Seminal Papers in Cybersecurity: A Review (Part 1 of 2)
The widely cited grandfather of all cybersecurity papers is the Ware report by Willis Ware from the RAND Corporation [1]. This paper was the result of a commission sponsored by the U.S. government in 1967 through the agency that would later become the present Defense Advanced Research Projects Agency (DARPA). As the U.S. government was one of the first large adopters of computer systems, it became clear in the mid-1960s that computer security was going to become a topic of major importance. The Ware report highlighted several issues of concern when considering the use of computer systems for handling U.S. government classified data. Unfortunately, at least in my estimation, the report spent little time identifying the nature of the issue—four paragraphs out of a 100-plus page report—but focused heavily on prescriptive methods of solving the problem.
This is an easy criticism 50 years later, and it is not leveled to minimize the importance of the recommendations that the commission provided: need-to-know privileges, role-based access control, logging, etc. It is likely that all modern security controls could be traced back to the recommendations from this report. However, it is also fair to say that these controls do not solve the problem. Fifty years later, cybersecurity is just as relevant and likely in more disarray than it was back then. However, to say that these early researchers missed the opportunity is to underestimate the difficulty of the problem. Not to mention, how could these men and women possibly have known the extent to which computers would permeate our lives 50 years later?
Shortly after the Ware report was published, James Anderson published a two-volume report for the U.S. Air Force [2]. The Anderson report picked up where the Ware report left off and delved further into solutions without much discussion of the root of the problem. The paper astutely points out that designing security after the fact has little chance of being effective and makes a case against the use of “tiger teams” to find vulnerabilities in systems to achieve proper security. The paper advocates for a “reference monitor” that acts as the arbiter of system access, allowing or not allowing access to various levels of classified information.
My first reaction to this solution was the obvious question: “Who or what, then, is going to monitor the monitor?” This line of questioning will become an important one when exploring the deep recesses of first principles. However, for this background discussion, all we need to know is that developing solutions dominated the early conversations regarding cybersecurity, and to the extent that I can see, very little time was spent on defining the true nature of the problem. In that respect, not much has changed.
Despite Anderson jumping into solutions before the problem was properly defined, he very poignantly summed up the reason computer security was inadequate at the time—and I would argue still is inadequate today:
“A large part of the design problem is attributable to the absence of models as a medium for translating security requirements to technical specifications and as a source of acceptance criteria for evaluating the product. Without such models, system developers are forced to apply ad hoc security related techniques throughout the design and implementation of the system. This approach inevitably leads to exploitable flaws and makes the security assessments necessary for certification virtually impossible [2, emphasis mine].”
He rightly points out that a lack of models hampers any ability to adequately design a requirement. Where I feel he goes astray is that he never gets to first principles to develop the model. Having never developed these first principles to inform the models, how could we possibly solve the cybersecurity problem? I relate to Anderson in his comment about “ad hoc security related techniques.” It feels to me that modern-day cybersecurity is largely a suite of ad hoc programs and devices, marketing buzzwords, and fancy advertisements. However, I believe that the concept of first principles and dedicated, rigorous study of the problem to arrive at first principles can get us to where we need to be. This is not to dismiss the significant contributions of others in the field; there are many other smarter and better thinkers than I who have tried to solve this problem.
Contributor
Nicholas Seeley
Senior Vice President of Engineering Services, Engineering Services
nicholas_seeley@selinc.com
[1] Willis H. Ware, “Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security,” RAND Corporation, Santa Monica, 1969.
[2] J. P. Anderson, “Computer Security Technology Planning Study,” USAF, Bedford, 1973.