When Did Cyber Security Start?

You may have seen some suggestions that cyber security started with the first antivirus, and a date given of 1987 as the first year of commercial antivirus.

Sorry to say that it’s wrong (at least I find it wrong). If we try again, then we could say 1971 when the first worm (Creeper) was released, along with arguably the first antivirus in the single-purpose Reaper in 1972. While Reaper was designed to remove copies of Creeper, it did move and replicate through the ARPANET, so arguably was another worm itself.

While I can see the argument for Creeper and Reaper as a start date, I can’t bring myself to agree. Either we point at arbitrary events to describe when cyber security started, which could take us back to 1966 (the time-sharing mainframe CTSS suffered a password breach as the welcome message got switched with the master password file), 1971 (the launch of the ARPANET), or even 2003 when the US government established the National Cyber Security Division.

The Beginning of Cybersecurity

Cyber security began between 1970 and 1972 with the publications of the Ware and Anderson reports. I will explain below how I came to this conclusion and the important historical points you need to be aware of for this answer to make sense.

To get to the start, we need to decide what cyber security really means. I go with the definition that it’s the discipline of security applied to the cyber domain.

The cyber domain is ‘a global domain within the information environment consisting of the interdependent networks of information, technology infrastructures and resident data, including the internet, telecommunications networks, computer systems, and embedded processors and controllers’. (NIST)

Security on the other hand is protection of assets from threats. Assets can be anything, including people, information, or physical systems. Threats (when we’re dealing with security) can ultimately always be traced back to a person.

If Cyber Security Didn’t Start in 1987, Then When?

I tend to stick to a few different dates. 1969 was when the first two nodes of the ARPANET came online, even if it wasn’t declared operational until 1971. Just because something exists, though, doesn’t mean that a formal security discipline exists around it. Really we need to look at when people started formally considering approaches to security in the cyber domain.

That leaves us with a couple of reports which were the first to formally consider the aspects of security.

The Ware Report

The first of these is the creatively named ‘Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security’ by Willis H. Ware (and others), published in 1970. Published here is a generous word, as originally the report was classified as Confidential until DARPA declassified it in 1975. The Ware report set out a number of different controls which would be recognised as fundamental by any cyber security professional today. Even where some terminology has changed over time, concepts are familiar to anyone who has studied or practised cyber security.

The Ware report set out a number of what it calls vulnerabilities, although nowadays we would refer to them as threats since they are external and uncontrolled rather than weaknesses within a system.

1. Accidental Disclosure - what we now might call a negligence threat, the result of failure of some component or control whether hardware, software, or configuration by an operator
2. Deliberate Penetration - a malicious threat, although the report then makes a distinction between a passive approach (such as wire tapping, covered under Passive Subversion) and an active approach referred to as Active Infiltration which includes compromise or elevation of privilege by a legitimate user
3. Physical Attack - mentioned by the report, but specifically called out as outside the scope

What’s fascinating about the Ware report, and the next ones we’ll be talking about, is how modern many of the approaches taken in them are. As an example, threat modeling (or modelling) is often considered to have started in 2004 when Frank Swiderski and Window Snyder wrote the **first book**on it. There are some earlier references, but most consider it to have begun at the earliest in the 90s. Given that (good) threat modelling is now seen as essential to designing secure systems (though far too often overlooked, leaving us in the insecure world we inhabit), we’d expect to see it popping up fairly early on in the timeline.

Image taken from the Ware Report, showing something anyone aware of threat modelling should find very familiar.

The diagram above should be recognisable to anyone as at least a basic threat model, showing different attacks and vulnerabilities of a system. Further in the report we have recommendations for controls, what we might now recognise as architectural principles for secure system development, consideration given to risk management and costs, and far more. Some terminology has changed over the years, and the report itself considers multi-use systems (i.e. what we’d now consider mainframes and terminals) rather than the true peer to peer networking that would come along shortly, but even a brief reading shows the foundational thinking that underlies even the most modern cyber security approaches.

The Anderson Report

So we’ve got an argument for 1970 as the date cyber security started. The only problem is that while there’s mention of networks, in 1970 the ARPANET wasn’t really in an operational state so the definition of network was more about a multi-user mainframe with remote terminals. Lets step a little further into the future-past, with the publication of the equally creatively named ‘Computer Security Technology Planning Study’ Volume I and Volume II.

James P. Anderson also worked on the Ware report previously, and his two-volume follow up drew heavily from and expanded upon it. Many of the recommendations he made for designing and implementing secure systems have, frankly, been ignored over the decades to the detriment of the cyber security ecosystem, and some are being rediscovered and renamed.

To take an example, if you’ve heard of zero-trust network architecture, you can find the core concepts that lead to the approach in volume 2 of the report. More importantly for those of us trying to define a conception date for cyber security, the Anderson Report talks a lot more about the ‘movement toward the establishment of large dispersed networks of related computer systems’. This gives us a more modern perspective of networks being key to cyber security.

So When Did Cyber Security Start?

We’ve got our answer. Admittedly, it might cover a range, but there’s a stronger argument for it than there is for saying it began with the first software tool of a particular type. Cyber security is about a methodical, considered approach to security within the cyber domain. Since the cyber domain didn’t exist (in any practical way) before the 1970s, we’re not going to need to look back further, but the pioneers of the field were very much active and thinking about the problems we still struggle with today back in that time.

My answer - cyber began in the years between 1970 and 1972 with the publications of the Ware and Anderson reports. And if you read those reports carefully, it’s changed surprisingly little since then.