Last week was our 23rd CERIAS Symposium. It was a great event, thanks to great speakers and lots of behind-the-scenes work by the wonderful staff. We have developed a history of some outstanding presentations and interactions. Next year we will be celebrating the 25th anniversary of the founding of CERIAS (it will be the 24th symposium because we didn't have one the first year). I hope we can continue the streak of great presentations and events, but given the tremendous community we have, I'm sure that will be the case.

During the breaks, I ran into several former students, including one who graduated 28 years ago. I heard wonderful stories about what they've been doing in their lives since then, and how their experience at Purdue with COAST and CERIAS helped set them up for success. That is really gratifying to hear; teachers always like some affirmation that they didn't screw up too badly!

I was going to write up a blog post here about that -- no doubt prompted by my last post about the workshop 22 years ago -- then I vaguely recalled having written something like that a while back. After some looking, I found it in my personal blog (it was before we established this blog): Some Thoughts on Lifetime Achievement. That has mostly aged well, and I could make most of the same general comments today. I continue to be pleased that my former students are happy and productive. And although I am still sure I will be forgotten in 100 years (heck, a lot of people try mightily to forget me today), I am confident that what I helped start as education and awareness in this space will continue to make a difference through the good works of those whose lives we touched here at Purdue.

Also, I'm still not done yet. I have 5 Ph.D. students in various phases of completion plus two books underway with ideas for more, and I hope to get all those things finished before I think seriously about voluntary retirement. However, given the state of reality and current events, voluntary may not be the only route....

I may have to spend more time looking through things I wrote over the last 30 years to see how/if some of my thinking has evolved. This makes two items from the archives I had dimly remembered that seem to be relevant now. But I will note that in 11 years I have never found a use for my AARP card that my AAA membership didn't also provide (e.g., hotel discounts).

While preparing to introduce today’s keynote (Dr. David McGrew) at the 23rd CERIAS Symposium, I was reminded of an exercise in crystal ball gazing. Every December we have various people publish a list of their top predictions for the coming year. Some are thoughtful, and others simply risable. The track record is often quickly forgotten.

However, what of an effort by real experts and visionaries to make some bold predictions for a decade hence? Many people have repeatedly claimed that such a thing is impossible for cybersecurity – the field moves too quickly, innovation disrupts truisms, and biases complicate the mix.

Here, I present at least one worked example that proves that it could be done – and was.

In 1992, the COAST Laboratory was started. Around 1996, Cisco became a corporate partner with COAST, providing equipment and funds for student scholarships. When CERIAS emerged from COAST in May 1998, Cisco stepped up as a founding sponsor. This included not only continuing financial support, but increasing some researcher involvement.

In 2000, another CERIAS partner at the time, Accenture, agreed to cosponsor a workshop at their St. Charles conference center. The workshop would be organized by CERIAS and was to focus on making some “bold” predictions for the next decade. We were supposed to identify some “visionaries” who could participate and discuss the future.

I (Spaf) identified some personnel I knew were deep thinkers, some of whom were not yet quite widely known in cybersecurity. I invited them, and Accenture added a few of their own senior staff. These people went on to build significant reputations in the field. (I’d like to claim it was because they participated in the workshop.)

The visionaries who attended, and their affiliations at the time:

• Whit Diffie (Sun Microsystems)
• Becky Bace (Infidel)
• Howard Schmidt (Microsoft)
• Phil Venables (Goldman Sachs)
• David McGrew (Cisco)
• Dan Geer (@Stake)
• John Clark (Accenture)
• Dan Deganutti (Avanade)
• Glover Ferguson (Accenture)
• Anatole Gershman (Accenture)
• Mike Jacobs (NSA)
• Fred Piper (University of London/Royal Holloway)
• John Richardson (Intel)
• Marv Schaefer (BWAP)
• Spaf (Purdue CERIAS)

An impressive group, in hindsight; fairly impressive in 2000, too!

