By: Fariss Samarrai | University Communications
Gary McGraw describes himself as an “alpha geek.”
The information technology expert got his first computer, an Apple, in 1981 at the age of 15. Four years later, he got on the public “net” when few in the public had even heard of the Internet. He also wrote the 10th chapter of the first book ever sold on Amazon (“Fluid Concepts and Creative Analogies: Computer Models of the Fundamental Mechanisms of Thought”). He is also a multi-instrument musician who has twice played his violin at Carnegie Hall.
McGraw holds a Ph.D. in cognitive science and computer science from Indiana University and a bachelor’s degree in philosophy from the University of Virginia. He is vice president of security technology for California-based company Synopsys, and helped create the field of software security. He is the author of 12 books, including the bestselling “Software Security.”
McGraw will speak at UVA Thursday at 1:30 p.m. as part of a National Cyber Security Awareness Month event in the Newcomb Hall Kaleidoscope Room. His talk is titled “A Brief History of Software, Security, and Software Security: Bits, Bytes, Bugs, and the BSIMM.”
He answered some questions for UVA Today.
Q. How does one go from a philosophy degree to a Ph.D. in cognitive and computer science?
A. My route to the software security “mud” from the ivory tower is an interesting one. I started on the top floor of the ivory tower studying philosophy at UVA. Paul Humphreys [philosophy of science professor] taught a class called “Computers, Minds, and Brains,” which I took. We refactored that class by bringing in Doug Hofstadter’s 1985 book, “The Mind’s I.” Long story short, after inviting Doug to give a talk at UVA through the psychology department and seeing a run of Melanie Mitchell’s Copycat computer program, I decided to get my Ph.D. with Doug.
That meant moving to Bloomington, Indiana, for grad school. I earned my dual Ph.D. implementing and writing about creativity and artificial intelligence through the Letter Spirit project – which modeled central aspects of human high-level perception and creativity, focusing on the creative act of letter design. That put me somewhere closer to the ground floor of the ivory tower (since I actually wrote a ton of computer code).
I moved into computer security after grad school when I joined a startup called Reliable Software Technologies. We sold that company to Synopsys in December 2016 (during my 21st year as an employee). By this time, I was knee-deep in the commercial software security mud.
Q. Why does cybersecurity merit an entire month of awareness?
A. Software has become the lifeblood of society and modern business. Now that software is in everything, it must be made to behave. A critical aspect of making software behave is securing it while it is being designed and implemented (that is, building security in).
Getting the general public to understand why computer security is important and why it involves building security in through better engineering is a job we have just started. The public thinks computer security is about hackers, anti-virus nonsense and firewalls, but there is way more to it than that! Perhaps we should have a cybersecurity year of awareness in 2018.
Q. What are the top cybersecurity issues of the day facing government and the public?
A. Building secure software. Sadly, the U.S. government is three to five years behind the commercial market when it comes to building security in. But there is some good news. The financial services and independent software vendor verticals have embraced software security and made great progress in the last decade.
We know what to do. We know how to do it. Now we must scale software security and make it as efficient as possible.
Q. What are a few simple steps people can do to protect themselves online?
A. Keep your software up to date, and keep your nose out of dangerous areas on the Web.
Q. Can cybersecurity really exist?
A. Yes, for some definitions of “cyber” and “security.” Security is a risk-management exercise. The key is to inject security into the software development lifecycle(s) in order to properly manage software security risk (see my book “Software Security” for a treatment of the software security touch points and the BSIMM for detailed metrics about software security in the real world).