Ross Anderson was a Professor of Security Engineering at Cambridge and at Edinburgh University. A pioneer in his field, he devoted his career to developing security engineering as a discipline: building systems to remain dependable in the face of malice, error or mischance.
Throughout his career as an academic and an industry consultant he received important distinctions and awards. He was a Fellow of the Royal Society and the Royal Academy of Engineering, a Fellow of the Institute of Physics, a Fellow of the Institute of Mathematics and its Applications, as well as the recipient of the 2015 Lovelace Medal, awarded by the British Computer Society.
In this interview Professor Anderson talks about a wide range of aspects of his life and formal education, and about how he developed knowledge and skills in the practical application of cybersecurity to banking and commerce on the UK High Street and in emerging, sometimes dangerous, economies overseas. With the benefit of such experiences he returned to academia and formal research in the discipline, and became a Chair at the University of Cambridge.
Professor Anderson was interviewed by Elisabetta Mori on 12 March 2024 for Archives of IT.
Professor Anderson died on 28 March 2024 at the age of 67.
Early Life
Ross Anderson was born in 1956 in Birkenhead. He has a younger brother. The family spent the first five years of his life in Wallasey, near Liverpool, where his father was working as a research director at a vaccines firm near Speke. The family then moved up to Scotland where Ross’s parents are from. He says: “Until I was eleven, we lived near a mining village called Annathill. My dad was a research pharmacist, he started off working for a drug company and was busy developing ulcer drugs and working on oligosaccharides. My mum was also a chemist. While I was very young she worked as a locum in a hospital and then when we got a bit older she got herself a chemist’s job, after we had moved to Gourock in the west of Scotland when I was eleven.” Having moved to Gourock, Ross joined the Boy Scouts which had an amateur radio club run by Ian Simpson, an engineer at IBM based at Spango Valley, three miles away from Gourock. Ross says: “That’s where I first figured out what transistors were and what shortwave listening is about, and we would build simple analogue circuits.” At the age of sixteen Ross became fascinated with mathematics having read Elementary Mathematics from an Advanced Standpoint by Felix Klein, which he found in his local library. This made up his mind to become a mathematician despite his family’s desire for him to become a doctor.
Education
At the age of seventeen, Ross applied to study medicine at Glasgow University. He says: “I also applied to study science in case I screwed up my exams, and so when I arrived at Glasgow I started doing the science course and it took the medics a whole term to realise that I was doing science rather than medicine, because it was beyond their experience that someone who had been admitted to do medicine would study another subject instead.” Having completed his first year at Glasgow, at the age of eighteen Ross applied to move to Trinity College, at the University of Cambridge. He says of the experience: “As a youngster I was way out on the Asperger’s spectrum, I was a bit of a fish out of water at school, I wasn’t particularly sociable, I was good at school work, I wore glasses, so I got bullied, and it was a great relief to get to Trinity because among Trinity mathematicians I was in my element. There was a whole bunch of people who thought and behaved and socialised just like me. So that was a liberation.” Ross was encouraged to skip a year and start on Part IB in his first year, which he says “was perhaps a bit too ambitious”, adding: “Cambridge sometimes encourages bright kids to skip a year and get straight into the meat of it, but as a result I had a hell of a hard work in my first year and at the end of my second year when I’d finished Part II, the full undergraduate degree, I was feeling a bit burned out. I didn’t feel like doing Part III, a maths MPhil, because I didn’t reckon I would be able to hack it.” His other option was a diploma in computer science, but it did not appeal to his desire to answer the questions he was interested in such as the meaning of life, the universe and everything, so he decided to spend his final year at Cambridge studying history and philosophy of science which he describes as “a complete gear change”.
