Cyber Security 20 Years Later, part 1: The late 90's

Stephen Lahanas,
VP, Semantech Inc

Early last year, I wrote an article reflecting upon what's happened over the past twenty years in the field of E-learning. Today, I'm going to take a similar retrospective look at the emerging field of Cyber Security. On the face of it, the two fields don't seem particularly related to one another; however, upon deeper examination we'll see there are a number of interesting parallels and connections. And of course, I happened to work in both fields over the years, so I've followed the evolution of both topics with great interest as each field has matured.

In 1997-8, very few people used the term "Cyber Security." At that time, the field of practice was typically referred to as "Information Assurance," "Information Security" or "Computer Security." While the nomenclature itself perhaps isn't all that important, the shift in the name was connected to the changing nature of the practice. Specifically, that shift is the increasing focus on network and Internet connectivity and the increasing vulnerability associated with it.

The move towards Web-based, then Cloud-based interconnected information architectures has made Information - now Cyber Security - exponentially more complex and critical (both to business and government). Much of the security that was effectively in place before the 1990's was a natural byproduct of the relative difficulty in ever being able to gain access to internal networks or systems in the first place (a.k.a. "security through obscurity"). This doesn't mean that there weren't real threats before; merely that the threats have increased almost logarithmically in relation to the inter-connected nature of our information environments as they have evolved.

My Experience with Cyber Security - the 90's

While I had been aware of IA during the early 1990's, it didn't have much of an impact on what I was doing until I got involved with web application development around 1995. At that point, I learned very quickly about how pioneering hackers and crackers were exploiting the situation, and we in the industry were working feverishly to harden both network access and application security (especially e-commerce). My first purely Cyber project was development of an experimental Intrusion Detection solution for the Air Force in 1997. I named it SANE, or "Secure Adaptive Network Environment." The title was perhaps a bit optimistic with regard to the true scope of the project; however, I chose it purposefully in order to position the product family for what I thought would be coming down the pike in the future. Here is what I thought was likely to happen back then:

1. The threats would become more advanced and numerous - thus tracking vulnerabilities would need to be built-in to any intrusion detection solution.

2. No one system or organization would be able to track all events or attack profiles - the attack signatures would need to be managed at a collaborative, industry-level.

3. The general nature of IA (later Cyber Security) was too reactive, which would place it in a perpetual game of catch-up against the bad guys. In other words, we were moving towards a no-win situation where the bad actors were taking nearly all of the initiative.

4. I also envisioned a day when active or offensive counter-measures would be required and that these would eventually be built directly into our military doctrine.

This diagram, while developed a few years ago, was largely inspired by this first Cyber project.

Not that anyone was keeping score, but all of these predictions have come true. I'm not trying to imply here that I had any special sort of prescience; I'm afraid I don't have any paranormal powers. No - this was all merely a logical set of conclusions based on what I was observing in real-world contexts at the time. The developments in the field are merely a logical progression atop what had already been occurring, and it was also what I would do if I put myself in the mindset of any of the adversaries and defenders wishing to exploit or adjust to the situation.

In 1998, I quickly followed up that project with another one for the Air Force called GCSS-AF. Remarkably, elements of that project are still in place (although most of it has now moved to the Cloud). I served as an Information Architect in charge of Web Security (it still wasn't referred to as Cyber yet) among other things. GCSS-AF was interesting and ground-breaking at the time as it was introducing the pre-Cloud notion of unified application hosting along with the actual application transformation of all the systems migrating to that hosting environment. Making it even more interesting was its simultaneous adoption of DISA's emerging consolidated data center offerings. Everything I experienced in this project reinforced what I had previously recognized in the Intrusion Detection experience the year before, although several new observations emerged:

1. In situations like this (which was an effective preview of all Cloud scenarios) there were opportunities to consolidate security (a unified security architecture), yet the relative complexity of the effort instantly increased by at least a factor of 100 (compared to network assurance of a smaller organization or focus on a handful of web-based applications). This added complexity made certain problems unmanageable and many specific projects within the program did not succeed as a result.

2. Another corollary situation that we found ourselves dealing with was commercial off-the-shelf (COTS) software adoption and its impact on security. I was on the business team that helped to make some of the initial recommendations regarding enterprise purchases of Microsoft products for the Air Force at that time. What some of us (architects and engineers) pointed out then was that the move - while perhaps inevitable - was a relatively high-risk scenario from a security perspective. Our rationale was simple - once we did standardize on a core set of technologies (whether we're talking about Microsoft Office as desktop apps, or NT, or even Oracle platforms for DBMSs), we'd be caught within a perpetual arms race between those vendors and the hacker community continuously trying to defeat their platforms. In other words, once a flaw was found by any bad actor in any given COTS product, then all adopters of that product were also instantly vulnerable. We predicted, accurately, that the cost of keeping up with these vulnerabilities would far outweigh any cost savings that might be associated with standardization. Again, this was completely predictable and unfortunately, I don't think we've solved this predicament just yet.

I finished up the 90's working on E-Learning projects, but found myself knee-deep in information security again several years later. The initial similarities I witnessed in the late 90's between these two emerging fields of practice included:

• Both were more or less being reinvented at the same time. E-learning's prior iteration was referred to as "Distance Learning;" however that approach hadn't really tackled core process or pedagogy - merely moved them into new delivery channels - like television. Likewise for security, Information Assurance had been around for a couple of decades, but even as new technology was being introduced before (e.g. distributed computing and early networks), there hadn't been a major re-evaluation of the core principles or processes yet - that began in the late 90's.

• The Subject Matter Experts in both fields felt threatened - and many, rather than rising to the occasion, dug in for a defense of the "old ways." This had a chilling and problematic effect for both Cyber Security and E-Learning. For E-Learning, it served to nearly kill that emerging industry in the cradle and for Cyber Security it made many organizations slower to react to the real-world threats than should have been the case.

• And for both fields, there were also opportunities for non-SME's who were willing to think outside of the box and help to invent new paradigms more or less in progress.
