James P. Anderson

Applying the Reference Monitor Concept to Security

by Dan Geer


Anderson made many contributions, but for the purpose of this nomination I will highlight a mere two of them. The first is the 1972 paper now known as "The Anderson Report" (which followed on the 1968 Defense Science Board's "Ware Report" in which Anderson also participated). That "Anderson Report" set the U.S. information security research agenda for over a decade, and rightly so. You can read it here:
http://csrc.nist.gov/publications/history/ande72.pdf

Anderson also developed the ideas that we today call "Intrusion Detection" in his 1980 work "Computer Security Threat Modeling & Surveillance." Similarly, you can read that work here:
http://csrc.nist.gov/publications/history/ande80.pdf

Altogether, Anderson was involved in something over two hundred reports and standards including "The Rainbow Series" and, in particular, "The Orange Book" where, amongst many other places, Anderson contributed the Reference Monitor concept. In Peter Denning's words, Anderson did not invent the RefMon term, but rather "Jim recognized the fundamental importance of the reference monitor for computer security practice and stumped endlessly for its adoption."

Gene Spafford's encomium overlaps much of this note; see:
https://www.cerias.purdue.edu/site/blog/post/passing-of-a-pioneer

An entrepreneur, author, scientist, consultant, teacher, and architect, Dr. Daniel Geer is Chief Information Security Officer at In-Q-Tel and served as Chief Scientist at Digital Guardian. Previously, Dr. Geer served as CTO of @stake and ran the development arm of MIT's Project Athena, where his staff pioneered Kerberos, the X Window System, and much of what we take for granted in distributed computing. He has co-authored several books on risk management and information security and is past president of the USENIX Association.