In February of 1997, I provided testimony to a Congressional committee about the state of cyber security education. I noted that there were only four major academic programs, with limited resources, in information security at that time. I outlined some steps that could be taken to improve our national posture in the field. Subsequently, I was involved in discussions with staffers of some Congressional committees, with staff at NSF, with National Security Council staff (notably, Richard Clarke), and people at the Department of Defense. These discussions eventually helped produce1 the Scholarship for Service program at NSF, the NSF CyberTrust program (now known as Secure and Trustworthy Cyberspace, SaTC), and the Centers of Academic Excellence program.
On 11 May 1999, 20 years ago, Purdue University 2 was recognized by the NSA as one of the initial Centers of Academic Excellence (CAE).3 There were some notable advocates of enhanced cyber security at each institution, and they had taken steps to institute courses and research to improve the field—notably including Corey Schou (recently inducted into the Cybersecurity Hall of Fame), Matt Bishop, Deborah Frincke, and Doug Jacobson, to name a few.4 As I recall, Dick Clarke was one of the prime movers to get the CAE program established under PDD-63; Dr, Vic Maconachy (then) at NSA became the director of the CAE program.
Over the years, the CAE program has continued to expand, to now encompass several hundred institutions around the US. DHS has become involved as a co-sponsor with the NSA. The main certification has bifurcated into a designation for cyber defense research (CAE-R) and a designation for cyber defense education (CAE-CDE). There ia also a designation for Centers of Academic Excellence in Cyber Operations. The NSA, as a member of the US intelligence community (IC) also helps support a program for IC Centers of Academic Excellence. In addition to the formal external evaluation process to be designated as a CAE, the program has resulted in creation of curricular guidelines and recommended best practices for educational programs. A number of leaders in education in the field have also grown out of this process, creating various resources for the community (some of which are hosted at the CLARK website for public use).
I have been critical of the overall CAE program in the past (cf. here and here). I believe most of the criticisms I made are still valid, particularly the ones concerning the designation of "excellence" and the burden of the application process. Nonetheless, there is no denying that the listed insitutitions have made strides to improve and standardize their programs towards much-needed common goals. There is also continuing (and growing) synergy with efforts such as the NIST National Initiative for Cybersecurity Education (NICE) program and the National Colloquium on Information Systems Security Education (NISSE). Additionally, there has been real progress towards establishing standardized undergraduate curricula in the field, which now includes the potential for ABET accreditation.
Those of us at Purdue recently received notice that Purdue has been recertified as a CAE-R through 2024. This is a result—in large part—of efforts by Dr. James Lerums , one of our recent Ph.D. grads. He volunteered his time to sift through all the documentsation, gathered the necessary information, and completed the application process. It was a significant effort and kudos to Jim for taking it on soon after completing a Ph.D. dissertation!
Despite some of my "grumpy old dude" criticisms, I am glad to see Purdue continue to be recognized for the continued excellence of its programs. CERIAS continues to be a focal point for the "R" aspect of the CAE-R as Purdue's designated research institute in the field: that's the "R" in CERIAS. However, it has also been Purdue's center for education for most of its existence: the "E" in CERIAS is for Education. That history includes the establishment of the first designated degree in information security in 2000, still offered as an interdisciplinary MS and PhD (which is the program Jim Lerums completed, btw).
As for the CAE program itself, and for the 5 (out of 6) other programs receiving that initial CAE designation that are still listed as CAEs, congratulations: we've come a long way, but there is still a long way to go!
[Update May 1: The CSHOF pages have been updated with bios on the 2019 inductees.{
The 2019 inductees into the CSHOF were announced last week.
The Hall of Fame was created as a way to honor and memorialize individuals who have had a particularly notable impact on cyber security as a field.
There are five criteria when considering potential honorees: Technology, Policy, Public Awareness, Education and Business. Nominated individuals can reside and work anywhere in the United States. A senior board reviews all submissions made to a public call for nominations after they have been compiled and ranked to select each year’s honorees.
This years’s honorees are:
Inducted in memorium:
The formal induction will be held at an event on April 25, at the annual Hall of Fame Dinner at the Hotel at Arundel Preserve.
Congratulations to all the new inductees!March is a month of changes. We see winter beginning to recede (we hope!) and spring begins to show. The vernal equinox is around March 20 and heralds a return to more light than dark.
March is the month I was born (or hatched, depending on your mythos). My wonderful sister was also born in March. So were several dear friends. March is a month of beginnings.