I won’t recapitulate the whole workshop report, which you can read if you wish. However, I will summarize what we saw as the top 10 trends for cybersecurity in 2000:

1. The EverNet: Billions of devices proliferate that are always on and always connected.
2. Virtual Business: Complex outsourcing relationships extend trust boundaries beyond recognition.
3. Rules of the Game: Government regulation increases as lawmakers react to real losses that hurt.
4. Wild Wild West: International criminals exploit lack of cooperation and compatibility in international laws.
5. No More Secrets: Privacy concerns will continue to compete with convenience and desire for features.
6. Haste Makes Waste: “Time to Market” increases pressure to sacrifice security and quality of software.
7. Talent Wars: Lack of security skills will compound weaknesses of delivered solutions.
8. Yours, Mine or Ours: Identifying intellectual property and information ownership will become key areas of debate.
9. Web of Trust: Standard security architectures and improved trust will spur eCommerce growth.
10. Information Pollution: Information exploitation becomes more lucrative than hacking.

I remember when the report came out it was dismissed by some in industry as “too pesimistic.” Perhaps because the “visionaries” weren’t all well known, the conclusions were largely ignored.

Looking back on the list, I’d say we scored at least 90%, especially for the decade that followed. Both #3, and #10 took a little longer to manifest, but we were on target with all ten.

You can apply some hindsight bias now to say they were all obvious, but that really wasn’t the case in fall 2000. The iPhone was 6 years away from introduction and the Motorola StarTac CDMA phone was effectively the state-of-the-art. Wireless was basically defined by the recent release of 802.11a/b. Internet penetration was less than 6% of the world’s population (it is over 66% now, in early 2022). At the time of the workshop, Facebook and Twitter were years away from creation, and Google was a small search engine company less than 3 years old. Ransomware had been described theoretically, but would not become prominent for several years.

Interestingly, the action items the group defined are still relevant, and notable perhaps in how they are still not practiced widely enough:

• Improve Software Quality Focus on improving the quality and assurance of software. Prevent distribution of weak software with security exposures. Conduct research to find better methods for designing and developing higher quality software.
• Invest in Training and Awareness Develop a sound educational program that focuses on security and ethics. Focus resources throughout the educational spectrum. Teach respect for electronic boundaries. Develop comprehensive curriculum to educate our next generation.
• Implement Best Practices Incorporate baseline safeguards and practices. Use best practices to ensure security is done right in development, implementation, testing, business processes, and consumer practices.
• Initiate Public Debate Initiate public debate on identification, ownership protection, use of personal information, and responsible use of computing.
• Advocate Holistic Approach Advocate and pursue a well-rounded and pro- active approach to the overall problems: business, social, technical, and government.
• Package Security Architectures Encourage packaging of a basic security architectures with standard services that integrate with applications and infrastructure.

Update

One of the workshop participants informs me that the workshop was held in late September 2000. The report is copyrighted 2001, which is why I thought that is when it was held that year. Unfortunately, I no longer have my appointments calendar from that time so my initial posting indicated 2001. His recollection of this is strong, and is likely correct. I have corrected the dates in the entry above to reflect this correction.

Prolog

In 1975, the illustrious Dorothy Denning received her Ph.D. from Purdue’s CS Department. Thereafter, she became an assistant professor, and then associate professor in 1981. Her most notable advisee was Matt Bishop, who graduated with his Ph.D. in 1984.

Dorothy initiated a graduate class in cryptography, CS 555, using her book Cryptography and Data Security, around 1980. That class is still taught today (with regular updates), perhaps making it the longest-running cybersecurity class in academia.

In 1983, Sam Wagstaff, Jr. (now a professor emeritus) joined the Purdue CS faculty as an expert in cryptography and algorithms. In 1988, Eugene Spafford joined the Purdue CS faculty with expertise in software engineering and distributed systems; Spaf also had a long-standing interest in information security, but not as an academic concentration. (Both Sam and Spaf have taught CS 555 over the years.)

