At the 25th anniversary CERIAS Symposium on March 29, we made a special awards presentation.

Unfortunately, I had lost my voice. Joel Rasmus read my remarks (included in what follows). I want to stress that these comments were heartfelt from all of us, especially me.

25 years ago, I agreed to start something new—something, unlike anything that had existed at Purdue before. I soon discovered that it was unlike any other academic center others had encountered: a multidisciplinary center built around the concept of increasing the security and safety of people by addressing problems from, and with, computing. I note that I wasn’t the only faculty member involved. Core faculty at the time were Sam Wagstaff,  Mike Atallah, and Carla Brodley, then in our School of ECE.  Sam and Mike have been steady contributors for more than 25 years (stretching back to the pre-CERIAS, COAST days); as an Emeritus Professor, Sam is still working with us.

I knew I needed help making the new entity succeed. My first step was hiring some great staff—Andra Nelson (now Martinez) and Steve Hare were the first two new hires; the late Marlene Walls was already working for me. Those three played a huge role in getting CERIAS running and helping with an initial strategic plan. We have recognized them in the past (and will feature them prominently in the history of CERIAS when I get around to writing it).

I quickly followed those hires by organizing an advisory board. Some of the members were personnel from the organizations that were committed to supporting us. Others were people in senior positions in various agencies and companies. And a few were friends who worked in related areas.

Those choices seem to have worked out pretty well. CERIAS grew from four involved faculty in April 1998 to (as of March 2023) 163. We went from four supporting companies and agencies to two dozen. We have thousands of alumni and worldwide recognition. There is considerable momentum for excellence and growth in the years to come.

CERIAS has benefited from the counsel, support, and leadership of scores of wonderful people from strategic partner organizations who served on the External Advisory Board over the years. However, some particularly stand out because they went above and beyond in their efforts to help CERIAS succeed. On this special occasion of our 25th anniversary,  we recognize six exceptional advisors who helped CERIAS succeed and be what it is today. 

(Unfortunately, due to various issues, none were present at the Symposium in person to receive the awards. This post is to share with everyone else how much we value their history with us.)

Silver Medals

We are bestowing five silver Foundation Award Medals to these individuals:

• Dr. Sidney Karin. Sid was a founder of the National Supercomputer Center program and was the founder and director of the Supercomputing Center at San Diego. He was a pioneer in that field and has received numerous recognitions for his leadership in supercomputing and networking. Sid graciously volunteered his time and tremendous expertise to sit on our advisory board for our formative years, providing insight into structuring and running an academic center.
• David Ladd.  David was (and is) with Microsoft, (then) working in university support and cybersecurity. He volunteered for our board and served as one of the rotating chairs. He also organized strong support from Microsoft, ensuring we had equipment, guest speakers, and internships for our students. He was a voice for Microsoft and industry, but more importantly, a strong voice for practical research.
• John Richardson.  John was with the Intel Corporation and an enthusiastic supporter of CERIAS. He also served as one of the rotating chairs as a member of the EAB. John went above and beyond to help secure guest speakers, equipment, student internships, and other companies’ support. He also put strong research and the welfare of the students ahead of his company’s interests.
• Dr.Robert E. (Bob) Roberts. Bob was the Chief Scientist for the Institute for Defense Analyses (IDA), an FFRDC well-known to those in government.  He provided great wisdom as a member of our EAB, including deep insights into understanding some conflicting requirements within the government. By training, he wasn’t a computer scientist, but his breadth of knowledge across many scientific disciplines helped us navigate many of our multidisciplinary issues.
• The late Emil Sarpa, the Manager of External Relations at Sun Microsystems. Emil did not serve on the board, but he was constantly present, ensuring that CERIAS had every computing resource we could need from Sun Microsystems, including many items in pre-release. He helped make introductions in the industry and got our students into fantastic opportunities. His support began pre-CERIAS with one of the initial grants that started the COAST Laboratory, and he ensured that Sun was CERIAS’s biggest founding partner.

These five people provided assistance above and beyond what we expected, and we will be forever grateful.

Gold Medal

We had one final, special award.

