The IDS Den Mother (Full Interview)
Interview with Becky Bace on February 28, 2002 by Richard Thieme
Timeline
1984-1997 National Security Agency. Senior electronics engineer.
1989-1995 Led the Computer Misuse and Anomaly Detection (CMAD) research program and helped NSA build its Information Security Research and Technology Group (R2).
1995 NSA’s Distinguished Leadership Award in recognition of building the CMAD community.
??? - Technical monitor for the IDES (Intrusion Detection Expert System) and NIDES (Next Generation Intrusion Detection Research Program) at SRI International.
1996 - Los Alamos National Laboratory - Deputy Security Officer for the Computing, Information, and Communications Division, charged with determining protection strategies that allowed the Laboratory to balance needs for security with needs for availability and performance.
1998 – With partners Dr. Christopher Wee and Terri Gilbert, established and became President/CEO of Infidel, Inc., a network security consulting practice, providing strategic and operational consulting services.
1999 - The ICSA Intrusion Detection Systems Consortium released its first collaborative project, a white paper written by Becky Bace entitled “An Introduction to Intrusion Detection and Assessment.”
2000 - Author of “Intrusion Detection” (Macmillan Technical Publishing, January 2000).
2002 – Venture Consultant with Trident Capital.
2002 - Co-author with Fred Smith of a book on technology and litigation to be published by Addison Wesley.
RT: A former colleague at NSA calls you the “den mother” of intrusion detection research in the 80s and 90s. “Nobody expected an imposing half-Japanese half-Alabama teamster/moonshiner female to be so sharp technically,” he says, adding that you were always an “outsider.” I would guess that some of your success has come in spite of that and some because of it.
BB: I am co-authoring a book with attorney Fred Smith about problems with litigation based on expert technical witnesses and I wanted to say on the dust jacket, “Becky Bace learned the value of sound engineering practice as an 8-year-old calculating ratios for dynamite charges blowing up stumps on a north Alabama farm,” but Fred said no.
My grandfather was principal of an elite girls’ school in Tokyo and my mom went to birthday parties at the imperial palace. They lost everything in the war and she was a war bride. My dad was a self-educated teamster from a classic Alabama dirt-farmer family. I was one of seven kids raised in Birmingham, Alabama.
RT: Did you always want to be an engineer?
BB: No. I thought I would do something in the medical world but epilepsy came into full bloom in my adolescence and I was told that no medical school in its right mind would touch me.
Jimmy Hoffa used his bonus money one year to set up a scholarship fund and I was a recipient. In my senior year of high school, while neurologists discussed how to classify my disability, I won the Betty Crocker award for Alabama which included a scholarship and I became the only woman to attend the University of Alabama – Birmingham in engineering.
RT: When did computing enter the picture?
BB: At Alabama, I took my first course as a freshman (1973) on a machine with 1 meg of memory, a monster IBM mainframe. I did the punch card scene, doing Fortran and COBOL, and ended up in engineering because I fell in love with math. I became convinced that math was not the best professional risk, so I went into engineering.
One day while I was struggling with a thermodynamics course I woke up and said, if this is what I have to do professionally for the rest of my life I will slit my wrists. I was teaching an engineering lab and a couple of technicians for Xerox said, come work for us. We’re under the gun for affirmative action. With your background, you’re heaven-sent.
I remember the guy across the desk at Xerox saying, I guess we have to hire you, since you passed the test. I stayed with Xerox for five years as a copier specialist repairing copier machines, taking courses in math and economics at night.
I moved to Baltimore with Paul, my husband, and finished a degree at night. I saw an ad for NSA in BYTE magazine. I had a job I loved running a data processing shop for a civil engineering firm but the agency hired my husband first and he said, remember those people at school wandering around who didn’t match their shoes and if you gave them a stick of gum to chew, they would walk into a wall? This place is crawling with them. You’ve got to come here.
So I did.
