[Note: update added March 15]
2017 has gotten off to a bad start for the security community…and to me, personally.
First, we lost Kevin Ziese. I met Kevin over two decades ago, when he was involved in computer investigations with the Air Force. I got involved with a couple of investigations, as it was a new field and I had some connections with the Air Force at the time. Kevin later served as a UN Weapons Inspector in Iraq after the first Gulf War. He was at the Pentagon on 9/11. He served in our military with distinction. Later, he was involved with intrusion detection research, and became one of the principals in Wheelgroup, which was acquired by Cisco. He had a significant career in cyber, and made a number of seminal contributions to the field that most current practitioners have never heard about.
Kevin was very creative and an able investigator, but what I remember most about him was his incredible enthusiasm and sense of humor. In all our interactions, I can’t recall him being anything other than upbeat, and with great insight. I regularly crossed paths with him at IDS and computer crime workshops, and in activities for the Air Force. He was also generous with his time, and he found ways to visit Purdue several times to give talks to my students.
I hadn’t seen Kevin for a few years, and was vaguely planning on visiting him in the next year or so. We were overdue to catch up. We had been keeping in touch electronically, and his death was a huge — and sad — surprise to me.
Kevin introduced me, electronically, to Howard Schmidt in the early 1990s, after Howard joined AFOSI. We exchanged email and phone calls for several years until we spoke on a conference panel together and finally met in person. Early on, we discovered we were in sync on a number of things, and continued to enjoy our correspondence and occasional meetings through his time at Microsoft. When he moved to his position at the White House (the first time) in 2002, I visited several times to join in conversations on how to fix some of the cyber security problems of the country. One time, he hosted my family for a Saturday morning breakfast in the West Wing staff dining room, and was so very kind to my young daughter — answering her questions with tremendous patience. Thereafter, we continued to interact in his various roles, and on through his time at the Obama White House. Whenever I’d get to Washington, we’d get together for a conversation, and sometimes a beer.
Twice, Howard came to Purdue to speak in our annual CERIAS Security Symposium. Each time, he told me in confidence that he had decided to leave his position at the White House, and his visit to me each time had cemented his decision. (Thereafter, I got a note from someone who worked with Howard suggesting that I stop inviting critical personnel to speak at Purdue!)
I have so many stories about my times with Howard and they are all good. He was always supportive and positive, and he was always trying to find a way to make things better for others. He also never let his seniority and distinctions get in the way of helping others. For instance, I fondly recall when the EWF was starting its Women of Influence awards, and they asked Howard and me serve as judges for the first awards. However, to keep with the spirit of the awards (and the restriction on judges), we had to be declared as “honorary women.” Howard and I agreed, even when told that we might need to show up at the awards in skirts and heels as part of the process! We laughed about that in later years — that the reason the awards made it into subsequent years was because we weren’t asked to do that! (And we did view it as an honor.)
The last time I saw Howard was in late 2015, when we both appeared on a panel at a meeting at a government agency. For the last 2 years we kept up with occasional social media and email — sort of the reverse of how we met. Howard’s passing last month was untimely and a shock to any of us, especially so close to Kevin’s.
I attended Howard’s funeral and memorial service last Friday. It was important to many of us to see off an old friend. While there, I got to spend time with one of my oldest and dearest friends, Becky Bace, the “Den Mother of Cyber Security.” Becky was an old friend of Howard’s, too, having met him slightly before I did. (Becky was also a friend of Kevin.) I first met Becky in 1991, at one of the old (now defunct) National Security Conferences. We immediately hit it off, with discussion about mutual interests in security and crazy humor. Becky was the person who got me to move my primary research focus to security, and provided funding for my first security research project in intrusion detection. She involved me in the intrusion detection “guru” workshops she held, and introduced me to others in the field — Becky knew everybody, it seemed.
Over the course of the next 25+ years, Becky and I became good friends, and colleagues in a number of cybersec activities. We served on boards and panels together. We consulted for some of the same companies. She also made sure to introduce some of my students to people working in the field, both to help them enhance their research, and to get researchers to learn about some of the cutting-edge things we were doing in the university. We often called each other to share notes and occasionally gossip that we didn’t want to put in email. Becky regularly visited CERIAS to speak and mentor students. She was especially helpful in mentoring some of our women students and faculty. “Infomom” was bright, funny, and incredibly networked.
I have so many stories about Becky. There was never a time together where we didn’t laugh about something…many things…but also develop some new insight or connection that one of us could use. And every time we were together, we were spinning ideas for how I could find something new to do to break out of the rut I’m often in at the university, and for her to explore as a new career path: I wanted to do more in the commercial world, and she wanted to have an impact in the academic space.
