Interview: Dorothy Denning

With natural beauty like this at nearby Pebble Beach, it’s easy to see why Denning dreamed of a return to California
With natural beauty like this at nearby Pebble Beach, it’s easy to see why Denning dreamed of a return to California
Dorothy Denning
Dorothy Denning

Dorothy Denning is, by her account, an introvert who prefers a life of quiet contemplation. If it were any other way, then the online world may be a far more dangerous place than it is today.

If Dorothy Denning was more socially inclined, then she might be Mrs Denning, your son or daughter’s ninth-grade math teacher. I don’t mean this as a slight toward math teachers, but it seems to me that the role Denning has played in educating computer scientists has been integral to many of the cybersecurity advancements we can take comfort in today.

It was during the recent RSA Conference in San Francisco that I embarked on a 150-mile-plus car ride to speak with Denning on a sun-splashed afternoon in February – and the trip was well worth it. Denning has spent the last decade tucked nicely away in Monterey, California, serving as a Distinguished Professor in the Naval Postgraduate School’s Department of Defense Analysis. The role marked her homecoming to Northern California.

This professor names just three interests outside her professional pursuits: reading, cooking and hiking the surrounding hills and mountains of California. She’s not a CISSP, nor does she hold any other professional certifications in the area of information security – “all of my certifications are honorary”, she remarks. By her own admission, Denning is not an operational security professional, but rather a researcher whose job is to educate young people on the fundamentals while also pondering its philosophical and theoretical aspects during her spare time.

“I’m not responsible for security anywhere, other than on my own computer, and I’m not even responsible for security here”, she concedes, referring to the NPS, where she is currently teaching courses about conflict in cyberspace and network attack/defense for the US military’s joint Special Operations Command. The former is for the military’s policy- and decision-makers, so they are up to speed on current issues and can make informed decisions; the latter focuses on specific methods and technologies employed for network attacks and defense.

Denning says the NPS will likely be the last stop in her career, but she was more than happy to recount the steps that brought her from a childhood home in Grand Rapids, Michigan, to her current office adjacent to Monterey Bay.

Back Where it All Began

Denning speaks fondly of Ann Arbor, home to the University of Michigan, where she earned both her bachelors and masters in mathematics. It wasn’t until her junior year as an undergrad that this future National Cyber Security Hall of Fame honoree gained an interest in computers. She got a job working for the head of the radio astronomy department, doing what she called “technical typing” – a precursor to word processing. The position required many computations, and instead of doing them by hand with a calculator, Denning explains that she received access to the department’s computer and was told “that it might be fun if I learned to program”. Fun indeed, she affirms.

Next was a senior year study of computer programming, which Denning says she simply loved. Yet, upon graduating, her plan to seek a career teaching math went forward…almost as planned.

Unable to secure employment as a teacher in Ann Arbor, Denning says she returned to her radio astronomy gig, while also earning a master’s in mathematics. This time, however, the advanced degree had a “focus on computing”, as she recalls. “After that I went to work in the computing center, and gave up” on her quest to be a high school math teacher.

Nevertheless, computers made her “happy as a lark” whenever she could get time in front of one, keeping in mind that this was the late 1960s to early 1970s, when using a computer required making a reservation. It also didn’t hurt that Denning’s stint as a student teacher was less than rewarding. She found programming “much more suited to me than teaching those kids”, citing her distaste for the disciplinary aspects of teaching adolescents.

Discipline, however, is not even on the radar for her current position at the NPS, even if working for the government was not her first choice. “The students here are really phenomenal”, she says with a sincere fondness. “They’re smart and they’re disciplined, and they’re interested. I learn a lot from them as well.”
Denning knows that her current position at the NPS allows her to have an impact on the nation’s security. Nearly all of her students are commissioned military officers with numerous tours of active duty under their belts.

Staying on Campus

When it was time to leave her native Michigan, Denning remained within academia by taking a position in the computing center at the University of Rochester in New York. Denning was among the first instructors for the subject at the school, and it was here she realized that “teaching college was a lot more fun than high school”.

Still a student herself, Denning moved on to Purdue University in 1972, both to teach and earn a PhD in computer science. It was here that she met her future husband, Peter Denning, a professor and pioneer in the field of virtual memory, who she describes as having a profound influence on her professional life. It was also at Purdue, during her PhD thesis, that Denning first became interested in security, following the initial publications on public key cryptography and the RSA algorithm. In 1975, during her first faculty teaching assignment at Purdue, Denning incorporated cryptography into the security course she was teaching. Several years later, in 1982, she published her first book: Cryptography and Data Security.

The two Dennings remained at Purdue until 1983, when Peter landed a position at NASA’s Ames Research Center in California’s Bay Area. It was then that Denning began her eight-year foray into the private sector, first as a staff scientist in the Computer Science Lab at SRI International, then as a software engineer with Digital Equipment Corp.

“I was never as happy as I was in academia”, Denning readily confesses. She subsequently hired a career consultant, who told her what she already knew – that it was time to return to campus. Her husband was offered a position at George Mason University in Virginia, so the couple hit the road once again. Denning was chosen for a faculty position at Georgetown University, where she chaired the Department of Computer Science and would remain for the next decade.