Timothy Grance has been a mainstay at NIST (National Institute for Standards and Technology) for decades. You can find his name on many of the reports and standards NIST has issued and other computing and cybersecurity activities. He’s not as well known as many of our advisors because he prefers to provide quiet, steady contributions. Most importantly to CERIAS, Tim has great vision and is one of the rare people who can find ways to help others work together to solve problems. He is inspirational, thoughtful, and cares deeply about the future. These qualities have undoubtedly been useful in his job at NIST, but he brought those same skills to work for CERIAS at Purdue and even before as an advisor to COAST.

For the last 25 years, Tim was (and continues to be) an honored member of the External Advisory Board. He has attended countless board meetings and events over the years — all at his personal expense. He made introductions for us across a wide variety of institutions—academic, governmental, and commercial—and hosted some of the EAB meetings. He has always provided sage advice, great direction, and quiet support for all we have done.  Despite being somewhat limited by a significant stroke a few years ago, he fought back courageously and returned to CERIAS for our Symposium and Board meeting. We reserve a chair for him even when he cannot travel to be with us. 

Tim’s commitment to the field, especially to CERIAS, make him a national treasure. We are proud also to consider him a CERIAS treasure, and thus award the Gold Foundation Award Medal to Timothy Grance.

Thank you

We conclude with sincere thanks, not only to these six wonderful people, but to all those who, over the years, have provided support, advice, time, equipment, funding, problem sets, and simply good cheer. That CERIAS has made it 25 years successfully and continues to grow and innovate is a testament to the importance of the problems and the willingness of such a large community to help address them. Time has only grown the problem set, but everyone associated with CERIAS is ready and willing to take them on. We all look forward to continuing our engagement with the community in doing so!

I recently saw an account of malicious compliance recounted in r/eddit and quoted in a Mastodon thread

Not allowed to work from home so I don't
My job recently told me that even during the snowstorm we got earlier this week, I am not allowed to work from home at all. Even though I work in IT and do everything remotely, they want me in the office.
So I deleted Teams and my email off my phone. I am no longer available after hours.
My boss tried to call me for something urgent last night and couldn't reach me. He asked why today and I explained to him what I was told.
I am not allowed to work from home.

It prompted me to think of several instances where I have engaged in behavior that might be described as malicious compliance; I prefer to think of them as instances of "security compliance education." Here's one such instance that my students see enjoy hearing about.

In 2000, we got some funding from a US federal agency (which will be unnamed) to explore for potential vulnerabilities in a commercial printer/copier combination. My technical point of contact (POC) told me that we didn't need to file any reports until we had some results. Apparently, he didn't convey this to the agency business person because the contract specified a long, convoluted monthly report. I was forcibly reminded of this requirement a week after the contract was finalized, even though it was in the midst of the winter break, and absolutely nothing had happened -- or would happen, for at least another month.

I grumbled a bit but compiled the report with basically "nothing to report" and "nothing spent" in the various sections and uploaded it via FTP to their designated site as a PDF.

Now, it is important to this story that my standard computers for use at the time were Sun workstations and Macintosh systems. Most of the research we did was on these systems, and our papers and reports were produced using LaTeX. We avoided Windows because it was usually so buggy (blue screens) and so prone to security problems. We also avoided Word because (a) it was (and is) annoying, and (b) it was a common vector for computer viruses. Thus, my monthly report was produced using LaTeX.

Two weeks into the semester, I got an email from some clerk at the sponsoring agency noting that the monthly report must be submitted as a Word document; the contract specified Word and only Word, and I must submit the report as a Word document, with no deviation allowed. I placed a call to my POC, and he indicated, apologetically, that he could not alter the terms as they were standard for the agency involved: everyone had to abide by them.

Grrrrr....

So, after a little thought,¹ I produced the next monthly report in LaTeX as before. I produced a PDF of the report and printed it. Then, I scanned each sheet individually into a graphic file (.pic, as I recall). I then rebooted one of our Windows machines² into MS-DOS and loaded up the oldest version of MS Word I could locate. After consulting the manual, I created a document where each page contained an image -- the corresponding image for that page of the report I had prepared. I saved it out to disk (it was huge), and uploaded it to the sponsor FTP site. Yes, it was basically a huge file of graphic images, but it was technically a Word file.

