Richard Ford caught a bug more than 20 years ago and he still hasn’t shaken it off.
In Ford’s case, the bug was Spanish Telecom, a computer virus that wiped out “a whole bunch” of his data while he was studying quantum physics at the University of Oxford in England. He began investigating and, well, he decided to keep investigating.
Two decades later, Ford is a renowned and sought-after expert on cybersecurity. The Harris Professor of Computer Science in Assured Information at Florida Institute of Technology, Ford also is head of Florida Tech’s Department of Computer Science and Cybersecurity, teaching campus-based and online courses, including in the Master of Science in Information Assurance and Cybersecurity program.
The “more I have taught online, the more I realize that the online medium can be a very effective teaching modality for the right students and used in the right way,” Ford wrote on his website, www.malware.org.
Ford also is associate director of the Harris Institute for Information Assurance, which he helped establish in 2009. The institute, which is located on the Florida Tech campus in Melbourne, Florida, engages in education, research and training. Research projects have included a virtual keyboard that’s resistant to spyware and Biologically Inspired Tactical Security Infrastructure, or BITSI, which was funded by the U.S. Army Research Laboratory.
Although headlines of late have been dominated by major hacks at corporations including Home Depot, Target and JPMorgan Chase, Ford has said such intrusions are symptomatic of a systemic problem. The complex nature of our networks leaves power grids and other critical infrastructure vulnerable to cyber attack.
“The lights stay on in my house because of computers as much as because of generators,” said Ford, who previously worked in the private sector for companies including IBM and Cenetec, holding titles such as research director, chief technology officer and director of engineering.
“Take out our cyber infrastructure and you turn off the lights,” he said. “It’s that simple.”
We caught up with Ford recently via email while he was traveling overseas and asked about his work at Florida Tech, his biggest cybersecurity worries and his tips for protecting yourself online. (Here’s a clue: update your computer.)
Q. Tell us about your background and how you came to Florida Tech.
I’ve worked in computer security or something related my entire life: Virus Bulletin magazine; IBM Research; the National Computer Security Association; those kinds of places. In the late 1990s, I was involved in a web startup around the big run up of the Nasdaq, and when I got out of that I was looking for something new to do. I was in venture capital for a few years, but as the market turned, that turned out to be a pretty tough gig, and my old boss asked me when I was happiest in my life. Without hesitation, I responded the years I had been studying for my PhD and the light came on for me – I should go back to college! After that, it was easy. Florida Tech had the right attitude, the right size and the right location. Interestingly, they also really valued my industry experience, not just tolerated it, and that was the deciding factor for me.
Q. What sparked your interest in computer viruses and cybersecurity?
Like most researchers who got into security when I did, I got hit by a virus and wanted to learn more. In my case, it was the Spanish Telecom virus. I wrote some awful little analysis of it when I was at the Oxford, and it got the attention of Peter Lammer and Jan Hruska, who owned Virus Bulletin. They invited me to visit and, that was that, new job.
With that said, during that lunch, opportunity met preparation. I’d always been interested in security because it was like a puzzle, and I couldn’t understand how exploits worked, so I had taught myself a lot of assembly language and reverse engineering skills. When I walked in, I was pretty well qualified, but I didn’t know it.
Q. You have called for the development of a more comprehensive approach to cybersecurity. What specific components would you like to see included in such a strategy?
I’d like to see us start by taking a good look at our expectations. You can’t have it all. I’ll use a car analogy. We all know that buying a car is about tradeoffs. If you want a V-8, F-Type Jaguar – and who doesn’t – you don’t expect it to get hybrid-like miles per gallon. If you need the capacity and function of a minivan, it’s not going to look like a Mustang convertible. Nobody expects a manufacturer to provide both; they know they are trading out different needs and wants. With computing, however, we seem to want it all, want it now and want it so we can do whatever we want without any risk whatsoever. And, guess what, that’s never going to happen.
So, a revisit of security requires us to start getting real about tradeoffs and expectations. Let’s think about Snapchat-like services for a moment. Guess what? If I send a picture that I don’t want going public to someone via a system like that, I have no control over it (the person at the other end could just snap a picture of their screen, right?) and so I shouldn’t be surprised when it gets out. Duh!
I shouldn’t really spend a lot of time trying to stop that, and asking for it to be all locked down is pretty unrealistic. If we keep trying to build a computing Utopia it’s not going to work.
Second, we need to look at disruptive technologies. So much of what we do is because of momentum. We do X. Why? Because we’ve always done X. That’s not a good reason.
Q. Florida Tech has been designated a National Center of Academic Excellence in Information Assurance Research by the National Security Agency’s (NSA) Central Security Service. What does this recognition mean for Florida Tech?
