You've heard from me in this space before, but this is my first column as IEEE Security & Privacy's editor in chief. I feel both honored and privileged to have the opportunity to assume this responsibility. George Cybenko, as both the driving force behind the magazine's creation and its EIC for the first four years, is a hard act to follow. But because he created such a strong base for the magazine, I'm hoping it won't be a difficult act to continue. You can expect the mix of articles, departments, and special issues on current topics to continue. You'll see some new names in the masthead as we replace those rotating off the editorial board; this is a normal process for all IEEE publications. We'll continue to strive for fresh and interesting material to keep you at the forefront of technology and issues in security and privacy.
These are changing times for print publications and for professional societies. The technology that many of us helped develop is having tremendous impact in publishing and in information distribution generally. As a trial, the IEEE has allowed us to offer subscriptions to nonmembers of the IEEE Computer Society at a greatly reduced price: US$29 per year. Together with our content, this offer has helped us increase our subscription base in a time of generally declining participation in professional societies. We're also trying to take advantage of new media. A prime example is Gary McGraw's Silver Bullet Security podcasts. Digested versions of these appear in the magazine (p. 9 of this issue).
I'm especially interested in hearing from you about what you like and don't like in S&P. We can and do monitor the download rates for various articles that we print, but those statistics tell only part of the story. This is a volunteer effort, and we depend on freely submitted contributions from the community. To ensure the quality of what we publish, we also depend on a peer-review process, which requires volunteer work. I want our volunteers' time to be well spent.
If you would like to help—particularly if you have ideas for improvements—please get in touch with me by email (firstname.lastname@example.org), but if you see me at a meeting, feel free to corner me. If you would like to submit a contribution to one of the magazine's departments, please contact the department editor (their email addresses are at the top of each department's opening page). Information on how to submit regular articles is available on the magazine's Web site (www.computer.org/security/).
Shifting gears a little, there's another activity in which I would like to engage you: grand challenges. Few people can have failed to notice the interest that Darpa's challenges for autonomous vehicles have generated. Similarly, I've been impressed by the great interest that the RoboCup soccer competitions have generated. In addition to possibly advancing the state of the art, such competitions can be highly educational and entertaining. A few years ago when I asked Google cofounder Sergey Brin what he had found most beneficial in his undergraduate career at the University of Maryland, he pointed to the programming competitions in which he had participated.
While at the US National Science Foundation, I spent some time trying to figure out how to structure a challenge or a competition that would help us move beyond our present stage of penetrate-and-patch security. A colleague with experience on both the defensive and offensive sides of software security told me why offense is easier: Most software comes bundled, and something in the bundle is likely to have an exploitable flaw; once the flaw is exploited, today's systems have few internal barriers to contain attacks. He attributed this situation, in part, to deficiencies in computer science education. In his view, students rarely face the responsibility of developing a significant piece of software and then integrating it into a larger system. Without such experience, students are unlikely to grasp the need to carefully check input parameters and provide strong internal barriers in software systems.
I thought it would be great to come up with a competition that could help students learn these lessons, but doing so isn't easy. The US National Institute of Standards and Technology has made very effective use of competitions to design new, open source cryptographic algorithms, but the primary competitions I've seen in computer and network security have been capture-the-flag exercises or penetration tests of one sort or another. These have their benefits, but they don't seem likely to lead to long-term technical progress in security.
But just because I haven't been able to come up with the right idea doesn't mean you can't. Here are my desiderata for a challenge problem in computer and network security:
1. It must be difficult enough, and relevant enough, that accomplishing it will lead to a measurable advance of some sort in security technology.
2. It must be possible to impartially and repeatedly rank the results of efforts by different competitors.
3. It must be interesting enough to attract widespread interest and simple enough to explain to those not involved in the field.
There's much more to be said on this topic, but I would like to hear your views. If you'll contribute, I'll summarize the results in a future column.