Oral History

  1. Oral History Interview with Carl Landwehr, conducted by Jeffrey Yost, April 21, 2014.. Babbage instate OH 436, also available at:


Landwehr, C.E., and Latham, D. L. Secure Identification System. U.S. Patent 5,892,901, April 6, 1999. The patent covers a family of devices to secure a workstation automatically when a user leaves its vicinity and to unlock it automatically when an authorized user approaches it, using active RFID technology.

Refereed Periodicals

  1. Landwehr, C.E. Prolog to the Section on Privacy and CybersecurityProc. IEEE, Vol. 100, May 13, 2013, pp. 1657-1658.
  2. Landwehr, C.E., D. Boneh, J.C. Mitchell, S. M. Bellovin, S. Landau, M.E. Lesk. Privacy and Cybersecurity: The Next 100 Years. Proc. IEEE, Vol. 100, May 13, 2012. pp. 1659-1673.
  3. Landwehr, C.E. Cybersecurity: From Engineering to Science. The Next Wave, Vol. 19., No. 2 (2012) pp. 2-5.
  4. Avizienis, A., Laprie, J.-C., Randell, B. and Landwehr, C. Basic Concepts and Taxonomy of Dependable and Secure Computing.  IEEE Trans on Dependable and Secure Computing, Vol. 1, No., 1 (Jan 2004), pp. 11-33. Also available as University of Maryland, Institute of Systems Research, Technical Report TR 2004-47.
  5. Witten, B., C.E. Landwehr, M. Caloyannides. “Will Open Source Really Improve System Security? IEEE Software, Vol. 18, No. 5 (September/October 2001) pp. 57-61.
  6. Landwehr, C.E. Computer Security,”  Tutorial paper, International Journal on Information Security Vol. 1, No. 1, pp. 3-13, July, 2001.
  7. Landwehr, C.E. and David M. Goldschlag, "Security Issues in Networks with Internet Access"Proc IEEE Vol 85, No. 12, Dec. 1997, pp.2034-2051.
  8. Landwehr, C. E., A. R. Bull, J. P. McDermott, and W. S. Cy, "A Taxonomy of Computer Program Security Flaws, with Examples," ACM Computing Surveys, Vol. 26, No. 3 (Sept., 1994) pp. 211-254.
  9. Landwehr, C.E. and R.Y. Kain. On Access Checking in Capability-Based SystemsIEEE Trans. on Software Engineering Vol. SE-13, No. 2(Feb. 1987) pp. 202-207. Reprinted from Proc. 1986 IEEE Symposium on Security and Privacy, April, 1986, Oakland, CA [Received Symposium Outstanding Paper Award]
  10. Landwehr, C.E., C.L. Heitmeyer, and J. D. McLean.    A Security Model for Military Message Systems.   ACM Trans. on Computer Systems, Vol. 2, No. 3, August, 1984, pp. 198-222. 
  11. Landwehr, C.E.    Best Available Technologies for Computer Security.  IEEE COMPUTER, Vol. 16, No. 7 (July 1983), pp.86-100. [Reprinted in Advances in Computer System Security, Volume II, Rein Turn, Ed., Artech House, Dedham, MA, 1984, pp. 76-107.]
  12. Landwehr, C.E.    Formal Models for Computer Security, ACM Computing Surveys, Vol. 13,  Number 3 (September, 1981).  Also published as NRL Report 8494,  September, 1981.  Translated and reprinted in Japanese computer journal  bit, Shuppan Kyoritsu, Tokyo, 1983, No. 1 (January), pp. 95-124. [Reprinted in Advances in Computer System Security, Volume II,  Rein Turn, Ed., Artech House, Dedham, MA, 1984, pp. 108-122.]
  13. Landwehr, C.E.    An Abstract Type for Statistics Collection in SIMULA.  ACM  Transactions on Programming Languages and Systems (TOPLAS) Vol. 2, No. 4 (October 1980) 544-563.  Early version published as NRL Report 8373,  March, 1980. Also see subsequent technical correspondence in TOPLAS documenting errata.
  14. Landwehr, C.E. An Endogenous Priority Model for Load Control in Combined Batch -  Interactive Computer Systems.  Acta Informatica Vol. 7, (1976) 153-166. (Also appeared in Proc. Int. Symp. on Computer Modeling, Measurement, and Evaluation IP WG 7.3, ACM SIGMETRICS) Harvard U., March, 1976.