The next day I got an automated response noting the submission. Three days later, I got an email asking if the report was what I actually intended to upload. I responded that yes, it was. I indicated it had all the required information and was most definitely a Word document. I also alerted my POC about the upload (he was amused).

Another few days later and I got email from the original person who had complained about the PDF now complaining they were having difficulty with the file. I responded that the contract required Word, and that is what I used -- I wasn't responsible for their IT issues.

In month 3, I went through the same procedure but didn't have the email exchanges. Purdue then got an email from the agency business office stating that they were altering their standard business practices to allow all contractor reports to be submitted in Word -or- PDF. Would we mind submitting PDF henceforth? I briefly weighed the idea of continuing my production of Word versions of the report but decided that changing the business practices of a whole federal agency was enough.

---

Footnotes:
1. Someone once asked me why I didn't send them a Word document with some mischevious macros. I replied "USC 18 § 1030" (that's the Computer Fraud and Abuse Act).

2. Microsoft was a CERIAS partner at the time. When their rep visited, he saw that the lab was equipped with only Sun machines and Macintoshes. A few weeks later, we had several nice servers with Windows preinstalled delivered to the CERIAS lab. All our existing systems were named after mythical and fictional places (e.g., Amber, Oz, Dorsai, Uqbar), and we wanted to continue that scheme. We collectively decided to name the new machines Hel, Tartarus, and Niflheim. When he next visited and saw the machines, with nametags attached, he smiled a little. Two weeks later, we got another three, and they got related names; I can't recall exactly, but I think they were Underworld, Mictlan, and Jahannam). At his next visit, he remarked he could send us a lot more machines. I said we'd find a home for them, and welcome the chance to engage more of our philosophy, history, and literature faculty in the process.

All that said, we actually had a great working relationship with MS, and they hired a lot of our graduates. The machines did get a lot of use in experiments and classes.

If you haven't reached your quota yet for hearing from Santa Spaf, here are three recent podcasts where I was interviewed on a variety of topics. One common theme: The role of people in cybersecurity. A second theme: Some future trends.

• How Today’s Technology Choices Could Shape Our Future with Caroline Wong in the Cobalt.io podcast, Humans of Infosec.
• Cybersecurity Myths & Misconceptions: Avoiding The Pitfalls with Todd Fitgerald in the CIS Stories podcast.
• They’re Young, Green, and Very Hackable with David Spark and Mike Johnson in the CISO Series Podcast.

In the 100th episode of CISO Stories: Discussion with Gene Spafford on some of the common cybersecurity myths and how to better cope with the changing environment. Join here.

For those of you interested in more info on the book discussed in the podcast, see this InformIT site. If you preorder now, you can get a 35% discount with code CYBERMM.

A longer info sheet is available here.

Cybersecurity and privacy have several notable professional associations associated with them. Some, such as ACM, the IEEE Computer Society, and IFIP are more generally about computing. One of the societies specifically directed to cybersecurity is the ISSA -- the Information Systems Security Association International. ISSA promotes the development and standards of the profession, globally.

Each year, ISSA recognizes individuals who have made significant contributions to the association and to the field overall. In prior years, both Professor Elisa Bertino and Professor Eugene Spafford have been recognized by ISSA: both have been inducted into the ISSA Hall of Fame, and Spaf has been named as a Distinguished Fellow of the organization.

ISSA has announced its 2022 honorees. Our congratulations to all these people for their accomplishments and this recognition!

Of particular note, three of the honorees have spoken in CERIAS seminars and events:

• Matt Bishop was named to the ISSA Hall of Fame
• Caroline Wong was given the ISSA President’s Award for Public Service
• Dale Meyerrose was named to the ISSA Hall of Fame

We also note the ISSA Education Foundation, which supports scholarships for students in the field. Two of those scholarships are in memory of individuals who were long-time friends of CERIAS, Howard Schmidt and Gene Schultz. The recent give-away of Spaf's coffee mugs raised over $1000 for those scholarships. We encourage others to consider contributing to the foundation to support worthy students. Also, the ISSAEF is an Amazon Smile participant, so that is a painless way for you to make ongoing donations (see the ISSAEF page for a link).