contributed to notable successes, some of whom are noted below.
In 1992, COAST began to host a regular seminar series of local and invited speakers. That seminar series continues to this day; there is an archive of talk descriptions (from 1994 onwards) and videos (from late 1999 onwards). The series has featured a veritable “Who’s Who” of people in cybersecurity research, industry, and government. The series continues to attract viewers worldwide, and the entire collection is available for free viewing.
Despite the growing interest, in 1997, when Spaf testified before the House Science Committee, there were only three identified academic centers other than at Purdue. Shortly thereafter, continued growth and faculty involvement led to the transformation of COAST into the campus-wide institute CERIAS, in May of 1998. That will be the topic of a later post.
As of now, however, congrats to all the people who contributed to the founding and growth of COAST – celebrating its 30th anniversary this academic year!
A number of students completed their degrees and worked in COAST, most under the direction of Professor Spafford. Here are a few of them: