The April 2023 issue of IEEE Spectrum is here!

Close bar

Eugene H. Spafford: Malware Nemesis

The Purdue professor has been fighting cybersecurity threats for decades

5 min read
Photo of older white man in a suit standing next to racks of computers.

Eugene H. Spafford began working in computer cybersecurity before it was even a recognized field.

Brian Powell

During Eugene H. Spafford’s more than three decades as professor of computer sciences at Purdue University, in West Lafayette, Ind., he has made groundbreaking contributions to computer and network security. A member of the Cyber Security Hall of Fame, he is considered one of the most influential leaders in information security.

But he didn’t start out aiming for a career in cybersecurity. Indeed, the field didn’t really exist when he graduated from the State University of New York at Brockport with a bachelor’s degree in math and computer science in 1979. Spafford then went to Georgia Tech to pursue a master’s degree in information and computer science.


In the early ’80s, the IEEE Fellow recalls, computer security consisted primarily of formal verification—using mathematical models and methods—and cryptography, focused on mainframes.

“We didn’t have commercial networking,” Spafford says. “Viruses, malware, and other cyberthreats had barely emerged. There were no tools, experts, or jobs—yet.”

However, computer security became a hobby of his.

“I did a lot of reading and studying on where computers might be used and where they could go wrong, as well as reading science-fiction books that explored those possibilities,” he says.

Meanwhile, his graduate and postdoc work revolved around more traditional areas of computing. “The faculty [at Georgia Tech] had me design and teach a class in hardware support for operating systems,” he recalls. “I loved the teaching and the investigation aspects. I ended up staying on to get a Ph.D. in 1986, researching reliable distributed computing.”

His postdoc work was in software engineering: investigating how to write software that does what the developer wants it to do.

Investigating the first cybersecurity attack

In 1987, Spafford joined Purdue’s computer science faculty. A year later, he was pulled into the investigation of the Morris worm, the first high-profile cybersecurity attack.

The code had been created by a college student who allegedly intended it to be a research experiment. Also known as the Internet worm, it made headlines when it caused a major denial-of-service incident that slowed down or crashed a significant number of the computers connected to the Internet.

“The demand for cybersecurity professionals has never been higher, given people’s expanding reliance on computation and storage.”

Spafford was part of the team charged with isolating, analyzing, and cleaning up after the worm. There was a considerable sense of urgency, he recalls, since no one knew what the worm was doing, who had written it, and what its ultimate effects might be. He put in 18-hour days dissecting the code, documenting what it did, and responding to press inquiries.

“Until the worm event, security at government agencies was primarily about mainframes and information secrecy,” he says. “Now, it also was clear that the availability, even integrity, of systems could be at risk—and that we didn’t have good tools for protection and analysis. Suddenly, everyone from hobbyists to Pentagon staff was concerned about securing their computers.”

How cybersecurity has evolved

Spafford’s early involvement in combating cybersecurity threats led him to a rewarding career as a teacher, researcher, speaker, author, consultant, and organization builder.

He wrote a conference paper, The Internet Worm Incident, in 1989 to capture what had happened and the lessons learned. His other security projects included developing the open-source security tools COPS and Tripwire, as well as early firewalls and intrusion-detection systems. He was one of the founders of the field of cyber forensics, which involves collecting and analyzing digital data for investigations and providing legally admissible evidence. Spafford wrote the first papers on the topic.

Eugene H. Spafford

Member Grade:

IEEE Fellow

Employer:

Purdue University

Title:

Professor of computer sciences

Education:

SUNY Brockport, Georgia Tech

Publications:

Spafford has authored or coauthored over 150 books, chapters, papers, and other scholarly works. Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls That Derail Us, Addison-Wesley Professional, 2023, with Leigh Metcalf and Josiah Dykstra;

Government activities:

Testified before the U.S. Congress nine times, contributed to 10 major amicus curiae briefs before U.S. courts, including the Supreme Court.

In 1998, Spafford founded Purdue’s Center for Education and Research in Information Assurance and Security, becoming its executive director emeritus in 2016.

Just as computing and cybersecurity have evolved, so has the teaching of computing and cybersecurity, Spafford notes. “When I was starting in the field, I could describe and teach courses on how a computing system worked, from hardware to networking, and all the points along the way where security had to be put in place,” he says. “Fast forward to today, and looking at any major system in use, no person alive can do the same thing. The systems have gotten so big and there are so many variables that no one person can comprehend the whole stack anymore. To do well at security, you need to understand what a stack overflow is and the timing of instructions.”

Many computer science programs no longer teach assembly language or machine organization, he notes.

Spafford’s work has been recognized with many awards, but the honor he’s most proud of is the Purdue University Morrill Award, which he received in 2012. The award recognizes faculty who have made extraordinary contributions to the university’s mission of teaching, research, and community service.

“It was given not only for scholarship, but also for excellence as an educator, and for my service to the community,” Spafford says. “It thus represented recognition by a community of my peers for accomplishments along multiple dimensions. I value all the other recognitions I have received, but this was the one that covered the broadest scope of my work.”

The state of cybersecurity today

How well are companies doing on the security front today? Spafford says some are doing a pretty good job by partitioning their systems, hiring the right people, and doing the right kind of monitoring. But, he says, others don’t understand what it means to have good security or aren’t willing to spend money on securing their systems.

“We are in a marketplace where fundamental good practices are often ignored in favor of new add-ons and new features,” he says. “Instead of using sound engineering principles to build strong, resilient systems, the majority of the money spent and attention paid has gone to adding yet another layer of patches and building extensions on top of fundamentally broken technologies.”

Career tips

Given cybersecurity’s broad and still-evolving range—there are now close to 40 cybersecurity specializations—Spafford advises those contemplating a career in it to get a sense of what aspects of security they find exciting and intriguing. Once you’ve done that, he says, what you need to learn depends on what you will be doing.

Those interested in cybersecurity forensics, for example, will need to understand operating systems, networks, architecture, compiler design, and software engineering. “This helps you understand how systems function, how things fit together, how flaws arise, and how they are exploited,” he says.

For other areas of cybersecurity, you may need to study psychology and management theory to better understand the people involved, he says. Those who want to learn about policy should get some legal background, because law enforcement calls for yet a different set of skills.

The demand for cybersecurity professionals has never been higher, given people’s expanding reliance on computation and storage, and their growing digital connectivity. “All these have changed the nature of what we do with computing and have increased the attack surfaces that can be used by those who would violate security,” Spafford says. “Thirty years ago, the Internet connected research centers—our homes and automobiles weren’t attack surfaces. Now it’s the Internet of Almost Everything.”

This article appears in the March 2023 print issue as “Eugene H. Spafford.”

The Conversation (0)