Matt Bishop is a computer science professor at UC Davis. He is also a co-director of the university’s Computer Security Laboratory and a faculty advisor to the UC Davis Cyber Security Club. Bishop wrote a textbook, now in its second edition, called Computer Security: Art and Science.
Key takeaways from the interview
- Electronic voting: Bishop is skeptical about the readiness of electronic voting systems. He emphasizes the need for transparency in elections and raises concerns about the security of these systems, especially internet voting.
- Insider problem research: He defines the insider problem as a betrayal of trust by someone with access to sensitive information. His research aims to model this problem within the context of cybersecurity.
- Cybersecurity as a mainstream concern: He notes the increasing mainstream relevance of cybersecurity, especially with the rise of the internet of things and concerns about privacy.
- Career advice: Bishop advises students to learn technology but also to study humanities and social sciences to better understand the societal, human, and political aspects of security.
- Recommended reading: He suggests a range of books and papers for those interested in cybersecurity, including his own textbook, Ross Anderson’s and the Pfleegers’ books, and classic works like Sun Tzu’s “The Art of War.”
- Future of cybersecurity: Bishop anticipates that the future of cybersecurity will be heavily influenced by political and social changes, emphasizing the importance of network security and the need for security professionals to adapt to evolving technologies.
What did your early career look like and how did it lead you to where you are now?
Matt Bishop
I’ve always been interested in mathematics and a little bit in law. When I was an undergraduate at Berkeley, I was an astronomy and applied math major. I did some work with computers in both the physics department and in the math department and I rather enjoyed it. So I got interested in computers and the place where computer science, mathematics, and law all meet is computer security. So that’s what I started looking at and really enjoyed what I saw.
I got a master’s in math at Berkeley where I did much more computing. I went to grad school at Purdue. Dorothy Denning was my advisor. She’s an expert in computer security.
And what’s your research focus now? What kinds of projects are you working on?
Matt Bishop
The overall theme is essentially vulnerability analysis. What I’ve been doing more specifically is looking first of all at data anonymization, because there have been a number of advances in that, such as differential privacy, and I’m very curious what you need in order to deanonymize things. As vulnerability analysis may require data, the data you get is typically anonymized; how does that affect its usefulness?
I’m also looking at the insider problem. We’ve developed what we think is a fairly good model. We’re testing the model out right now to see whether or not it actually is a good one. And I’m also doing network security. We’re looking at security of science DMZs. Those are networks that are very, very fast, so they can’t use ordinary firewalls that would slow down traffic too much, and the amount of traffic is typically huge. Maybe a petabyte a day or something like that.
The other two things I more or less fell into by accident. The first one was election security. Basically, I knew the clerk-recorder here through another project that I worked on. The clerk-recorder is the election official. And so she asked me in 2003, “I’m hearing a lot about electronic voting and I really don’t know how much I should trust it. Could you take a look at it?”
So I did and basically said, “It looks interesting, but it’s not there yet, not ready to be used.” Then I was in Maryland visiting a friend at another university and a student of mine introduced me to his boss. They invited me to come along to talk to some people about testing electronic voting systems. So I went and asked a couple of questions and I guess they liked it because when they got the contract to do the testing, they asked if I wanted to participate.
How do you feel about electronic voting now?
Matt Bishop
My sense is that it is definitely not ready. The problem is understanding what the requirements are for an election. There are a lot of them, but one of them is transparency, that people can see how the election is being conducted. Now you can interpret that in a lot of ways — transparent to the election officials, transparent to computer scientists or mathematicians, transparent to your average person on the street.
If it’s the computer scientists and mathematicians, then they can analyze the source code and analyze the cryptography that’s being used. If it’s to the election officials, some of them may be able to do that a little bit, some may not. If it’s to the average person, no way, and if you use paper you can literally — at least in our county — watch everything from the beginning of the day to the end of the day.
The only thing you can’t watch is how the person is voting in the booth. But with a computer, what goes on inside is not something you can watch. That’s one of my problems. The second one is that all of the voting machines that I’ve looked at are not built with high-assurance software development techniques. They are built with industry-standard techniques, which is probably the best way to put it, and that’s not saying much.
The one that really scares me is internet voting. There are times when that might be appropriate. For example, service people overseas who can’t get their ballots in on time. In that case, if they vote from a secured system and precautions are taken, then it’s probably no worse than mailing in or faxing in your ballot. When you fax in the ballot as is typically done now, you have to include something which basically says, “I’m waiving my right to keep my ballot confidential.”
But if you vote from your home machine or a laptop somewhere, that raises all sorts of other issues because they can be compromised in such a way that what you see on the screen is not what goes out.
