2.2. Computer Security: Then and Now
In the early days of computing, computer systems were large, rare, and very expensive. Naturally enough, those organizations lucky enough to have a computer tried their best to protect it. Computer security was simply one aspect of general plant security. Computer buildings, floors, and rooms were guarded and alarmed to prevent outsiders from intruding and disrupting computer operations. Security concerns focused on physical break-ins, the theft of computer equipment, and the physical theft or destruction of disk packs, tape reels, punched cards, and other media. (This was in the day when you could destroy a program by grabbing its card deck and scattering it to the wind. Incorrect reassembly of the card deck could cause some memorable computer errors. It was important to choose carefully one's victim in such a prank, lest they be faster or stronger than they appeared.)
Insiders were also kept at bay. Few people knew how to use computers, and only those who knew the secrets of the machine were privileged to stand in its presence. Most users never saw the computers that crunched their numbers. Batch processing meant that users submitted carefully screened jobsoften through protected slots in the doors of computer roomsto operators who actually put the machine through its paces.
Times changed. During the late 1960s and 1970s, computer technology was transformed, and with it the ways in which users related to computers and data. Multi-programming, time-sharing, and networking dramatically changed the rules of the game. Users could now interact directly with a computer system via a terminal, giving them more power and flexibility but also opening up new possibilities for abuse. Acoustic couplersmodems with foam pads into which a telephone handset was insertedallowed connectivity not just in the computer room or building, but from cities far away.
Telecommunicationsthe ability to access computers from remote locations and to share programs and dataradically changed computer usage. Large businesses began to automate and store online information about their customers, vendors, and commercial transactions. Networks linked minicomputers together and allowed them to communicate with each other and with mainframes containing large online databases. It became much easier to make wholesale changes to dataand much easier for errors to wreak widespread damage. Banking and the transfer of assets became an electronic business.
The increased ease and flexibility of computer access also had a dramatic impact on education. Universities and other schools that could not afford their own computer installations now found it possible to tie into computer networks and centralized computers and databases.
Finally, personal computers put the processing power on the desktop. Expensive mainframe connections were useful, but not always needed. More and more students had an opportunity to experiment with computers, and computers increasingly became a part of the curriculum. The result was a huge increase in the number of people who knew how to use computers. The desire to access shared resources led to interconnection of computers, which led eventually to the Internet. Today, if some resource is not available in the machine on your desk, that machine can connect to another that has the resource.
Inevitably, the increased availability of online systems and information led to abuses. Computer security concerns broadened. Instead of worrying only about intrusions by outsiders into computer facilities and equipment (and an occasional computer operator going berserk), organizations now had to worry about computers that were vulnerable to sneak attacks over telephone lines, and information that could be stolen or changed by intruders who didn't leave a trace. Incidents of computer crime began to be reported. Individuals and government agencies expressed concerns about the invasion of privacy posed by the availability of individual financial, legal, and medical records on shared online databases. As computer terminals and modems became more affordable, these perils intensified.
The 1980s saw the dawn of a new age of computing. With the introduction of the personal computer, individuals of all ages and occupations became computer users. Computers appeared on desks at home and at the office. Small children learned to use computers before they could read. As the price of systems dropped, and as inexpensive accounting packages became available, more and more small businesses automated their operations. PC technology introduced new risks. Precious and irreplaceable corporate data was now stored on diskettes, which could too easily be lost or stolen.
As PC networks proliferated, so did the use of electronic mail, and bulletin boards, dramatically increasing the ability of users to communicate with other users and computers, and vastly raising the security stakes. In the past, even a skilled attacker might have breached security only in a single computer, installation, or local area network; now she had the potential to disrupt nationwide or even worldwide computer operations.
The 1980s also saw systems under attack. Theoretical possibilities came to life as War Games-like break-ins played themselves out on the front pages of local newspapers: the Internet worm, the Friday the 13th virus, the West German hackers of Cuckoo's Egg fame, and players at espionage. Government, business, and individual users suddenly saw the consequences of ignoring security risks.
The 1990s faced the challenges brought by open systems, distributed computing, and massive interrelationships between network elements. Along with an increasing dependence on networks and the need to share data, applications, and hardware/software resources across vendor boundaries came increasing security risks. In this decade the security business came of age, with more vendors developing trusted systems, bundling security functions, and beginning the development of biometric devices and network security products such as firewalls and intrusion detection systems. Still, security systems lagged behind the technologies they sought to control. Both businesses and individuals lagged still further behind the growing ranks of attackers, many of whom were no longer elite hackers, but an annoying and dangerous breed of vandal known as the script kiddie, short on skill, long on a desire to interrupt computation for the sake of doing so.
In the 2000s, particularly after the attacks of 9/11, security took on a serious tone. Corporations and government alike became more willing to make security an integral part of their products and their jobs. New certifications for IT workers, such as the CompTIA's Security+, the (ISC)2 Certified Information System Security Professional CISSP, and the Cisco Certified Security Professional (CCSP) popped up, making security a hot ticket in an otherwise flagging industry.
The challenge of this decade will be to consolidate what we've learnedto build computer security into our products and our daily routines, to protect data without unnecessarily impeding our ability to access it, and to make sure that both security products and government and industry standards grow to meet the ever-increasing scope and challenges of technology.