RT: Talk about going to a culture that didn’t know what to do with you.
BB: I don’t think I ever fit in, anywhere. Until that point, I was a classically Japanese southern woman, and all three cultures teach you that if you’re rejected, it’s your fault. That first year was hard, but I found my stride.
RT: Didn’t someone recognize your capabilities?
BB: I was rescued by a gifted man who had a group doing special projects. There was a generation of amazing people inside the agency and he was the first I met. After I did a project for him, the management said that people wanted me to act as if I was a file clerk and it was obviously not going to happen, so they needed to find something for me to do. I designed a couple of integrated systems which was fun.
RT: When did you realize the particular contribution you could make?
BB: When I got involved in security in 1989, Gene Spafford was the gold standard. At UC-Davis where we were doing a brain trust sort of project, I said I felt almost embarrassed talking to him, my academic career was so checkered, and it turned out he had every bit as eclectic a background as I did.
RT: That kind of background is what qualifies you and Spaff to have 70,000 foot views. That’s hard for people who fit into slots to understand.
BB: Spaff said that when you do not connect with a bureaucracy, everyone assumes that the problem is that you have too little to offer, and the problem is more often that you have way too much.
RT: What a relief to find out you’re not crazy.
BB: It’s very therapeutic. (laughs) Everyone who is uppity deserves a community of support.
During a difficult period caused by my son’s diagnosis as autistic, a friend in the NCSC (National Computer Security Center) research group said I needed a job that did not involve so much travel. She had a project that pointed toward the initial intrusion detection work. I looked at what they were doing and thought, I may be an idiot, but this is the only thing we’re doing here that makes sense to me.
RT: Why was that?
BB: The approach to computer security was much more formal then. They had bought Edsger Dijkstra’s view of the programming process, that it should be mathematically rigorous and use very formalistic instructions for all programming. Those formal methods would make for correct programs and correct programs would not be insecure. That was the logic. They had customers, however, military customers, who worried about security but were also starting to see the leading edge of the effect of doing IP networking and they were not happy.
RT: They saw what was coming.
BB: Oh, yes. They absolutely knew what was coming.
Remember who was at NCSC (National Computer Security Center). Marv Schaefer got his start there when they saw that he could hack a 370, Bob Abbott was there in the 70s, these were guys who knew there was trouble coming but were just so tied up in the Orange Book and the Rainbow Series way of doing things – which I thought had nothing to do with the way the military actually used computers. I knew from having built systems that it did not resemble the software development process being promulgated by DOD. It was a classic case of the left hand not understanding what the right hand was doing.
I challenged a manager above me to let me run with it. We had funding locked in anyway. The way it works, you contract in three year chunks, and by month eighteen, even if you have really egregious sins, it costs more to back out of the contract than let it roll through. So I said let’s let it roll through and I’ll come to you with a strategy for either straightening it out or bringing it down. They said OK. I did not always see eye-to-eye with the bureaucratic way of doing things so I actually got on the telephone with stakeholders – that was radical – and looked around to see who was doing work in this space. I started to forge relationships and connections.
RT: You have said, "I don’t believe that anyone in defense circles, which are at the root of a lot of what we know about security, could ever have foreseen the impact that the World Wide Web has had. Some folks in defense were blindsided by the whole notion of distributed systems."
BB: Yes, that’s right. The people in the ranks knew that security was going to be a headache. I don’t think they understood how or to what degree it would be a headache but they were already having trouble.
RT: Who was “the enemy” at this point in time?
BB: You had your classic threats - the Soviet bloc, the Latin America drug scene, the Chinese, various rogue elements, different hot spots in the Mideast. In intelligence, to a degree, you have got to verify everybody. You have treaty instruments that have been in place for ages but still have to be verified. You also get a certain number of executive requests in a place like the agency. They’re very liberal about who gets covered by their protective stuff. A variety of people would come in with very pressing, very interesting problems. That’s what made it so much fun. We also had internal threats, don’t forget. John Walker, a whole rogues’ gallery of turncoats.