Conference Papers

  1. Landwehr, C.E. A Building Code for Building Code: Putting What We Know Works to Work. In Proc. 29th Annual Computer Security Applications Conference (ACSAC), New Orleans, Dec 2013.
  2. Landwehr, C.E.  History of US Government Investments in Cybersecurity Research: A Personal Perspective, Proc. 2010 IEEE Symposium on Security & Privacy, May 2010, pp. 14-20.
  3. Landwehr, C.E. Results of Workshops on Privacy Protection Technologies. In Protecting Persons While Protecting the People, Second Annual Workshop on Information Privacy and National Security, ISIPS 2008, New Brunswick, NJ, USA, May 12, 2008. Revised Selected Papers. C. S. Gal, P. B. Kantor, M.E. Lesk, eds.Springer Lecture Notes in Computer Science, Vol. 5661, 2009, pp. 45-56.
  4. Landwehr, C.E. Trusting strangers: open source software and security. Building the Information Society, Proc. IFIP 18th WCC Topical Sessions, Kluwer, 2004, pp. 679-683.
  5. Landwehr, C.E. Improving Information Flow in the Information Security Market. Short paper and viewgraph presentation, First Workshop on Economics and Information Security, May 16-17, 2002, University of California at Berkeley, R. J. Anderson and H. Varian, Co-Chairs. Published as a book chapter, 2004.
  6. Landwehr, C.E., C.L. Heitmeyer, and J. D. McLean.  A Security Model for Military Message Systems: Retrospective. Proc. 2001 Annual Computer  Security Applications Conference. Invited paper for “Classic papers” track.
  7. Syverson, Paul F., Gene Tsudik, Michael G. Reed and Carl E. Landwehr, "Towards an Analysis of Onion Routing Security," Proc. Workshop on Design Issues in Anonymity and Unobservability Berkeley, CA, July 2000
  8. Landwehr, C.E.  "Protecting Unattended Computers Without Software," in Proc. Thirteenth Annual Computer Security Applications Conf., San Diego, CA, Dec., 1997, pp.274-283.
  9. Landwehr, C.E. Dependability, Survivability, and System Architecture. Position paper, in Proc. SEI Information Survivability Workshop, 1997.
  10. Froscher, J. N., D. M. Goldschlag, M. H. Kang, C. E. Landwehr, A.P. Moore, I. S. Moskowitz, C. N. Payne "Improving Inter-Enclave Information Flow for a Secure Strike Planning Application," in Proc. Eleventh Annual Computer Security Applications Conf., New Orleans, LA, Dec., 1995, IEEE CS Press PR07159, ISBN 0-8186-7159-9, pp. 89-98. [Received the conference Outstanding Paper Award].
  11. Froscher, J. N., M. H. Kang, J. McDermott, O. Costich, and C. E. Landwehr, "A Practical Approach to High Assurance Multilevel Secure Computing  Service," in Proc. Tenth Annual Computer Security Applications Conf.,  Orlando, FL, Dec., 1994,ISBN 0-8186-6795-8, pp.2-11.
  12. Landwehr, C. E., "Hidden Safety Requirements in Large-scale Systems,” in  Proc. 13th World Computer Congress, IFIP Congress 94, Vol. 3, K. Duncan  and K. Krueger, eds., Elsevier Science B.V. (North-Holland) pp.295-302.
  13. Landwehr, C.E., “How far can you trust a computer?” in SAFECOMP’93, Proc. of the 12th Int’l Conf. con Computer Safety, Reliability, and Security, Poznan-Kiekrz, Poland, Oct., 1993, Janusz Gorski, ed., ISBN 0-387-19838-5, Springer-Verlag, New York, 1993.
  14. Payne, C., J. N. Froscher, C. E. Landwehr, “Toward a Comprehensive INFOSEC Certification Methodology.”  Proc.  Sixteenth National Computer Security Conference, Baltimore, MD, Sept., 1993.pp. 165-172 .
  15. Meadows, C. and C.E. Landwehr, “Designing a Trusted Application Using an Object-Oriented Data Model,” Research Directions in Database Security, T. Lunt, ed. (Proceedings of  the First RADC Workshop on Database Security) Springer-Verlag, 1992 (workshop held 1988).
  16. McLean, J., C. E. Landwehr, and C. Heitmeyer, “A Formal Statement of the MMS Security Model,”Proc. 1984 IEEE Symposium on Security and Privacy, Oakland, CA, April 23-26, 1984.
  17. Landwehr, C. E., and J. M. Carroll, “Hardware Requirements for Secure Computer Systems: A Framework,” Proc. 1984 IEEE Symposium on Security and Privacy, Oakland, CA, April 23-26, 1984.
  18. Landwehr, C. E., and H. O. Lubbes, “Determining Security Requirements for Complex Systems with the Orange Book,”  Proc. Eighth National Computer Security Conference, Gaithersburg, MD, Oct., 1985.  pp. 156-162.
  19. Landwehr, C. E., “Does Program Verification Help?  How Much?” Proc. Verification Workshop (VERKshop) III,  ACM Software Engineering Notes, Vol 10, No. 4 (Aug. 1985) p.107.
  20. Landwehr, C. E. “Some Lessons from Formalizing a Security Model,” Proc. Verification Workshop (VERKshop) III,  ACM Software Engineering Notes, Vol 10, No. 4 (Aug. 1985), p.111.
  21. Landwehr, C. E. “Requirements for Class A1 Systems and Major Differences Between Division A and Division B Systems.”  Transcription of invited talk, Proc. Sixth DoD/NBS Computer Security Conference, National Bureau of Standards, Gaithersburg, MD, Nov. 1983.
  22. Heitmeyer, C., C. E. Landwehr, M. R. Cornwell, “The Use of Quick Prototypes in the Secure Military Message Systems Project," ACM SIGSOFT Software Engineering Symposium on Rapid  Prototyping, April, 1982, Columbia, MD (with C.L.Heitmeyer and M. Cornwell).  Reprinted in ACM SIGSOFTSoftware Engineering Notes,  Vol. 7, No. 5 (Dec. 1982) pp. 85-87.
  23. Security Model for a Family of Military Message Systems, proceedings of Workshop on Implementing DoD Multilevel Security Policy on  Capability-Based Operating Systems, March, 1982,  MITRE M83-17, October, 1982.          
  24. Landwehr, C. E., “Software Engineering Techniques Applied to Protocol Simulation,”   Proc. Summer Computer Simulation Conference 1980, AFIPS Press, Arlington, VA, pp. 203-207.  Also published as NRL Report 8385.   Revised and published as “Applying Software Engineering to Protocol Simulation,” inSimulation, Society for Comp. Simulation, La Jolla, CA, Nov. 1981 pp. 157-164.
  25. Landwehr, C. E. “Assertions for Verification of Multi-Level Secure Military Message  Systems,” SRI Workshop on Formal Verification (VERkshop), April,  1980.  Published in ACM SIGSOFT Software Engineering Notes Vol. 5, No. 3 (July 1980) pp. 46-47.

