Those Who Cannot Remember The Past

Information security is a fast paced industry. Everyday, people are dropping exciting projects on GitHub, data breaches keep journalists in work, universities teach the next generation of practitioners and security companies churn out invoices. It’s all frenetic, it’s a turbo charged little corner of the world. If you stood still for a few weeks you could miss a headline worthy attack or a system that needs to be patched. I wouldn’t swap it for the world. It’s beautiful – all of it.

If I was an alien landing here on planet earth and debating what it is all for though, I probably wouldn’t conclude it is a global collaboration of experts to remove the threats of nefarious computer use… we are all actually quite bad at that. Sure, we have specialisms, we have become experts in a thousand different fields and there are some really clever people mixed in but cyber crime continues to rise in nearly every guise. Information flows freely from big companies, computer users don’t understand fundamental security procedures. The information we claim to secure is currently far from safe.

Why is a question I urge everyone to ask themselves.

Why can a multi-billion pound company get rolled over by a teenager?

Why do Governments sporadically ignore their own advice?

Why are we supporting this digital merry-go-round?

The Much Needed Pause

There is a lot to be said for the expression ‘less haste and more speed’. wouldn’t it be good if we could stop the industry and turn it back on again.

I am left pondering what I would change if we could press restart and how I articulate this in writing. Let me have a go:

We need to take this problem right back to its very inception, the first notable problems regarding information security the human race had to overcome. We then need to analyse our current use of technology methodically, learning from the combined experiences of as many people as we can.

As a big fan of the planning methodology ‘Get Things Done’ or GTD I am irked that we can’t just reflect a little more on the problems we all have. Hardly surprising due to the aforementioned haste we all experience, it can sometimes feel like there is no alternative other than flowing with the torrent of Twitter drama, vendor lies and knee-jerk incident response.

Can History Really Help Us?

I think it can. As per the title, ‘Those who do not learn history are doomed to repeat it’. When we think of our history on earth, it’s littered with Kings and Queens, warriors, pyramids, engineering and mathematics… most of which we haven’t learnt a great deal from as it is. But the history of information security is more recent, with the benefit of being done by IT types that know how to document everything obsessively.

Enter stage left, pioneers like James P Anderson and Willis H. Ware, people who led the InfoSec field from as early as 1968.

Some of the previously classified reports they worked on are available online and I urge any reader to set-aside a few hours to read.

Security Controls For Computer Systems 1970

Willis H. Ware, 1970. Original URL: https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ware70.pdf

Computer Security Technology Planning Study

James P. Anderson, 1972. Original URL: http://seclab.cs.ucdavis.edu/projects/history/CD/ande72a.pdf

Security Controls For Computer Systems 1979

Willis H. Ware, 1979. Original URL: https://apps.dtic.mil/dtic/tr/fulltext/u2/a076617.pdf

Standing On the Shoulder Of Giants

What could even the fastest glance at the above documents show us? Lets take a look:

If we make it hard for users, unneeded problems are created.
Use hardware keys for better security.
External threats are more of a problem than internal ones.
If security costs too much, we will rationalise that it’s not worth it.
We are using codebases too big to audit effectively.
Security is a multifaceted problem.

To Conclude

This article may have all the appeal of GCSE History, I know. Old stuff isn’t as shiny and alluring as the cutting edge technologies we all have in our lives. But what if it was all mostly right and generations of enthusiastic professionals skipped over it. What if the secrets and answers to our very modern problems are right here in plain sight for us to benefit from. If it wasn’t for a chance conversation with Michael Kemp many years ago, I personally would have never seen this side of information security and I am left wondering how many more may also not understand that our fast paced ways are simply trying to re-invent the wheel.

If you made it this far, share the article with people that care.