RT: As to folks in defense being blindsided by distributed systems, did you see clearly the nature of distributed systems and what they would bring in the security space? What were the dynamics of your interactions with people who could not see what was coming?
BB: When I was at the NCSC, they were dealing with the TNI, the Red Book, the Trusted Network Interpretation, which was supposed to be taking the principles of the Orange Book and extrapolating them to the arena of networked systems. It turned out to be the nature of networked systems that you have an erosion of security with each additional system added to the network. Adding systems, even adding modules, degrades reliability very rapidly. Security in a lot of cases is a function of reliability. You get the same roll-off only worse as you cobble things together. With the TNI, you have what we called the cascade effect to describe this roll-off. So they knew from a formal point of view that indeed this was a big problem, but it was thought to be an ivory-tower, arm’s-length kind of issue.
There’s a difference between what people can assimilate from a formalist point of view, the abstracted point of view, and what they can assimilate at the fingertip level. At that point people were grappling with the idea that they had sensitive data out there to begin with and that people could actually use that data to nail them. So part of the issue was a general difficulty in mapping their real lives to things that went on in the system, in the virtual world, as well as really “grokking” the nature of the threat, the nature of the instabilities, and their inability to secure the system.
RT: Was that frustrating for you?
BB: To a degree, but I am willing to beat my head against the wall only so much. Then I go off and start laying the groundwork for something that will solve the problems.
I cobbled together people who had at least a partial view of what was wrong. That connected me with Tsutomu Shimomura, Matt Bishop, I paid a lot of attention to Dan Farmer, people I regard very highly. I systematically worked my connections, and serendipity helped a lot. So I cobbled together a community – a fast-growing community – of good people ...
RT: Please be specific. You have internalized how to do this so deeply it may feel intuitive, but some people don’t know how to do it. “Cobbling together a community of the right people” may sound vague, and what you call “serendipity,” others might say is a high degree of intentionality and practical know-how.
BB: My partner at Infidel, Terri Gilbert, says that serendipity is what happens when you consciously make a piece of yourself available.
Things do converge. It’s amazing how things converge over time.
I learned a lot of it just growing up. In the Japanese community, there are about three degrees of separation between people and if you want to get something done, you'll use that awareness. There was an element of that and for me, coming from a small town, it was natural to rely on your community for support. But it also feeds into the law of large numbers effects. If enough people vote on a particular outcome, you’ll reach convergence over that population pretty quickly and that convergence will be nicely centered on the correct answer. An exercise that illustrates that is, take a room full of forty people and ask for the market cap of IBM and their answers will end up converging with an error rate of maybe three per cent. That’s pretty amazing. We are understanding that there are powerful ways of counteracting these big hairy problems. If you apply enough people with a few criteria at the beginning, you will immediately begin reaching a degree of convergence. You may not find the needle right away but you’ll eliminate the three quarters of the haystack that’s not productive.
RT: The only way to fight a network is with a network.
BB: Absolutely. We see this in warfare. Some people act as if we should be able to take on computer security using analogies from World War I or World War II. That paradigm doesn’t work when you’re talking about the ultimate in guerrilla warfare.
I also keep getting very actionable, valuable insights from totally orthogonal sources. I am working with an entrepreneur who is a genius at taking businesses and building value quickly. He has built billion dollar organizations in a year. He understands how to take high value propositions and make them ubiquitous. He says people need to understand that to recruit for a fast-build start-up, there are meta-life cycles for corporations and the staff at any point in that life cycle must reflect the needs of that organization. The people who make a start-up go beautifully are not the people to manage it once it is built. You need a different mind set. It’s a waste of capital, though, if you throw away people for all time simply because they don’t fit the needs of the organization at that point in its life cycle. I see the government doing that in security. What makes it particularly damning is that security is a chase function. Security by nature is always response, there is always a second and third wave. If you are supposed to be chasing the bleeding edge, and the bleeding edge is a start-up, why would you think a bureaucrat is the right person for the job? Security is one of those functions that does not have the luxury of becoming a bureaucracy.
