Spaf for ACM VP!

NB: This is a personal page and is not affiliated with nor endorsed by the ACM.

Last update: 2014-03-11 2100 EDT


Every even-numbered year, the ACM (Association for Computing Machinery ACM, not the Academy of Country Music) conducts elections for its Council and officers. 2014 is an election year. I was asked by the nominations committee to stand for election for the ACM Vice President position. I agreed.



My long experience with ACM has allowed me to become very familiar with the many facets of the organization. My experience as a member of the computing profession has repeatedly shown me the great value of ACM. I strongly believe that ACM is a powerful force for advancing the profession of computing around the world, and for helping to enhance the benefits — and reduce the dangers — that computing presents to society at large, and to our members.

ACM has a long history of advancing and supporting computing research. Our conferences and publications — supported by the SIGs and a great professional staff — are the leaders in promulgating definitive new results. Our technical leadership clearly needs to continue and grow, but the path to do so is largely understood: ACM leadership must continue to provide resources, support, and encouragement to the SIGs and members who constitute that portion of our community.

However, we also see growth of a set of challenges around the use and context of computing: how do we use computing to help advance society, address issues of privacy and civil liberties in an “always on” world, increase the participation of women and under-represented groups, secure our networks and machines from both criminals and overzealous governments, and increase educational opportunities? How do we support open communication yet control fraud and abuse? How do we reconcile local culture and laws with a truly global Internet? These are all major questions beyond simply “is it possible” to use computing to make things happen, but questions of “should we do it” and “how do we do it while respecting basic rights”?

I am particularly concerned about questions related to the erosion of personal privacy by both government and industry, actions in support of women and students in computing, and the threats of computer crime and terrorism. I am certain that ACM can enhance its role to better address solutions and advocacy in all of these areas. As the premier global organization of the computing profession, ACM should be the group people inside and outside computing turn to for leadership and advice across this spectrum of issues. We should be in a position not only to respond, but to be leaders on these and related issues.

I believe that I am uniquely qualified to contribute to growth — of ACM, of the mission of ACM, and of the value of ACM to the computing profession and society. As Vice President, it would be my honor to continue my service to ACM while addressing these issues with your assistance and support.

If you are a member of ACM, I ask that you vote for me in the election this spring. (And if you are not a member, please consider joining, then voting!)

Also, please share this post with others who are in computing who may be members of ACM.

Qualifications and Experience

Typically, when running for an office, a candidate will list prior experience and honors to provide some indication that he or she is qualified, experienced, and has quality ties to the community. So, here is a partial list demonstrating my experience as a leader and innovator. A more complete narrative bio is available via my WWW pages, as is as an abbreviated academic vita.


This is a list of my ACM activities and honors. not including activities as a speaker, on conference committees, or reviewing:

  • ACM member since 1978, now a Life Member
  • ACM Fellow since 1997
  • Member of SIGCAS and SIGSAC; formerly also member of SIGPLAN, SIGOPS, and SIGSOFT
  • Chair, ACM Self-Assessment Committee, 1990–1996
  • Chair, ACM Awards Committee for the International Science and Engineering Fair, 1992-1994
  • Chair of US Public Policy Council of ACM, 1998-2014 (member since 1996)
  • ACM representative on the CRA Board of Directors, 1998-2007
  • Chair, ACM Advisory Committee on Security and Privacy, 2001–2003
  • Editorial Board of ACM Transactions on Information and System Security, 1999–2004
  • Editorial Board of ACM Journal on Educational Resources in Computing, 2007-2009
  • Associate Editor of ACM Transactions on Computing Education, 2009-2012
  • Member, ACM/IEEE-CS Joint Taskforce on Undergraduate Curricula, 1988–1991
  • Member ACM Awards Committee, 1992–1994
  • Member ACM SIG Technical Standards Committee 1992–1996
  • Member, ACM Education Council, 2006-present
  • 2004 SIGCAS Making a Difference Award
  • 2006 SIGSAC Outstanding Contribution Award
  • 2007 ACM President’s Award

