Dr. Robert K. Cunningham was named chair of the IEEE Cybersecurity Initiative in August 2015. This is his initial public interview in his new role and the first in a series by the Initiative’s subject matter experts.
Question: Congratulations on your appointment as chair of the IEEE Cybersecurity Initiative. Would you describe your work at the Massachusetts Institute of Technology (MIT)?
Cunningham: Thank you. I lead the Secure Resilient Systems and Technology Group here at MIT’s Lincoln Laboratory [in Lexington, Mass.]. I’ve been working on computer security since 1997. My early work was on evaluating and building computer intrusion detection systems, which led me to focus on preventing successful attacks on computer systems. Recently, my work has been to design a system such that even if successfully attacked, it can continue to operate and provide useful data and services for the user.
Question: What are your expectations for the IEEE Cybersecurity Initiative?
Cunningham: I see a number of significantly difficult problems in this field that the Initiative is well positioned to address.
The field has ongoing research and education needs. There’s a need in terms of education for people who are studying computer security. Then there’s a need to support the work of people who are building systems that aren’t necessarily security systems, but which need to provide the sort of guarantees that you’d want from a security system.
First, the IEEE supports one of the premiere conferences in computer security, the IEEE Symposium on Security and Privacy held every May in California. I want to strengthen and expand that support.
As chair of the Initiative, I’ll make an effort to share what we’re doing with the larger IEEE Computer Science and Engineering community and, in turn, learn from that broader community.
Question: As the Initiative’s second chair, how much work will build on the Initiative’s current direction and how will new priorities be developed?
Cunningham: I took over the chair position from Greg Shannon, who’s a terrifically thoughtful person, now working at the White House Office of Scientific Policy. Continuing what’s underway makes sense and we’ll soon have some outputs to discuss. Naturally, however, we’re reviewing what we should be doing next. I’m personally analyzing that ongoing work, what other IEEE societies are doing and what other organizations are doing, to determine where gaps exist or where an area is not being addressed with the weight and energy that the IEEE could bring to it.
I’m sharing my ideas with friends and colleagues to get feedback. To formalize that process, I brought in a vice chair whose insights I respect tremendously, Ulf Lindqvist from SRI. I’m also establishing a steering committee to provide broader input. Ulf and I are just two people, and the members of the steering committee will bring much broader expertise to determining the Initiative’s priorities. We’re just finalizing the committee’s membership, but we’re picking experts from academia and industry, from East and West coasts, and with interests in broadening those who join our field.
Question: How do you see your research at MIT in relation to your challenges as chair of the IEEE Cybersecurity Initiative?
Cunningham: I have the pleasure of working with phenomenally talented people at MIT’s Lincoln Laboratory. Our work has a certain focus, some of it in assisting the U.S. Department of Defense to meet very stringent restrictions about its data, how that can be shared and what sort of protections have to be built on top of it. In contrast, the IEEE tends to work not just on U.S. government problems, but on worldwide problems, and on consumer data protection and privacy. So my research certainly informs my perspective, but I recognize and am excited to think that the IEEE’s capabilities and larger mission will drive me in new and different directions.
Question: Obviously the topic of cybersecurity is vast. Could you describe your view of the terms “security” and “privacy” to let us in on your thinking?
Cunningham: I’ll use a fairly standard definition of security. It means ensuring the confidentiality, integrity and availability of data and services. I think of privacy, on the other hand, in terms of control of data. There’s a lot of discussion in the privacy community about what is the best definition to use. This definition was put forth by Alan Westin in his 1967 book, Privacy and Freedom, which examined the conflict between privacy and surveillance in modern society. More recent and nuanced definitions by Helen Nissenbaum think about this in terms of information flow in a manner consistent with a societal context, but I’m still learning about how to think about that and the technology it implies.
Increasingly, I think that the world citizen cares about privacy-related issues as more of our data is moving online, and as more services we want we expect to access anywhere, anytime. We still want to control information about ourselves, and we don’t want to let just anybody make use of that data for any purpose at all. I see this desire for control, for privacy, to grow over time. I think that the IEEE needs to get in front of thinking about that issue in particular and how we can build systems in such a way that it’s easy to ensure that that control goes to the right person at the right time.
Question: Can you take that thinking one step further and touch on some of the properties that solutions to security and privacy must possess?
Cunningham: In order to achieve security today, we must have a relatively large number of people do exactly the right thing all the time. The software developer of the app you’re going to use must design and implement that app in the right way. The system administrator that deploys the back-end of that app must configure it in exactly the right way. You must have the connection between you and the back-end app designed and configured in exactly the right way. And then the end-user has to use the system in exactly the right way. If you can line up all those people and processes with confidence and precision, then you can get confidentiality and integrity and availability guarantees. But that’s a long chain with many opportunities for people to make mistakes along the way, and they do.
My take on this is that we have designed systems and services such that all these people and steps must be done correctly. Going forward we’ll need to educate people to follow certain behavioral and technical protocols. And systems must be designed such that we don’t need so many people to always do the right thing in order to get the right outcome. I think this is achievable and world changing, and that’s why I’m interested in working with the IEEE, because I think there’s an opportunity to make that change.
Question: Do you have a timelines for progress in the Initiative’s work?
Cunningham: There is a little over two years left in this initiative, at least in the first round. Over the next couple of months I intend to lay out a two-year plan, which will undergo consistent review because developments over time should affect priorities. President Eisenhower once said that “plans are nothing, but planning is everything.” We’ll improve over time because the world of computer security moves extremely rapidly, and we must be nimble to affect change.