Unfortunately, March is also a month of endings. Two years ago, I blogged about the untimely passing of three security pioneers, all good friends of mine: Kevin Ziese, Howard Schmidt, and Becky Bace. As I noted, Becky’s passing was a particularly cruel shock, as her death unexpectedly occurred only a few days after spending time with her.
I was reminded of the three of them (and my friends Ken and Wyatt and Gene, to name a few more) as I attended this year’s RSA Conference. As I walked the exhibit floor, I had a sense that I might look up and see one of them, as I did nearly every year, walking between sessions or stopping at booths. We’d compare notes about what we thought was particularly good or particularly awful — our comparisons were usually fairly well in sync. We would have had a lot to compare this year!
I don’t mean to be maudlin; I long ago did my grieving. Plus, I still have too many things to do, including burning the rest of my sabbatical, and getting some papers finished. However, I am reminded that the friends and families of those dear friends set up memorials for them. Rather than having spent the money attending this year's RSAC, I wish I had put those funds into these worthwhile causes, to which I normally contribute each year.
If you remember any of them, below are reminders of how you can do some good in their memories, and maybe help bring a little springlike cheer to others. And if you don’t remember them, maybe you should investigate a little — too many people working in cyber security have no grasp of the rich history of the field.
BTW, and on another topic entirely, I hope to see some of you at the 20th annual CERIAS Symposium in early April. It’s a great transition into spring, and a wonderful celebration of education and research. As the emeritus director, I don’t have anything to do this year other than mingle and enjoy the presentations. That’s some change after 20 years! Please consider mingling along with me, and enjoying the hospitality of the great group at CERIAS!
If you want to make a donation in his memory, please send it to one or more of:
If you wish to make a donation in the memory of Howard Schmidt, send it to:
Brain Tumor Research Program
℅ Dr. Connelly
9200 W. Wisconsin Ave
Milwaukee, WI 53226
ACSA's top scholarship in the Scholarship for Women Studying Information Security (SWSIS.org) has been renamed as the Rebecca Gurley Bace Scholarship. Contributions to help support this scholarship are welcomed by sending a check (sorry, no online contributions) to:
Applied Computer Security Associates, Inc
2906 Covington Road
Silver Spring, MD 20910
Checks should be made payable to Applied Computer Security Associates, and note SWSIS Rebecca Gurley Bace Scholarship on the memo line.
The ISSA Foundation has a scholarship fund in Gene's honor. Donate to:
E, Eugene Schultz Scholarship Fund
c/o Steve Haydostian
President, ISSAEF
18770 Maplewood Lane
Porter Ranch, CA 91326
All of the above are non-profit, charitable organizations, and your contributions will likely be tax-deductible, depending on your tax circumstances.
I have now attended 13 of the last 18 RSA Conferences (see some of my comments for 2016, 2015, and 2014). Before there were RSA conferences, there were the Joint National Computer Security Conferences, and I went to those, too. I’ve been going to these conferences for about 30 years now.
As I’ve noted from previous years, the deep content simply isn’t here. I no longer attend to learn about anything new and innovative — if I encounter such a thing, I view it as a pleasant surprise. Instead, this is basically a time and place where I can catch up with many friends and former students, see some industry trends, and maybe score a few new T-shirts. It also is a good intro to my spring workout schedule — I do about 20 miles of walking over 5 days, and I don’t eat many full meals.
Here are some of my random takes on this year’s conference:
The Program
The Exhibitors
The Moscone Center was packed again. It took well over 2 days to walk all the booths, asking questions at some and skipping others. Overall, I was not impressed.
More generally
I had a few people recognize me and say hello. That happens less each year. I am not so vain that I expect people to recognize me, but I do feel somewhat the dinosaur to be wandering the aisles when people don’t know my name even with prompting. My wife (who wandered the floor with me) found it particularly amusing when they tried to argue security concepts with me, or teach me history. One fun example was when a couple of people tried to explain the history and operation of the Internet Worm to me. Another fun time was had at a booth when a sales guy tried to dismiss my comments about his product with my “The only secure computer is one encased in concrete…” meme without knowing it was my original quote or who I was; I first uttered that years before he was born! (See #8 here.) He was annoyed I started laughing.
Despite GDPR coming into force in the EU (and the rest of the world, for large companies), privacy was hardly mentioned at any booth. Apparently, that isn’t of interest to this crowd.
