Rossfest
We all went to Rossfest last week. Ross Anderson, renowned professor of security engineering at Cambridge and Edinburgh universities, died suddenly and much too young last March. His death came as a shock. Many people came to Rossfest with recollections of his life and his contributions to cryptography and cybersecurity. The atmosphere was jovial. Despite a background of depressing geopolitics there was no note of the dismal or morose, rather a defiant camaraderie and sense of hope.
For those unfamiliar with Prof. Anderson's work, he is of course the author of "Security Engineering: A Guide to Building Dependable Distributed Systems", a seminal textbook that provides comprehensive insights into designing secure systems. This work has become a cornerstone in the education of security professionals worldwide. I knew Ross as one of his many proofreaders of the third edition.
Security Engineering was one of the core textbooks for our students on their MSc in Cybersecurity Engineering. It is so readable that some students feasted on all of the more than 1000 pages, which took quite some time. It is truly a bible of cybersecurity as it contains everything in one place and how it all connects.
In collaboration with colleagues, Anderson conducted influential research on information hiding techniques. His survey on steganography, Information Hiding: A Survey, co-authored with F.A.P. Petitcolas and M.G. Kuhn, offers an in-depth analysis of methods used to conceal information within other data.
Anderson co-developed the Serpent encryption algorithm, which was a finalist in the Advanced Encryption Standard (AES) competition. Serpent is renowned for its high security margin and was designed to be both secure and efficient.
Recognising the interplay between economics and security, Anderson explored how economic incentives impact security practices. His paper Why Information Security is Hard: An Economic Perspective delves into the challenges of aligning economic incentives with effective security measures. With his research group he conducted many revelatory works including Measuring the Cost of Cybercrime and Why Cryptosystems Fail where real-world failures of cybersecurity is examined in gory detail with hard-hitting practical emphasis.
That practical slant was so valuable when we undertook research into Vendor Malware. Students found the candid treatment of incentives for business, governments, state sponsored actors, and supply chains most helpful. Ross' book served as background reading on three other modules at Southamptom Solent, communications theory, network security and cryptography.
Let us be the ones to say here what was clearly in the air at Rossfest, but which some academics might not feel comfortable so bluntly putting their names to:
Firstly Ross was loved. It's usual enough when someone dies to say how very loved they were, but clearly Ross Anderson was worshipped as an indubitable Good Egg by all who knew him while walking and breathing in messy, everyday life. Importantly, that includes his adversaries who recognised a formidable gentlemen.
Ross was not liked by the university to which he devoted his life. The fact is they wanted rid of him by forced retirement. At an institution taking funding from Elon Musk and some morally questionable technology organisations, Ross ruffled feathers with his plain integrity. He was not, however, an "activist" - which made the integrity all the more galling for some.
Indeed, Ross epitomised the highest scholarly values of balanced, good-natured disputation, intellectual sparring, falliblism and irreverent banter, so much so that it is fair to say he was also feared. Many speakers recalled feelings of "intellectual intimidation" before coming to realise Ross' profoundly humane and approachable true nature. In his directness, Ross did not suffer fools gladly, nor pause to shoot down evidently stupid ideas if he sensed any note of disingenuity or artfulness in those he engaged with. These admirable qualities are clearly gold in a world where cybersecurity has become the definitive weakness of Western liberal democracy while at the same time everybody is frightened, muted, and taciturn in order to serve corporate and government masters who control their grant money.
Ross Anderson was literally encouraging - he gave courage. And it is infectious.
Generosity was a recurring word in all recollections. Ross gave his time and attention to people. But he did not do so indiscriminately, and I therefore suspect something even more profound; that Ross eschewed status - a heresy and remarkable position to hold in a place like Cambridge University. Many recounted lengthy, deep email exchanges with Ross, even if they felt like a "lowly nobody" or academic "outsider", as was my own experience.
All those assembled recognised most of all that Prof. Ross J. Anderson contributed to defining "security", a word that spans and cleaves meaning across disciplines. Across mathematics, computing, physical reality, social sciences, psychology and politics he joined dots and drew together tribes.
Helen spoke to many who said their lives were changed by Ross, and his contributions throughout a long career. There were so many speakers of all ages. Dr. Anh Vu and Prof. Alice Hutchings had worked closely and had built lasting personal relationships which were telling of his character fighting for inclusion, diversity and building a great workplace with cohort lunches together.
There were many professors, luminaries and company directors who spoke of working with Ross for decades and tracing his changing interests. Bruce Schneier noted how Ross began deep in the technical side of cybersecurity, and like himself began focusing more on deeper (and increasingly urgent) social impacts having built a solid mathematical/formal reputation. Dr. Jean Camp gained a rapturous applause for her speech about Anderson's fight for diversity in cybersecurity which is clearly there throughout his work. Ed and Helen spoke to Camp and other women at the event about work assisting vulnerable people with cybersecurity.
It is clear that Ross upheld the values we at Boudica call "Civic Cybersecurity", digital safety and knowledge not just for large organisations but for all members of the public as a basic educational and environmental right. A foundation for a new digital literacy. Stephanie Rosenbaum, CEO of TecEd and one of the first female CEOs of a tech company, gave inspiring conversation on diversity, comparing the US to the UK. Linda Camp also spoke about Ross fighting for women to be included more in research and discussions, and in mutual recollection of inspiring passages from Security Engineering. One such passage prompted heart-warming hugs among some of the women present whose lives had been changed by reading it.
Inevitably politics was in the air. Though students spoke highly of Cambridge University's inclusion improvements, diversity and LGBTQ+ society, expressing feelings of being able to "be themselves", some noticed it still falls short of reflecting the real makeup of the UK and it's neither race nor underlying class issues which still require attention but more complex problems of representatively including all mindsets. The questions remain; Security for who? Security from whom or what? Security to what end?
Here, Ross seemed a unifying force, able to effortlessly span all creeds, classes and generations. The photo montage of his life set up outside the lecture theatre showed clearly a working class, active outdoor life. If computers featured in Ross Anderson's early life they did not do so in the way modern youth experience them; dominating the attention of docile minds, spreading division and doubt, misogyny and mistrust. I think this upbringing, with a healthy detachment from digital systems, contributed to his level-headed objectivity and grounded social outlook.
We know from so many comments that Ross was uncomfortable with and challenged the sources of research funding. We noticed a lack of willingness from the UK academics to talk about issues with Big Tech and the unfolding US situation, something that the US academics were surprisingly happy to discuss. Research funding from UK government and charities has been in decline since 2010 and while our government have the facility, equipment and talent to really lead in cybersecurity and AI, instead we take donations from SpaceX and the like to build the AI centre. This leads to biased research. That said, it seems Cambridge last took funding from them in 2015, 10 years ago now, and have since distanced themselves from Musk especially in the last year. Cambridge University Press even published a paper last year about Musk pushing academics off Twitter
We heard repeatedly from ex-students and colleagues of profound gratitude for deep personal engagement and connection. Someone who truly listens, who holds others in mind, can in a single sentence change the course of ones life. It is rarely recognised that as practitioners in cyber-security we are exposed to all sorts of traumas, moral binds, and injustices. For his students Ross took on the role not only of an academic tutor but a life-guide and therapist.
Ross would no doubt dispute the epithet of a "gentleman". The definition of a gentleman is someone who knows how to play the bagpipes but chooses not to. They are after all, a battlefield marching instrument to put the "fear of God" into the enemy. Not only did Ross proudly play the pipes, he did so publicly, "busking" to make a living as a street musician. What we are sometimes glad to hear is not perfectly pleasant. I was hoping some pipers might have attended and fittingly disrupted the campus. Perhaps next time.
Finally, most heartfelt thanks to Prof. Frank Stajano, Dr. Anh V. Vu (congrats) and everyone else involved in organising Rossfest, compiling the Festschrift, extending us hospitality, sharing memories, and a lovely day. That thing… let's do it.