Ross John Anderson, FRS, FREng, is a researcher, writer, and industry consultant in security engineering. He is Professor of Security Engineering at the Computer Laboratory, University of Cambridge where he is part of the Security Group. Anderson’s research interests are in security, cryptology, dependability and technology policy.

In cryptography, he designed with Eli Biham the BEAR, LION and Tiger cryptographic primitives, and co-wrote with Biham and Lars Knudsen the block cipher Serpent, one of the finalists in the Advanced Encryption Standard (AES) competition. He has also discovered weaknesses in the FISH cipher and designed the stream cipher Pike. In 1998, Anderson founded the Foundation for Information Policy Research, a think tank and lobbying group on information-technology policy. Anderson is also a founder of the UK-Crypto mailing list and the economics of security research domain.

He is well-known among Cambridge academics as an outspoken defender of academic freedoms, intellectual property and other matters of university politics. He is engaged in the ″Campaign for Cambridge Freedoms″ and has been an elected member of Cambridge University Council since 2002. In January 2004, the student newspaper Varsity declared Anderson to be Cambridge University’s “most powerful person”.

Anderson was elected a Fellow of the Royal Society (FRS) and a Fellow of the Royal Academy of Engineering (FREng) in 2009.

“What will security standards and certification look like ten years from now?”

The “embedded systems” of 20 years ago became “things that think” a decade ago; the hype is now about the “Internet of Things” and no doubt by 2026 the marketing folks will have come up with a fresh slogan. However several trends are now visible as computers and communications find their way into all sorts of devices.

First, security is mostly an aspect of safety; indeed most European languages use the same word for both (Sicherheit, surete, seguridad, sicurezza…).
Second, although there are some cross-cutting technical standards (such as for crypto algorithms and protocols) and operational norms (such as the disclosure of breaches and vulnerabilities), these are by no means enough. Just as we don’t rely on product liability law to ensure car safety but have a large body of regulation around testing and type approval, so also we have a growing body of standards and regulation around the security of everything from tachographs to smart meters.

Third, as regulators in fields from electric power distribution to healthcare realise they have to start thinking about malice as well as error and mischance, security standards and certification will continue to get ever more complex. We have already seen conflicts between policy goals; cars today are easy to steal because of crypto export restrictions in the 1990s when their remote key entry systems were being designed.

Fourth, the computer industry’s freewheeling approach will not translate well to industries such as energy and healthcare where certification and liability are taken very seriously; so complexity and conflicts can’t always just be optimistically waved away.

Finally, the predatory business models that characterise the IT industry will spread, adding competition policy and consumer protection issues to the mix. The likely outcome is an ever more complex regulatory environment for many industries — and one which the UK will be ever less able to shape if the brexit vote leads to Britain abandoning the Single Market.