There were some really questionable decorations. One booth was highly illuminated in bright green light. It actually made me feel a little nauseous; what were they thinking? Others had bright flashing lights (distracting, annoying, and probably a trigger for people with migraines or epilepsy). Word salad was the norm on too many booths. Few appeared to be accessible to the mobility impaired, although I only saw 3 such people in the floor in 3 days.
I saw a few vendors who effectively claimed they supported customers keeping longer audit logs that could be examined to find evidence once a breach was discovered. Think about that — the assumption is that assembled products can’t protect an enterprise well enough, or respond quickly, so that a months-long record is needed to find out when and why the failure occurred. Furthermore, that idea is normalized enough that there are companies that can sell products & services around it. Crazy.
There seem to be more advertised products/services around metrics. They don’t agree with each other on what they should be measuring or how they do it, but they claim to measure “security.” In many cases, I conjecture throwing dice would be cheaper and about as useful.
I was disappointed by the expertise and horizons of some of these people. I talked to the “CTO” at more than a half-dozen of the vendors, and their knowledge of some basic terms and history seems to reach back only about 5-6 years. This contributed to the claims of “brand new!” for several of them — they had no idea what was done before. (This is a problem rampant in academia, too — if something occurred before Google was able to index it, it never happened, apparently.) After failing to find any reasonably-aware person in my first half-dozen attempts, I stopped looking.
Sadly, the lack of foundations for the people at most of the booths mirrored the lack of a solid foundation for the products. There are some good, useful products and services present on the market. But the vast majority are intended to apply bandaids (or another layer of virtualization) on top of broken software and hardware that was never adequately designed for security. Each time one of those bandaids fails, another company springs up to slap another on over the top. That then leads to acquisition and integration into security suites. No one is really attacking the poor underlying assumptions and broken architectures. (See my last two blog posts here for more on this: here and here.) This is related to why I don’t submit proposals to talk at the conference — I tried a few years ago and the message conveyed to me was that it was out of step with what the sponsors wanted presented. The industry is primarily based on selling the illusion that vendors' products can — in the right combination and with enough money spent — completely protect target systems. Someone pointing out that this is fundamentally flawed is not a welcome addition. I get that a lot — it is probably why I don’t get asked to be a company advisor, either. People would rather believe they can find a unicorn to grant them immortality rather than hear the dreary truth that they will die someday, and probably sooner than they expect. Instead of hearing that, let there be bread and circuses!I am giving serious thought to this being my last RSA Conference — the expense is getting to be too great for value received. The years have accumulated and I find myself increasingly out of step here. I want to do what is right — safe, secure, ensuring privacy — but so much of this industry is built around the idea that “right” means creating a startup and retiring rich in 5 years after an M&A event. I don’t believe that having piles of money is how to measure what is right. I will never retire rich; actually, because I will never be rich, I probably can’t afford to retire! I am also saddened by the lack of even basic awareness of what so many people worked so hard to accomplish as foundations for others to build on. We have a rich history as a field, and a great deal of knowledge. It is sad to see that so much of it is forgotten and ignored.
Oh, and I wish those damn kids would stay off my lawn.
A recent visit and conversation with Steve Crocker prompted me to think about how little the current security landscape has really changed from the past. I started looking through some of my archives, and that was what prompted my recent post here: Things are not getting better.
I posted that and it generated a fair bit of comment over on LinkedIn, which then led to me making some comments about how the annual RSA conference doesn’t reflect some of the real problems I worry about, and wondering about attendance. That, in turn, led me to remember a presentation I started giving about 6 years ago (when I was still invited to give talks at various places). It needed one editorial correction, and it is still valid today. I think it outlines some of the current problematic aspects of security in the commercial space, and security research. Here it is: Rethinking Security. This is a set of presentation slides without speaker notes or an audio recording of me presenting them, but I think you’ll get the ideas from it.
Coincident to this, an essay I wrote in conjunction with Steven Furnell, of the University of Plymouth in the UK, appeared in the British Computing Society’s online list. It describes how some things we’ve known about for 30 years are still problems in deployed security. Here’s that column: The Morris worm at 30.
Steve and I are thinking about putting something together to provide an overview of our 80+ years combined experience with security and privacy observations. As I delve more into my archives, I may be reposting more here. You may also be interested in some videos of some of my past talks, that I wrote about in this blog last year.
In the meantime, continue to build connected home thermostats and light bulbs that spy on the residents, and network-connected shoes that fail in ways preventing owners from being able to wear them, among other abominations. I'll be here, living in the past, trying to warn you.
PS. The 20th CERIAS Symposium is approaching! Consider attending. More details are online.