Alan Paller, a Mover on Cybersecurity Threat, Is Dead at 76
He made it his mission to find, recruit and develop the next generation of digital warriors to defend the nation against an onslaught of cyberattacks.,
Alan Paller, a cybersecurity pioneer who devoted his life to improving the digital defense of the United States, died on Nov. 9 at his home in Bethesda, Md. He was 76.
His death was confirmed by the SANS Institute, the organization he founded in 1988. The cause was not specified.
Mr. Paller was a gentle but relentless champion for cybersecurity education. He believed that the future of the nation relied on a pipeline of trained professionals who could defend its digital systems from the growing onslaught of cyberattacks.
“Our ability as a nation to maintain our technological leadership depends on building a sufficiently large pipeline of talent beyond the people already going into cyber,” Mr. Paller told The New York Times last year. “A vein of elite but hidden talent runs through the population.”
Mr. Paller made it his mission to find and train these hidden cyberninjas. His SANS Institute (the letters stand for SysAdmin, Audit, Network and Security), is the world’s largest cybersecurity research and training organization, developing more than 40,000 cybersecurity practitioners each year.
He was also president emeritus of the SANS Technology Institute, a separate teaching organization that brought together the world’s top cybersecurity practitioners as instructors to train industry on how to hunt attackers, conduct forensics and defend critical systems like the power grid, banks and water and transportation systems.
In 2013, the institute became an accredited cybersecurity college and graduate school.
“He wanted to bring professionalization to a field that has an increasingly crucial role for the world,” said James Lyne, the SANS Institute’s chief technology officer.
Mr. Paller was among the first to call attention to the cybersecurity work-force crisis. There are currently 3.5 million unfilled cybersecurity jobs, according to Cybersecurity Ventures, up from an estimated one million in 2014, even as the frequency and severity of cyberattacks grow.
Mr. Paller knew that the United States, as a free-market society, was at a disadvantage in bridging this gap. Unlike Russia and China, which tap cybercriminals and private sector security professionals to conduct sensitive operations, the country has no forced conscription policy, does not work with cybercriminals and must compete with banks and businesses like Google and Palantir, which pay security engineers handsomely.
Those Americans who do choose government work often opt to work on offense at the National Security Agency or Cyber Command; fewer want to do the grueling work of defense at federal, state and local agencies.
Mr. Paller was determined to stop the bleeding. After taking his graphics software company, ISSCo, public in 1987, he pivoted to cybersecurity education. He had studied engineering and computer science at Cornell University and earned a master of engineering degree from M.I.T. in 1968, but he was also something of a social engineer and power broker.
In 2009, he persuaded a mutual friend to introduce him to the new deputy homeland security secretary, Jane Holl Lute, whose responsibilities included cybersecurity.
“He said, ‘You’re not doing enough about cybersecurity,'” Ms. Lute recalled in an interview. “I told him, ‘We’ve been here for 10 minutes.’ Then he said: ‘There’s a coming crisis in the cybersecurity work force. Homeland Security needs to lead the way, and you need to start by getting your own house in order.'”
Mr. Paller proposed that the Department of Homeland Security set up a cybersecurity work-force task group. He and Jeff Moss, the founder of the Black Hat hacking conference, would be co-chairmen.
“And don’t give us more than 60 days to get this done,” Mr. Paller told her. He had little patience for bureaucracy and regularly castigated bureaucrats in his widely-read newsletter, News Bites.
- With Apple’s latest mobile software update, we can decide whether apps monitor and share our activities with others. Here’s what to know.
- A little maintenance on your devices and accounts can go a long way in maintaining your security against outside parties’ unwanted attempts to access your data. Here’s a guide to the few simple changes you can make to protect yourself and your information online.
- Ever considered a password manager? You should.
- There are also many ways to brush away the tracks you leave on the internet.
The 2012 task force became the first formalized effort to develop a more agile cyber work force, in part through competitive scholarship programs. (Mr. Paller also headed a cybersecurity task force for the Federal Communications Commission and was a member of the NASA Advisory Council.)
