Drifting into cyber security
I see a lot of discussion now about whether one can get into information security without formal qualifications in the field.
I find that interesting because I did, and so did many with whom I have worked as colleagues and suppliers and clients, partly because it wasn't a formally defined field then.
And I'm reminded of it now because I am refreshing myself in the niche field of security for embedded systems, which is interesting because that is where I started, and security was - and still very much is - a key part of that field, but seems weirdly unknown to many who are expert in cyber security but comment with seeming ignorance of its maturity. (By the way I thoroughly recommend the excellent webinars and extensive literature on this from Intel, Arrow, Infineon and many others.)
Like me, our company - BORES, founded by my wife Sarah and me and now run by our son James - drifted into security early on, by accident and without really thinking about it. Working on the early days of MRI, we required very powerful embedded computing and signal processing, which led to using the very new 'floating point' Digital Signal Processing (DSP) chips and associated systems. These offered a step change in processing power from earlier integer devices: in fact at that time a single DSP32C chip was classed as a supercomputer and required a special export licence. So I left MRI and together Sarah and I set up BORES, in 1988, to support and promote these new devices. The header image is one of the first we used - based on the AT&T DSP32C processor. The 'AT&T' gives the game away - AT&T being in origin a telecom company - and we quickly found that an important application of these things was outside our initial target market of image and audio processing, but in telecoms and monitoring. Specifically speech processing, for example word spotting in telephone call monitoring, which led us to working with government and other agencies - and to some of our devices being classified as restricted exports. As usual, any innovation led to an arms race and word spotting technology was countered by speech processing to defeat it, and to innovative way of avoiding patterns in actual speech, but we remained focused on the technology and enabling its applications rather than developing them.
领英推荐
As in current cyber security, the field and its challenges were - and still are - complex, hard and complicated: and evolution was very rapid, both in technology and application. Quite early on multi-processor systems became common - the largest being the AT&T Pixel machine which was basically what would now be called a GPU, having 64 DSP32C processors and rivalling for compute power the then current Cray supercomputer. Applications grew too, so that now DSP is no longer really a field in its own right but an integral part of almost all computing systems and devices.
One of the early challenges, though, was how to protect your own machine? Since, in telecom security applications, you were by definition going to be connected, how could you ensure that your machine and its information remained Confidential, Integral, and Available? And since these systems were for the most part embedded, and intended to just run without intervention, how could you avoid being hacked, remotely or physically? What if your opponent soldered a JTAG debugger to your device to hack it before its secure boot? What if your data gathering station was discovered - how fast and how securely could you destroy any information it held and any evidence of its purpose? How might you restore and retrieve information from an opponent's machine, that had been securely destroyed? And at a less combative level, when you sent a software update to an embedded device in, say, one of those new-fangled Digital Video Recorder thingies, how could you recover if the downloaded update was corrupt, or the power failed during update, or..? Which brings me back to the impression I have - perhaps incorrectly - that many real experts in cyber security don't seem to understand just how mature, how advanced, is embedded device security. Note here I am not talking about systems where someone shoves a Raspberry Pi into a weather station - that's fine but it's mainstream computing drifting into embedded systems, side-stepping the field's long history of secure development.
I had no formal qualifications for information security: yes I had physics, math, computer design, image and signal processing, audio and medical, but more as a slew of not quite directly relevant qualifications and experience. I still have no formal qualifications really - I don't necessarily need them because I work on oversight, policy, guidance and mathematical analysis - and any graduate from for example the excellent CAPSLOCK transition-into-cyber training could beat me hands down on a cyber-awareness smackdown: so I certainly don't see why anyone else should be excluded from the field based on lack of formal qualifications.
It was invented by people with no qualifications in it, so let's not gatekeep too much.
Thanks a lot Chris Bore for detail and informative. This is INIT process, when innovating person like you to step in to do Industry CLASS work . I am sure you will make it. Still for me , your DSP effort in early days way Gateway for many and i am sure you will open a gate for Security version of Embedded Systems/ May be look at https://www.jkuse.com/dltrain/deploy-in-edge/kanshi and i this is to audit IP traffic. Few months back , i did take part in https://www.jkuse.com/home/jkevents/nfsu-goa National Forensic Sciences University (NFSU), Goa Campus . Cracking Embedded system security audit will be challenging problem and it might feed industry for another 20 years. //jk