Selected Other

Here are a few non-ACM offices/positions/honors

  • Professor of Computer Science at Purdue University (see vita for details of other appointments, dates, etc)
  • Executive Director, Purdue University CERIAS since 1998
  • Fellow of the AAAS since 1999
  • Fellow of the IEEE since 2001, member of the Computer Society and Communications Society
  • Fellow of the (ISC)2 since 2008
  • Distinguished Fellow of the ISSA in 2009, and Life Member
  • Chair, IFIP TC-11.4 on Network Security 1993-1996
  • Chair CSTB Committee on Depicting IT in Innovation 2009-2010
  • Member, FIRST Steering Committee 1992-1994
  • Member, IFIP TC-11.8 1993-1997
  • Member, NSF CISE Advisory Board 1998-2000
  • Member, USAF Science Advisory Board 1999-2003
  • Member US GAO ECMIT Advisory Board 2003-present
  • Member, Microsoft Trustworthy Advisory Board 2003-2005
  • Member, US President’s Information Technology Advisory Committee (PITAC), 2003–2005
  • Member US Air Force University Board of Visitors, 2009-2013
  • Member US Naval Academy Cyber Advisory Board, 2012-present
  • Editorial Board, Usenix Computing Systems 1987-1992
  • Editorial Board, Virus Bulletin, 1991-1997
  • Editorial Board, Journal of Artificial Life 1993-2002
  • Associate Editor, Usenix Computing Systems, 1992–1994
  • Academic Editor, Computers & Security, 1998–2009, EiC 2010-present
  • USAF Meritorious Service Medal in 2003
  • IEEE Computer Society’s Taylor L. Booth Medal in 2004
  • Honorary D.Sc. from SUNY in 2005
  • Computing Research Association Distinguished Service Award in 2009
  • Upsilon Pi Epsilon ABACUS Award in 2009
  • SANS Lifetime Achievement Award in 2011
  • Purdue University’s Morrill Award for excellence in teaching, research, and service in 2012
  • Named to Cybersecurity Hall of Fame in 2013
  • (ISC)2 Harold F. Tipton Lifetime Achievement Award in 2013

Q & A

I’m willing to answer reasonable questions about my opinions relative to the ACM VP position. Email your questions to me and I will put them up, with my responses, if they are germane. Thus, this posting will evolve with time and input. I will update the datestamp at the top of the posting whenever that happens.

I suggest that you seek answers to the same questions from other candidates for the office of VP should you be using these answers to help make your decision as to the candidate for whom you cast your ballot.

Q. What is your position on role of encryption? What are the ethical implications that might arise when the next Snowden routes their [sic] findings through Tor or its descendants? What is the role of the computing community in addressing such questions?

A. Privacy is a fundamental right, although not an absolute one. Privacy is protected by law and custom in most countries of the world. More importantly, it is a fundamental principle that ACM supports — see the ACM Code of Ethics, #1.7. As members of ACM we are committed to upholding these shared principles. Other principles also apply to the questions you pose — supporting the dignity of others, using technology safely, and honoring confidentiality, etc. (If you haven’t read the Code of Ethics recently, now is a good time to remind yourself of the principles ACM holds as important; I had a small role in helping draft these, btw.)

More generally, there will be on-going questions about the balance between anonymity and disclosure for valid law enforcement purposes. My own view is that personal and organization privacy is important, and should be preserved against anything but pursuit of the most egregious offenses. What is egregious? Cases of significant abuse of others, such as human trafficking and slavery, spread of WMD, and coordination of terrorism against civilians are all examples that come to mind; I do not believe that physical freedom and the right to life are subservient to a right to privacy. Political or religious dissent are most definitely not in the category that warrants violation of privacy rights.

The problem we have — as society and profession — is to define such circumstances and appropriately safeguard (via law, audit, and oversight) any use of methods that circumvent or limit privacy. There is no simple solution to finding that balance, unfortunately. It is not a zero-one solution.

