Gene Spafford, Professor of Computer Science at Purdue University, observed that “the only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.” In A Vulnerable System: The History of Information Security in the Computer Age (Cornell University Press), author Andrew Stewart shows how astute Spafford’s observation is. And for anyone who has been in information security for a while, the book is a walk down memory lane.
I saw the manuscript as a reader about two years ago and noted that this book provides an excellent blend of history, business and technical understanding. It is a great read for anyone involved in information security and is a compelling book from start to finish.
But more than just being a history of computer security from ENIAC until today (which is, in fact, a story that has been told many times already), Stewart is a good historian and gives the reader a comprehensive understanding of people, events and contexts from the past 70 years of information security.
If information security is a child, then as Stewart writes, the child was advanced from grade to grade while having serious learning difficulties. No teacher wanted to take responsibility, so the child was punted from school to school, advanced throughout. The child then graduates, and while wearing a cap and gown, is barely literate. That, my friends, is something like information security today.
If security were just about firewalls and encryption, things would be relatively easy to secure (or so we are led to believe). However, with people involved and people who are subject to irrational whims (the topic which won Kahneman and almost Tversky a Nobel Prize in economics), attackers gain their advantage. Stewart writes that revelations about the psychology and economics of security are, in fact, damaging to the commercial security industry, which wants people to believe that the only thing between them and security is an expensive piece of hardware or software.
While it may seem like Stewart is simply moaning about the current state of security, the truth is that he has his hand on the pulse of information security. He provides countless examples of where the industry has failed. An interesting example is where he writes of stunt hacking, which is where hacking is done for the solitary purpose of getting attention and promoting the person or employer. The danger of stunt hacking is that it is a distraction from serious security issues.
One of the more prominent stunt hacking episodes was at Black Hat 2019, where researchers claimed to be able to take over a Boeing airplane. While the security researcher dropped a bombshell that the Boeing Dreamliner is susceptible to hacking, I wrote (here) that there was, in truth, no real cause for concern.
While the history of information security does include a lot of doom and gloom, which the book shows, Stewart writes what is needed to turn this curve. There needs to be a concerted effort to understand better how complexity affects information security and how that complexity can be managed.
Stewart closes with the observation that after the Napoleonic Wars, Prussian general Carl von Clausewitz wrote that an effective military strategy requires insight into the great mass of phenomena and their relationships. It must be left free to rise into the higher realm of action. This is the case also with information security, where the substantial must replace the superficial, the essential must replace the ephemeral.
You do not have to be a CISSP to appreciate this book. Stewart has written an important book where he articulates the history of information security in a non-technical, readable and engaging format. Those who cannot remember the past are condemned to repeat it, both in world history and information security. The book details the past of how we got here, only by understanding that the industry can truly put security in place. For those who take security seriously or consider their privacy necessary, A Vulnerable System is a book that must be read.
Posted on
by Ben Rothke
Contributors
Ben Rothke
Senior Information Security Manager, Tapad
Security Strategy & Architecture
firewalls software integrity security architecture practitioner perspectives security operations
Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
Share With Your Community
Related Blogs