WASHINGTON, D.C.—Believe it or not, the computer security community—and the rest of us—can learn a lot from rock star Frank Zappa and author T.C. Boyle.
That’s the latest message of Gary McGraw, who helped create the software security field in the mid-1990s. In 2000, he co-wrote the first book on software security, and he has since written 11 other books and more than 100 peer-reviewed articles on computer science and security problems in scientific publications. He’s currently serving as vice president of security technology at Synopsys.
McGraw, a self-described “big fan” of Frank Zappa, said he pulled his long-owned dishdasha out of storage to dress as the mustachioed rock icon for a 2017 New Year’s party. And in his keynote speech at the ShmooCon hacker conference here last month, he discussed how to encourage hackers to think more like Zappa and Boyle, two “out of the box” thinkers he admires.
“I wanted to inspire people that are a little bit entrepreneurial to follow their passion, and do what they think is right,” McGraw told me in a post-keynote interview. “I also wanted to get the hacker’s mentality to embrace science. I think one of the problems that we have in the so-called research community is, you’ve got people that are really good at breaking systems, but they really are very bad at science, and they’re bad at citations—knowing previous work, knowing who did what.”
A large problem the computer security community faces, McGraw argued, is that too many people are pointing out that software is “broken”—and not enough people are working on ways to fix it. A study published last year about business trends from 1993 to 2010 found that entrepreneurial optimism is strongly linked to business success. Perhaps, McGraw hinted, a bit more optimism that broken software can be fixed will drive people to actually fix more software.
In his presentation, McGraw related seven quotes from his two-headed Zappa-Boyle muse to the lives and careers of his computer security hacker peers.
- “All the good music has been written by people with wigs and stuff,” Zappa sarcastically said. This is like proclaiming that “all the good security stuff has already been done,” McGraw said, adding that passion leads to good stuff, so if you’re passionate about computer security, you should follow that interest. Otherwise, he says, “you’re just getting paid, and what’s the point of that?”
- “A composer is a guy who goes around forcing his will on unsuspecting air molecules, often with the assistance of unsuspecting musicians,” Zappa also said. McGraw said people in any given field rely on one another to achieve their goals, like a rhythm section. A network of like-minded people can help you do whatever it is you’re attempting to accomplish, even without intending to or knowing that they are. “Sharing your ideas is part of that rhythm, and expect to work on the same problem for months,” he says. “Changing the world takes time.”
- “Classical musicians go to the conservatories; rock ’n’ roll musicians go to the garages.” McGraw said this third Zappa quote is about the importance of practice, which includes scientific analysis and hands-on experience. “Do both of those things,” he advised, and don’t rely too much on one or the other, which would lead to an institutional bias.
- “The professorial dictum has always been to write what you know, but I say write what you don’t know, and find something out. And it works,” Boyle said. The significance of that quote, McGraw said, is the notion that people need to work on “new stuff.” McGraw pointed to his newer efforts, such as the BSIMM project, the CISO report, and the IEEE Center for Secure Design, which he began working on because “we needed something in the field, and it just wasn’t there.”
- “Who can achieve the conscious-unconscious state of the reader, when everything is stimulation, everything is movement and information?” McGraw said this Boyle quote emphasizes a need to be centered and “remain calm,” even in the face of information overload. “Part of leadership is being calm in the face of certain disaster.” Achieving that calm, however, involves working with peers to set realistic goals rather than mandating results in a top-down manner.
- “We are animals, and we are made in this way, and this is how we behave. I’m just kind of fascinated by how we can deny that we are animals and what our impact on the other animals is like, and how quixotic we can be in trying to assess what we’ve done in trying to correct it.” McGraw said this Boyle quote reminds him that people in computer security need to figure out how to give back to their communities at large. He raises money for the Leukemia Cup Regatta by promising to sail in a kilt on a windy day if his team hits its fundraising goal. And if you don’t have money, “give time.”
- “There is pleasure in making art for its own sake, but I think it screams for an audience. I really think it would be difficult to write, were I to know that no one would ever read it.” This Boyle quote, McGraw said, should inspire people to know their audience: to figure out whether they’re researching or hacking for other researchers or hackers, the general public, or a group in between, and to present their work accordingly. Complicated security interfaces are just as lost on the general public as jargon is.
Another challenge the computer security industry faces is organizational homogeneity, McGraw says, as certification standards promote standardized training.
“There are different kinds of levels of how you approach your career,” he says. “I think it’s OK for people to find their place. There’s plenty of room for people who aren’t really super-creative to get lots of good work done in security.”