If Ed Amoroso had not literally been born to work with computers, then he may have had a future in motivational speaking, or perhaps even as a suitable replacement for Garrison Keillor on a Prairie Home Companion. Among Amoroso’s many gifts, one of the first that strikes anyone who meets the AT&T senior vice president and chief security officer is his knack for telling a good story. Not to mention that he comes with a voice that, contrary to many of his New Jersey-born counterparts, cuts through with broadcast-like clarity.
It’s his gift with words that allows Amoroso to walk the fine line between much of the tech babble that industry insiders employ, while at the same time convey complicated security-related concepts in a concise, entertaining, and informative fashion. Don’t get me wrong, Ed Amoroso can throw out acronyms and technical terminology with the best of them. But what I have gathered from hearing him previously speak, and then sitting down with him face to face, is that Amoroso recognizes who his audience is, then goes about explaining concepts in a straightforward, relevant manner. It’s likely something he learned from his background as a college professor, which is something I will explore just a bit later.
As I sit across the table from Amoroso at AT&T’s Security Research Center in downtown Manhattan, I quickly realize that he is not your typical tech junkie. While he did not give the impression that he was forced into computer science as a profession, the story of Amoroso’s upbringing reminded me of the technological equivalent of a sports family dynasty, along the lines of the Ripkens, Unsers or Mannings.
“I came from a computer science family”, he says proudly, with his father earning one of the first computer science PhDs ever awarded while at the University of Pennsylvania. “So I grew up as a kid with computer terminals in our home connected to the Arpanet.” Certainly, this was the type of thing that was highly unusual in your typical 1970s household.
“When people talk about the internet, I think of it as something that has been constant my whole life”, he candidly reveals. He views this exposure to computers at an early age as a decided advantage, as a young Ed Amoroso found himself “writing programs and playing little games” well before most people were aware of the possibilities that computers possessed.
Amoroso, who grew up in Neptune, New Jersey, hails from a large Italian-American family, which he jokingly refers to as comprising about 30 cousins along with his aunts, uncles, and other immediate family. For more than 30 years, Amoroso’s father was a professor of mathematics at the Stevens Institute of Technology in Hoboken, which provided him with exposure to some of the pioneers in the field of computer science – among them John Hopcroft of Cornell University, the renowned theoretical computer scientist.
“I mostly played with their kids”, an amused Amoroso recalls, “but I had to know who they were. There were all of these famous guys coming and going into and out of my house, so I grew up with that kind of perspective.
“It’s not like I simply fell into computer science”, he says. “It was just sort of all around me.” He then goes on to list the tech credentials of the Amoroso family tree: a brother who was a developer at Bell Labs, in addition to a sister and two uncles who are computer scientists.
After attending Christian Brothers Academy in Lincroft, New Jersey, Amoroso moved on to Dickinson College in Carlisle, Pennsylvania, where he majored in physics. Upon graduating from Dickinson, he accepted a teaching assistantship at Stevens – where his father taught – and to this day the younger Amoroso maintains his relationship with the school as an adjunct professor. But it was while at Stevens that he began his affiliation with AT&T, when Amoroso was invited to participate in the Doctoral Support Program offered by Bell Labs, allowing him to pursue his master’s and PhD in computer science.
Having been entertained thus far by Amoroso’s journey to the working world, I then asked him to recount his progression from student to his current position as senior vice president and CSO of AT&T, one of America’s largest telecommunications providers. Unlike many in the security world, or other professions for that matter, Amoroso has spent his professional career within only one organization. He was all-too-happy to recall the climb, and share some of the interesting experiences he had along the way.
By his count, Amoroso has been practicing some form of computer security for more than 26 years within, among others, the company’s Chief Security Office and other variously branded labs that have come and gone underneath the telecom giant’s banner. He recalls his first few weeks with AT&T’s Bell Labs, and it was a chance for Ed Amoroso the storyteller to practice his craft.
“I see this guy walking around – big beard, right out of central casting”, he says with a smile. “This is what a hacker is supposed to look like.” Having walked the floor at many a security conference, I know exactly the type he is talking about. Amoroso was clueless as to who the bearded man was at the time, but soon found out it was Bob Morris Sr, who he labeled “one of the fathers of the UNIX operating system”.
He was then recruited into one of Morris’ projects. “I thought it would be just one project”, Amoroso reminisces. “I didn’t realize it would be a 30-year career.”
Amoroso and his colleagues walked into Morris’ office one day, and after a series of frantic keystrokes, and showing the fledglings the root prompt, Morris declared “I’m in”. Of course, one of Amoroso’s contemporaries asked exactly what Morris had done, and as the AT&T CSO recalls, Morris “would say something we didn’t understand, and we would just walk out in awe, having no idea what he did.”
There was a huge gap between what Morris was able to do, and what Amoroso and his young colleagues could even understand at the time. Thus began his life-long love affair with hacking and security.
Contrary to popular misconceptions about hackers, Amoroso believes that the art – in its truest form – holds great value: he called it “the ability to understand enough about technology that you could ‘break it’”. He acknowledges that this initial thirst for understanding on the part of hackers has evolved, in many cases, into “mischievous things, where people break into other people’s networks.
“That was never the original concept of hacking”, Amoroso asserts. “It was always, you wanted to know how something worked; you wanted to understand how an operating system or an app worked. So you took it apart and you broke it, and you knew what was strong and weak about it, and you shared that for the purpose of improving it, not to go steal somebody’s credit cards or whatever.”
The increasingly sensationalized image of hackers is something he has undoubtedly witnessed during his two-plus decades in computer security, namely “the concept of hacker as a very non-pejorative term to the concept of hacker as a clearly pejorative term”. He finds this to be a highly unfortunate characterization, because the skills involved with hacking a piece of technology are vital to security. “When you take your car to someone who’s going to fix your engine, you hope that guy (or gal) has broken a bunch of engines and taken them apart, and made mistakes”, he says. An analogy like this is just one example of how Amoroso deftly puts technical concepts into the terms almost anyone can understand – the hallmark of a gifted communicator.
Amoroso, who oversees AT&T’s worldwide team of security researchers, says he does his best to preserve the inquisitive nature of his team in an effort to promote greater understanding of the company’s technologies. “Security shouldn’t be this sterile thing where you sit back and write policy – and let others determine how that policy plays out – but rather, [it should] be very hands on, and we should be in the trenches understanding how technology works, and finding ways to make it better by deeply understanding what it’s all about”, he maintains. Amoroso says this is not the case with every company’s security program, and is proud that his outfit runs a bit differently than most.
The talents of AT&T’s CSO are not limited to his role within the company’s security program. Ed Amoroso is also a published book author (five times over; see a review of his latest book on pg 45) and regularly teaches courses at Stevens Institute of Technology. He admits that being an adjunct professor at Stevens has led directly to his prolific writing exploits because, “when you teach, you get a lot of books…because your notes become text books”.
He has spent the last 22 years as a professor at Stevens and, by Amoroso’s estimation, has taught somewhere between 3000 and 4000 students. Among his students have been current CSOs looking to solidify their technical education, as well as graduate students who have gone on to their own careers in computer security. More than just a few of them, Amoroso observes, have gone on to be published in hacking literature.
“I think I created an interest in security in a lot of young people that has played out as a very enjoyable career for an awful lot of people”, he says with pride.
I ask him how continuing to teach helps him with his day job at AT&T. It appears, by his account, to be a give-and-take relationship. “If there is any one topic where you’d better be on your toes, it’s security”, he responds. “I can’t think of a better way than to get up in front of a bunch of undergrads and graduate students and lecture on these things. Because a senior undergraduate who has already got a job is sitting there tapping his or her pencil and, if there’s something they don’t agree with, they’re going to shout it out, right into your face.”
Many executives, Amoroso believes, rarely receive such unfiltered feedback from their colleagues, especially their direct reports. In the academic setting, students are “happy to tell you what you’re doing wrong”, he says, adding “you wouldn’t get that anywhere else”.
The Changing Face of Security
Not only has Amoroso had the pleasure of watching the world of computers evolve from a highly specialized niche product, used by only a select few organizations, to a widespread consumer device available in pocket-sized forms; he also got in on the ground floor of the security field.