I would not use internet voting. The systems aren’t robust enough and it’s too subject to denial of service attacks because elections have to happen within a certain period of time. And unlike banks, counties and states, or counties at least, don’t have the money to do large-scale replication. With a bank or the military, they do that. If you do a DDoS attack on one of them, you’re probably going to slow it down a bit, but that’ll be about it. At the county level, if you do a DDoS attack, it’s gone.
You mentioned that one of your research interests is modeling the insider problem. I was wondering if you could just elaborate on that just a little bit and maybe explain the insider problem?
Matt Bishop
The insider problem is traditionally defined as the problem that arises when someone you trust betrays that trust. For example, Robert Hanssen was an FBI agent who worked in counterintelligence against first the Soviet Union and then Russia.
He also gave Russia a lot of information. And that’s an example of an insider because he had access to information that was very sensitive and he was trusted to use that information only in a particular way. Selling it was way outside what he was supposed to do. And that was a betrayal of the trust. So he was an insider because he had access to the sensitive information and it was a threat or a problem because he was able to sell it.
So we’ve got a model of vulnerabilities that’s tied very much to policy. And so what we’re trying to do is place the insider into that model because, with a vulnerability, like a buffer overflow or something like that, that’s typically down at the runtime level. But the insider is more of a higher level problem because the person normally has access to that information. You can’t say, we’ll give you access to this information, but we’re going to implant these things in your brain so that you can only do what we want. Ignoring the morality, that doesn’t work.
Cybersecurity Guide
So the human factor.
Matt Bishop
It is entirely the human factor there. There are controls you can do, for example, if the insider works for your company and goes for a part of the system that he or she is not entitled to look at — you can use technical controls for that. But the issue there is that it is still a human problem. I should also point out if you start analyzing the definition of an insider very closely, you’ll find many different definitions.
The one we use in our research is very similar to the definition I gave earlier, but it’s not that exact one we just talked about.
The example you gave is somebody involved in espionage, like spying on national governments, but is there something that’s a little bit more approachable or kind of more of like a mainstream concern that you use as an example?
Matt Bishop
Yeah. The example that I have used in the past is an insurance analyst by day, seller of medical information to pharmaceutical companies at night. The other one I’ve used is the system administrator by day, attacker by night.
Same skills, same knowledge.
Can you explain what the Computer Security Laboratory at UC Davis is and just kind of talk about some of the projects that are happening and some of the things that researchers are looking at?
Matt Bishop
The Computer Security Lab is one of the oldest in the country. It started in 1986 when Karl Levitt joined the faculty. I joined in 1993 and we’ve done all sorts of research ranging from intrusion detection systems, network-based intrusion detection systems — by the way that was started here — and we’ve done pretty much everything from vulnerabilities analysis to database security to network security to anonymization.
I’m looking at, as I said, electronic voting. One of my colleagues is looking at the security of social networking, which is a very hot topic now. A third colleague is looking at adversarial machine learning and fuzzing. Fuzzing is used to detect vulnerabilities in adversarial machine learning basically to mess up an AI system.
Another colleague is looking at identity management problems. Now, another thing about the lab is that basically anybody in the department who works in security, and there’s a large number of people, will usually somehow be involved with the lab. So we have, for example, software engineers who are of their own group, but in a sense when they do security, they are part of the lab. So we found that being very flexible in who we work with really enhances things.
Cybersecurity Guide
It sounds like quite a range of research topics.
Matt Bishop
We’re eclectic, we like everything. We’re interested in everything.
Can we talk about your textbook on computer security? What things have changed from the first and the second edition and what inspired some of the updates?
Matt Bishop
I wrote the book because in the late nineties, I was looking for a good computer security textbook and I couldn’t find one that I liked to use in graduate classes. So I figured I might as well pull my notes together and create one. So that’s what I did and it’s had some success.
People started asking for a second edition and it took me quite a while to write that. The main changes are that it covers more threats such as availability, which wasn’t really discussed in the first edition, but it’s now become a much more important topic. I updated the examples to include more things that have arisen lately.
For cryptography, I included the AES and various chaining, various blockchaining methods that weren’t in the first one. I also included material about attack analysis, which again was in the first one but only a very little part. Now it has its own chapter. We cover attack trees and provide models, and include things like incident handling. The rest of it I basically updated.
Cybersecurity Guide
It must be hard, given how fast cybersecurity moves, to write a book about it.
Matt Bishop
It is. And that’s why the book focuses more on principles. It doesn’t so much talk about, well here’s how you defend a Linux box. You can get that elsewhere. But if you want to know why you’re doing the things you need to do to defend the Linux box, the book will show you.
Do you see cybersecurity becoming a more mainstream concern?
Matt Bishop
First off, the field really took off between 2000 and 2003 — somewhere in that interval as more people became connected to the internet and suddenly discovered that they were at risk. During that time, a lot of people basically said, “Security is … we’re safe,” and they found out they weren’t.