As a profession, we should seek to help define the issues, make policymakers and the public aware of the tradeoffs, and work to establish the mechanisms and safeguards that support out views. There will never be a perfect solution, but as informed professionals we should be in a position to help shape the discussions; we should be involved in the policy decisions and not only technology development.

As ACM VP I will continue the positions I have maintained for years with USACM, including enhancing privacy protections and responsible use of computing.

Q. What do you think of the new ACM copyright policy, and when and how would you recommend that the policy be evaluated to determine whether further changes should be made? What do you think of issues of open access generally?

A. The copyright issue is not simple, unfortunately. It is deeply involved with one of the core services of the ACM — the digital library — and with our publication of journals and conference proceedings that are then collected in the DL.

The ACM Digital Library (DL) is a great resource that many people use on a regular basis. It is valued because it is available, organized, indexed, curated, and regularly enhanced with new features. All of that is not without cost, however, especially some of the provisioning that is not immediately user-visible. For instance, the ACM DL not only has a lot of users and a great deal of new input on a regular basis, but it also is a target — it is regularly undergoing attacks, including DDOS, that need constant defense and extra provisioning. (I presume some attackers would like to deface entries if they could get in.) That’s simply one example of on-going need. Maintaining the DL in perpetuity requires funding for equipment, staff, and communications, and maintaining resources for evolution and expansion. Some people point to other on-line examples as lower cost, but they do not have the same profile or content, so I’m not convinced that such comparisons are fair … especially if stretched over many decades; we want useful ACM resources to be sustainable over perhaps hundreds of years, not simply a dozen or so.

Likewise, our journals and conference proceedings are highly valued because of their content and professional production values. The factors that go into that production are not free, nor are they performed by volunteers or amateurs — there are real costs involved. Some of the costs are fixed, such as salaries and benefits for editorial staff, and are not closely tied to volume of publication. We cannot afford to give that content away without some income stream to support its continued high-quality publication.

Over the last few years, ACM has increasingly opened up access to authors while still trying to maintain a reasonable level of control both for content protection and to ensure adequate income for maintenance. Simply basing upkeep on member fees doesn’t make much sense when ACM is expanding into parts of the world where membership fees are a major barrier, and when many members don’t use the DL or subscribe to any of the publications. Fees levied against the subscribers is the current strategy, and it continues to evolve, with 4 major policy changes in the last decade.

I was on Council when the policy changed last year to make it easier for individual authors to provide more access to their work; I voted for that change. I am certain that there will be more changes yet to come, and I support continued discussion of the issues.

As to the more general issue of “open access,” I do not have a fixed point of opinion. For-profit and non-profit journals have been around for a long time, and have contributed to great success across many fields. I don’t think there is cause to view “non-open access” as a great evil, as some seem to do. It is a business model. Competition has arisen with a variety of levels of “open” in different configurations, some of which are of dubious quality, and others which seem to satisfy a set of needs; there are also for-profit journals that are high quality and some that are not. Publishers are adjusting their models in response, and the whole area is evolving. ACM offers one of the lowest rates for Gold Access for journal publications. I think open discussion is valuable, and that will lead market forces to converge towards some solutions that preserve and enhance the qualities we most need (which, in turn, may or may not be what we think we want). In the end, we will have a range of solutions that meet multiple sets of needs for different audiences.

As to ACM publications and the DL, I see this evolution occurring as we continue to discuss the pros and cons of various approaches, and the policy has evolved greatly over the last few years. Version 8 of the policy is less than a year old — if you haven’t read it, you should.

As ACM VP I will be open to suggestions and comments about what we do and how we should consider changes. However, I will also continue to be concerned with how ACM is able to afford to maintain its publications and Digital Library to be high quality and useful to the membership and the profession for the foreseeable future.

Q.& A. SIGPLAN posed some questions to all the ACM candidates about the Digital Library and publications. We answered those as a group.

Q. Someone states: “I am deeply troubled by the ‘we have to get more people to code; issue, particularly when it pushes up against the realities (or lack thereof) of the career prospects for software professionals, particularly in the face of reported ageism, salary depression associated with H1B visas, and the alleged Silicon Valley hiring collusion. Do you have any comments on this?”

A. There are many complex issues buried in this question. I will try to address a few of them, although a deeper dive is beyond what I can write here!

First, as regards getting people to learn to code — that is a good thing. We want a more literate society. Learning to code helps unlock the ability to use computers rather than require others to act as intermediaries. Learning about computing and programming helps develop problem-solving skills and thinking logically. Furthermore, learning about computing also means being in a better position to understand the limitations of computing — helping to dispel the mystery and myths that some people still have about what computers can and cannot do. If given appropriate materials and supervision, learning about computing is simply a good thing.

There is a second issue in the question about employment and development of the profession. The question is phrased as a concern about USA policies, which are non-trivial. However, it is important to realize that ACM is an international organization, and the majority of members are not inside the US…and that split is likely to grow with time and increasing membership worldwide. Thus, answers that make sense for the majority of ACM members may not be to the liking of many in the US, or India, or any other locale. We need to identify the core concepts that apply across national borders.

Part of the problem in the US (and elsewhere) is a lack of explicit differentiation among different skill sets and professionalism. There are openings for several skill sets, but not all. “Computing” is a very broad term for what we all do. Practitioners need to stay current with new trends and techniques — part of what it means to be a professional. The field changes with time, often rapidly, and the professionals need to learn and change with it if they are to stay marketable. Some employers want technicians who know a particular set of artifacts and methods. Others want (even if they don’t realize it yet!) professionals who are committed to the principles and priorities for which ACM stands.

There are also issues of regionalism and expectations. There are many good computing jobs around the US — actually, around the world — but they require that job-seekers move to where those jobs are, and to accept conditions (benefits, pay, quality of housing, etc) that may not match what they expect within their current region. That is simply an economic reality: markets get saturated in some places, and employers are willing to pay only so much for certain skill sets; after a certain point, “good enough” is sufficient if it costs less. That is not to excuse illegal collusion to suppress pay or prevent movement between jobs — that continues to be wrong, as does discrimination based on age or gender (see the next Q & A)!

ACM provides a competitive edge for computing professionals. We provide continuing education resources, publications, meetings, research resources, and opportunities for professional networking. ACM support for various activities and participation in groups such as CRA and IFIP (among others) help to increase our visibility and awareness of issues. ACM members can help keep ahead of the pack in staying current on skills and trends, and that should result in being more marketable when there is some contraction in the field.

As ACM VP I will work towards maintaining and enhancing ACM services and opportunities for the professionals, and to continue to advocate that ACM take positions to help grow and promote the field. I look forward to working with the membership to address as much of this as we can, in a reasonable, sustainable manner.

Q. What is your position as regards women and other under-represented groups in computing?

A. I’m all for them! We work in a field where computers and algorithms have no gender, no ethnicity. We appreciate their ability to function without regard to any particular sexual orientation, religion, or national origin. Why should we be any different with our fellow professionals?

Computing is a discipline of thought, of imagination, of logical rigor, and of enthusiasm. None of those are present or absent in a person simply because she or he is shaped differently, or has somewhat different anatomy, color, or size. On the other end of a network connection, there is no way to tell if someone is tall or short, male or female, young or old, standing or confined to a wheelchair, or any of many other small differences that some humans seem to notice. Instead, we interact with the person who computes and communicates — a person as an intelligent being.

We need every imagination and mind, every talented person, to help us address the many issues we face. We need to find ways to tackle large problems, eliminate bugs, ensure privacy, and make computing accessible to the world. We cannot afford to be dismissive of someone because of quirks of anatomy or genetics or accident of birth. That means accepting and treating every person equally, with equal respect, and equal opportunity. It is because we know the power of computing — of computers without gender or ethnicity — that we are in the best position to understand the rationale for equal respect.

