January 11, 2002
Colloquium Speaker: Roger R. Schell
Dr. Roger Schell is an internationally recognized contributor to information security concepts in the business context. He is co-founder, President and CEO of Aesec Corporation, a new company focused on appliances built on hardened platforms for secure, reliable e-business on the Internet. Dr. Schell previously ran successful engineering organizations as Senior Development Manager at Novell, as Deputy Director of the government's Computer Security Center and as Vice President for Engineering at Gemini Computers, Inc. He received a Ph.D. in Computer Science from MIT, an M.S.E.E. from Washington State, and a B.S.E.E. from Montana State. He originated several key modern security design and evaluation techniques and holds patents in cryptography and authentication. The NIST and NSA have recognized Roger with the National Computer System Security Award, the nation's highest honor in the information security field.
During five years at Novell, Dr. Schell created and managed a development team that delivered significant new security capabilities with every NetWare release; it is the only system ever evaluated by the U.S. Government as a secure (Class C2) network. His team shipped in Novell's flagship product a powerful public key infrastructure (PKI), secure authentication services that included SSL, a modular and extensible audit capability, and a powerful and flexible international cryptographic infrastructure.
Dr. Schell was a co-founder and Vice President for Engineering at Gemini Computers, Inc., where his business and technical developments for commercial high-assurance (Class A1), secure network computers were the basis for a company that won the majority share of the worldwide high-assurance computer market. Earlier, he was the founding deputy director of the DOD (now National) Computer Security Center, which he grew into a respected organization of more than 150 security professionals. For his work there he is widely regarded as the "father" of the Trusted Computer System Evaluation Criteria (the "Orange Book"), which has been the most widely used international security standard for computers and networks.
The state of the science of information security is astonishingly rich with solutions and tools to incrementally and selectively solve the hard problems. In contrast, the state of the actual application of science, and the general knowledge and understanding of the existing science, is lamentably poor. Still, we face a dramatically growing dependence on information technology, e.g., the Internet, that attracts a steadily emerging threat of well-planned, coordinated hostile attacks. A series of hard-won scientific advances gives us the ability to field systems having verifiable protection, and an understanding of how to powerfully leverage verifiable protection to meet pressing system security needs. Yet the vendors that produce information technology products and the customers that specify purchasing requirements generally lack the discipline, tenacity and will to do the hard work to effectively deploy such systems. In summary, the state of the science in computer and network security is strong, but it suffers unconscionable neglect in delivered products.