Clifford Neuman is the Director of USC Center for Computer Systems Security, Associate Professor of Computer Science Practice in the USC Viterbi School of Engineering, and a Scientist at USC’s Information Sciences Institute.
He received an SB degree in Computer Science and Engineering from the Massachusetts Institute of Technology in June 1985. Upon completion, he spent a year working for MIT’s Project Athena, where he was a principal designer of the Kerberos authentication system.
Neuman began graduate studies in the Computer Science Department of the University of Washington in the fall of 1986, received an MS degree in 1988, and a Ph.D. in June of 1992.
Key takeaways from the interview
- Student demographics and interests: Students include those currently employed in industries like oil and gas, and defense, and those aspiring to work in security consultancy, cloud providers, or software development organizations.
- Cybersecurity reading recommendations: Clifford Neuman suggests Bruce Schneier’s book “Schneier on Security” for understanding fundamental security issues and solutions.
- Future of cybersecurity: Emphasizes the importance of designing and building “securable” systems, focusing on system architecture rather than just specific defenses. Highlights the need for simplicity in systems to reduce bugs and the effectiveness of controlling information flow and preventing supply chain subversion.
- Privacy and data management: Advises against collecting unnecessary data, comparing personally identifiable information to toxic waste because of the cost and risk of storing it safely.
- Key takeaway: The importance of focusing on system architecture to enhance security, rather than solely relying on specific defenses against known threats.
How did you first become interested in cybersecurity, and how did that experience lead you to your position as the Director of the Center for Computer Systems Security at USC?
I became interested in cybersecurity back in the 1980s while I was a student at MIT. At that time, as a student worker, I was managing some of MIT’s computer systems, and the potential for computer security problems was evident. When we, at MIT, started to deploy distributed computing technologies — trying to get them out of the machine rooms — the problems became more complicated and more apparent.
That led me to ultimately take a position after graduating from MIT, working at MIT’s Project Athena. I worked to develop a user authentication system called Kerberos, which we deployed initially at MIT, but which is now used for enterprise user authentication in just about every computer operating system. I’m sure you are using it. You might not know it, but you probably are.
And after getting Kerberos deployed at MIT, I went to the University of Washington to work on a Ph.D. There I focused on another distributed computing problem in the area of naming. I worked on security issues while I was at the University of Washington, but my Ph.D. focus was on managing distributed information, including addressing problems that led to the early days of the web.
When I took a position at USC after my Ph.D., much of my work returned to security. A few years after I arrived at USC, we formed the USC Center for Computer Security to coordinate much of our computer security research at USC.
Is there, or has there been, a predominant area of cybersecurity interest throughout your career?
If you think about the technical sub-areas of security, my main focus has been in the areas of authentication, authorization, and policy. That is, how computer systems are programmed to determine what is allowed and what is not allowed.
In the mid-1990s, I also worked heavily in the electronic payment area, which in those days I described as applied computer security. Until that time, people were like, “Why are we going through all these steps to make our system secure? There aren’t any problems.” But in the mid-’90s, when we started to have commerce on the web, all of a sudden, there was money. And when there’s money, this became a target. And therefore, that created a natural application area for security. It drove the need.
Can you describe the degree options available at the Information Sciences Institute of the University of Southern California for students interested in cybersecurity?
There are several degree options provided within the Viterbi School of Engineering at USC, specifically within the computer science department and the data science program. The main one for security practitioners is our Master of Science in Cybersecurity Engineering. That’s a two-year program that can be completed in about a year and a half if you’re motivated to do so. And it teaches both the fundamental theory of computer security for high-assurance systems and the practical application of security techniques in today’s more common networked mobile and cloud environments.
The topics covered include foundations, network security, information system assurance, privacy, cryptography, and forensics. We’ve got many other available options, but those are the main things students take in the area. Most students take these classes on campus. Well, not this year, but generally. Our degree program is also available to remote students who may be employed in the industry. The currently employed students typically take one class a semester instead of two, so it takes a little longer to get through the program.
We offer a second master’s program, an M.S. in Computer Science with a cybersecurity specialization. That program focuses on more of the fundamentals of computer science, including A.I. That program is then supplemented through several classes that students take specifically in the area of security. But if they take that program, they take fewer classes specifically directed to security. They do gain an understanding of how security fits into other areas of computer science.
For our Ph.D. programs, we don’t have a formal computer security department. Students conducting Ph.D. studies in computer security enroll in either computer science or computer engineering. I’ve supervised Ph.D. students in security for almost 30 years, and others in the department have supervised security Ph.D. students even longer. They complete their dissertations in the area of computer security under the supervision of faculty who conduct research in those areas.
There are also several undergraduate dual majors and minors. Dual majors in the sense that we have an undergraduate major, but they can’t be taken as a standalone major. You can take it as a dual major with something else.
We also have a minor in applied computer security offered through the USC Viterbi Information Technology Program. And there’s a Bachelor of Arts in Intelligence and Cyber Operations, which is offered jointly through the Viterbi School of Engineering and the USC Dornsife College of Letters, Arts and Sciences.
Regarding your cybersecurity programs, are there options for students to learn on-campus, online, or a combination of offline and online?
Remote students actually end up taking the same classes as on-campus students, enjoying lectures through WebEx. They interact with the on-campus students as well; it’s not a separate program at all. They can view the recordings of the lectures if the times of the live classes don’t fit their schedule. These recordings are also available to our on-campus students who simply want to go back and review the lectures.
If you remember when you were in college, you might have gone up and asked, “Oh, do you mind if I record the lecture so that I can study it again later?” Now there’s no need to do that. We’ve got it recorded with video, and students that want to go back can easily do that. I tend to lecture fairly quickly. If they want to go at half speed, they can do that. Or if they want to go back and jump to a particular part of the lecture to go over a particular thing, they can do that. And that’s available both for our on-campus students and for our remote students.
So remote students really are taking the same class, competing against the same students as the on-campus classes. And this is something that we’ve been doing for 20 years.
Well, that’s quite an offering. Can you describe the process you use to keep these programs relevant to an ever-changing cyber threatscape?
Many of our classes draw upon current events in developing exam questions and homework project assignments. In fact, sometimes we draw on what might be called future events because one of the things I like to do is to take something that’s in the news and then create a hypothetical scenario around that. Often, the hypothetical event actually happens later.
It is common to have class discussions centered around current events. And other times, if the module that is most relevant to a recent event is coming up in the future, I’ll then defer that discussion and tailor that discussion around the particular circumstances.
What are your students interested in, or what kinds of cybersecurity projects are they working on?
It’s a mix, and it depends a lot on how the students are coming to us. Some of our students are coming to us because they’re currently working in industry. Some students are sent to us by their employers, and their employers will fund a two-year program.
Our students have a broad set of security interests. We’ve got quite a number that are concerned with critical infrastructure. In particular, the oil and gas sectors. We’ve got one oil company that sends maybe two or three students a year into our program. We have a class specifically on cybersecurity in the oil and gas industry offered by our Petroleum Engineering Program.
We have a fair number of students also currently employed in the defense sector. And they’ve got their set of interests as well. Of the other students that enroll, many are interested in working for a security consultancy when they finish our program. Others go on to be security engineers, for example, at the major cloud providers or software development organizations.
If you were to build a cybersecurity reading list, what would be your top picks? (this could be books, papers, or lectures)
We like to reference a wide variety of articles and publications in our classes. It would not be easy to point to just one because there are so many. It would be a very long list to try and cover them all.
If you want to understand the fundamental issues related to security, a good starting point is the book Schneier on Security, by Bruce Schneier. It’s not too technical, but it lays out the relevant issues and offers solutions.
What do you think the cybersecurity industry or landscape will look like in five years? Ten years? And what do you think students today can do to best prepare for that future?
I think that students need to understand the fundamentals of computer security. That is, how to design, build, and deploy systems in, what I like to call, a securable manner. There isn’t a completely secure system, but a large part of what we want to do is develop systems that are “securable.” It is not enough to learn how to fix the problems that were exploited in last year’s attacks. Instead, we need to architect our systems to better manage the flow of information with simple rules. And simplicity is really the key here.
The more complex a system is, the more bugs you’re going to have. In some sense, this is more of an architectural issue than learning how to use security tools. Today’s systems are too complex. We can only improve security by better managing and controlling information flow and solving problems that we have with subversion, including supply chain subversion.
Focusing on the design of the application lets us apply security technologies in ways that are more effective. In other words, it’s more than just saying that “there’s a problem if we develop an application without authentication or encryption, so let’s include that at the start.”
Instead, we need to take it one step earlier and understand what information you’re managing and the consequences of disclosing that information. Then build the architecture of the system — not the security architecture, but the architecture of the system. In this way, data will be naturally stored in an appropriate protection domain.
One of the things I tell my students is that the easiest way to keep an adversary from getting hold of information is not to collect it. In my privacy class, I tell students to think of personally identifiable information as being like toxic waste. If you collect it, you have to pay to store it safely. So the cheapest way to get by is not to generate or collect it.
If our readers could have only one takeaway from this interview, what do you hope it will be?
I would like them to take away some of what came out in the last question. That is, the one way we can better secure our systems is by focusing on the architecture rather than applying only specific defenses that fix yesterday’s problems.
Thank you so much for your time. I have sincerely enjoyed talking with you. Have a great day!