IBM Fellows

Fellows are the standard-bearers for IBM’s technical and scientific leadership

JR Rao

  • Director, Security Research
  • IBM Research
  • BT Electrical Engineering, Indian Institute of Technology, Kanpur
  • MS Computer Science, The State University of New York at Stony Brook
  • PhD Computer Science, The University of Texas at Austin

JR has been at the forefront of some of IBM’s biggest security breakthroughs, including the use of big data for security intelligence, and side-channel cryptanalysis that protects devices from literally leaking their cryptographic keys.

In his own words

JR Rao

… on verification and mosquitos humming in harmony

I studied computer science in the pre-Internet 1980s, when the big shift of the time was from mainframes to distributed computing. As a graduate student, I first worked on getting the best throughput by executing multiple transactions on distributed databases, all in parallel.

These engineering systems drew me to pursuing a PhD in “formal methods and program verification.” It looks at a question like, “when a swarm of mosquitos is humming, can you prove they are all humming in harmony?” Why is this important? Because it translates to understanding big, complex systems like American Airlines’s Sabre reservation system — the first in the world in the 1960s. While formal methods are used to build and verify critical systems today, I believe it will re-emerge as human ambition scales up and we tackle complex projects like a mission to Mars.

… on breakthroughs that protect cryptographic devices from side-channel attacks

From 1998 to 2005, I worked in side-channel cryptanalysis (the analog emissions such as power consumption and electromagnetic fields from cryptographic devices). Just by analyzing the power consumption of a card reader when a smart card was plugged in, you could completely break the card’s crypto, extract the secret key, and clone the card. For example, we were able to clone a GSM SIM card in minutes by taking as few as eight power samples.

We came up with provably secure countermeasures for our commercial cryptographic products by employing secret sharing schemes, where each bit of the secret key on the card is divided probabilistically into shares, and any computation using the secret key is done by accessing only the random shares at each point. Splitting the key amplifies the uncertainty of the adversary at each point and increases their work effort exponentially. From there we studied electro-magnetic transmissions and other devices such as SIM cards in mobile phones. This was the first time we were building an empirical discipline in security — looking at security in practice, and using the power of cryptography and engineering to build truly secure systems.

… on the growing complexity of security

Every platform shift, from the mainframe to cloud, poses new security issues. As we transform into a cognitive business, we’re storing — and creating businesses out of — all kinds of highly sensitive data, such as genomic data and healthcare records. It’s clear that the old models of security are insufficient in protecting such data needs. This is what led us to use big data for security intelligence.

So today, I’m working on how to use cognitive techniques to analyze the threat kinetics in enterprises, combined with consolidating the external threat intelligence from security vendors, to provide companies with true security insights. This “cognitive” approach uses threat analytics to take an internal look at a threat and how it’s evolving within an enterprise, let’s say at a medical research company. Then that information connects to the threat intelligence that our systems gather from the outside world. This breakthrough will transform industries because it lets companies lock down their business and their crown jewels — like their customers’ genomic data.

… on tackling hard problems with simplicity

One of the most useful things I developed is an instinct about where the hard problems lie and the importance of focusing on simplicity of solutions. My PhD advisor, Prof. J. Misra, told us that in computer science, complexity comes for free. We have to work hard for simplicity. Not just simplicity in the design and elegance of solutions, but how to communicate ideas simply. Another professor, E.W. Dijkstra, a pioneer in computer science, used to challenge us to give a presentation imagining that there was a blind man in the audience. This meant no PowerPoint and no gesticulating. He would say that if we had to use our hands to speak, then there was something wrong with our words!

… on advice for working at a big company

Throughout my career at IBM, I have been blessed with wonderful managers and mentors who have supported me. John Kelly challenged us to not just innovate but to “Think Big” in our scale and ambition. Even though we work for a big company, we should work at the boundaries of our capabilities and expand them. That is the only way to grow.

Chung-Sheng Li has also been a mentor, source of inspiration and personal friend. Among many things, I learned the important skill of thinking strategically for the company and the industry, and executing an idea across the company. I am indebted to all of them.

Share this page: