Security pioneer Ross Anderson dies at 67
A man with a list of accolades long enough for several lifetimes, friends remember his brilliance
Obituary Venerable computer scientist and information security expert Ross Anderson has died at the age of 67.
His family broke the news to Anderson's friends and colleagues at the University of Cambridge, where he worked as a professor of security engineering and senior research fellow at Churchill College. He passed away unexpectedly in his sleep on Thursday, March 28.
While it's difficult to label Anderson as a single type of professional since, like many great minds, his interests were as deep as they were broad, it would be fair to describe him as a decorated security expert and celebrated engineer – among the finest and most respected of his time.
Among a long, long list of personal awards, notably, he was a former winner of the British Computer Society's Lovelace Medal – the UK's most prestigious computing award – and was also a Fellow of the Royal Society, joining intellectual hall of famers Isaac Newton, Charles Darwin, Stephen Hawking, and Alan Turing.
His professional work spanned many areas including information security, cryptography, reliability of systems, information hiding, adversarial machine learning, cybercrime analysis, security psychology, and more.
Anderson's work was driven largely by real-world problems and he authored and co-authored an extensive array of papers, many of which he has made available for free under the Creative Commons License.
A pioneer in peer-to-peer systems and hardware tamper-resistance, he spent years working, and ultimately had a significant influence, on the secure design of widely used real-world technologies, including chip and PIN bank cards. Anderson's efforts to publicize security flaws in ATMs led to changes made to their design across the world.
The publication for which he will most likely be remembered best is Security Engineering. First published by Wiley in 2001 and now in its third edition, it's described by close friends as his "masterwork book."
Security Engineering covers a broad spectrum of topics from infrastructure to embedded systems, and more recently cloud services and social media. Like Anderson as an author, the book is seen by many as an authority on information security, rich in insights.
Away from academia, Anderson had a keen interest in information security policy, creating the Foundation for Information Policy Research (FIPR) think tank in 1998.
FIPR has advised and affected various pieces of UK tech policy since then, and was instrumental in bringing amendments to the Regulation of Investigatory Powers Act 2000. Such examples include preventing browser surveillance without a warrant and raising the authorization level for police to access passwords and decryption keys to chief constable.
Anderson was also known for never shying away from fights with his employer. He and the University of Cambridge, where he taught since earning his PhD there in 1995, have clashed on various matters for decades, with Anderson fighting fiercely for what he believed.
His successful campaigns led to Cambridge academics retaining their intellectual property amid threats it would instead be transferred to the university, and for an institutional approach of tolerance rather than respect in response to free speech debates within university walls.
Most recently, he was embroiled in a battle against a policy that mandated the retirement of academics at the end of the academic year once they turn 67 years old – one adopted only by Cambridge and Oxford. It meant this year would have been his last at Cambridge, but he planned to continue teaching at the University of Edinburgh.
Cambridge colleague and friend John Naughton said one of Anderson's final acts before passing was being engaged in an email discussion with colleague Jon Crowcroft about potentially using generative AI to "add spice to the campaign" against forced retirement.
"As Jon observed afterwards, it could almost serve as an obituary," Naughton wrote in a flattering piece about Anderson.
An illuminating extract from Naughton's blog described Anderson as a friend and respected colleague:
Many people found him formidable and indeed sometimes forbidding. He didn't do small talk. And yet when you were lucky enough to get to know him (as I was) he was great company. He and I used to walk round the '800' Wood near Cambridge with his two lovely dogs, deep in conversation about the sordid ingenuity of cyber-criminals, the short-sightedness of academic administrators, the intrusiveness of national security agencies, as well as about Celtic folk music of which he knew a lot. (He was a piper and shared my interest in Uileann piping.)
I learned such a lot from those conversations. Ross changed the way I looked at computing, and alerted me to the political economy of the technology which has shaped my thinking ever since. He always spoke his mind – which is why when an email from him would arrive at 8am on Sunday mornings I knew that he had read my Observer column and had something to say about it, and accordingly braced myself before reading further.
- Vernor Vinge, first author to describe cyberspace and 'The Singularity,' dies at 79
- RIP John Walker, software and hardware hacker extraordinaire
- David Mills, the internet's Father Time, dies at 85
- Martin Goetz, recipient of the first software patent, logs off at 93
Frank Stajano, a professor of security and privacy at Cambridge and former PhD student under Anderson, remembered the late academic in a piece published via the blog to which many of the university's brightest security minds contributed, including Anderson. He wrote:
His enthusiasm, his wide-spectrum intellectual curiosity and his engaging prose were unmatched. He stood up vigorously for the causes he believed in. He formed communities around the new topics he engaged with, from information hiding to fast software encryption, security economics, security and human behaviour and more. He served as an inspiring mentor for generations of graduate students at Cambridge – I know first hand, as I was fortunate enough to be admitted as his PhD student when he was still a freshly minted lecturer and had not graduated any students yet. I learnt my trade as a Cambridge Professor from him and will be forever grateful, as will dozens of my "academic brothers" who were also supervised by him, several of whom post regularly on this blog.
Ross, thank you so much for your lively, insightful and stimulating contributions to every subfield of security. You leave a big void that no one will be able to fill. I will miss you.
Bruce Schneier, another of Anderson's colleagues and friends of over 30 years, described at length his fond relationship with the Cambridge man. He said:
He was enthusiastic, brilliant, opinionated, articulate, curmudgeonly, and kind. Pick up any of his academic papers – there are many – and odds are that you will find a least one unexpected insight. He was a cryptographer and security engineer, but also very much a generalist.
He published on block cipher cryptanalysis in the 1990s, and the security of large-language models last year. He started conferences like nobody's business. His masterwork book, Security Engineering – now in its third edition – is as comprehensive a tome on cybersecurity and related topics as you could imagine. (Also note his fifteen-lecture video series on that same page. If you have never heard Ross lecture, you're in for a treat.)
He was the first person to understand that security problems are often actually economic problems. He was the first person to make a lot of those sorts of connections. He fought against surveillance and backdoors, and for academic freedom. He didn't suffer fools in either government or the corporate world…
… I learned something from him every single time we talked. And I am not the only one.
As well as a brilliant academic, Anderson will be remembered as a loving husband, father, and grandfather by his wife Shireen, daughter Bavarni, and his grandchildren. The family has asked for privacy at this difficult time. ®
Biting the hand that feeds IT
