In Memoriam: Ross Anderson, 1956-2024
Ross Anderson unexpectedly passed away in his sleep on March 28th in his home in Cambridge. He was 67.
I can’t remember when I first met Ross. It was well before 2008, when we created the Security and Human Behavior workshop. It was before 2001, when we created the Workshop on Economics and Information Security (okay, he created that one, I just helped). It was before 1998, when we first wrote about the insecurity of key escrow systems. In 1996, I was one of the people he brought to the Newton Institute at Cambridge University, for the six-month cryptography residency program he ran (I made a mistake not staying the whole time)—so it was before then as well.
I know I was at the first Fast Software Encryption workshop in December 1993, the first conference he created. There, I presented the Blowfish encryption algorithm. Pulling an old first edition of Applied Cryptography (the one with the blue cover) down from my shelf, I see his name in the acknowledgments. This means that at either the 1992 Crypto conference in Santa Barbara or the 1993 Eurocrypt in Lofthus, Norway, I, as an unpublished book author who had written a few cryptography articles for Dr. Dobb’s Journal, asked him to read and comment on my book manuscript. And he said yes. Which means I mailed him a paper copy. And he read it, and mailed his handwritten comments back to me. In an envelope with stamps. Because that’s how we did it back then.
This is back when "crypto" meant cryptography, and we would laugh when military types said "cyber" or "cybersecurity." We all called it "computer security" and then "Internet security."
I have known Ross for over 30 years, both as a colleague and a friend. He was enthusiastic, brilliant, opinionated, articulate, curmudgeonly, and kind. Pick up any of his academic papers and articles—there are 302 entries on his webpage—and odds are that you will find at least one unexpected insight that will change how you think about security. He was a security engineer, but also very much a generalist. He published on block cipher cryptanalysis in the 1990s, on the security of large-language models last year, and on pretty much everything else in between.
His masterwork book, Security Engineering—1,200 pages in its third edition—illustrates that breadth. It is as comprehensive a tome on computer security and related topics as you could imagine. Twenty-nine chapters cover everything from access control to tamper resistance, from banking security to nuclear command and control, and from psychology to security printing. Every page is infused with his knowledge, expertise, wisdom, and uncanny ability to cut through the nonsense that too often surrounds traditional security disciplines. (Also note his 15-lecture video series on that same webpage. If you have never heard Ross lecture, you’re in for a treat.)
Ross was a pragmatic visionary. His mastery of both the technologies and the underlying policy issues showed a deep command of multiple fields, and a rare capability to both work within them and synthesize around them. He was also able to weave this knowledge into narratives that were both compelling and comprehensible to the layperson. In his 1993 paper "Why Cryptosystems Fail," he pointed out that both cryptography and computer security got threat modeling all wrong, and that we were solving the wrong problems. It’s not the math, he wrote; it’s the implementation and the people and the procedures. In 2001, he was the first person to recognize that security problems are often actually economic problems, kick-starting the academic discipline of security economics.
He didn’t suffer fools in either government or the corporate world, giving them no quarter by disproving their security claims. As a graduate student, he defended people accused of stealing from ATM machines by banks who maintained that their security was foolproof. It was a pattern that repeated itself throughout his career: analyze a real-world security system from all angles, understand how it fails, and then publish the results—angering the powers in charge of that security system.
Here’s one example of many. In 2014, he was hired as an expert witness to defend people accused of tampering with the curfew tags used for offender monitoring. He studied the physical tags and their security, and also the economic, policy, and security implications of the tagging system. He even went as far as to wear an ankle bracelet himself. It promptly broke, proving his point. You can read the whole story in Chapter 14 of the third edition of his book.
That sense of justice and confronting power infused much of his work. He fought against surveillance and backdoors. He and I were part of the second and third academic take-downs of government attempts to break encryption. His 2022 rebuttal of child protection as a pretense to break encryption is particularly scathing.
Ross also fought for academic freedom, repeatedly publishing his findings in the face of corporate threats. Many things we all use are more secure today because of Ross’s work.
He was a blistering letter writer to those he believed deserved it. Verbally, he could be a hurricane in your face if he disagreed with you, but he would also engage with your points and was always willing to change his mind. And he enthused about, argued with, and listened to everybody: students, colleagues, partners of students and colleagues, random people he crossed paths with. Everyone was a sounding board for whatever ideas he had in is head.
And his head was constantly filled with ideas—mostly good, some not so good—and seemingly inexhaustible energy to implement them. He founded five different conferences, including the Information Hiding Workshop and Decepticon. He co-founded the Cambridge Cybercrime Centre. He founded the U.K.’s Foundation for Information Policy Research, and wrote most of the papers that the organization submitted to Parliamentary Inquiries on dumb legislative ideas. When the legislative center of power moved to Brussels, he helped form the European Digital Rights organization to provide advice there.
All this was part of his gift of fostering community. And it’s nowhere more evident than his legacy of graduate students at Cambridge University. His CV lists thirty-two of them, and seven more that he was currently advising. Many have carried his legacy of pragmatic security analysis of real-world systems.
Ross was elected as a Fellow of the Royal Society and a Fellow of the Royal Academy of Engineering in 2009. In 2016, he was awarded the British Computer Society’s Lovelace Medal, the U.K.’s top prize in computing. From 2021, he split his time as a professor between the University of Cambridge and the University of Edinburgh and was elected a Fellow of the Royal Society of Edinburgh in 2023. He was absolutely rageful against Cambridge University for making him retire at 67—and he was right.
He also played the bagpipes throughout his life. I dedicated a 1998 cryptography paper, "The Street Performer Protocol," to him because he "spent some of his youth busking on the streets of Germany with his bagpipes." Those were good stories.
He is listed in the acknowledgments as a reader of every one of my books from Beyond Fear on. Recently, we’d see each other a couple of times a year, at this or that workshop or event. He hosted me at Security and Human Behavor at Cambridge’s Churchill College in 2022. The last time I saw him was last June at SHB in Pittsburgh. We were having dinner on Alessandro Acquisti‘s rooftop patio to celebrate another successful workshop. He was going to attend my Workshop on Reimagining Democracy in December 2023, but had to cancel at the last minute. The day before he died, we were discussing how to accommodate everyone who registered for this year’s SHB workshop in December. I learned something from him every single time we talked. And I am not the only one.
My heart goes out to his wife Shireen, their daughter Bavani, and the rest of their family. We lost him much too soon.
Categories: Computer and Information Security