Books, Book Chapters, National Research Council Studies

  1. Engineered Controls for Dealing with Big Data, in Privacy, Big Data, and the Public Good: Frameworks for Engagement. Julia Lane, Victoria Stodden, Stefan Bender, Helen Nissenbaum, eds., Cambridge University Press, 2014, pp.211-233.
  2. Autonomous Vehicles in Support of Naval Operations. Committee on Autonomous Vehicles in Support of Naval Operations, Naval Studies Board.  National Academies Press, 2005. (Co-Author with John Deyst, chair, and other committee members).
  3. Improving Information Flow in the Information Security Market. Book chapter, Economics of Information Security, L. Jean Camp and S. Lewis, ed., Kluwer, 2004, pp. 155-164.
  4. Networking Health: Prescriptions for the Internet. Committee on Enhancing the Internet for Health Applications: Technical Requirements and Implementation Strategies, E.H. Shortliffe, Chair. National Academy Press, 2000.
  5. For The Record: Protecting Electronic Health Information. Committee on  Maintaining Privacy and Security in Health Care Applications of the  National Information Infrastructure.  National Academy Press, 1997, 264 pages. ISBN 0-309-05697-7.  (Co-author with Paul D. Clayton, Chair, and other committee members)
  6. Landwehr, C. E.  Protection(Security) Policy and Models. Chapter 90 in Computer Science and Engineering Handbook, A. B. Tucker, Jr., Ed., CRC Press / Assoc. of Computing Machinery, 1997, ISBN 0-8493-2909-4,  pp.1914-1928.
  7. Chapter on agent security in J. Williams, Bots and Other Internet Beasties,  (with David Goldschlag and Michael Reed), Indianapolis, 1996, ISBN 1-57521-016-9.
  8. Database Security, VIII: Status and Prospects. IFIP Transactions A-60, Elsevier Science B.V., Amsterdam, ISBN 0 444 81972 2, 1994 (co-editor with J. Biskup,  and M. Morgenstern).
  9. Database Security, VII: Status and Prospects:  Results of the IFIP WG 11.3 Workshop on Database Security, Lake Guntersville, Alabama, USA, 12-15 Sept. 1993, Elsevier (North-Holland), Amsterdam, 1994, (co-editor with T.F. Keefe), IFIP Trans. A-47, ISBN 0 444 81833 2, April, 1994.
  10. Dependable Computing for Critical Applications 3. ISBN 0-387-82481-2 Springer-Verlag, New York-Wien, 1993 (co-editor with B. Randell and L.  Simoncini).
  11. Database Security, VI: Status and Prospects:  Results of the IFIP WG 11.3 Workshop on Database Security, Vancouver, British Columbia, USA, 19-21 Aug. 1992, Elsevier (North-Holland), Amsterdam, 1992, (co-editor with B.M. Thuraisingham), IFIP Trans. A-21, ISBN 0 444 89889 1, April, 1993.
  12. Database Security, V: Status and Prospects:  Results of the IFIP WG 11.3 Workshop on Database Security, Shepherdstown, West Virginia, USA, 4-7 Nov. 1991, Elsevier (North-Holland), Amsterdam, 1992 (co-editor, with  S. Jajodia) ISBN 0 444 89518 3, April, 1992.
  13. Database Security, IV: Status and Prospects:  Results of the IFIP WG 11.3 Workshop on Database Security, Halifax, U.K., 18-21 September, 1990,  Elsevier (North-Holland), Amsterdam, 1991 (co-editor, with  S. Jajodia) ISBN 0 444 89076 9, May, 1991.
  14. Database Security, III: Status and Prospects:  Results of the IFIP WG 11.3 Workshop on Database Security, Monterey, California, U.S.A., 5-7 September,  1989, Elsevier (North-Holland), Amsterdam, 1990 (co-editor, with  D.L. Spooner) ISBN 0 444 88701 6, June, 1990.