Most of the academic research around the world in the 1970s and 1980s into what later became known as “cybersecurity” was focused on formal methods, authentication models, and cryptography. Some security research was secondary to OS security, database, and architecture, but it was not a particularly distinct topic area in classes or academic research. There were only 2 or 3 universities with any identifiable expertise in the overall topic area, outside of cryptography and formal methods of software development.

COAST

The Cuckoo’s Egg incident in 1986, and the Internet Worm in 1988 helped generate a great deal of interest in more applied security. Spaf had involvement in both, and especially notable in the Worm incident. Subsequent growth of instances of hacking and malware brought increased interest including some funding for research.

Early Purdue successes included release of COPS (developed by Dan Farmer under Spaf’s direction), and the publication of Practical Unix Security, co-authored by Spaf and Simson Garfinkel. Both brought attention to Purdue.

Increased student interest in computing security coursework and external funding from companies and government agencies led to Spaf and Sam establishing the COAST Laboratory within the CS department in the fall semester of 1991. The CS department provided a room for the lab and student office spaces. Four companies made generous donations to equip the lab initially: Sun Microsystems, Bell Northern Research, Schlumberger, and Hughes Laboratories.

The name COAST was suggested by Steve Chapin, one of Spaf’s Ph.D. students. It is an acronym for “Computer Operations, Audit, and Security Tools,” reflecting the more applied focus of the group. Steve was the first Ph.D. graduate from the lab, in 1993.

In the next few years, COAST became notable for a number of innovative and groundbreaking projects, including the Tripwire tool, the IDIOT intrusion detection system by Kumar, vulnerability classification work by Aslam and Krsul, the first-ever papers describing software forensics by (individually and as a group) Krsul, Spafford, and Weeber, discovery of the lurking Kerberos 4 encryption flaw by Dole and Lodin, the firewall reference model by Schuba, and the first online (ftp, gopher, and www) repository of cybersecurity tools; a remnant of that repository with many historical artifacts is available online. Many other people also contributed to notable successes, some of whom are noted below.

In 1992, COAST began to host a regular seminar series of local and invited speakers. That seminar series continues to this day; there is an archive of talk descriptions (from 1994 onwards) and videos (from late 1999 onwards). The series has featured a veritable “Who’s Who” of people in cybersecurity research, industry, and government. The series continues to attract viewers worldwide, and the entire collection is available for free viewing.

Despite the growing interest, in 1997, when Spaf testified before the House Science Committee, there were only three identified academic centers other than at Purdue. Shortly thereafter, continued growth and faculty involvement led to the transformation of COAST into the campus-wide institute CERIAS, in May of 1998. That will be the topic of a later post.

As of now, however, congrats to all the people who contributed to the founding and growth of COAST – celebrating its 30th anniversary this academic year!

Where are they now?

A number of students completed their degrees and worked in COAST, most under the direction of Professor Spafford. Here are a few of them:

• Steve J. Chapin; PhD; Lead Cyber Security Researcher, Lawrence Livermore National Laboratories.
• Sandeep Kumar; PhD; Staff Engineer, VMware, CA.
• Christoph Schuba; PhD; Senior Security Architect, Apple Computer.
• Ivan Krsul; PhD; President, Arte Xacta (La Paz, Bolivia).
• Sofie Nystrom; MS; Director General at Norwegian National Security Authority.
• Saumil Shah; MS; CEO and Founder, Net Square.
• Aurobindo Sundaram; MS; Head of Information Assurance & Data Protection at RELX.
• Taimu Aslam; MS; CTO at Broadstone Technologies.
• Steve Weeber; MS; IP Architect at Windstream Communications.
• Bryn Dole; MS; Self-employed, and co-founder of both Topix and Blekko.
• Steve Lodin; MS; Senior Director, IAM and Cybersecurity Operations at Sallie Mae.
• Mark Crosbie; MS; Dropbox Data Protection Officer.
• Jai Balasubramaniyan; MS; ColorTokens, Inc. Director of Product Management.
• Katherine Schikore; MS; Software Developer SAS Institute.
• Gene Kim; BS; Author, Researcher, Speaker, and co-founder of Tripwire, Inc.
• Todd O'Boyle; BS; AWS Consultant.
• Keith Watson; BS; Director of Threat Management. Optiv, Inc.
• Lucas Nelson; BS; Partner at Lytical Ventures, LLC.
• Tanya Crosbie; BS; Owner, Giggles & Smiles Photgraphy.