In fact, I think about five years ago, a member of the British parliament went on TV and basically said, “You know this identity theft stuff is all BS.” Guess what happened to him? Within 24 hours, he said, “Oops,” because his identity was stolen. So it’s becoming much more mainstream now and it’s going to get much worse with the internet of things, which essentially was not designed with security in mind.
And now people are very concerned about, for example, Alexa recording you and sending the recording somewhere, or the police subpoenaing all those records or listening in, things like that. So privacy really is going to become a big problem.
By the way, with privacy, one of the arguments against worrying about it is, “Well, if you’re not doing anything wrong, why should you care?” Best answer I’ve heard to that is, “Great. What’s your credit card number? Please give me your credit card number and all your codes. Okay. If you’re not doing anything wrong, you should give in to me.”
This is a two-part question: What’s the best career advice you have ever received and what kind of advice or guidance do you give your students?
Matt Bishop
I’ve gotten a lot of very good advice from my advisor and from other people, from a couple of other faculty members I worked with. I guess the best advice is to figure out what you want to do and where you want to do it.
For example, do you want to work in industry? Do you want to work in academia? Do you want to do research? Do you want to write, teach? You know that sort of thing. And once you’ve done that, don’t be afraid to change. Sometimes things in your life will cause you to change direction. That’s fine.
As far as students go, the advice I give people who are interested in security is to learn the technology but don’t stop there. If you just know the technology, you’re going to be great at the low level working with systems. But the moment you come into contact with people, you’re going to have problems.
So I strongly encourage prospective computer security people to take humanities, social sciences, study those as well as the technology and the technical courses. So that way when situations arise, you can place them in the proper context of the culture you’re working with.
Security is not just a technical problem, it’s a human problem, a societal problem and a political problem. And the more you know about those three things, the better off you are.
Along those lines, if you were to make recommendations for a cybersecurity reading list, what would you add?
Matt Bishop
A couple of things. As far as books go, if you are an upper-division or graduate student, I think mine’s pretty good. There’s also Ross Anderson’s and the Pfleegers’ books, both of which are good. Each of us has a different flavor. Beyond that, the 1976 paper by Jerome Saltzer and Michael Schroeder called “The Protection of Information in Computer Systems.” It’s the one that first made explicit certain principles of secure design and security and it’s a superb paper.
The part that’s most pertinent now is the first part where they talk about the principles. There are, see, another one that I would suggest people should read is some of the older papers that people have written because first of all, while they deal with the technology that has advanced, that is no longer what we have now, the ideas there can be taken and applied to the technology we have now and very readily and oftentimes by doing so, you’ll see things that people miss.
So if you’re into math, the Multics papers, for example, the Unified Multics Exposition is a very good one. If you’re not, then papers about computer crime by Don Parker are good.
Also, the other book that I would really recommend is Sun Tzu’s The Art of War. It’s not directly applicable, but the pattern that it teaches you, the way it teaches you to think is very good and you can apply a lot of that if you make the appropriate mental translations, you can apply it to security. Saul Alinsky’s Rules for Radicals and Reveille for Radicals are also good ones. They are not technical, but they show you how to deal with organizations and basically political things that really don’t go your way. Those are the only ones I can think of off the top of my head, but there are an awful lot of very, very good ones out there.
For whatever it’s worth, before I did my book, I taught the computer security class using papers and Saul Alinsky’s Rules for Radicals, Sun Tzu’s The Art of War, Machiavelli’s The Prince, and there’s a wonderful book by Eric Frank Russell called Wasp, which is basically about an interstellar war. It’s science fiction. And what they do is they take a human, one person trained to be a pain in the neck basically, then put him behind enemy lines and say, “Have fun.”
Yeah, yeah. Great. So last question here is kind of looking a bit into the future and being a little bit speculative, but maybe a well-informed speculation, what do you see, or if you were to advise, let’s say you’re talking to somebody who’s just starting their career as maybe an undergraduate or they’re just entering a graduate program, what are some things that should be on their radar in terms of computer security or cybersecurity, things that might kind of define the next 5 or 10 years in the field?
Matt Bishop
I think a lot of that is going to be defined by the political and social realms because those are changing very rapidly. I also think that network security is going to become even more critical than it is now. And also the technology that’s being built has security problems.
So as the technology evolves, security people have to evolve. You have to focus not so much on, well, how do you secure system A, but why do you want to secure it this way? That sort of thing. That’s one path.
The other path, which I hope we don’t go down, is somebody will release a super worm or super whatever and take out about three-quarters of the computers in the world. What do we do then? But the main thing is practice being flexible and practice looking at things in an unusual way. The usual phrase that’s used is out-of-the-box thinking.
Cybersecurity Guide
Excellent. Thank you so much for your insights.