  15. Database Security II: Status and Prospects:  Results of the IFIP WG 11.3 Workshop on Database Security, Kingston, Ontario, Canada, 5-7 October, 1988,  Elsevier (North-Holland), Amsterdam, 1989 (editor) ISBN 0 444 87483 6,  June 1989.
  16. Database Security: Status and Prospects:  Results of the IFIP WG 11.3 Initial MeetingAnnapolis, MD., U.S.A., October, 1987,  Elsevier (North-Holland), Amsterdam, 1988 (editor) ISBN 0 444 70479 5.
  17. Database Security:  Where Are We?  in Database Security: Status and Prospects, (C. Landwehr, ed.) Elsevier (North-Holland),  Amsterdam, 1988.
  18. Multilevel Data Management Security, Air Force Studies Board, Commission on Engineering and Technical Systems, National Research Council, National Academy Press, Washington, D.C., fall, 1983 [FOUO]--> [no longer FOUO as of Nov 1993] (contributor to two of three subcommittee reports).

Technical Reports

  1. Building Code for Medical Device Software Security. (with Thomas Haigh). IEEE Computer Society, March, 2015. Also available at:
  2. Workshop to Develop a Building Code and Research Agenda For Medical Device Software Security: Final Report. Report GW-CSPRI-2015-01, January 8, 2015. Also available at: 
  3. Safe Use of the Internet for Defence Purposes.  STP-11 report, 1997. (Editor and author, with contributions from other STP-11 members)
  4. Proc. NRL Invitational Workshop on Testing and Proving:  Two Approaches to Assurance.  ACM SIGSOFT Software Engineering Notes, Vol. 11, No. 5 (Oct. 1986) pp. 63-85.  (Edited, with J. McLean, D. Good, S. Gerhart,  N. Leveson).
  5. A Framework for Evaluating Computer Architectures to Support Systems with  Security Requirements, with Applications.  NRL Report 9088, Nov., 1987. (with B. Tretick, J. M. Carroll, and P. Anderson).
  6. User’s Manual for the Secure Military Message System M2 Prototype, NRL Memorandum Report 5757, March 28, 1986 (with B.T. Tretick, M.R. Cornwell, R.J.K. Jacob, and J.M. Tschohl).
  7. Executing Trace Specifications Using Prolog.  NRL Report 8940, January  1986 (with J. McLean, D. Weiss).
  8. An Approach to Determining Security Requirements for Naval Systems.  NRL Report 8897, May 1985 (with H.O. Lubbes).
  9. Designing Secure Message Systems:  The Military Message Systems (MMS) Project.  Computer-Based Message Systems, Elsevier Science Publishers B.V., NY, pp. 247-257 [Proc. IFIP 6.5 Working Conf. on Computer-Based Message Services, May 1984, Nottingham, England, North Holland] (with C. Heitmeyer).
  10. A Security Model for Military Message Systems.  NRL Report 8806, May 31, 1984 (with C.L. Heitmeyer and J. McLean).
  11. Military Message Systems:  Requirements and Security Model, NRL Memorandum Report 4925, Sept., 1982 (with C.L. Heitmeyer).
  12. Best Available Technologies (BATs) for Computer Security, NRL Report  8554, Dec. 21, 1981.
  13. Analysis of Alternative Satellite Channel Management Systems, NRL Report 8404,  October, 1980 (with M. E. Melich and P. J. Crepeau).
  14. Performance Studies of the Distributed CPODA Protocol in the Mobile  Access Terminal Network.  NRL Memorandum Report 4084, Sept., 1979.
  15. Load Sharing in Computer Networks: A Queueing Model.  Merit Computer Network MCN-1174-TR-18 (Nov. 1974), Ann Arbor, Michigan.

Technical Correspondence

  1. Defining Formalism.  Comm. ACM 34, 10 (Oct. 1991) ACM Forum  contribution, pp.15-16 (with J. McLean, C. Heitmeyer).
  2. On Nondeterministic Programs, Technical Correspondence, Comm. ACM 25, 4 (April 1982), p. 292.
  3. Protecting stored data remains a serious problem. Military Electronics/Countermeasures, Santa Clara, CA, Apr. 1983, pp.26-36.
  4. Usage Statistics for MTS.  ACM SIGMETRICS Perf. Eval. Rev. Vol. 4,  No. 2 (April, 1975).

Editorials and Columns

  1. Privacy Research Directions. Security and Privacy Viewpoint, Comm. ACM 59, 2 (Feb., 2016), pp. 29-31. 
  2. We Need a Building Code for Building Code. Security and Privacy Viewpoint, Comm. ACM 58, 2 (Feb. 2015), pp. 24-26.
  3. Sailing Away!  IEEE Security & Privacy 8, 6 (Nov./Dec. 2010), pp. 3-4.
  4. Drawing the Line. IEEE Security & Privacy 8, 1 (Jan./Feb. 2010), pp. 3-4.  
  5. A National Goal for Cyberspace: Create an Open, Accountable Internet.   IEEE Security & Privacy 7, 3 (May./June. 2009), pp. 3-4.  
  6. Cyber Security and Artificial Intelligence: From Fixing the Plumbing to Smart WaterIEEE Security & Privacy 6, 5 (Sept./Oct. 2008), pp. 3-4.
  7. Up Scope. IEEE Security & Privacy 6, 3 (May/June 2008), pp. 3-4.
  8. Revolution through competition? IEEE Security & Privacy 5, 6 (Nov/Dec. 2007), pp. 3-4
  9. Food for Thought: Improving the Market for Assurance. IEEE Security & Privacy 5, 3 (May/June 2007), pp. 3-4
  10. New Challenges for the New Year.  IEEE Security & Privacy, 5, 1 (Jan.-Feb 2007), pp. 3-4.
  11. Speaking of Privacy.  IEEE Security & Privacy, 4, 4 (Jul.-Aug 2006), pp. 4-5.
  12. Information Assurance Technology Forecast 2005 (interview; S. Saydjari ed). IEEE Security & Privacy,4, 1 (Jan. – Feb. 2006), pp. 62- 69.
  13. Green Computing.  IEEE Security & Privacy, 3, 6 (Nov.-Dec 2005), p. 3.
  14. Changing the puzzle pieces.  IEEE Security & Privacy, 3, 1 (Jan-Feb 2005), pp. 3-4.
  15. Security cosmology: moving from big bang to worlds in collusion. IEEE Security & Privacy, 1, 5 (Sept.-Oct 2003), p. 5.


  1. National Science Foundation solicitation 12-503, Secure and Trustworthy Cyberspace solicitation, August, 2010.
  2. National Science Foundation solicitation 10-575, Trustworthy Computing, (in CISE Cross-Cutting Programs). August, 2010.
  3. Intelligence Advanced Research Projects Activity, IARPA STONESOUP solicitation, September 2009.
  4. Disruptive Technology Organization, DTO NICECAP solicitation, April, 2006.
  5. National Science Foundation Solicitation 04-524, Cyber Trust solicitation, December 2003.
© Carl Landwehr 2014