Software Engineering Institute

September 1, 2016—Honoring a career that spanned 30 years, the leadership and staff of the Software Engineering Institute (SEI) gathered recently to mark the retirement of Richard Pethia, founding director of the SEI’s CERT Division. Pethia, who served as director of CERT since1988, guided the organization through tremendous growth and change. Under Pethia’s leadership, the unit expanded and evolved from the CERT Coordination Center—a small group focused on computer incident response—to a research organization of more than 200 professionals dedicated to solving problems with widespread cybersecurity implications.

“I just want to say how fortunate we’ve been to have so many good people working for us over the years,” said Pethia. “In addition to all the technology we helped go out into the world, we also have people who’ve been here, worked with us, and gone and done some wonderful things. I’m very happy for the CERT staff and all the CERT alumni.”

Under Pethia’s leadership, the CERT Division made numerous contributions to the development and maturation of the field of cybersecurity, including efforts that led to the creation of the Forum of Incident Response and Security Teams; the development of software vulnerability discovery, analysis, and remediation techniques; seminal research in the area of malware analysis; CERT-developed cybersecurity awareness and education programs; a virtual training environment available to government, Department of Defense, and other constituencies around the clock and around the world; leading-edge research on the problem of insider threat; CERT-developed tools that support law enforcement cyber forensics efforts; CERT-developed secure coding practices and standards; and the risk and resiliency management practices OCTAVE and CERT Resilience Management Model.

On several occasions, Pethia testified before U.S. House and Senate committees and the Pennsylvania Legislature on Internet and e-commerce security issues, cyber-defense, the effects of computer viruses, and possible actions to prevent future viruses from impacting networks. He has also presented on computer security and computer crime to the FBI, the Department of Justice, and Interpol.

In 2003, the SEI awarded Pethia the position of SEI Fellow for his vision and leadership in establishing the CERT Coordination Center, for his development of the CERT Division’s research and development program, and for his ongoing work and leadership in the areas of information assurance and computer and network security.

Prior to joining the SEI, Pethia was director of engineering at Decision Data Computer Company. He also served as manager of operating systems development for Modular Computer Corporation. He earned a BS in mathematics from the University of Pittsburgh.

The Defense Advanced Research Projects Agency (DARPA) charged the SEI with forming the CERT Coordination Center in 1988 in the wake of the Morris Worm, an event that crippled much of the fledgling Internet. Larry Druffel, then SEI director, tapped Pethia to head the new unit. Pethia had been with the SEI since 1986, and Druffel knew he was the person for job. “Rich was mature personally and technically,” said Druffel. “He knew how to work with people, he had a sense of personal integrity, and he didn’t have a big ego.” These qualities proved essential at a time in which the rules of the road had yet to be defined.

Looking back at those early years, Pethia can chuckle now at episodes that in hindsight sound almost quaint. In a recent chat with SEI News, Pethia ruefully recalled a series of attacks on U.S. systems launched during his first years at the CERT Coordination Center. “We finally traced the attacks to a particular university in the Netherlands,” he said. “We called the university and talked to the one contact we had in the systems administration department.” Pethia asked the gentleman if he could help stop the attacks, but at the time the Netherlands had no laws against unauthorized system access.

The systems administrator referred Pethia to the university president, who reiterated that there was no law or university policy in effect to prevent the activity. “And, by the way,” said Pethia, recalling the words of the university President, “the young person who’s doing this is a high school student. We open our doors to the community to use our equipment because we think that’s a nice, social thing to do.”

Undaunted, Pethia tried another tack. “OK, we said,” recalled Pethia. “If you won’t stop it, can you at least give us the phone number of this person so we can call him and tell him to knock it off? They gave us the phone number and we placed the call. The young man didn’t answer, but his mother did, and we told her what was going on. The attacks stopped that night.”

In managing those seminal incidents and attacks, Pethia and CERT learned valuable lessons that laid the foundation for the computer security incident management practices used today by CSIRTs around the world. “I think we’ve brought a perspective to security that was missing in the past,” said Pethia. “When we started working in this area, people were very much concerned about protecting computers. We helped shift the thinking to protecting the things the computers do for you. So, the whole notion of resilience, system survivability—a lot of those ideas were started here, promoted here, and have found their ways out into the world in a variety of different places.”

During Pethia’s tenure, the Internet grew to insinuate itself into nearly every facet of society. The stakes for cybersecurity are now higher than ever, and the threat more dangerous, more widespread, and more rapidly evolving. “I think the biggest challenge we’ve had, and the one we’re going to continue to have, is the rapid pace of change in the technical base,” said Pethia. “New technologies come online literally every week. The opportunities the bad guys have to attack that growing space, and the opportunity they have to find new ways to attack things, is going to continue to be a challenge for the whole community.”

Pethia does not see any immediate relief from cyberattacks and other threats to cybersecurity, but he does envision new adaptions to the threat environment on the horizon. “I think we’re going to keep seeing attackers being successful, to the point that industry is going to feel some real pain. And I think the next big step is getting people to spend more time in the software and system architecture process putting special controls on the high-value and high-priority assets that they have and not trying to protect everything from all forms of attack.”

In addition to targeted controls, Pethia thinks more can be done in software development to mitigate threats. “The one thing that would truly make a difference is that if security were treated, in the software engineering process, as a first-class attribute (like, for example, reliability, and speed of execution), I think that one change alone, in the industry, would make a lot of the problems we see on a day-to-day basis disappear.”

Pethia plans to maintain his involvement with the SEI after some well-earned rest. The SEI is currently conducting a national search to identify a candidate to succeed Pethia. In the interim, CERT Division Deputy Director William Wilson will serve as acting director.

For more on the SEI CERT Division, visit http://cert.org/.