Information Security staff
Published: 01 Dec 2003
Best Unsung Hero: Ralph Merkle
Distinguished Professor of Computing & Director of the Georgia Institute of Technology Information Security Center
Ralph Merkle knows his contributions to the development of public key cryptography could have received more attention.
After all, two other researchers -- Whitfield Diffie and Martin Hellman -- received the prestigious Marconi Foundation award in 2000 for advancing PKI technology, which paved the way for virtually every secure online transaction. But Merkle accepts that notoriety is fickle and understands that his well-documented contributions are known to anyone truly interested in infosecurity. Most Stanford University patents for public keys credit his work, and Merkle's research, which he began in the early 1970s, is cited in dozens of cryptography books.
"The awareness of people's specific contributions in highly technical areas is often highly variable," Merkle says. "I actually feel quite fortunate to have as high a level of recognition as I have had. Looking at it objectively, quite a few people in the industry are aware of my contributions."
One reason why Merkle's work may have been somewhat overlooked is that he hasn't devoted his entire career to infosecurity. For years, he devoted most of his attention to cutting-edge nanotechnology research, most recently with a startup in Dallas. He did, however, continue some infosecurity work on the side.
When the Georgia Institute of Technology called with an offer to take over its Information Security Center, Merkle knew the time had come to focus more on infosecurity.
"Interest in computer security is driven by events, and the number of events is increasing dramatically," he says. "That means that resources are now available that weren't 10 or 20 years ago. When there were no resources, working on the problem was a lot less interesting. Now that there's been this huge shift, it makes the whole thing a lot more fun."
Richard DeMillo, the dean of the College of Computing at Georgia Tech, says that as soon as Merkle surfaced as a candidate, the university moved to land him. And while not all of his students know of his seminal contributions to the field, they quickly realize he has a lot to offer.
"He's such an understated guy," DeMillo says. "But the students catch on real quick. They can tell right away there's a lot of substance there."
Best Problem Solver: Phil Zimmermann
Creator of PGP
Perhaps no problem plagues the Internet community more than privacy. And perhaps no individual has done more to keep e-mails and electronic documents from prying eyes than Phil Zimmermann, creator of the encryption program Pretty Good Privacy -- better known as PGP.
The former software engineer created the freeware and a furor when authorities launched a three-year criminal investigation in the early 1990s, suspecting PGP's worldwide distribution violated U.S. cryptography export restrictions. The feds eventually backed down, and the program's popularity soared. Another unexpected boost came two years ago, when authorities admitted they couldn't crack -- through conventional means, anyway -- the PGP-protected computer files of a reputed Mafia don accused of racketeering.
Zimmermann later formed PGP Inc., which was bought by Network Associates in 1997. After failing to turn the app into an enterprise-class product, Network Associates sold the technology last year to a new company, PGP Corp., for whom Zimmermann serves as a consultant. Zimmermann also founded the OpenPGP Consortium, which promotes the open-source development of PGP technology.
A fellow at Stanford Law School's Center for Internet and Society, Zimmermann remains one of the industry's strongest privacy advocates -- a distinction that's earned him several technical and humanitarian awards.
Best Forensics Instructor: Raemarie Schmidt
Computer Crime Specialist, National White Collar Crime Center
Thousands of law enforcement officials have Raemarie Schmidt to thank for helping them crack computer crimes. As a supervisory computer crime specialist at the National White Collar Crime Center (NWC3), Schmidt is responsible for all course scheduling and curriculum development in computer forensics.
"Over the years, I've developed an understanding of how to get some of this technical material into a forum that the officers can understand," she explains. The result: more pursuits and successful prosecutions of computer criminals.
A former chemist, Schmidt joined the NWC3 in 1996 as an instructor after working several years in the State of Wisconsin crime lab. Schmidt also works to establish baseline forensics guidelines for organizations such as NIST.
Her advice to anyone in law enforcement considering specializing in computer forensics: become a meticulous note-taker.
"In the forensic field, you need to pay attention to detail," she says. "You're not going to remember everything about an examination or those pieces of evidence if, as in a lot of cases, it doesn't go to court for a year or two."
Looking ahead, Schmidt wants the examination of computer evidence to evolve into a full-fledged, accredited forensic science used by all state crime laboratories.