First computer
Ross first learned computer programming at the Glasgow Schools Computer Centre, under the influence of his maths teacher, Willy Wilson, who arranged for his students to visit the centre one afternoon a week and write programs in Fortran on a 1104 IBM mainframe using punch cards. Ross followed up his computing experience as part of the IB maths Tripos at Cambridge where he learned to program in FOCAL, which he describes as “a language that was a mash-up of Fortran and ALGOL”. He adds: “So I duly did a numerical analysis in FOCAL and solved differential equations and so on, but it didn’t occur to me at the time that I would want to go and actually make a career in computing. Now, with hindsight, the computer industry ended up devouring me and almost all of my contemporaries, whether they’d been studying maths or physics or geology or computer science or whatever, because it’s just where all the jobs were in the 1970s and in the 1980s. For kids who had some idea how to program, you could just walk into a well-paid job, and if you didn’t like it, you could walk down the road and get a better job for more money.”
Ferranti
After completing his degree, Ross joined Ferranti as a development engineer where he worked for a year. He explains: “The job was set up by a friend of my father, Roy Tate, who was a senior person in their inertial systems division in Edinburgh. He had been responsible for developing the inertial navigation set for the Tornado, and he had an interesting project to adapt this so that it would be useful in midget submarines in the North Sea. So my work for a year was messing around with analogue to digital converters, Kalman filters and so on. While doing that I did an IEE qualification in computer engineering by private study and that enabled me to join the IEE as an associate member and got me a foot on the commercial ladder. Technically, working for Ferranti was fun, but I wasn’t very impressed with the way things were set up. They had some fancy tools to play with, but the pay was lousy and the promotion prospects were worse, so I got disillusioned with the idea of working for a defence contractor. The corporate structure was very oldy-worldy, the engineers were all at the bottom and the engineers’ pay scale went up to about where all the salesmen’s pay scale started. Ferranti went bust while I was there and had to be bailed out by the government.”
Gap Year
After his year with Ferranti, Ross decided to take a gap year and travel. He says: “I saved up a thousand quid and set off on the hippy trail to India. I got as far as Istanbul. There a revolution was starting in Iran, so I spent three or four months just wandering round the coast of Turkey, and I ended up in Aleppo in Syria, just as the Shah fell, and then I went down to Damascus and the little hotel that I was staying in was full of rich Persians who had just basically fled the country and were waiting around trying to find American visas. It was all very historical and dramatic.” Ross then travelled to meet a friend in Cairo and spent time travelling through Sudan, Yemen, Saudi, Jordan, Israel, Syria and Turkey, and eventually back home.
London
Once back from his travels in 1980, and realising he was not going to get a job in Scotland, Ross went to London where he did a variety of jobs including selling advertising, foreign language typesetting and so on. He says: “I did this and did that and then in 1982 the Sinclair Spectrum came out and I got one and started writing software for it. Among other things, I eventually wrote some cryptography software because we just had the early beginnings of email with things like Prestel, Starlink, CompuServe and so on. It was nothing like as good as today because SMTP email had not been invented to pull all the proprietary email systems together, and so what we needed was something that would take a file and encrypt it in such a way that it would go through Prestel or go through CompuServe etc, which meant that it was quite fiddly ASCII-armouring it in an appropriate way.” Ross’ interest in cryptology had come via a friend from Trinity who was working at an estate agent which wanted a system to send messages to its partners without them being able to be read by their secretaries. He continues: “I started digging into it, and I realised that the linear congruential generator that was used for these systems was reasonably easy to reconstruct if you could guess just a few bytes of plain text. So, I started looking into cryptography and reading the research literature that was available, including a book by Beker and Piper, called Cipher Systems, the first textbook on cryptography in English since about the 17th century. They were proposing a particular type of stream cipher and I suddenly realised that I knew how to solve this. So I wrote a paper on it and sent it off to Cryptologia. In the meantime, I sat down with my friend Keith Lockstone and we figured out how to produce a better stream cipher, and produced this email software which we managed to sell to one or two people.”
Barclays
In early 1986, Ross was hired by Barclays who were looking for somebody who knew anything about cryptography. He explains: “I spent three years looking after the security of cash machines and funds to funds transfers and things like that. That was an experience of a different type of large corporate organisation, not a defence contractor, but Barclays is in some ways a bit like the civil service, only better paid. I began to understand a bit how bureaucracies work, the twelve layers of managers that sit between the serfs who do the work and the big guy in the big office, and all the games that people play and how these cause stuff to go wrong. This was, if you like, psychological preparation for doing work on economics of security a dozen years later.”