One of my students sent me a weblink (in the story, below). It caused me to reflect a little on the past. Here is some text I shared on a few social media feeds.

30 years ago, when I started COAST (which became CERIAS) at Purdue, we identified a need for personnel trained in information security. There was no academic degree program at the time so we started one. We reached out to over a dozen other universities to help build their programs.

Today, many of the existing programs in the US (and some elsewhere) trace back to what we started; they have Purdue grads as their prime movers.

Now, a quarter of a century later, look at the #1 best job according to US News.

We still have a huge shortfall of people working in the field, but that is a result of many factors, including a "leaky pipeline," not nearly enough support of students from underrepresented groups (including women), and market failure for secure-by-default systems.

I am sure my self of 3 decades ago would be astonished by the growth of the field, yet disappointed that we still have some of these problems. And I would definitely be surprised that CERIAS now has over 120 associated faculty and many hundreds of students involved in research, and a half-dozen degree programs in this space.

This is the 30th anniversary of the founding of COAST. I hope I'm around to see what the 50th and beyond hold!

We lost a pioneer in cybersecurity last week: Donn B. Parker died at the age of 91.

Donn's name may not be immediately familiar to current practitioners in the field. That's because Donn was working in the area before some of them were born; Donn's first books on cybercrime were published in 1976 and 1983!

Donn had a profound moral compass that guided his work. He wrote some of the earliest work on applied computing ethics, with an article in Communications of the ACM in 1968. This also informed his scholarly work in security, especially his study of computer crime. This led to his book "Crime by Computer," published in 1976. Thereafter, he published several more books (seven in total) and reports on computer security and computing ethics, all informed by his deep research into computer crime and his conviction to do what was right.

Among other things, Donn is remembered for his creation of a model for describing cybersecurity properties, known in some circles (and Wikipedia) as "The Parkerian Hexad." Donn also was the founder of the I4 -- the International Information Integrity Institute -- the first global organization of information security leaders.

Mr. Parker was a Fellow of the ACM, a Distinguished Fellow of the ISSA, a recipient of the National Computer System Security Award from U.S. NIST/NCSC, and the Harold F. Tipton Lifetime Achievement Award. He was named to the SRI Hall of Fame and the ISSA Hall of Fame. He served as Secretary of ACM from 1966-1970 and as a member of the ACM Council from 1964-1974.

Donn was a giant in the field and in real life -- he was the tallest person I have ever met working in cyber. Those who knew Donn (and I was fortunate to be one of those people) knew him as a kind, generous, and scholarly individual with a gentle sense of humor. He was jokingly referred to as "The Great Bald Eagle of Information Security," something which he accepted with good humor.

Enclosed is a formal obituary, provided by his family. For other information on Donn, it is worthwhile to consult some of his written works, the Shoulders of Infosec entry on Donn, and his oral history at the Babbage Institute. Earlier this year, Donn completed a book that contains material about his work as well as his life that provides insight into his personality.

Formal Obituary: Donn Blanchard Parker

Donn B Parker died peacefully in his sleep September 16, 2021, in Sunnyvale California, at age 91. He was born October 9, 1929, in his grandparents' home in San Jose, the son of Donald William and Miriam Estelle (Blanchard) Parker.

