In April 2023, the GÉANT community was saddened by the passing of Andrew Cormack, then Chief Regulatory Advisor at Jisc, UK. Andrew’s legacy ranges from helping pioneer firewalls in academia, to demystifying legal requirements for the research and education sector, to enthusing over the beauty of moths. Jisc described him as “a man who truly embodied Jisc’s ethos of using technology as a force for good in the world of education and research”.
Here, Andrew’s long-standing colleague and friend, Tim Chown, reflects on his experiences of working with Andrew, and Andrew’s unique contributions to the world of cybersecurity in research and education.
Bringing firewalls to universities during the Wild West of the 1990s internet
When I first met Andrew, at some event in the late 1990s, he immediately struck me as being very personable, friendly, chatty – an absolute pleasure to talk to.
We first worked together on a Jisc-funded project looking at deploying firewalls on the University of Southampton’s campus.
Back then – 25 years ago – very, very few universities had firewalls. It was the Wild West as far as the internet was concerned. You could connect in and out of universities quite freely, and the thought of having firewalls or access control just wasn’t there.
So our challenge – and this is where Andrew’s input was really valuable – was looking at how to deploy a firewall in an environment where the academics and university staff really didn’t want to have a firewall. Because they were very concerned about losing their ability to do their work and research.
Andrew helped us think through the project and come up with a practical solution that worked very well. He understood that it’s all about talking to the users and understanding what they want to do, and how you most appropriately apply the technology to achieve that.
By coming up with a good methodology for doing it, we showed that you can deploy firewalls without disrupting people’s work. And we also found that many academics don’t quite need the fully open internet access that they thought they did.
Understanding users’ needs to find pragmatic solutions
The approach Andrew encouraged was to speak to the academics and researchers first, to look at what they’re doing and identify the traffic flows they needed. Then, first install a security appliance where you allow any of the traffic they currently want, and block everything else.
Most firewalls have what’s known as a default deny policy. You block anything you don’t know or want, and allow the things that you do choose to trust.
“Andrew’s advice was to initially be very, very generous in what you allow through the firewall, and then slowly tighten it up where you can, by observing what was happening. And that approach, at a very simple level, proved to be very successful, and something that was widely shared and adopted elsewhere.”
It was a very good project, and it showed the great insight Andrew always had: a blend of understanding the technology while also being pragmatic about how you apply security and security policy.
Combining wide-ranging technical and legal knowledge
Andrew’s amazing strength was his ability to apply his way of thinking to a wide range of technical areas, and to continually give good advice across those varying areas. He understood the key issues of different technologies, and crucially, understood how legal requirements apply to those technologies.
He could interpret all the different legal constraints of regulations, such as the UK Government’s Investigatory Powers Act, and how they apply to a university in a research and education (R&E) environment, and advise the R&E sector accordingly.
For many people working on developing and deploying technical solutions, the legal side is – to be blunt – often the cause of frustration, and something that can get in the way.
But it’s something that’s very important, and that you absolutely have to deal with. Particularly around things like GDPR, so knowing what personal identifiable information is and your responsibilities there.
“Andrew’s great strength was being one of the few people I know with a perfect balance of understanding both technology and the relevant laws, and being able to blend the two together to give superb, pragmatic advice to anyone that wanted it. And being very approachable and friendly in doing so.”
Combining that deep technological and legal knowledge is a very difficult thing – and no one I know has ever been able to do it as well as Andrew did.
In some ways, I think it’s just an innate skill that Andrew had. And he developed it by training himself in different areas. He had to learn the technology, and spend time taking various courses to become qualified from the legal side as well.
Providing useful, thoughtful advice
I think Andrew was, for many people like me, the go-to person when they wanted advice on the legalities of applying technology. He was just so good at it.
Sometimes you might not like the answer he gave you, because you wanted to do something and he’d very carefully explain why you couldn’t! And that’s not what you wanted to hear.
But he would ask you just the right questions – often painstakingly detailed questions – so he could understand and then advise you. And the advice he gave was always good. So that’s why I always turned to him.
Andrew was always really inspiring and encouraging in any conversation. I think he simply genuinely got enjoyment and pleasure from helping people.
Helping improve understanding of important topics through blogging
Andrew always enjoyed writing about things, and putting things into plain English that people can easily understand. Right up to his death in April 2023, he was blogging on Jisc’s website.
“Andrew had a great ability to identify issues that were of importance to our sector, and then write about them in a very clear and understandable way. He gave people good practical advice and pointers to where they could look further. I think he was driven by a very simple but beautiful desire to help people.”
Andrew’s final published blog was on AI. How AI is going to affect our future lives is obviously very topical in the news, but there’s also a whole raft of issues with how AI is applied to the R&E sector. This blog, like so many others, captured key issues so succinctly.
Proactively engaging with other people’s interests
Another of Andrew’s very endearing qualities was that from time to time he would spot something, know it was of interest to you, and ping you an email about it.
So for example, I’ve got a longstanding interest in IPv6 technology, which allows you to connect more devices directly to the internet to support future growth. Once, IPv6 was mentioned during a discussion in the [UK parliamentary] House of Lords. Andrew happened to see that, emailed me about it, and we ended up having a really interesting discussion about it.
“It wasn’t just that you approached Andrew and he answered. He would act proactively, with me and presumably with a lot of other people he knew as well. He would see something he knew you’d be interested in, bring it to you, and start a conversation. And some really good ideas came from those conversations.”
Exemplifying GÉANT’s community spirit
Andrew was very well-liked, and indeed loved, by people at Jisc, in the GÉANT community, around Europe and in many places in the rest of the world.
He was on the board of trustees at the Vietsch Foundation, and had a lot of passion for supporting its work [to promote research into and development of advanced technology for scientific research and higher education].
It was established through the legacy of Willem Karel Vietsch, who had a very similar philosophy to Andrew of looking at technologies, working out how they would apply to the R&E sector, and pushing forward understanding of those. Again, it’s about helping the sector.
Andrew was also on the GÉANT Community Programme. His outlook and philosophy all comes back to helping the community, and just being so friendly, approachable, and passionate about it.
“The beauty of the GÉANT community is having people from 40 or so countries working together collaboratively. It’s the opposite of a commercial competitive environment. Everyone wants to collaborate and share what they’re doing and help each other. And Andrew was just a really, really good example of someone who embraced that community and that spirit.”
Opening eyes to the wonders of moths
Outside of work, Andrew was an extremely passionate moth enthusiast. He would set moth traps in his back garden and see how many different moths he found over time. I believe he caught and catalogued around 250 types.
Andrew was a member of the Gwent Wildlife Trust, and blogged for them on moths and more.
He frequently shared photos of moths in our internal social media group. Some of them are stunning.
“Before, I just thought of moths as those annoying things that eat your carpets. But Andrew opened a whole new world for me, showing me these beautiful creatures. It’s a fascinating world.”
After Andrew passed, a group of Jisc people selected a weekend when they all set moth traps. Then they shared photos of the moths they’d found, as such a nice way to remember Andrew and his hobby.
About Tim Chown
Also this year GÉANT joins the European Cyber Security Month, with the campaign ‘Become A Cyber Hero‘. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm23
