Spafford to chair external board for $45M Sandia Labs digital assurance campaign

WEST LAFAYETTE, Ind. — Eugene H. Spafford, professor of computer science in Purdue University’s College of Science and internationally recognized authority on cybersecurity, has been chosen to help Sandia National Laboratories in its campaign to manage digital risks to high-consequence systems.

Spafford, Executive Director Emeritus of CERIAS, Purdue’s Center for Education and Research in Information Assurance and Security, has been appointed chair of the External Advisory Board for Sandia’s Digital Assurance for High Consequence Systems (DAHCS) Mission Campaign.

The newly launched research campaign’s goal is to transform and simplify digital risk management for decision-makers, such as systems engineers and program executives.

Through Sandia’s Laboratory Directed Research and Development program, the campaign invests in research that develops generalizable scientific foundations to safeguard high-consequence systems such as satellites, hypersonic vehicles, nuclear weapons and critical infrastructure like nuclear power generators. It aims to reshape the scientific domain from one driven by expert-dependent pockets of excellence — through techniques like red teaming, security-by-design and formal analysis — into a sustainable, scalable and rigorous discipline.

Will Zortman, Sandia’s DAHCS campaign manager, says the $45 million initiative is a strategic investment to “replace the status quo of ad hoc, slow and costly digital assurance methods with a rapid, cost-effective and generalizable way to secure systems and mitigate threats.”

The effort, which will take place over the next seven years, will involve scientists and engineers across government, industry and universities.

Among the notable challenges the research campaign faces, Spafford says, is institutional reticence over potentially significant expenses to rework or replace existing systems. “Companies and government agencies haven’t wanted to invest in new approaches that don’t build on existing systems because they already have made huge investments in technology,” he says. “Thus, most of what’s been done to date has been directed to fixing or enhancing existing technology based on flawed designs and assumptions.” He notes that this has usually led to incremental changes that don’t fully address fundamental deficiencies.

Spafford acknowledges that the goal of developing new technologies for such diverse critical systems is highly ambitious, and success will be defined by multiple metrics.

“We need methods and principles to design and build high-assurance systems,” he says. “We must be confident that they’re going to perform over time, under stress and possibly with adversaries trying to corrupt them. We must understand how to measure risk accurately to make appropriate investment decisions.”

Spafford, known as “Spaf,” worked at Sandia during a recent sabbatical and currently serves on another of Sandia’s boards, its National Security Programs Advisory Board.

“Professor Spafford brings unique insight into where the cyber community is and where it needs to go, as well as strong connections across diverse systems communities. This positions us to, together, mature into a community that can reason holistically about complex systems,” says Zortman.

Spafford has helped define and shape the field of cybersecurity for 40 years. His pioneering research in cybersecurity, cyber forensics and security policy has resulted in scores of academic and professional organization honors. Among them are the National Computer Systems Security Award from the National Institute of Standards and Technology and the National Security Agency; the Kristian Beckman Award from the International Federation for Information Processing; and the Harold F. Tipton Lifetime Achievement Award from the International Information System Security Certification Consortium (ISC2).

In addition to being named to the Cyber Security Hall of Fame in 2013, Spafford has been elected to prestigious fellowships in the Association for Computing Machinery, the Institute of Electrical and Electronics Engineers, the ISC2, the American Association for the Advancement of Science, and the American Academy of Arts and Sciences. He also is a distinguished fellow of the Information Systems Security Association.

Spafford currently serves as editor-in-chief of the journal Computers & Security and was co-author of the book “Cybersecurity Myths and Misconceptions,” which recently was named to the Cybersecurity Canon Hall of Fame. At Purdue, he also serves by courtesy in professorial appointments in the schools of communication and electrical and computer engineering, and the departments of philosophy and political science.

Purdue’s Department of Computer Science is part of Purdue Computes, an initiative emphasizing four key pillars of Purdue’s extensive technological and computational environment.

About Purdue University

Purdue University is a public research institution demonstrating excellence at scale. Ranked among top 10 public universities and with two colleges in the top four in the United States, Purdue discovers and disseminates knowledge with a quality and at a scale second to none. More than 105,000 students study at Purdue across modalities and locations, including nearly 50,000 in person on the West Lafayette campus. Committed to affordability and accessibility, Purdue’s main campus has frozen tuition for 13 years in a row. See how Purdue never stops in the persistent pursuit of the next giant leap — including its first comprehensive urban campus in Indianapolis, the new Mitchell E. Daniels, Jr. School of Business, and Purdue Computes — at https://www.purdue.edu/president/strategic-initiatives

Writer/Media contact: Amy Raley, araley@purdue.edu

Source: Eugene Spafford, spaf@cerias.purdue.edu