March 11, 2014: People of ACM: Eugene H. Spafford
Tuesday, March 11, 2014
Eugene H. Spafford is chair of ACM's U.S. Public Policy Council (USACM), and is a Member-at-Large of the ACM Council. He is a professor of Computer Science at Purdue University, and founder and executive director of the Center for Education and Research in Information Assurance and Security (CERIAS) there. His current research interests are focused on issues of computer and network security, cybercrime and ethics, technology policy, and social impact of computing.
Spafford is a Fellow of ACM, AAAS, IEEE, and the International Information Systems Security Certification Consortium (ISC2), and is a Distinguished Fellow of the Information Systems Security Association (ISSA). Among the many honors he has received for his research and educational contributions are the NIST/NCSC National Computer Systems Security Award; the ACM SIGCAS Making a Difference Award; the ACM SIGSAC Outstanding Contribution award; a U.S. Air Force medal for "Meritorious Civilian Service"; UPE's ABACUS award; and the CRA Distinguished Service Award. In 2013 he was named to the Cyber Security Hall of Fame.
He received PhD and MS degrees in Information and Computer Science from the Georgia Institute of Technology, a BA in Mathematics and Computer Science from State University of New York at Brockport, and an honorary D.Sc. from the State University of New York.
As a pioneering Internet security researcher and a well-known skeptic about achieving truly secure systems, are you optimistic about efforts to build a more secure network?
No, I'm not. I see two problems associated with this approach. First, any significant network that is developed will need to accommodate existing (legacy) systems in some manner, and be operated by some of the same people we have now — there is simply too much invested in legacy systems. This will lead to participating organizations continuing to make poor choices about their priorities for security (and privacy). Many security problems come about because of user error, misconfiguration, poor patching, indirect attacks, and a failure to properly prioritize and fund appropriate safeguards — it isn't only the design of the networks. A new set of network protocols and connections will not address the full range of issues.
Second, even if there is some success with a new network, will it be accepted? If it works really well, then there are many who will want to switch to it. However, the current network will undoubtedly continue to exist and that will lead to efforts to have a presence in both domains, leading to leakage and other problems. Only very strong controls (economic and legal) could keep them separate, and that will only work for limited access by a limited number of users. But if the new network is limited, there won't be the economic incentives to use it or to produce innovations and infrastructure as compared to the existing networks. In either case, there will be those who still want to use the existing network and all its protocols, so we will continue to have problems there.
As a professor who has received all three of Purdue's highest honors for education, what is your view of the current state of computer science education and how could it be improved?
It is clear we have had impressive successes in computing education. However, we also have a number of challenges, and they vary in differing locales around the world. "Computing" covers a great deal of territory, with scores of professional paths that have computing at their core, and hundreds in other fields that depend on computing.
We need to find better ways to convey computing concepts clearly to a wider audience — especially now that we have fewer people choosing computing as a major field of study than are necessary to meet projected demand. We must recognize the great range of possible skills, from technical application to theoretical formulations, and how to present the right mixes to students based on their abilities, interests, and needs. In many places we should do a better job of teaching something about the social context of computing to all of our students, and equip them to make good choices, especially in an environment of rapid change. That includes making sure they all know something about security as well as privacy, safety, and ethical behavior.
We too often teach mechanical skills in place of fundamental concepts. This helps prepare students for the immediate job market, but it is not really giving them a lasting foundation for a career. We've seen waves of fads and popularity in what employers want, but some of those may peak within a few years of students graduating. Think about languages — at various times Pascal, ADA and Cobol were the path to employment. Now it seems Ruby and Python are exciting. Remember VMS? RISC? 5th Generation Computing? Before long, "cloud computing" and "big data" will join them. For those of us intent on educating professionals, we should not lose sight of fundamentals.
Along with the problems concerning the material we teach, we have to do a better job of making sure that educational opportunities are a beacon and an enabler for everyone with the requisite ability and dedication. In some parts of the world (and certainly in the US), we have significant shortages of women and those belonging to minority groups matriculating in computing. Some of that may be because we aren't teaching computing-related material early enough, or we're teaching in ways that discourage some groups of students. Whatever the cause, this situation must change, both for the good of society and the health of the field.
When did you develop your interest in how public policy and computing technology impact each other?
My interest in public policy is something that has been with me as long as I can remember. I was involved in student government in both high school and college. I also got started in computing early in high school (not common in 1971). As a long-time fan of science fiction literature, I was already thinking about how technology could impact society, so there was a natural melding of my interests well before I started college. In grad school I saw first-hand some of the great new ideas for using computing, but I also saw some of the issues that concern us today: what happens when systems fail, how do security flaws create problems, what happens with privacy, and how do we set laws and regulations when the policy makers get their understanding of computing from movies and television? I realized that those were not topics being taught in any of my classes.
My graduate work was on how to build computers that were fault tolerant. My post doc was devoted to methods of software testing and debugging, to find and fix design flaws. And for the last 25 years I have been looking at issues of security and privacy. All of these areas have policy components. I believe my exploration of their connectivity has improved my impact as a researcher, made me a better teacher, and given me an opportunity to help influence policy formation for the better.
As an inspirational leader of ACM's U.S. Public Policy Council (USACM), what advice would you give to young computing professionals considering getting involved in policy?
One of the big differences between computing and policy has to do with answers. In computing, we usually have an attitude that we are finding THE answer or THE set of answers. We believe that the programs we write are correct. We seek proofs of problems. Our answers are finite, and may simply come down to 0 or 1.
In public policy, there may not be definitive answers achievable with finite resources — it has a little similarity to the halting problem. Policy decisions need to take into account personal preferences, economics, politics, and too often, superstition and ignorance. To be effective in working in policy, it is necessary to understand that choices involve tradeoffs — and what is optimal or correct at a local point is not necessarily the best choice at a macro level.
Thus, I'd counsel young people to get involved if they can think in terms beyond zero and one — if they can work towards consensus, and hold multiple contradictory ideas at once. It's different than what we normally teach in computing, but it is possible.
Beyond that, I'd encourage them to do it. The world needs informed, educated people to help set public policies. Those who are able to help policymakers and the general public understand complex issues of science and technology can help make our world a better place — and that can provide a great sense of accomplishment. I'd particularly recommend that they think about how it relates to the ACM Code of Ethics that helps guide who we are as members — especially imperatives 1.1, 2.7, and 3.5.