Best Multitasker: Kirk Bailey
CISO of the City of Seattle
Kirk Bailey had his hands full when he became Seattle's first CISO in April 2002. Starting almost from scratch, he had to formulate a security policy, win approval from city officials and implement it as quickly as possible.
He faced an uphill battle, says David Matthews of the city's legislative affairs office. City officials were largely uninformed on infosecurity issues, and Seattle's budget was "crumbling." But Bailey has a talent for getting others to follow his lead.
He also maintains his leadership of Agora, an informal but powerful coalition of private and public security experts he founded in 1994. Agora has been widely recognized as a model for sharing security information, so much so that Bailey has been called to Washington, D.C., to explain to the General Accounting Office how Agora works.
Though he admits it can be burdensome at times, his work with Agora is rewarding. "It's hard to imagine not dedicating the time to keep my hand in it," Bailey says. "If it were not for Agora, I doubt I would be able to do my job as a CISO."
To round out his schedule, Bailey speaks at conferences and in classrooms around the country. "It's important for security professionals to be active and involved," he says. "I enjoy getting out there because I like to test my thinking and opinions about professional issues."
Finally, Bailey says if he can fit it in without infringing on his personal life, he'll accept the occasional private consulting engagement -- choosing only assignments that "catch my attention."
Matthews says Bailey manages to shift gears and stay focused on the task at hand by being ultra-organized, with stacks of color-coded project folders on his desk. "He works very hard. But he also knows when to take a break and reflect on the important things in life."
"I guess I ended up with so much to do because there's so much that needs to be done," Bailey says.
Best Industry Spokesman: Bruce Schneier
Author, cryptographer and CTO of Counterpane Internet Security
Like or loathe him, you've got to admit that cryptographer Bruce Schneier knows how to capture media attention. From titillating talks to shamelessly promote his books (including the best-selling Secrets & Lies and the recently released Beyond Fear), to outrageous remarks on the speaker circuit, Schneier frequently grabs the spotlight with outspoken opinion and candor.
For example: "Most advisories trade on fear. Most newspaper and magazine articles trade on fear," Schneier said in a recent Information Security interview. "Too many security companies are crying wolf far too often, and it hurts us all." Not exactly a measured comment, considering his company, Counterpane Internet Security, is one of those companies vying for attention.
Schneier, creator of the Blowfish and Twofish algorithms, is articulate and prolific. In addition to best-selling books, he provides commentary on news events in his monthly Crypto-Gram newsletter, read by more than 90,000 subscribers. His opinion pieces run in some of the nation's largest newspapers. And he speaks at dozens of conferences a year.
Such exposure benefits us all, since Schneier is among the few industry leaders to break into the mainstream press in a big way. When a major breach is discovered, reporters often turn to him for comment -- and, to his credit, he's usually available. Such access can go a long way in creating a better-educated Internet community to help fight the good fight.
Best Awareness Trainer: Donna Robinson-Staton
U.S. Department of Housing and Urban Development
Remember the scene in the film Marathon Man, where the Nazi dentist, drill poised, repeatedly asks his victim, "Is it safe?" If you work for the U.S. Department of Housing and Urban Development (HUD), you do.
It's the opening scene of a video program director Donna Robinson-Staton uses to reinforce the need for sound infosecurity among HUD's 13,000 employees.
"I like being a transformational leader who's always thinking, 'What can we do differently and how can we up the ante?'" says Staton, who runs HUD's Enterprise Security Awareness Training Office.
Her CIO's mandate was to train more than 3,000 HUD employees in security awareness this year. Within two months, Staton reached almost 7,000 workers with instructor-led training at HUD's headquarters and 20 field offices.
To heighten interest in infosecurity, Staton and her small staff employ pop culture and personal experience. For instance, to kick off the campaign, HUD held a symposium on identity theft to show the personal impact of insecure network systems.
So far, she says, 85 percent of those who've gone through her security training rate it above average to outstanding.
Best Consensus Builder: Sallie McDonald
Department of Homeland Security
Fifteen years ago, Sallie McDonald felt she was at a low point in her public service career. But advice from her professors in graduate school turned that around and eventually steered her toward the upper echelons of the federal government and, ultimately, her current post at the Department of Homeland Security.
"They told me I had an ability to bring people together and that I needed to build on those strengths," McDonald says. "I've been trying to do that ever since."
Those skills will be sorely tested in her new role as director of outreach and strategic partnerships in Homeland Security's infrastructure protection area. The agency is eager to show the infosecurity industry that its concerns are a priority.