Donn deeply loved God, his wife Lorna, children Diane and Dave, and extended family. He served as an elder at Trinity Lutheran Church, Palo Alto, for many years. He enjoyed downhill skiing in the Sierra and Rocky Mountains, water skiing in San Diego, sailing, daily running in Los Altos, and hiking. Donn also enjoyed world travel with wife Lorna, ocean cruises with his children and grandchildren, researching his family history, and performing (any chance he got) a comedy monologue of his favorite stories and jokes. Donn was loved by the staff and his fellow residents at Belmont Village Assisted Living for his kindness, engaging personality, and dedicated care of his wife Lorna in her final years.

Donn received a Master of Arts degree in mathematics from the University of California Berkeley in 1954. His career began with General Dynamics in San Diego, continued at Control Data Corporation in Palo Alto, and concluded at SRI International and its spin-offs in Menlo Park, California. In his professional career, Donn was among the first to recognize, research, and document computer crime. He dedicated his professional life to the safe and sane use of information technology for the good of mankind. He was a consultant, writer, lecturer, and researcher on computer crime and information security as a senior consultant for 35 years at SRI International and afterwards in his retirement.

Donn served many years as member, officer, and Fellow of the Association for Computing Machinery (ACM), Distinguished Fellow of the Information Systems Security Association (ISSA), and trustee of the Charles Babbage Foundation for the History of Information Technology, working to achieve the safe and crime-free use of information technology. He enjoyed his reputation as a contrarian in his concepts of information security.

During his many years of research on computer crime funded by the U.S. National Science Foundation and Department of Justice, Donn interviewed more than 200 computer criminals and collected information on thousands of criminal cases, now stored among his papers in the archives of the Charles Babbage Institute on the History of Information Technology at the University of Minnesota Anderson Library.

Donn wrote seven books during his sixty year career in information technology. His first two books on computer crime and security were published in 1976 and 1983, were New York Times best sellers, and formed the definitive literature on computer crime. Donn wrote the first computer security and computer crime articles for the Computer Science, Encarta, Grolier, and Britannica Encyclopedias.

Donn was interviewed on CBS 60 Minutes by Dan Rather, ABC 20/20 by Geraldo Rivera, NBC Today by Tom Brokaw, and ABC Good Morning by Joan Lungren. People Magazine published two profiles of him, and he was widely quoted in many news and trade publications. Donn testified before several U.S. Congressional committees and assisted in developing the first computer crime statutes for the U.S. federal government, several U.S. states, and the United Kingdom. He trained the first computer crime detectives for New Scotland Yard, Finland, Norway, and Japan. As an information security consultant, he performed security reviews for more than 250 of the largest businesses worldwide, and formed the International Information Integrity Institute (I-4) at SRI in 1986. I-4 continues today to provide confidential information security advisory services.

Donn's professional awards include: the 1992 Award for Outstanding Individual Achievement from the Information Systems Security Association; the 1994 National Computer System Security Award from U.S. NIST/NCSC; The Aerospace Computer Security Associates 1994 Distinguished Lecturer award; and the MIS Training Institute Infosecurity News 1996 Lifetime Achievement Award. In 1999, the Information Security Magazine recognized Donn as one of the five top Infosecurity Pioneers. He was inducted into the Information Systems Security Association's Hall of Fame in 2000, and the SRI International Hall of Fame in 2002. He was recognized as a Certified Information Systems Security Professional (CISSP). In 2003, the International Information Systems Security Certification Consortium (ISC)2 presented him with the Harold F. Tipton Lifetime Achievement Award in ”recognition of his sustained excellence throughout his Information Security career and his contributions to the industry and support of (ISC)².”

Donn is survived by his daughter Diane Wisdom and husband; two daughters-in-law, six grandchildren; three great-grandchildren; nephew and niece and their families; and brothers- and sister-in-law and their spouses and children. In addition to his parents, he was predeceased by his loving wife Lorna R Parker, brother Richard Parker, nephew Bob Parker, and son David S Parker.

A memorial service will be held 11am, Saturday, October 16, at St Paul Lutheran Church, 1075 El Monte Avenue, Mountain View, CA. Those wishing to remember Donn may make gifts in his son's name, David S. Parker, to the ALS Association (donate.als.org).