He remembers the early days of computer security, before it was complicated by things like the internet. It was a time when, by his estimate, there were only about 300 or 400 bona fide security practitioners – the same old faces, as he puts it, turning up in places like the National Computer Security Conference, which took place in Baltimore each summer. At that time, says Amoroso, “you could practice your craft without the threat of making a mistake and becoming humiliated. You really could kind of feel your way around.”
Then came the arrival of the internet age. He remembers a time, just before the turn of the century, when many believed the network should be, as he termed it, “dumb”. It was the idea that the network provider should simply push data from place to place, with the intelligence reserved for the end point. Common wisdom held “that the service providers – the Verizons, the AT&Ts, the BTs – should just push the packets”.
He then recalls the period around 2003–04, when an onslaught of viruses and worms was in circulation. “On our networks, we noticed that we were pushing the viruses and worms to our customers more efficiently than anybody, and bragging about it”, Amoroso reveals. “So it was around that time that we got the idea that we needed to rethink the way network security is done.”
What the industry began advocating for was a more centralized view of network security rather than an ‘every person for themselves’ model. Amoroso characterizes many organizations’ security models, both then and now, thusly: “In a neighborhood, it would be like, instead of having an air force or police department, every house in the neighborhood sends grandpa up onto the roof with a helmet and field glasses, looking around for incoming targets.”
So AT&T’s Amoroso, along with the security practitioners at many of the large carriers, began to see the sensibility in playing an active role in network security. Virtualizing security, or pushing it upstream into the network, is the natural evolution he identifies, which is currently in progress – both at AT&T and at other service providers.
“I think people need help with security”, Amoroso says. “It would be nice if people were at least able to say, ‘my carrier helps me a lot’. I think it’s a renaissance for the carrier. It’s not just AT&T; I think it’s anyone who sits globally between the attackers and the victims, namely the ISPs. They’re in a natural place, a good vantage point, to try to help end users”.
Currently, Amoroso has about 40 researchers under him working on mobile security issues and identifying potential vulnerabilities. He identifies the convergence of mobile computing and cloud storage as a particular security concern going forward.
“What we find is, it’s not necessarily the case that what you have stored on your BlackBerry, or your iPhone, or your Android that’s the key, but rather that the device unlocks the ability to get to cloud assets like your Facebook page, your email, and other things”, Amoroso says. Add to this mix that many people do their banking from mobile devices, and the amount of information the device becomes a portal to can be staggering, he adds.
The future of computer and data security, Amoroso believes, must be far more prolific than it has been in the now-fading PC era. “As we do [mobile security]”, he continues, “we must do a better job than we did, as a community, for PCs and LANs. I don’t know about you”, he says to me, “but the PC experience has been kind of a bad experience” from a security perspective.
“Do you like doing system admin on your PC?”, he asks me. Not many people would respond in the affirmative to that question.
On the device side, Amoroso says his organization maintains a hacking group that collaborates with the wider whitehat community. They hack all of AT&T’s devices “like crazy” he contends. “For anything that comes in, we’ve got a little Santa’s workshop, and [our researchers] are trying to break them, and break into them, and try to find problems.”
One of the areas he identifies as a potential security issue is mobile apps – especially the privacy implications. “Privacy for individuals has become a big issue, because where in the past your credentials were with the bank somewhere on paper, now your credentials are electronically scattered everywhere”, Amoroso says. “I think collectively, as a community, we’re going to need to figure out a better way to identify ourselves, and to get access to things we care about – your medical records, financials. As a security community, we probably have not done a great job to date in giving people good, solid models.”
Both Amoroso and AT&T have decades of experience in security. But the concept itself, ‘security’, is often overlooked at many organizations or embraced only after an incident has occurred. Ma Bell has had a network security team in place for nearly four decades – perhaps longer than any other provider. This was originally in response to the phone phreakers of yesteryear, while today’s researchers defend against clandestine malware, application vulnerabilities, and denial-of-service attacks.
Amoroso tells me that “Security is something that hurts when it hits something you care about”. With nothing less than its reputation and service on the line, never has security been more important for AT&T, or for any other service provider.