Lots! It benefits our students, most importantly, because they have access to certain scholarships and opportunities. It benefits the university because we get a liaison officer who can help us coordinate with the government. It also is a pretty nice reward and recognition for the late nights and weekends that it takes to do top-of-the-end research in this space. We’d do it anyway, but it’s nice somebody noticed.
Q. Can you tell us about some of the research being conducted at the Harris Institute for Assured Information at Florida Tech?
Yes, but I’d have to … well, you know the drill. Kidding aside, I’ll speak in generalities because a lot of what we do is “cone of silence” kind of stuff. The person you need to get to brief you on this is the professor who runs the institute, Dr. Marco Carvalho (see my comment about nights and weekends up above; Marco is seriously dedicated to the science of cybersecurity). He leads a bunch of different projects, but some of the ones we have done together are a secure platform – from the ground up – that has interesting and novel properties. That project was fun because we had a couple of undergraduates build their own CPU (central processing unit) from something called a Field Programmable Gate Array, or FPGA. That’s low-level cool stuff. With that said, on some of his work, Marco’s got little helicopters and tiny trains, and that’s really cool, both for the faculty and the students.
It’s not unusual to come into work and find a student has inadvertently stuck a quad ’copter to the ceiling. I love my job.
Q. Why should students consider enrolling in Florida Tech’s Master of Science in Information Assurance and Cybersecurity or MS in Information Technology/Cybersecurity degree programs offered 100% online?
Obviously, there are benefits to being on campus – perhaps the biggest is that you can work in our labs and get hands-on with our experiments. However, not everyone can do that, perhaps due to budget, work schedule or location. So, with our online program, the same people who are in the lab doing “cool stuff” helped design the courses you’ll be taking. I recorded and designed Host and Application Security, for example. Come to the lab if you can, but if you can’t, this is a pretty good way to get access to the same kind of education in a more accessible setting.
Oh, and jobs. Did I mention jobs? We have a horrible shortage of qualified people in cybersecurity and this is a good way to get qualified.
Q. What has surprised you most about teaching courses online?
Honestly? I didn’t want to at first; I did it because I was asked. However, I’ve discovered that the classes can address many problems you face in the classroom. My in-class teaching is better because of my online and vice versa, and I didn’t predict that at all.
Q. Do you have a favorite class to teach?
Gosh, that’s hard. They’re all different and so are rewarding in different ways. I actually love teaching undergraduate classes, such as Programming in a Second Language (CSE 2050), because the students are so new to the subject. However, the truth is you have to be pretty enthusiastic about anything you teach – if you don’t love it, it shows, and your students know it.
Q. Do you have a favorite student success story?
I’d love to tell you it’s my perfect student, the one that gets a 4.0 and a Big Job. However, I think my favorite student (and I’ll be vague here to protect some privacy) struggled all the way, taking more time than one would expect to complete, getting over the finish line with just a fraction to spare on their GPA. That student gave it all they had, and I will be forever proud of them. With that said, I’ve got some pretty good “I got a 4.0 and got rich” stories, too.
Q. What do you believe are the greatest cyber threats facing the nation?
Apathy. Seriously. We know there’s a problem, but we don’t want to change. We want everything the way it was but we want it secure. We have to change our expectations. If you want a more “traditional” answer, of course, critical infrastructure. The lights stay on in my house because of computers as much as because of generators. Take out our cyber infrastructure and you turn off the lights, it’s that simple.
Q. What are the most important steps that individuals can take to protect themselves online?
Update your computer. Really, it’s that simple, mostly anyway. Running Windows Update isn’t enough; you need to update things like Flash and Acrobat. There’s a tool that’s free for noncommercial use, Secunia Personal Software Inspector, that I think helps users a great deal.
Q. What about businesses and other organizations?
For businesses, it’s the same, but there’s a bit more to lose. Depending on the size of the business, solutions can range from very similar to home offices and all the way up to dedicated hardware helping provide security. Security’s complex; there’s no “one size fits all” approach
Q. You are a licensed pilot. Did you ever consider a career in aviation?
Ha! No. I mean, yes, I guess. As a kid I dreamed of it, but I only got my license four years or so ago. It was the first time in my life I had the time and the money.
Q. You’re a past winner of the National Flute Association’s Big Band Jazz competition. When did you start playing flute and who are your favorite performers?
I’ve played saxophone and clarinet since I was young – maybe 12 or so – but only after I moved to Melbourne in 2003 did I switch to flute. It took 10 years of hard work to finally start playing well, but finally things are clicking. Strangely, I listen to a lot of different horn players. On flute, of course, my favorite is Ali Ryerson, with whom I have studied quite a bit. But, in general, Michael Brecker, Dexter Gordon, Herbie Mann, Jackie McLean … the list is pretty long and I could list players all day!
So much talent out there – that’s one of the reasons I stick to computers!