Cybersecurity Expert Jim Mellander Retiring from NERSC

NERSC is losing one of its cybersecurity experts, but not to a bug or a virus.

Jim Mellander, senior cybersecurity engineer at NERSC, is retiring November 1. He’s been with NERSC since 2009 and affiliated with Berkeley Lab for nearly 15 years.

Mellander is well known in cybersecurity circles, having developed a number of innovative techniques to enhance cybersecurity at Berkeley Lab and NERSC. He’s also written several notable security software programs, including Update, a UNIX-based sniffer detector; Kazaa Obliterator, which disrupts many types of unauthorized peer-to-peer traffic; and Stomper, which prevents access to unauthorized websites. In addition, Mellander is co-author of Intrusion Detection and Prevention, published by McGraw-Hill, and he has received a Best Paper Award from Information Security Bulletin.

Despite his many contributions to the field, Mellander did not set out to become a cybersecurity expert. But he was drawn to computing early in his career—about the time microprocessors were starting to go “mainstream.” His first job involved doing software development and administration, and eventually some programming, for a company that provided multiple listing services to the real estate market.

“Sometime in the 70s or 80s I was recommended for a job in Pleasanton by one of my professors at UC Berkeley, and it was on very crude equipment from a company that seemed super high tech at the time,” he recalled. “It was even before microprocessors.”

While the job was “terribly boring,” it did help him get a contract position at Lawrence Livermore National Laboratory (LLNL) as a systems administrator—a job that ultimately led him to write his first security code.

“Systems administration is in some sense boring, so you want to automate it to get the boring stuff out of the way and then work on things that are more interesting,” he said. “As long as you are doing your job, it’s cool. So, once I automated the sysadmin stuff, I started working on some code that was interesting to me at the time, although now it is outdated and unnecessary—Update, a ‘sniffer detector,’ which detects whether or not the computer it is running on is ‘sniffing’ the network and collecting data.”

That program led to a full-time position at LLNL, where Mellander spent much of the 1990s installing Update throughout the Lab.

“It became a required piece of software on all the UNIX systems at LLNL because that was a significant security threat at the time,” he said.

Stolen Credential Attacks

In 2000 Mellander joined Berkeley Lab's IT Division as a cybersecurity engineer and stayed there until taking a similar position at NERSC nearly five years ago. While at Berkeley Lab, he became a pioneer in detecting and understanding stolen credential attacks—something he says remains one of the biggest security threats in computing today.

“I didn’t set out to be a cybersecurity expert, but that was what I got into. It was what I was interested in,” he said. “To most people, computer security is ‘The vendor put out patches and I patched so I’m good, right?’ But it is way more than that, not just specific threats but more systemic things, where a combination of factors can add up to a perfect storm.”

Take the recent Shellshock and Heartbleed bugs, which exposed vulnerabilities in open source codes that had been around for many years and reviewed likely by thousands of eyes, Mellander pointed out.

“What these recent security issues should be showing us is that often we have excessive reliance on the tools or mechanisms that the best of human ingenuity has developed, but actually they could have fatal flaws—there are almost certainly more out there yet to be discovered,” he said. “We really need to think about what we are relying on on the Internet to keep us secure. How do we know they are actually secure? Things that look so brilliant now that are building blocks for future advances will be viewed as primitive by standards of the future, so we need to challenge our assumptions about what we are relying on and whether those really are the things we should be relying on.”

Challenges and Rewards

Working at NERSC has offered its own set of challenges and rewards, Mellander emphasized.

“NERSC has a different environment (compared to the labs) because of the assets that have to be protected,” he said. “The challenges are to develop different ways of looking at the supercomputers from a security standpoint, noninvasively. In supercomputing, performance is king and everyone is vying to be as near the top as possible. So in terms of cybersecurity, how do you adequately monitor a system without significantly impacting that performance? There are lots of things you could do, but even a 1 percent slowdown is probably not acceptable.”

As a result, Mellander has been involved in building an infrastructure at NERSC for monitoring and looking at different aspects of cybersecurity in a passive way and developing new process to enhance the security of the supercomputers.

“We are looking not only externally—what is coming from the Internet, which in some cases is difficult to tell because of all the encrypted connections—but also the interior view,” he said. “How does the health of the system look from the inside, and how can that health be checked in a way that doesn’t seriously impact performance?”

Another, more recent challenge comes from ever-increasing networking speeds, he added.

“It is getting more and more difficult to monitor the information coming in from the Internet,” he said. “It’s almost like you need a supercomputer just to monitor all the traffic coming into the supercomputers. So the challenge there is to decide what part of this traffic actually has a security significance to it and what part doesn’t.”

While he isn’t sure exactly what he will be doing once he retires—he has thoughts of learning the ukulele and is already studying ancient Greek to satisfy a self-imposed goal of doing or learning something different every year—Mellander is ready to try something new.

“It certainly is exciting to be working with world-class people and world-class equipment doing cutting-edge stuff,” he said. “There are people here who have this real brilliance, this really high level of expertise in their area; instead of following the leaders, we are the leaders. But if you’ve been going down this one particular path—computer, computer, computer—at some point you have to take a left turn and try something else.”