Q&A with Rob Cunningham, Part 2

Robert Cunningham

Dr. Robert K. Cunningham, chair of the IEEE Cybersecurity Initiative, described his approach to the Initiative’s priorities in his initial public interview. In this Q&A Cunningham articulates the Initiative’s specific, near-term objectives.

Question: One of your goals for the IEEE Cybersecurity Initiative is to make it the “go to” destination for cybersecurity professionals, researchers and students. How do you plan to accomplish this objective?

Cunningham: In fact, our three major goals are to become the go-to online presence for security and privacy students and professionals, to improve security and privacy understanding for students, and to improve the security and privacy designs and implementations being developed by professionals.

In order to accomplish all three goals, the first thing we need to do is make information about all of the disparate IEEE efforts in these areas much easier to find, and to improve the coordination among the efforts.

Question: What are your thoughts on increasing the Initiative’s online presence and usefulness?

Cunningham: We already have a large number of very high-quality efforts in the areas of security and privacy. But until recently, these have all been disparate efforts scattered about various IEEE programs and societies, which makes it harder for end users to find what they need. I’m going to nudge every person and organization in IEEE to coordinate their activities and ensure that the Initiative offers a single point of online access to these rich resources.

Our resources include the outstanding magazine, IEEE Security & Privacy, which is useful to everyone from graduate students and academics to professionals. We host a fantastic conference every year in the greater San Francisco area; the 37th IEEE Symposium on Security and Privacy is set for 23-25 May 2016 in San Jose, Calif. We have ongoing efforts in the policy arena on privacy protections. We’re developing materials for cybersecurity education for students and professional development.

If you’re just entering the field or, say, you’re a professional with a new set of responsibilities, we want to enable you to easily access these resources and understand the latest developments in a fast-moving field. That starts with a single website that ties together all the work we’re doing.

Question: What can the Initiative do to help students gain a better understanding of issues in cybersecurity?

Cunningham: A few developments motivate my thinking in this area. First, I know that the United States needs substantially more people with expertise in computer security in the workforce. I suspect that that same problem is a challenge for IEEE members across the globe. From speaking to a number of faculty members in the field, I also know that they have difficulty finding good, up-to-date cybersecurity problems to truly challenge their students. So we’re going to take the work the Initiative did with “Avoiding the Top Ten Software Security Design Flaws” and put together a series of challenge problems that illustrate what the flaws mean, and then show people how to build software in a more secure fashion. That’ll be useful for professors in the classroom and for students who want to learn on their own.

Other, complementary cybersecurity education efforts are taking place outside of IEEE, so for us I think the opportunity lies in leveraging some of the work that we’ve already done. Apart from the challenge problems I just cited, we might benefit students by picking a number of the problems as the basis for an online competition. Part of the fun of working in a developing topic area, where research needs to be done, is that we may think we know the best answer, but that’s not always the case. This is an ideal area in which to apply a bit of crowd-sourcing. We may have an answer in mind, but if the broader IEEE community comes up with a better overall answer, then we’ll reward that person or team and make that information available to the broader community as well.

Question: What sorts of resources do working cybersecurity professionals need and what can the Initiative offer them?

Cunningham: We want to make sure that professionals, when asked to design secure systems, have a go-to resource to figure out how to build those systems. We’re developing a number of products to enable the easy access they need. We have a series called The Building Code Series for industry verticals that need to build secure systems. The first one, which is online today, is “Building Code for Medical Device Software Security.” There’ll be more related topics coming in that series.

We also want to host broader discussions about potential pitfalls in this area. The report I cited earlier, “Avoiding the Top Ten Software Security Design Flaws,” does a nice job of explaining what those flaws are and how to avoid them. But we recognize, and we’ve already gotten feedback on this, that more fundamental, drill-down information is needed. So we’ll publish a series of additional documents for professionals. Say you need to learn more specifics about, for example, authentication processes, you’ll be able to turn to a deeper dive on that subject and learn the best practices related to authentication.

Question: IEEE is a volunteer-driven organization that provides personal and professional value for participation. What sorts of help does the Initiative need and how should interested parties get involved?

Cunningham: In my initial Q&A, I mentioned the Initiative’s steering committee. My vice chair, Ulf Lindqvist, and I are acutely aware that we need a variety of perspectives to review and plan the Initiative’s work to ensure that IEEE is tackling gaps in cybersecurity work or areas that are receiving insufficient effort. So our steering committee has academics, industry experts and government personnel with a wide range of trusted computer security backgrounds from a diverse set of organizations, companies, and agencies across the world. I hope to make announcements in that area soon. Of course, readers should check our website regularly for news. I plan to tap that team of people to lead some key areas for us, but I’ll need broader help than that.

We have a number of needs for volunteers. First, we need a “theme coordinator” who can help us articulate a monthly cybersecurity theme, ensure that the themes are consistent and at the right level of complexity. We need someone to develop a regular webinar series and use social media to build a community of participants. We need a social media coordinator to help us work with our PR firm to identify important new things that are developing in the cybersecurity community and help us develop a “take” on each of those as they come out. These efforts will make a valuable contribution to the cybersecurity conversation. Last but not least we want to create opportunities for us all to get together and talk about the future. We haven’t set a date yet, but this spring we’d like to hold a workshop to discuss work we’ve accomplished, try out the challenge problems that we’ll develop this winter and look ahead to new priorities.

So we need some help! We’re underway and pretty excited, because this is a very hot area, and one in which IEEE already offers tremendous resources and expertise. We just need to bring it all together in a slightly more coherent fashion. Doing so will provide great value to all IEEE members and, indeed, the “humanity” – our global society – that is our mission to benefit. Check our website for particulars on all these opportunities. We’re looking forward to getting more people involved and energizing this whole community.