Standard Chartered (Hong Kong)
Having spent a couple of years with Barclays, Ross was “assailed by wanderlust” and went to Hong Kong. He says: “I’d never been there, and thought I’d look around. When I was there I spoke to HSBC and Standard Chartered. Standard Chartered wanted to hire a cryptographer, so I spent some time there designing the security infrastructure and architecture for all their branches in the Far East. It was a higher-level job and better paid.”
Electricity Supply Commission of South Africa
Unfortunately, Ross did not enjoy living in Hong Kong so after a couple of months he moved to take on a project to invent prepayment electricity meters for the Electricity Supply Commission of South Africa (ESCOM). Ross explains: “It was clear by then that power was going to pass to Nelson Mandela, so ESCOM had to electrify millions and millions of informal dwellings in the townships, and they started a crash programme to design and build the technology for this. I worked on the project with Johan Bezuidenhout, who was running that programme. We designed a mechanism whereby you can sell electricity by entering a twenty-digit number into a meter and the lights will come on, this involved the hierarchy of vending machines. It uses cryptography in the sense that you have got a twenty-bit number, that’s sixty-six bits, so you’ve got sixty-four bits of cipher text encrypted with a block cipher, and you’ve then got two bits of plain text, into these sixty-six bits you’ve got to shoehorn an entire instruction set, such as change the tariff from x to y, or, dispense so many kilowatt hours, or whatever.
“There’s an interesting point in that in the near future there’s going to be a flag day because the counter is going to roll over, and this means that all the meters in the world – and there’s now a hundred million of them in a hundred countries supplied by a hundred vendors – are going to have to have the counter updated by putting in two special tokens which will reset it to zero. This process is about fifty per cent complete in South Africa.
That was an engineering lesson learned, had we thought carefully about it then, we could have decided to make the time clock in the electricity meters eight seconds rather than one second, and then instead of the clock rolling over after thirty-odd years, it would be a couple of centuries and nothing anybody could worry about, but back then we were really pressed for space and we just didn’t believe that the meters would still be around after thirty years. So that is the electricity industry’s equivalent of Y2K and we propose to write a paper on it some time in the near future with old colleagues with all the lessons that we learned.”
Cambridge University
Having spent several years as a security consultant working around the world and with the recessions starting to bite, Ross made the decision to return to the UK to study for a PhD. He explains: “I was suffering from imposter syndrome because I’d spent several years advising several banks and utility companies on how to do cryptography, and I’d never actually done a proper university course in it, not that there were many in those days. I’d never been to a crypto or Eurocrypt conference and I thought that some day I should do a PhD in this subject so that I actually know what I’m talking about. And so one day I just said to myself, well, you always said you’d do a PhD one day, looks like today’s the day.” Ross contacted various universities, including his alma mater, Cambridge, where Roger Needham invited him for a chat together with David Wheeler. Ross says: “They were the two full professors doing security and cryptography at the time. David Wheeler had been the first of Maurice Wilkes’s research students and he’s the guy who wrote the world’s first computer program, because he crafted the initial orders for the EDSAC, a copy of which we duly gave to Bill Gates when Bill Gates bought us a new building in 2000 or thereabouts. Roger Needham had also been a student of either Maurice Wilkes or David Wheeler, and he had invented some of the world’s first cryptographic protocols when he was working in industry for Xerox at Xerox PARC where Chuck Thacker invented the modern workstation and Butler Lampson wrote the software for it. They had workstations on a local area network, ethernet had just been invented, and they were using that, and they needed some way of authenticating workstations to resources, so Roger had invented the Needham-Schroeder Protocol.