I ask her why she finds a career in academia more fulfilling. Denning, in response, outlines two key factors. “I like the interaction with students, and I like to do my own thing, and that doesn’t work as well in industry”. In a university setting, Denning contends, she is free to pursue her own research interests without the commercial restraints.

Some People Take up Golf

Georgetown was a memorable stop for Denning, who looks on her time there with adoration. She and her husband, nonetheless, always longed for a return to California “where they would retire”. Retirement for Denning means continuing her career in academia, but her current role teaching Defense Analysis for the US government has become a national security imperative beyond anything she could have imagined.

Dorothy Denning may be on the government payroll, but she doesn’t hesitate or provide sugar-coated responses when we discuss some of the biggest trends in the world of information and cybersecurity – even in the context of national security.

I ask her if the term ‘cyber war’ is more hype than reality, and Denning insists that it’s a difficult question to answer. She does use this term in the classroom, “but I use it to refer primarily to cyber operations that would be conducted at a state level during a time of war”.

Denning supplements this by noting “the cyber operations that might take place in a state of war would also be in conjunction with other kinds of military operations. You’re going to use cyber operations to take out your opponent’s command and control systems.” She says these tactics have been previously deployed but is skeptical about the potential for conflict exclusively in a digital theater.

My conversation with Denning takes place about two weeks after President Obama’s State of the Union address, where he announced the signing of an executive order that seeks to improve cybersecurity for the nation’s critical infrastructure. I once again ask her if we should believe all of the hype.

"If things were really awful, people wouldn't…be on the internet. We haven’t crossed that threshold, and I don’t think we will"

“There certainly are vulnerabilities”, Denning agrees, but she questions the incentive to attack a nation’s critical infrastructure. “The vulnerabilities are there – the question is whether or not people are motivated to exploit them, and whether they have the capability.” The primary threats to critical infrastructure, in Denning’s view, are curious teenagers looking to experiment, or more maliciously minded terrorists. “These systems are vulnerable”, Denning reaffirms, adding that “we need to do better job protecting them”.

Denning then shares another nugget of logical wisdom when discussing crime in the digital world. I ask her if law enforcement is ill-equipped to effectively deal with the trend. “It is, but isn’t that true of all crime?”, she asks. 

Denning reiterates her confidence in the research community’s resilience while simultaneously dismissing the fear-mongering often deployed by politicians, the media, and security technology vendors. “If things were really awful, people wouldn’t be using cyberspace”, she maintains. “We haven’t crossed that threshold, and I don’t think we will. I think security will grow sufficiently that we don’t ever cross that threshold.”

This academic isn’t all ivory tower in her assessment, as Denning acknowledges the advancements security technology vendors continue to fund. Denning obverses that while publicly funded labs contribute their share of innovating prowess, “a lot of the innovation in security has come out of industry. Without the Symantec’s and RSA’s of the world, we’d be a lot worse off.”

So, Art Coviello: if you are reading this, be sure to put Dorothy Denning on your Christmas card list, if she’s not already.

Moral Choices

As our time together draws to a close, Denning reiterates why a career in academia continues to quench her intellectual curiosity better than any other outlet. Her current independent research centers on ethical issues in cyber warfare, which she is actively writing about.

One of these issues involves weighing the ethical considerations of cyber attacks in lieu of more traditional, kinetic ones. “Under certain conditions, in my view, it’s morally a better choice”, Denning says of the cyber attack option, especially if it can be executed in a non-lethal manner while also producing the desired outcomes. “Whereas if you drop bombs, then people are probably going to get killed. If you can do something that produces less harm, and is less risk to your own troops, that to me is morally better than doing it another way. I think cyber is a good alternative to some kinetic operations for that reason”, she unhesitatingly articulates.

Without prompting on my part, Denning them moves seamlessly into the follow-up question I’m itching to pose, before it ever has a chance to leave my lips. “Look at Stuxnet in terms of effects”, she continues. “If the effect is to ruin a thousand centrifuges at Natanz, to me it’s morally better to do it this way than to drop bombs and blow up the facility.”

"Look at Stuxnet in terms of effects. If the effect is to ruin a thousand centrifuges at Natanz, to me it’s morally better to do it this way than to drop bombs and blow up the facility"

Denning acknowledges Stuxnet did spread beyond the Iranian nuclear program to cause some collateral damage, but categorizes these effects as minor. The true negative impact of Stuxnet, in her opinion, was release of its code, which other parties can now use and build on over the long term. The malware infection purportedly authored by the US and Israeli governments, was both bloodless and successful in its operational objectives, achieving a level of moral superiority in Denning’s view.

This final point is especially poignant, given the makeup of the student population Denning now educates. If there is a way to achieve military and national security objectives without risking the lives of soldiers – or limit potential losses – then Dorothy Denning’s last decade has been successfully spent in the service of her country, as well as her own interests. It’s not a career spent making all of those Silicon Valley dollars she believes are still essential for promoting greater security, but that doesn’t mean Denning’s contributions are any less valuable. It’s for this reason that this understated professor of computer science deserves her own salute from a grateful nation – and world.

What’s hot on Infosecurity Magazine?