Mr. Paller’s pet project was the National Cyber Scholarship Foundation, which hosts hacking challenges for high school and college students. The idea was based in part on the example of China, which runs regular hacking competitions to identify its next generation of digital warriors.
“We have no program like that in the United States — nothing,” Mr. Paller told The Times in 2013. “No one is even teaching this in schools. If we don’t solve this problem, we’re in trouble.”
His program offers college scholarship funds and free SANS trainings, with the goal of finding and developing 25,000 new “cyberstars” by 2025. Last year, Mr. Paller and Mr. Lyne rolled out a new game, CyberStart, which challenges students to track down cybercriminals, in exchange for $2 million in scholarship funds.
“People in this industry talk about public-private partnership all day, but I can only really think of four examples, and two of them came from Alan,” said Tony Sager, the former chief operating officer of the National Security Agency’s Information Assurance Directorate, which oversees cyberdefense.
In 2001, Mr. Sager was at the N.S.A., working on Code Red, a computer virus that had just spread to hundreds of thousands of computers in a single day, when he received a call from Mr. Paller asking if anyone at the agency was addressing Code Red.
Mr. Sager was, but couldn’t discuss it. “I told him if I say no, I’m an idiot,” he recalled, so he replied, “Of course we are, Alan.”
Mr. Paller said he was running a conference in Washington of the best minds in industry. “He said: Come to this ballroom at 7 p.m. Bring anyone you want. We’ll have snacks.”
The next thing Mr. Sager knew, he and his colleague Paul Bartock were the only two government people in a room of 60 or so industry experts armed with code, data and tools. “They had more talent in that room than the government could assemble in a day,” Mr. Sager recalled. “We knew we would never operate the same way again.”
As threats proliferated, an exasperated Mr. Sager gathered the N.S.A.’s top cybersecurity experts into a room at Fort Meade, Md., locked the door and told them that nobody was to leave until they had all agreed on how to mitigate the peril.
The problem, as Mr. Sager saw it, was a “fog of more” — his play on the military concept of the “fog of war.” The cybersecurity industry was awash in tools, and yet the problem was only getting worse. Mr. Sager’s team drew up a two-page list of steps that they felt should be taken immediately and sent it to senior leaders at the Pentagon.
“It basically said, ‘If you don’t know where to start, start here,'” Mr. Sager said.
Somehow — Mr. Sager still does not know how — Mr. Paller got his hands on the list, called up Mr. Sager and started hatching a plan to expand and update the list in line with current threats and rebrand it — as the Computer Security Controls: prioritized and actionable steps of the very first things organizations needed to do to stop cyberthreats.
He then lured Mr. Sager and Ms. Lute to run a nonprofit, now called the Center for Internet Security, to oversee the project.
Soon the controls were hanging in boardrooms; in 2016, Kamala Harris, then the attorney general of California, warned businesses in the state that failure to comply with the controls would make them potentially negligent in the eyes of a 2004 California law.
Alan Terry Paller was born on Sept. 17, 1945, in Indianapolis, to Benjamin and Ruth (Pearl) Paller. His father was an engineer, his mother an English teacher.
He is survived by his wife, Marsha Mann Paller, whom he married in 1968; two daughters, Brooke Paller and Channing Paller; a sister, Joan Pines; and two grandsons.
Mr. Paller pushed to get more women into cybersecurity, and regularly donated to women’s causes. When Ms. Lute told him that her daughter’s short-track speed skating club would shut down because it had no funds, he became its biggest financial sponsor.
The club has since won four consecutive national championships. Of the 12-person World Cup team, five hail from the tiny club that Mr. Paller supported.
“He had 100 great ideas before breakfast,” Mr. Sager said of Mr. Paller. “Of those, 60 would turn out to be too expensive or impractical, but his batting average would have gotten him into the Hall of Fame.”