Somebody had then broken it, so they fixed it and then he worked on something called the BAN logic, the Burrows-Abadi-Needham logic, with Martin Abadi, who was then at Digital Research and is now at Google Research, and Mike Burrows who was then Roger’s research student, and ended up writing AltaVista and ended up being at Google. Roger was very proud of this and gave me a copy of his tech report on the BAN logic.” The BAN logic helped Ross write a protocol for the NetCard project he’d been working on in Johannesburg which became the template for a process adopted by Visa, and years later eventually became the GeldKarte in Germany and Proton in the Netherlands, and it went into the patent pool which gives us EMV today. He explains: “The NetCard protocol was something that I’d been helping to work on at the time and so I went away with the BAN logic and I figured out how to use the BAN logic to verify it, and wrote that up in a paper which duly impressed Roger and David, and I got a research place at Cambridge.” Ross became a PhD student of Roger Needham and also worked with David Wheeler. He says: “I was still trying to do stuff with David Wheeler on cryptography, I spent several months of the first year of research trying to design better identity-based signature systems. We started off from one that a couple of guys in the Netherlands had published and David and I worked on various iterations. I came up with a protocol that seemed to work and I sent it off to Eurocrypt, and it came back with the damning referee’s report saying, sorry, this has been already invented by Fiat and Shamir four years ago. Because I hadn’t been going to the conference and hadn’t read all the conference proceedings I wasn’t aware that I was rediscovering this. So I was a bit downhearted.” Roger’s advice for Ross was to go and find some new problem and tackle it.
Ross continues: “My break came when 2,000 people sued thirteen banks for £2 million that had been stolen from them by means of phantom withdrawals from cash machines. The lawyers who were running this hired me as an expert witness. We collected a huge amount of information from various sources about how cash machine frauds were done. There were quite a lot at the time because cash machines used very simple protocols and magnetic strip cards which were easy to forge.” Unfortunately, the banks defeated the class action claiming that some were genuine fraud victims and others were people just “chancing their arm” and so the case was sent to the Small Claims Court. Ross adds: “So that class action basically failed and three years later I found myself in Southwark Crown Court being an expert in another trial where the guy who had done most of these frauds was sent down for six and a half years. He had basically developed various tricks for cloning mag strip cards, including parking a furniture van opposite an ATM and having a camera which recorded people entering their PIN, and he would then go to the rubbish basket where the ATM tickets were discarded.
In those days the ATM tickets had the full sixteen-digit account number on them, and there was no card verification value that anybody would check, so if you had an ATM ticket which said account number so-and-so and transaction time is such-and-such, and you have got your furniture van video says the PIN entered at the time such-and-such was 1232, then you’re in business.” As a result of the experience, Ross wrote a paper entitled Why Cryptosystems Fail. He says: “It looked at all the ways in which real cryptosystems fail, even though the cryptography was okay, the procedures around it, the way in which keys were loaded into hardware security modules then into ATMs, the way key material and cards and PINs were managed in bank branches, the operational security around, dumb things like writing the full sixteen-digits of the account number on the ticket rather than just the last four digits. The cryptographers at the time were a bunch of idealistic mathematicians with no real world experience, although there were some exceptions.” Ross was encouraged by Roger and by Robert Morris Senior, the Chief Scientist at the National Security Agency, to include cryptography and crypto-protocols in his PhD. Upon completing it, he became friendly with Eli Biham, the inventor of differential cryptanalysis. Ross explains: “Eli was one of the guys with whom I started a series of workshops on fast software encryption in 1993 so that we could have a place to put this kind of work. In addition to Eli Biham there was the late Jim Massey of ETH, Lars Knudsen, various people from KU Leuven, initially Bart Preneel and then Joan Daemen, and Vincent Rijmen who eventually produced the Advanced Encryption Standard Competition.
For a period of time during the nineties there was a number of us working on designing better block ciphers and breaking existing block ciphers, and from all of this the AES competition sprouted which ran through, or parallel with, lots of FSE workshops. It was at these workshops that the block cipher that Eli Biham and I came up with, Serpent, was first shown, as were the ciphers that became Jim Massey’s entrance and the ciphers out of which the Rijndael algorithm that eventually became AES grew.