I’ve been a champion of equal treatment for all my career — simply ask some of the people who have worked with me. I continue to talk about this topic, and addressed part of it recently in an interview (2nd question), and written about it in depth as regards women in cyber security, but those answers apply more generally than for the audiences where I presented them; rather than repeat all that here, I refer you to those linked items.

Equal respect and justice for all, within the field and outside it, are principles ACM holds dear. As members, we should note that items 1.4, 3.1 and 3.5 of the ACM Code of Ethics are items we pledge to uphold when we join ACM. Item 4.1 is equally important in this context. These are fundamental values of how we define our profession — as more than programming and algorithms.

As ACM VP, I will continue to champion the idea that respect and equal treatment are important, for the field and for society. That is something I have been living my whole life.

Other Info

Want more information on who I am, what I have done, and what I think? Here are some additional sources of info:

And feel free to contact me by email at — as a current member of ACM Council, I always willing and interested in hearing from members…and that will not change when I am ACM Vice President.


Some Thoughts on Lifetime Achievement

Earlier today I was awarded a Lifetime Achievement award from SANS during one of our regular CERIAS faculty receptions. I certainly am honored by this, given the many wonderful things that SANS does to educate and support the information security and response community. I was especially honored to have Lance Spitzner travel to Purdue to present the award oh behalf of SANS, and to have several other people from the community and Purdue show up for the event.

Getting the award

Lance giving the award to Spaf

Over the last two or three years I have received a few awards that could be considered as “lifetime achievement” awards in one way or another. They are certainly not given more than once, and they are considered to represent a career’s worth of accomplishment. I’m not going to argue that I have, indeed, done a few things worthy of note, although I would be the first to admit that I have had great collaborators and partners along the way. And I have the gray hair and scars to prove I’ve been at this more than a few years. The point that troubles me a bit is … “lifetime”? Am I really at such an advanced stage of senescence? Is the end that close at hand? My next birthday approaches apace, and I now wonder if I should worry about reaching it! I’ve been getting AARP solicitations in the mail for a few years, so perhaps this is another sign I should get my affairs in order?

I went to the RSA conference last month and two people who were former undergrad students of mine took me out for meals. It was very pleasant to talk to them and catch up on their activities. Both have started companies and done things to change the world. And both were undergrad students of mine 21 years ago — that’s about half their current ages! But as we talked I realized that some of the big problems I taught them about are still problems today…that issues I was warning governmental agencies and companies were coming, did, and are still here. There’s a sense of being frozen in that era and yet, here are people giving me “lifetime achievement” awards and making jokes about my age and gray beard, and the problems I started my career addressing haven’t really progressed.

Well, that isn’t true: many of those problems have gotten worse. 😦

Maybe it isn’t a sign of decrepitude that I am getting these honors. Maybe these are subtle hints to get the hell out of the way so the youngsters can get the corner office? Well, that isn’t going to work. Yet. I still have a little bit of fire left, and with some luck (and the discounts from the AARP) I might yet make a dent in some of the big problems. I know there are several people who would like me to retire (including some of my faculty colleagues at Purdue) but I really enjoy working with students. Every time I hear from former students about some success, I know that I had a tiny bit of contribution in that somewhere back in time, and that’s a good feeling.

100 years from now, the awards will be forgotten, and I will be too. But I know that the world will be a better place because of the students I have worked with, and have yet to work with. That may sound a bit corny, but in truth, it’s why I’ve been doing this for 24 years – and am not about to stop. That good feeling is the real lifetime achievement award, and anyone who has really connected with students knows exactly what I mean. That is why the SANS award means something special, too – it is decided by people who teach in the the same field.

My thanks to SANS, and to everyone who showed up for the ceremony today for the honor, and for your support of what we are all trying to do.

About me.

%d bloggers like this: