At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

All Papers and Patents

Tom Berson

I am the founder and owner of Anagram Laboratories, a thriving information security consultancy. Anagram will celebrate its 35th Anniversary in 2021.

I have been interested in the technologies and ethics of information security since 1957, and have been working in the field since 1967.

There are few things sweeter than the respect of one's peers.

  • In February 2020 I was elected a Member of the National Academy of Engineering (NAE), "For contributions to cybersecurity in the commercial and intelligence communities."

  • In January 2004 I was the first person appointed a Fellow of the International Association for Cryptologic Research (FIACR) "For visionary and essential service to the IACR and for numerous valuable contributions to the technical, social, and commercial development of cryptology and security."

Since its founding in 1999 I have been an Advisory Board Member and the Chief Security Advisor at (NYSE: CRM). Salesforce is a pioneer and the leader in cloud software for enterprise sales, marketing, service, data analytics and customer relationship management (CRM). The trust issues raised in this context go far beyond traditional security concerns.

At Stanford University, I am an Affiliate at CISAC, the Center for International Security and Cooperation of the Freeman Spogli Institute for International Studies. I work there on issues of cybersecurity policy.

I was a member of the National Research Council's Committee on Policy Consequences and Legal/Ethical Implications of Offensive Information Warfare. This is very interesting stuff. Our report, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, concludes that, although cyberattack capabilities are an important asset for the United States, the current policy and legal framework for their use is ill-formed, undeveloped, and highly uncertain. It further concludes that U.S. policy should be informed by an open and public national debate on technological, policy, legal, and ethical issues they pose.

I am a lifelong student of Oriental wisdom literature and martial arts. During 2018 I ran a seminar at CISAC titled Information Warfare and Sun Tzu.

During 2000-2002 I worked part time as a Principal Scientist at the fabled but dysfunctional Palo Alto Research Center (PARC). My PARC colleagues and I investigated the implications of a future in which cryptographic operations are abundant. I organized workshops on Life in a Future of Cryptographic Abundance in 2000 and 2001. My essay, Cryptographic Abundance, appeared in Technology Review for Jan/Feb 2002.

In December 2000 I had the honor of delivering the IACR Distinguished Lecture in Kyoto. I spoke about the past 30 years and the next 20 years from personal, technical, and professional points of view. The title of my talk was "Cryptography Everywhere." Twenty years later, cryptography is everywhere.

My professional life is full. I was an Officer or Director of the International Association for Cryptologic Research (IACR) for thirty years. I enjoyed a 14-year stint as an editor of the Journal of Cryptology, an archival journal of important results. I am Past-Chair of the IEEE Computer Society Technical Committee on Security and Privacy. I am on the advisory board of the International Journal of Information Security (IJIS).

From 1979-1986 I was a successful Silicon Valley entrepreneur at Sytek, Inc., a pioneer in broadband local area networking. I still love the problems and opportunities at early-stage and fast-growing companies. Companies I am participating in at the moment include Stackrox for container security, Elevate Security for changing user security behavior, Arceo for managing cybersecurity risk, Faros for secure dev/ops, Kentik for net/ops, System1 for curing brain diseases and Tiatros for mental resilience.

Some other completed projects include membership in the National Research Council Committee to Develop a Cybersecurity Primer, the Committee to Review C4I Plans and Programs, and participation in a six-month Program in Coding Theory, Computer Security and Cryptography at the Isaac Newton Institute for Mathematical Sciences in the University of Cambridge.

I am a life member of Clare Hall, Cambridge.

My Erdös number is 2.

My amateur radio call sign is ND2T.

Here is my professional bibliography

You will have to type this.
or phone/mail. My PGP public keys are here.