Becky and I both were quite devastated by Howard’s passing, and the funeral was both a very sad time, and a chance to share more laughs with each other with stories about our times with Howard. Thus, it was all the more shock to learn, less than 4 days after I last saw her, that Becky had died suddenly.
In the space of six weeks, I have lost three friends and colleagues, each of whom I have known for over two decades, and one of whom was one of my closest friends. Time passes, and we all have finite time here. Nonetheless, it is always too soon for the people we care about. And it is too soon to lose the people who have spent so much time and effort trying to make the world better for the rest of us.
It is also sobering that these three were people my age. It reminds me that time is passing rather than some entity purposely making the stairs steeper for me each year.
It also reminds me of one of the reasons I have spent my career to date in higher education — it is one of the few vocations where there is some real hope of replacing ourselves, and doing so with better quality than what we are ourselves. But as much as we may try, we will not see any like Kevin, Howard, and Becky again. To paraphrase a mutual friend, if there is a heaven it is going to be much more secure and much more fun than it was before.
Update: March 15, 2017
I have learned that some people had not yet heard of Kevin’s passing, although they knew him. If you want to make a donation in his memory, please send it to one or more of:
If you wish to make a donation in the memory of Howard Schmidt, send it to:
Brain Tumor Research Program
℅ Dr. Connelly
9200 W. Wisconsin Ave
Milwaukee, WI 53226
There will be a memorial service for Becky in Shelby Hall at the University of South Alabama in Mobile, AL on Saturday, March 25th at 1PM. Information on attending and travel are posted here. A memorial webpage will be posted on Becky’s infidel.net website sometime in the next week or so.
A memorial service will also be held in San Jose on April 21. I will post additional details here if I get them.
ACSA's top scholarship in the Scholarship for Women Studying Information Security (SWSIS.org) has been renamed as the Rebecca Gurley Bace Scholarship. Contributions to help support this scholarship are welcomed by sending a check (sorry, no online contributions) to:
Applied Computer Security Associates, Inc
2906 Covington Road
Silver Spring, MD 20910
Checks should be made payable to Applied Computer Security Associates, and note SWSIS Rebecca Gurley Bace Scholarship on the memo line.
All of the above are non-profit, charitable organizations, and your contributions will likely be tax-deductible, depending on your tax circumstances.
2016 has been a year of setbacks and challenges for me, including being ousted as executive director of CERIAS. Rather than dwell on those issues, I have tried to stay focused on the future and move forward. Thankfully, some good things have come along and the year is going to close out on several positive notes. My last blog post noted recounted being informed that I am to receive the 2017 IFIP Kristian Beckman Award as one such positive item.
Today was the announcement of another pleasant surprise — I have been named as a Sagamore of the Wabash. This is the most significant civilian award from the state of Indiana. The award is in recognition of three decades of leadership in cyber security, and service to organizations in the state, including my leadership at CERIAS, work with local companies, and support of government and law enforcement.
As noted in the Purdue press release,I want to thank all the colleagues and students, past and present, who have worked with me over those many years. What we have accomplished only occurred because of our collective efforts; one individual can usually effect only a small amount of change. It is as a group that we have had a tremendous impact. It is gratifying to see their individual successes, too — some of my most gratifying experiences have been when former students tell me that what I helped them to learn was an important component of their success.
Some of my friends may be amused by an irony present in my now having two certificates on my office wall, one signed by George W. Bush and one by Mike Pence, but none from anyone in the Clinton or Obama administrations. (If you don’t understand that irony, move along.) However, irony is not new to me — I’ve repeatedly been recognized internationally for my research and leadership, but actually penalized by some at the university — including within my own department — for those same activities. I haven’t done any of what I do for recognition, though. My goal is to help ensure that the world is a better, safer place as a result of my actions. Even if no one notices, I will continue to do so. For years I had a sign above my desk with a quote by Mark Twain: Always do right. This will gratify some people and surprise the rest. I no longer have the sign, but I still live the words.
I also want to note (as I have several times recently) that as I get these “lifetime achievement” types of recognitions, I don’t want people to think that the problems are solved, or that I am planning on retiring. Far from it! The problem space has gotten larger and more complex, and the threats are more severe and imminent. I certainly am not bored with what I do, and I think I have some good experience and ideas to apply. I’m not sure what I’ll do next (or where) but, I don’t intend to step to the sidelines! Another of my favorite aphorisms was stated by Archimedes: Give me a lever long enough and a place to stand, and I will move the Earth. If I can find the resources (offers?) and the right place to work (suggestions?), I plan on continuing to move things a bit.
Best wishes to you all for a wonderful holiday season, and a great start to 2017!
Mondays. There are many reasons Monday have a bad reputation. Few of us would claim to like Mondays.
My Monday earlier this week got off to a poor start. I was traveling to attend a workshop (a good one, on ethics in cyber) and staying, yet again, at a hotel. As sometimes happen when I travel, I wasn’t sleeping well. I awoke shortly after 3am and couldn’t get back to sleep. Being the compulsive gadget user I am, I checked my email on my cellphone. There, I saw a new message posted from Europe that made my Monday quite a bit better. (Unfortunately, it didn’t help me get back to sleep.) Actually, as I write this on Wednesday, I’m still pretty happy, as well as better rested.
The email informed me that I am the 2017 IFIP TC-11 recipient of the Kristian Beckman Award. IFIP is the International Federation of Information Processing Societies, and the Beckman Award is one of the top recognitions in the field. Many of the previous recipients of this honor have been mentors and heroes of mine.
As noted on their WWW site, IFIP is recognized by the UN, and it represents IT societies from 56 countries/regions, covering five continents with a total membership of over half a million. TC-11 is the subgroup (technical committee) devoted to security and privacy protection in information processing systems.
The Kristian Beckman Award is presented annually, starting in 1993. According to the web site, "The objective of the award is to publicly recognize an individual, not a group or organisation, who has significantly contributed to the development of information security, especially achievements with an international perspective." The letter noted my achievements in research, education, and service; my creation and leadership of CERIAS; my guidance and mentorship of students developing security tools in widespread use; and my work as Academic Editor then Editor-in-Chief of Computers & Security, the oldest journal in the field of information security.
The award will be formally presented at 32nd International Conference on ICT Systems Security and Privacy Protection (IFIP SEC 2017) in Rome, in May 2017. I will be presenting an invited plenary address as part of the award.
I am honored to be named as a recipient of this award. I have worked with IFIP TC-11 on various things over the last 25 years, including as a subcommittee chair (TC 11.4), as a member of several other groups, and serving as editor of Computers & Security, which is recognized as the official journal for TC-11. Along with ACM, ISSA, (ISC)2, IFIP is a significant force in research and education in cyber security.
I have been quite fortunate in my career. With the Beckman Award, I believe I have now been recognized with every major cyber security award, including the National Computer System Security Award; ISSA Hall of Fame; Harold F. Tipton Award; Cyber Security Hall of Fame; SANS Lifetime Achievement Award; Outstanding Contribution Award from ACM SIGSAC; the Joseph Wasserman Award from ISACA. I haven’t done all this on my own — I have been fortunate enough to work with some outstanding students, colleagues, and staff. I will always be grateful for their collegial support.
I would also like to note that many of these awards can be seen as "lifetime" awards. Although the administrators and some of my colleagues at Purdue think I’m no longer functional, I want to assure everyone else that I’m not done yet — I still have some ideas to pursue, possibly another book or two to write, and more students to teach and advise!
Now, if only I could get enough sleep on a regular basis…but I’m willing to wake up for news like this! And no, I still don’t particularly like Mondays.
Stephen T. Walker recently died. He was the founder of the pioneering Trusted Information Systems, a prime force behind the establishment of the NCSC (now the Commericial Solutions Center, but also the producer of the Rainbow Series), and he was the recipient of the first National Computer Security Systems Award His obituary lists his many notable accomplishments and awards. Steve was a major influencer (and mentor) in the field of cyber security for decades.
I only recall meeting Steve once, and I am poorer for not having had more contact with him.
If you work in cyber security, you should read his obituary and ponder the contributions that have led to the current state of the field, and how little we have credited people like Steve with having had a lasting influence.
Today (June 30) is my last day as CERIAS Executive Director. This marks the end of a process that began about 15 months ago, when it was unexpectedly announced that my appointment was not being renewed. Last week, the dean responsible announced the appointment of Professor Dongyan Xu as interim executive director as of July 1. He also announced, to our surprise, that Professor Elisa Bertiino would not be reappointed as CERIAS Director of Research. I wish to express my deep gratitude to Elisa for her support and her participation in the growth of CERIAS; I very much value having Elisa as a colleague.
I will not make any other public comments at this time about this transition other than to voice my unequivocal support of Dongyan, and of the wonderful CERIAS staff. Dongyan is an outstanding scholar and colleague, and he has a long history of active involvement with CERIAS. I helped recruit him to Purdue in 2001 as a new assistant professor working in security, so I am very familiar with his background. He has worked with CERIAS as he has advanced through the academic ranks, so he has the experience — both professional and personal — to handle the job in this time of transition.