RT: You use a lot of “action” words – cobble together, actionable, worked my connections ... and I get a picture of a whirlwind churning up all this swirling paper.
BB: You have to go beyond what’s necessary. People confuse necessary with sufficient. There are plenty of measures in security that are necessary. You cannot do security without any of them – things like penetration testing, vulnerability assessment. You need them, but doing them is not enough. I think it was Donn Parker who said that “paranoia is not enough.” You can be paranoid from now until kingdom come, you can be deeply and painfully aware of everything that’s wrong, everything that will enable someone else to nail you, but that knowledge is not enough. It won’t do any good unless you make that knowledge actionable. There are a lot of people who get so tied up in learning all the different problems and characterizing all the threats that they forget to do something about mitigating them.
RT: You led the CMAD effort for half a dozen years, so despite the frustration of dealing with bureaucratic structures, you learned to be creative and effective. How?
BB: The mission is intrinsically linked to the community. By nature our work had to be a community activity. I had to give up the notion that I could prioritize my own well-being or career above that of the mission. One road to hell in any bureaucracy is when people at executive rank are allowed to get away with putting personal aggrandizement or well-being ahead of the mission. Then they lose credibility internally as well as externally and it’s the loss of internal credibility that nails you. When you lose credibility inside, the people who work under you lose passion in a way that’s devastating. Given the structure and the limitations of government employment, if you lose passion, you’re screwed. The crimes that dissipate passion ought to be dealt with harshly but never are.
But – and it’s a big “but” – for every upper manager that tuned me out, there were a half dozen people junior to me who were really with the program.
RT: Your approach was unorthodox, to say the least.
BB: I built alliances that were totally unholy and unprecedented. I spent time across the river where there is supposed to be a blood feud [with the CIA]. I had managers who would say, well I’ll cut this funding then just to penalize you, but I had others across the river or in the military who would say, well if that’s what it takes, I’ll put my own funding there to cover it. I had cohorts in other organizations willing to execute according to my plan even though I had no direct power over them.
RT: You created a “functional network” to achieve the real mission outside of organizational boundaries by finding common ground. People are dying to give themselves over to a mission if given the opportunity.
BB: When I go back to DC and hear that the message has not changed, it reminds me how crazy-making it was. I finally realized it was better for me simply to acknowledge that I needed not to be there.
RT: I keep keying in on the fact that so much of your success came from working the task through a network of committed people.
It’s been said that you have an uncanny way of picking technology futures based not only on the technology, but on determining if the people talking about the technology have a clue. You made some key investments in intrusion detection early on that the community is seeing the benefit of now, but that weren't obvious back then. How can you tell if someone has a great idea – or is full of hot air – when others can't?
BB: I have been extremely fortunate to have good mentors, brilliant people like Ruth Nelson and some graybeard mentors. One of the latter, toward the end of my time with NSA, started a group to help people think about the fact that people attacked networks and that a lot of otherwise vanilla defense analysts needed to have a sense of how that happened. I worked on developing that program and part of the task was to select people for it. My style of interviewing people for the group differed from everyone else’s. I would ask questions and with some of the applicants, I became adamant and invariably those were the people who did the best. Once they were in the door, they were just stunning. There is an element of real passion but also an element of quick uptake which is fun to watch. Watching them was like seeing scans mapping visual activity as it moves in the brain – it was like that, watching them, their uptake of ideas as well as the ability to chain it all together, pull it into an incisive vision and say, “Oh, that’s the problem!” These folks were basically savants, and you got a sense that you were riding shotgun on their capabilities.