"I think anybody's job in government is to bring people together, but particularly at DHS, where we are new and trying to do so much," McDonald says.
Every day, McDonald deals with representatives of government agencies, private industry, academia and international organizations, some of whom believe DHS's structure shortchanges cybersecurity. That complaint has echoed in the industry ever since the departure of former cybersecurity czar Richard Clarke, who gave up his high-level post rather than take a subordinate position in DHS.
"I focus on the fact that we're all feeling the same stress right now," she says. "We're as new to this as everyone else. Finding common ground makes it a little easier for people to get behind what we're doing."
McDonald worked for the General Services Administration for 24 years, rising to assistant commissioner for the Office of Information Assurance and Critical Infrastructure Protection before moving to DHS.
Initially a telecommunications expert, she was in charge of all customer activities during the implementation of the Washington Interagency Telecommunications System -- hardly a minor task, but not nearly on the same scale as what DHS is attempting: creating a new agency that integrates and replaces dozens of existing government institutions.
"We're still very immature as an organization," she says. "But we're out there every day, working as hard as we can to win that trust."
Best Academic Researcher: David Wagner
Assistant professor of computer science
University of California, Berkeley
David Wagner is best known in crypto circles, since much of his academic research revolves around cryptography theory and the design and analysis of symmetric key systems. But in recent years, the young professor has branched out into software, wireless and sensor network security at computer science powerhouse University of California, Berkeley.
"One reason that writing secure software is so hard is that programmers must handle data from untrusted sources with great care. We are building tools to help programmers with this error-prone task," Wagner and his fellow collaborators write about The Software Security Project on their Web site.
Wagner is a bit bashful about his achievements, preferring to let his work speak for itself. A quick look at his Web site shows he's not only prolific but, whenever possible, will praise coworkers -- particularly his graduate assistants. In the cutthroat world of academia, such modesty is refreshing.
Among recent efforts in which Wagner has played a key role are MOPS, a tool for verifying security properties of C code, and BOON, a tool to detect buffer-overflow vulnerabilities in C. Both are publicly available.
In addition to the obligatory technical papers and publications required of professors, Wagner is program cochair of the 2004 IEEE Symposium on Security & Privacy and serves on key committees for at least six other infosecurity organizations.
Best Cybercop: Robert Weaver
U.S. Secret Service
After watching his office collapse during the 2001 World Trade Center terrorist attacks, Bob Weaver rededicated himself to serving his communities as a special agent with the U.S. Secret Service's New York Electronic Crimes Task Force (NY ECTF). Now in charge of that flagship field office, Weaver is making good on that promise.
In recent years, the affable Weaver has placed an emphasis on preventing digital crimes.
The New York task force has helped nab more than 1,000 cybercriminals responsible for more than $1 billion in losses. It's trained more than 60,000 police, prosecutors and industry practitioners in cybercrime prevention. The New York program is a model for other task forces around the country.
"The NYECTF is a government success story, highlighted by an unparalleled sharing of information, a unique ability to analyze data with a diversity of partners and a community-centered civil defense force for the protection of our national security," says Weaver.
Best Bug Hunters: David and Mark Litchfield
Next Generation Security Software
If finding software vulnerabilities is, as David Litchfield contends, akin to fishing, then he and his younger brother Mark can tell quite a few fish tales.
The day Oracle launched its "Unbreakable" marketing campaign, the duo found 24 holes in Oracle products. "It was extremely breakable," David says, adding that since then "Oracle is getting closer to the unbreakable claim."
Since starting the vulnerability research company Next Generation Security Software in 2001, the Litchfields have found 80 major vulnerabilities. That, they claim, is an unofficial world record.
That feat also brings their tally of publicized, less serious flaws to more than 200. They have another 50 for off-the-shelf software "still in the hopper." Did we mention these guys are self-taught, having avoided computer studies in boarding school?
"They are indeed fun," David says of his bug-hunting adventures. "I don't know if Mark and I are just lucky, or it's instinct."
What's even more amazing, however, is that vulnerability research occupies a small fraction of their time. The rest is spent running their U.K.-based startup and trying to drum up VC funding, which has proven difficult despite their impressive track record.
Now, the Litchfield brothers want to create intrusion prevention tools. "We need to be able to protect against the vulnerabilities that are unknown yet," Mark says.