Looking back, I have had the honor of working with some incredible people over the last 25 years, first as leader of the COAST Laboratory, and then as the founder and (executive) director of CERIAS. CERIAS participants have set an example of “thinking differently” to effect a profound and lasting set of changes — many of which are not recognized nor appreciated locally; As with most things in academia, the further away one gets from one’s home institution in space and time, the more the value of contributions are understood! It is widely acknowledged outside that our faculty, staff, and students have made a huge contribution to establishing cyber security as an academic discipline.
When CERIAS was founded in 1998, there were only four small academic groups in the world that were devoted to cyber security, and they were all quite small. CERIAS was established to help build the field, establish leadership, and investigate new ideas, all while embracing the spirit of the land-grant university to perform research in the public good. In the years since then, our local community has:
- grown our participating faculty to over 100, with visitors and senior grads of at least as many again
- assisted over a dozen other universities, and dozens more smaller institutions, develop curricula and degrees in the area
- initiated research into hundreds of new topic areas, bringing in over $100 million in externally funded research
- supported several dozen companies and government agencies in our partner program, with research, policy, and hiring
What is more, we helped show that the whole field of cyber protection is really multidisciplinary — it is more than computer science or engineering, but a rich area of study that includes a range of disciplines. Over the last 18 years, we have had faculty from 20 different academic departments participate in CERIAS activities…and still do.
Also back in 1998, there were few programs producing graduates with concentrations in cyber security. I did a survey for some Congressional testimony at the time, and found that only about 3 PhDs a year were being produced in all of the US (and almost none elsewhere) in the field (excluding cryptography). Although not explicitly part of CERIAS, which is a research-only entity, CERIAS participants also:
- helped produced 250 new PhDs in cyber security, cyber forensics, and privacy, and many more hundreds with MS degrees
- established the first graduate program with an explicit information security degree
- established a graduate certificate in public policy and cyber security
- established an academic program in cyber forensics
As the (in parallel) head of the Interdisciplinary Information Security (INSC) graduate program, I have seen the synergy between CERIAS and INSC, and pleased to be a part of both.
Looking back, it has been wonderful to see these results, and to work with such a wonderful collection of faculty, staff, and students. Unlike efforts at some other institutions of higher education, our primary goal has not been to generate “buzz” for faculty to start up their own companies, or to see how much funding we could rake in for bragging rights. Instead, we have sought to do the “right thing” by our students and the public: produce innovative ideas and well-educated graduates who could go out to make the world a better place for everyone. By any measure, we have done so.
Coincidentally, not only am I ending my time as Executive Director of CERIAS today, I am also finishing 20 years of service as the chair or co-chair of ACM’s US Public Policy Council. Coupled with some recent personal changes, this has been a very event-filled few months.
Those of you who know me know that I try to look forward more than look back. So, what am I looking forward to?
To start with, I will be assuming the role (and title) of Executive Director Emeritus. In that role, I will be helping Dongyan, Joel, and Jerry with whatever next steps seem right for CERIAS. I will continue to be the head of the INSC Interdisciplinary Graduate program here at Purdue. I have a few PhD students in progress who I will continue to work with. I may restart the COAST Lab with my own set of projects, if I can find some external partners willing to help fund that effort. I will continue to work with USACM as Immediate Past Chair, and serve as an at-large member of the ACM Council. I will continue to be Editor-in-Chief of the journal Computers & Security (the oldest journal in the field). Thus, I won’t lack for things to do!
Being forced to make changes often encourages us to consider more than we might have, had status quo remained. Times of change are often the best times to make other, possibly major, changes, so some of the above may be subject to change, too! (Ideas -- and offers -- welcomed.)
In closing, my huge thanks to those who have engaged positively with me in my CERIAS role over the last 18 years. And please join me in wishing Dongyan good fortune in his new, interim role.
- January, 2018
- October, 2017
- August, 2017
- April, 2017
- March, 2017
- November, 2016
- October, 2016
- July, 2016
- June, 2016
- March, 2016
- December, 2015
- October, 2015
- August, 2015
- June, 2015
- May, 2015
- April, 2015
- September, 2014
- July, 2014
- May, 2014
- April, 2014
- March, 2014
- February, 2014
- January, 2014
- November, 2013
- October, 2013
- September, 2013
- June, 2013
- April, 2013
- February, 2013
- January, 2013
- December, 2012
- April, 2012
- February, 2012
- October, 2011
- July, 2011
- June, 2011
- May, 2011
- April, 2011
- March, 2011
- September, 2010
- June, 2010
- April, 2010
- March, 2010
- February, 2010
- December, 2009
- November, 2009
- October, 2009
- September, 2009
- August, 2009
- July, 2009