  • "Build-in Security: Ensure that security is considered and built into the design of new infrastructure, so that our critical assets are protected from the start and more resilient to naturally-occurring and deliberate threats throughout their life-cycle."

    Obama-Biden Plan, Agenda: Homeland Security, December 2008

  • “Consider the use of smart cards ... for especially critical functions.  Although more costly than software, when properly implemented the assurance gain is great.  The form-factor is not as important as the existence of an isolated processor and address space for assured operations – an ‘Island of Security,’ if you will.  Such devices can communicate with each other through secure protocols and provide a web of security connecting secure nodes located across a sea of insecurity in the global net.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need assurance!", 1999-2008

  • "My colleagues at MIT and I have been building simple quantum computers and executing quantum algorithms since 1996, as have other scientists around the world. Quantum computers work as promised. If they can be scaled up, to thousands or tens of thousands of qubits from their current size of a dozen or so, watch out!"

    Prof Seth Lloyd of MIT, MIT Review 2008

  • “When will we be secure? Nobody knows for sure – but it cannot happen before commercial security products and services possess not only enough functionality to satisfy customers’ stated needs, but also sufficient assurance of quality, reliability, safety, and appropriateness for use. Such assurances are lacking in most of today’s commercial security products and services.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance", 2005

  • “Assurance is best addressed during the initial design and engineering of security systems, NOT as an after market patch. The earlier you include a security architect in your design process, the greater the likelihood of a successful and robust design. As the quip goes, he who gets to the (module) interface first wins.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance", AusCERT 2008

  • "The future ability of quantum computers might be a decade or two away, their future ability to break public-key cryptography has important implications for the encryption of highly sensitive information today. For these applications, we must already design new public-key cryptosystems and one-way functions that are immune to quantum cryptanalysis."

    ARDA, Report of the Quantum Information Science and Technology Experts Panel, 2004

  • “Never underestimate the attention, risk, money and time that an opponent will put into reading traffic.”

    Robert Morris, former Chief Scientist of the US National Security Agency (NSA), National Computer Security Center, "Crypto '95 invited talks by R. Morris and A. Shamir", 1995

  • "Even a relatively small quantum computer, one that had a few tens of thousands of qubits, could consider so many different values at once that it would be able to break all known [ed: RSA, D&H, ECC, AES-128] codes commonly used for secure Internet communication."

    Prof Seth Lloyd of MIT, MIT Review 2008

  • "But conventional security is not enough. The complexity of today's operational environment means organisations must embrace a level of business resilience that is normally associated with the protection of critical national infrastructure."

    Detica, a BAE Systems Company

  • “It's not good enough to have a system where everyone (using the system) must be trusted, it must also be made robust against insiders!”

    Robert Morris, former Chief Scientist of the US National Security Agency (NSA), National Computer Security Center, "Crypto '95 invited talks by R. Morris and A. Shamir", 1995

  • "There is a good chance that large quantum computers can be built within the next 20 years.  This would be a nightmare for IT security if there are no fully developed, implemented, and standardized post-quantum signature schemes."

    Prof. Johannes Buchmann, et al, “Post-Quantum Signatures”, Oct 2004, Technische Universität Darmstadt

  • “Briefly and simply, assurance work makes a user or a creditor more confident that the system works as intended without flaws, without surprises, even in the presence of malice.” … “The major shortfall is absence of assurance or safety mechanisms in software.  If my car crashed as often as my computer does, I’d be dead by now.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance", AusCERT 2008

  • "History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did."

    Bruce Schneier, "Why Cryptography Is Harder Than It Looks", 1997

  • "First and foremost, there is no proper excuse for continued use of a broken cryptographic primitive (MD5) when sufficiently strong alternatives are readily available, for example SHA-2. Secondly, there is no substitute for security awareness." ... "Advice from experts should be taken seriously and early in the process. In this case, MD5 should have been phased out soon after 2004."

    Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, "MD5 considered harmful today - Creating a rogue CA certificate", December 2008
biography: Brian SNOW
Full Name: Brian D. SNOW
Former job title: Technical Director of the Information Assurance Directorate of the United States National Security Agency (NSA).
Current activity: - Security and Ethics Consultant. 
Member, US National Academy of Sciences Committee on Future Research Goals and Directions for Foundational Science in Cybersecurity.
Personal webpage: LinkedIn
Personal email: briansnow at comcast.net
Personal phone: +1-301-854-3255
Statement: Brian Snow, "Statement on Synaptic Labs." (2011)
Streaming Video: "Our Cyber Security Status is Grim (and the way ahead will be hard)", free streaming video, 23 minutes long, November 2011. 
Streaming Video: See more free videos by Brian Snow below.
Best known for:  
Awards:

Brian Snow is now a “Distinguished Member of the Cryptomathematics Institute (CMI)” at the NSA (2011)

Biography:

Mathematician/computer scientist, Brian taught mathematics and helped lay the groundwork for a computer science department at Ohio University in the late 1960’s. He joined the National Security Agency in 1971 where he became a cryptologic designer and security systems architect.

Brian spent his first 20 years at NSA doing and directing research that developed cryptographic components and secure systems. Many cryptographic systems serving the U.S. government and military use his algorithms; they provide capabilities not previously available and span a range from nuclear command and control to tactical radios for the battlefield. Computer Security, Network Security and strong Assurance were major aspects for these systems. He created and managed NSA’s Secure Systems Design division in the 1980s. He has many patents, awards, and honors attesting to his creativity.

His later years at NSA were the model for what it means to be a senior Technical Director at NSA (similar to a Chief Scientist or Senior Technical Fellow in industry); he served in that capacity in three major mission components –

  • The Research Directorate (1994-1995),
  • The Information Assurance Directorate (1996-2002), and
  • The Directorate for Education and Training -- NSA’s Corporate University (2003-2006)

He was the first Technical Director appointed at the “Key Component” level at NSA, and the only “techie” at NSA to serve in such a role across three different Directorates. Throughout those years, his Credo was:

Managers are responsible for doing things right;
Technical Directors are responsible for finding the right things to do.

In all of his positions, he insisted that the actions NSA took to provide intelligence for our national and military leaders should not put U.S. persons or their rights at risk. He was a leading voice for always assessing the unintended consequences of both success and failure prior to taking action.

Brian retired in 2006 and is now a Security Consultant and Ethics Advisor.

B.A. mathematics 1965 -- University of Colorado

Quotes:

"He who gets to the interface first, wins."

Publication: Brian Snow, "Our Cyber Security Status is Grim (and the way ahead will be hard)", Malta International Cyber Awareness Seminar, free streaming video, 23 minutes long, November 2011.
Publication: Brian Snow, "The Importance of Implementation", World Science Festival 2011, (Courtesy of worldsciencefestival.com)
Publication: Brian Snow, "Cyber-Terrorism: A Question of Intent", World Science Festival 2011, (Courtesy of worldsciencefestival.com)
Publication: Brian Snow, Clinton Brooks, "Privacy and security: An ethics code for U.S. intelligence officers", August 2009
Publication: Steven J. Greenwald, Brian D. Snow, Richard Thieme, Richard Ford, "Towards an Ethical Code for Information Security?", 2008
Publication: Brian Snow, "We Need Assurance!" (see our bibliography page for PDF, MP3) also see: Streaming video of his presentation in 2008.
Publication: Brian Snow, "It's not lovely code, it's an ugly monkey", AusCert 2008, (Courtesy of ZDNet.com.au)
See recommended Personal Software Process bib entry, Capability Maturity Module CMMI Level 5 (overview), ISO 9000 on Wikipedia.
Publication: Brian Snow, "How encryption can go bad", AusCert 2008, (Courtesy of ZDNet.com.au)

"Synaptic Laboratories is a rare company; they tackle the hard problems! Their basic approach is directly relevant to Governments and/or any commercial companies that deploy products that must function correctly in high-risk environments. They differ from most competitors in that not only do they work hard to get the concepts right, they also work very hard to assure the implementation is correct and robust as well."