“There was a whole community of us, perhaps a hundred people, who were working on block ciphers and stream ciphers. That came to an end when the AES competition finished. Five of us got through to the second round and then the voting at the final AES conference put Rijndael first and Serpent was second, and in due course the US government announced Rijndael the winner.” Following the competition Ross set his mind to looking at “what new worlds to conquer”. He had already started to work on two other topics including copyright marking and information hiding and together with one of his PhD students had produced some software called StirMark. He set up a series of workshops including the Information Hiding Workshops, which split into the ACM Information Hiding and Multimedia Security Workshop. He explains: “So we had these two other lines of work in basically the signal processing aspect, also the hardware tamper resistance side, because I recruited as a PhD student Markus Kuhn, who had developed some interesting hacks against smartcards whilst still an undergraduate.” He goes on to explain that many Star Trek fans in Germany were motivated to reverse engineer smartcards because the programme was encrypted in the country. Ross continues: “So that became a line of work for us and eventually we had Sergei Skorobogatov, who ran our tamper lab for about twenty years.
During the period we invented semi-invasive attacks on smartcards; we started off by asking is it possible to circumvent the tamper protection bit on our microcontroller by just flashing light at it to ionise it.” With various experiments, they found it was possible and over a period of twenty years, the team produced dozens of papers and won lots of awards and created the field of semi-invasive, semi-conductor failure analysis.
Projects, Papers and Books
In 2001, Ross also started a number of other projects including one with a PhD student on API attacks. Ross explains: “The hardware to generate and manage PINs, Personal Identification Numbers, over the years have become really, really complicated because as the banks started networking together, and Visa and Mastercard got involved, so we went from security modules with a dozen or two dozen transactions to security modules with hundreds. Complexity is the enemy of security, so I got a bright research student, Mike Bond, and I gave him the manual for a hardware security module and I said, ‘Mike, nothing this complicated can be secure. Find the bug’.” The student duly came back initially with a false alarm but followed it up by finding a vulnerability. Ross continues: “And thereafter we found one after another, after another. … There’s so much complexity that it’s a really, really hard job to guard against these feature interaction attacks. That gave us the pleasure of breaking the IBM 4758, which was the only device in the world that was certified to FIPS 140 level four, that is unbreakable by the US Government. When you’ve broken a certified unbreakable device, that’s a feather in your cap.” Having broken the IBM 4758, Ross sent a paper to IBM and told them it would appear in the Oakland IEEE Security and Privacy in ten months’ time, giving them time to fix the issue and update the software. However, just a couple of weeks prior to the deadline, Ross met the head of IBM’s banking services at a conference and he knew nothing of the paper. Ross adds: “It turns out that the whole ten months had been wasted by IBM because their hardware security people in Raleigh, North Carolina, were arguing with their software security people in Watson labs in New York over whose fault it was.
So at the open conference we disclosed a live vulnerability that could be used to exploit the hardware security modules on which thousands of banks depended and there was a torrent of downloads of the paper from our website coming from IBM.com. This was another experience of how the internal political economy of the corporate world gets in the way of security.”
Security Economics
Another project that Ross began in 2001 was research on security economics with the first workshop on the Economics of Information Security in Berkeley in 2002. The workshop was “hard going” as Ross described it, but it led to him writing his first copy of Security Engineering, followed by a paper entitled Why Information Security is Hard: An Economic Perspective. He gave the keynote talk at the Symposium on Operating Systems Principles at Banff in Canada on the paper. He says: “It really took off among the assembled operating system security crowd, many of whom had been involved in government work and had been aware that they had failed for twenty, thirty years to persuade any of the big tech firms to produce any operating systems that would pass Orange Book evaluation. Thereafter we had the WEIS workshop and we got together forty or fifty people at the first WEIS who’d been thinking about similar stuff, including Jean Camp who had been talking about the need for vulnerability markets, which emerged round about that time. Bruce Schneier had written once or twice about the role of incentives, and there was a couple of guys from University of Maryland who’d been financial economists, Marty and Larry, had written a paper on the incentives to invest in information security and what’s your optimal investment. From these seeds grew the modern discipline of security economics. That’s been a wild ride. I think it’s contributed quite a lot to our understanding of how things break in real life.” Also in 2001 Ross published his book, Security Engineering: A Guide to Building Dependable Distributed Systems. He says: “I was inspired by Bruce Schneier, whose book, Applied Cryptography, had become a runaway bestseller, and I thought there needs to be something similar that looks at security in the round.” Much of the material for the book came from the variety of courses that Ross was teaching at Cambridge. Ross’ book was not only aimed at students however.
He explains: “If you’re doing real engineering you have to look at real systems in the real world, you can’t do that by just standing at a blackboard and thinking about mathematics. I was aiming the book not just at a PhD student who needs to bring himself up to speed with what’s going on the field and learn the basics across a range of different self-disciplines. I was also aiming it at Dilbert, the random guy sitting in his cubicle somewhere in America or elsewhere who’s trying to build systems and suddenly he needs to know a bit about security.”
Security in Health
In the mid nineties, Ross did some work for the British Medical Association at the time that the government was looking to centralise medical records into one database so that they could manage the health service more centrally. Ross says: “However, doctors didn’t want this, so the grounding on which they chose to fight was patient privacy, whether the network should be encrypted and what the access control rules for the system should be, and so on and so forth. I advised them on that for a couple of years and I got to see how governments behave and misbehave when they’re trying to get their way and how they fail to build systems that are actually any use or they’re any good.”
Visiting Scientist - Google
In 2010, Ross took a sabbatical and spent three months at Google as a visiting scientist. He explains: “My main contribution was being part of the team that designed Android Pay. The ambition was to get it running in time for the London Olympics in 2012, but although we had the system itself working in late 2011, moving the banking system was just too hard. There’s an awful lot of inertia in payment systems as there are in other technological systems that have network effects. The big showstopper is how you persuade large numbers of stores to spend hundreds of millions of pounds replacing all the chip and pin terminals to tap and pay. The big store chains only really bought into that once Apple also brought out its own Apple Pay, and it was then clear that this was going to be a future direction.”
Carnegie Mellon University
During the same sabbatical period between 2010 and 2011 Ross spent three months at Carnegie Mellon University. He says of the experience: “At CMU I was working with Alessandro Acquisti, George Loewenstein and Nicolas Christin. We applied for and got a large Department of Homeland Security grant, of which Carnegie Mellon was the lead grant holder, the project was on the behavioural economics of cybercrime. In other words, once you start using economic and behavioural economic ideas, can you understand a bit more about the kind of people who do cybercrime and perhaps how they can be deterred.”
Cambridge Cybercrime Centre
The project led to work on deterrence of deception which Google helped to fund, and Ross started to hire a cache of people whose degrees were in psychology rather than just in economics or computer science. Ross adds: “In 2015 we got a big grant from the UK Engineering and Physical Sciences Research Council to consolidate this as the Cambridge Cybercrime Centre.” The centre is the outcome of over ten years’ work and allows researchers and those interested in cybercrime to access and analyse data drawn from many different sources purely for the benefit of research. “We thought we collect a lot of data anyway, and we can also get in data from industrial partners, from firms that run spam filtering services or threat feeds or whatever, who are prepared to let their data go to academia, just provided we don’t supply it to anybody who might actually pay them money for it. So we set up inbound and outbound licence to collect data about cybercrime, you can give it to us and we can give it to 350-odd researchers to play with, under an appropriate NDA. If you’re a researcher who wants to do a PhD on cybercrime, we’ve got the data. Or if you want to try and train one of these new machine learning classifiers to spot bitcoin scams or hate speech, we’ve got the data.
“We started collecting hate speech three or four years ago, and so we’ve got one database, CrimeBB, which is a scrape of over a hundred million messages sent to underground acquisitive cybercrime forums, places like hack forums, where people buy and sell malware and try and recruit kids into their crime gangs and so on and so forth. This could be used by social scientists, criminologists, psychologists and so on, to track the evolution of particular crime types, and even to discover new crime types that we didn’t know about before.
And because we’ve got this data and because we maintain it as a resource for researchers worldwide, we’re a bit like a particle accelerator or a space telescope, this is a shared resource for all researchers.
“The Centre is also currently working on a search engine using Elasticsearch, which enables people to go through our collections of data and look for messages of a particular type. The reason that we built this is that the majority of our licensees are not actually computer scientists, they are basically humanities and social sciences people, they’re lawyers, psychologists, political scientists, criminologists and so on, and if we can provide them with better tools we get more uptake and we get more use of our data.”
Doing things differently
Asked if there is anything he would have done differently, Ross says: “With the benefit of hindsight of course we could have got to where we are a lot faster, and there’s been a whole series of times in my career where somebody comes out with a great idea in cryptography and you say I wish I’d thought of that. But apart from that, I think I’ve had a fairly good run.
“I’ve been lucky to be around at the right time in that when I started publishing, the field was so small. My first serious paper, Why Crypto Systems Fail, appeared at the first CCS conference and there were about eighty people there. So in the space of three days I could get to know them all, including many of the greats in the field like Whit Diffie, Dorothy Denning, Matt Blaze and Carl Landwehr and so on, they were all there. And Roger was there also to introduce me to them. For someone coming into the field now it’s harder work, because if you go to a CCS conference nowadays, there’s going to be 1200 people and there’s going to be a hundred papers in about six different tracks and so much of the low-hanging fruit has already been picked.”
Future challenges related to cybersecurity and democracy
Ross says that over the next five years, we should be looking at how artificial intelligence and machine learning will change the cybersecurity landscape. He explains: “Lots of people are hoping that large language models will make it easier either to do attack or to do defence, and so far that doesn’t seem to be happening. We’re probably going to see for the most part just incremental changes as AI tools are used as personal productivity assistants by people doing either attack work or defence work. But it’s quite possible that you’ll see something changing radically.”
“The best analogy that I can give is ransomware. We did a couple of surveys of the cost of cybercrime, one in 2010 and one in 2017, and the amazing thing was, that the pattern of crime hadn’t really changed, despite the fact that people had moved from laptops to phones and that they’d moved from on premises service to the cloud, or that they’d moved to social with everything. And so that’s showing you that the patterns of cybercrime are not fundamentally technological, they’re fundamentally to do with the constraints in the surrounding legal and economic system. But the one thing that was changing by 2017 and has really changed since then is ransomware, because the invention of bitcoin meant it was possible to collect ransoms, which hadn’t been possible with any skill beforehand. I think that an awful lot of the growth in the cybersecurity industry over the past few years has been down to the fact that medium-sized firms are now at risk of being hit by serious ransomware attacks and having to shell out tens of millions of dollars, or having the embarrassment of seeing their customer data or their internal emails posted on the internet.
“It is quite possible that some application of machine learning will similarly trigger some radical change in the environment sometime in the next few years. And so watching out for that, figuring out what it is and what to do about it, will be one of the big research problems in the years immediately ahead.”
Proudest Achievement
Reflecting on his achievements, Ross says: “I suppose it’s for the security economics work that I’m most known, but where I get my kicks is from working on novel problems with bright young people and pushing forward the boundary. I’m not the sort of person who’s just going to sit there and look at my old best paper awards from twenty years ago.”
Changing the status quo
Asked what he would change if he had the political power, based on his experience, Ross says: “My focus would be on the standard and policy questions like consumer protection, competition, and privacy. These are things that come up again and again and again in the tussle between big firms and small firms, and the tussles between exploitative monopoly firms and defenceless consumers, in the tussle between police and intelligence agencies and tech. But given the nature of things, it’s unlikely that any new dispensation would stay uncontested for long. There’ll always be somebody coming along trying to lobby for a little bit more of the pie.”
Advice
Ross’s advice to students considering a career in technology or cyber is to follow their dream. He says: “If they can’t think of anything better to do, then of course they must go and work in industry and get some real world experience. But if you’ve got somebody who goes and works in Google or Facebook or whatever for a year or so, decides they don’t like it and goes to academia instead, that’s perfectly fine. You don’t need a big house and you don’t need to fly business class on holidays, what you need more than anything else is to be happy. On the other hand, there are people who’ve been in academia who’ve left to go and work in industry, because they eventually get bored with academia and they want to build stuff that people will actually use. Both types of career path are just as valid, it depends on your circumstances and your personality and other factors at the time.”
Interview Data
Interviewed by Elisabetta Mori
Transcribed by Susan Nicholls
Abstracted by Lynda Feeley