Part of it too is that I learned to make a decision as to whether I was willing to take a risk on somebody and pull them into the community. Then the energy of the community helps as to whether or not the person gets it. The community in and of itself has a dynamic that helps with the filtering and it’s usually a kind of compassionate filtering. Some folks don’t have it when they come through the door but pick it up quickly because of the community.
RT: You feel an “upward call” in the presence of people who call forth an evolutionary leap to express capabilities you didn’t know you had.
BB: Yes. Here’s an example. We had an expert’s workshop on the future of intrusion detection and anomaly detection. We found that as a group when we got together to talk about our intrusion detection research, we would often say, I have an intuitive feeling that this or that would be helpful but I don’t have the expertise to try to apply it. I had a strong cast of people all of whom had some discretionary budget. We decided to pool resources and come up with a scheme that let us actually hire the people with those particular domains of expertise. We asked them to look at what we had done so far with our research, then come to us with an educated presentation on how their expertise could be applied to the problem. Instead of the workshop being a kind of mindless marketing exercise that bored us all senseless, we were all in student mode again. We had gifted people come in like Sam Stern of Sandia who was the titan of sophisticated signals filters or Peter Cheeseman from NASA Ames who was the god of anomaly detection for radio telescope searches. We identified people we wanted to play with and most of them stuck around.
In 1995, at one of the meetings, Tsutomu shows up with evidence of a bunch of stuff he found over Christmas which turned out to be Kevin Mitnick. What was great fun was that people got excited about whether or not the evidence was real, whether or not his conclusions based on the logs were valid. Someone said to me, I know it’s valid. I asked, how do you know? and they said, because Bill Cheswick stopped playing chess on his laptop.
When you can make a decision like that on the basis of what somebody else in the room does, you have a functional community. Across that community continuum, you have a fair amount of clue.
RT: You have said that you had no delusions about the capabilities of the government side of the fence because there are things commercial superstars can do far better than their government counterparts. Like what?
BB: In government, we tended to believe that we could be security specialists without being systems specialists. That’s bogus. The ability to deliver on security mechanisms is directly proportional to the degree of mastery we have of the actual systems we are trying to protect.
I recently keynoted an investment conference for a venerable Wall Street firm and said that they should not invest in techy toy firms any more. We are at a critical juncture in the life cycle of security products – either they have legs or customers have brand loyalty to them or they show things like a maturity of engineering process, or not. So instead of sitting back and saying, we’re smarter than those customers, we know better than they do what they need, we should actually query customers about what they need. We have had a tremendous amount of hubris in the security field. We have said we were security gurus so we did not have to know anything about how customers interact with their systems. But it’s all about value. If you don’t understand your value proposition, you’re screwed.
You had also better have a sense of the context in which security operates. We tend to get so enchanted as a community with content that we forget about context. It’s all about context. Right now it’s critical to integrate products. We have to integrate with the users, the human side; we have to integrate with the underpinnings, the network, the platforms; and we have to integrate with the business itself, with policy and the corporate bureaucratic fabric. Any gaps in any of those will give you problems from a functional point of view and also from a security point of view, a liability point of view. It’s very difficult.
RT: And now you’re working in the venture capital arena.
BB: Yes. Building new firms is great fun. It’s returning to my old venue but from a different angle. I love seeing new ideas. Instead of being a failed bureaucrat, I’m a start-up person who was stuck in the wrong slot.
RT: Any last words of wisdom?
BB: It’s important to remember that we cannot have too much intellectual capital. It distresses me to hear people say, we won’t work with that person, or we don’t need that person because she’s a woman or the color of their face. It’s a terrific waste of human capital.
The people in security who are truly gifted have an ability to see in other dimensions, see through a different set of eyes. Often they are real characters. It would be a tragedy to narrow the pool of people who have those eyes for something as stupid and petty as bias.
Terri Gilbert said, “You know, the whole notion of how to secure this stuff once it’s automated really is the problem of this generation.” I think she’s right. We have to get real about it. Trust is central. Information security is a context in which we can define these critical human and community concepts in a way that matters.