- Computer Security
Few areas of computing capture more headlines today than cybersecurity. Yet, historians have barely scratched the surface of the rich history of computer security due in large part to lack of relevant archival and other source materials. With encouragement from computer-crime expert Donn Parker, in early 2011 Thomas Misa and I proposed to the National Science Foundation (NSF) a multiyear Charles Babbage Institute (CBI) computer security history infrastructure project. NSF Trustworthy Computing Director Carl Landwehr funded this project (NSF 1116862), which is now overseen by his successor, Secure and Trustworthy Cyperspace (SaTC) Director Jeremy Epstein. In addition to Landwehr and Epstein, we are grateful to the computer security pioneers who serve on our project’s advisory board: Rebecca Bace, Matt Bishop, Bob Johnston, Stuart Katzke, Steve Lipner, Andrew Odlyzko, Donn Parker, and Gene Spafford.
The CBI project consists of conducting 30 research-grade oral histories, collecting archival resources, developing a computer security wiki, and publishing original scholarship. We have made major advances on all fronts, having conducted oral histories with 26 seminal figures (to date) in computer security (including Rebecca Bace, David E. Bell, Peter Denning, Dorothy Denning, Butler Lampson, Carl Landwehr, Karl Levitt, Steve Lipner, Teresa Lunt, Peter Neumann, Roger Schell, and Gene Spafford), secured important new archival collections (from Steve Lipner and Lance Hoffman), produced a frequently visited wiki,1 and published scholarship.
With our project’s core being “infrastructure,” or facilitating scholarship by ourselves and others, we proposed to NSF an add-on Computer Security History Workshop of historians and pioneers held at CBI in July 2014 (a write-up appeared in the January–March 2015 issue of the Annals2). This issue is the first of two special issues of the Annals publishing the revised papers from that workshop. It markedly advances scholarship on many different critical aspects of computer security history.
Michael Warner and Steve Lipner’s articles focus on important foundations of computer security and their aftermath. Warner concentrates on policy history within the legislative and executive branches. He highlights key policy responses to potential foreign threats to US government information systems between the mid-1960s and the early 2000s. Lipner examines the context and challenges with implementing computer security standards (with a goal of commercially produced “high assurance” systems) under the Department of Defense’s Trusted Computer System Evaluation Criteria (TCSEC), or the Orange Book. It turned out that lengthy and costly system development and unwieldy certification hindered the goal of commercial high assurance systems, leading to the “death” of the Orange Book in favor of the “more straightforward and deterministic” international Common Criteria in the 1990s.
My article and Rebecca Slayton’s each extend these foundations. I examine the importance of IBM user group Share and how IBM and start-up SKK listened to organizational users and built access control systems (short of high assurance) that were widely purchased by companies and launched the computer security software products industry. Slayton examines computer security metrics used by the US government where regulators placed a high value on risk analysis while practitioners questioned the measurement of risk. She demonstrates that the value of risk analysis was often overlooked, even as it led to important individual and organizational learning. [End Page 6]
Finally, Laura DeNardis and Dongoh Park focus on aspects of the political and social history of digital communication security, surveillance, and cryptography. DeNardis analyzes the design tension between national security interests for surveillance and network security in computer networking from the mid-1980s into the 2000s, concentrating on the work of the Internet Engineering Task Force (IETF). She demonstrates how the Internet engineering community has consistently opposed indiscriminate technologically based government surveillance. Park’s article provides a case study of public-key encryption technology in South Korea. He details how US export regulations on cryptographic technology led the Korean government to develop identity infrastructure consisting of a unique public-key encryption algorithm. His case highlights the major social and cultural challenges, as well as technological ones, in implementing a PKI system.
- From the Editor in Chief
It is a great pleasure to welcome back to the Annals as...