ROBERT SLADE ABOUT THE HISTORY OF INFORMATION SECURITY: A REVIEW’S REVIEW

Robert Slade is a well respected and well known infosec practitioner
who has every right not to like a handbook like the one I edited, if
only because -with several kilograms in weight- it cannot pass for a
pocket book. In most cases, however I do not regard his criticisms as
appropriate or fair.
Slade’s objections can be summarized as follows:
(1) the book does not mention works by Denning, Stamp or Winkler:
authors Slade has reviewed previously;
(2) the book omits important topics such as malware, cryptographic
infrastructure or physical security;
(3) the book is subdivided randomly and the titles of various parts
are misleading;
(4) contributions about topics that are treated, such as privacy or
internet security, are “incomplete”, “terse”, “unpolished”, or
“scattered”;
(5) the book is more about people than about technology, and,
therefore, questions related to the influence of technology on
politics or the other way round cannot be analyzed properly;
(6) the book does not offer an historical overview from one, all
compassing vantage point

To start with the first item in the list, about not mentioning
Denning, Stamp or Winkler. D.E. Denning is mentioned eighteen times,
P.J. Denning (her father I believe) is mentioned three times. P.J.
Denning is the editor of a very interesting book reviewed by Slade ten
years ago, dealing about the future of computer security, not about
its past. Stamp and Winkler are authors of excellent “how-to-books”,
containing some points of historical interest, but they do not offer
any historical narrative. What I had hoped to include, for instance,
was a history of I 4: a time honoured institution where large
companies have been sharing their experiences with cyber crime and
industrial espionage. Without it, the history of information security
cannot be written properly. It did not come as a surprise, however,
that nobody could be found to write it. The information required, may
still affect the share values of the companies involved.
The second statement, about omitting important topics in the industry
such as malware, physical security: this is simply not true. Malware
is discussed in three contributions: those by DeNardis, by Brenner and
by Jacobs and his fellow authors. Physical security is treated by
Yost, writing about Tempest and the radiation of cryptomachines; and
in contributions about SIGINT establishments where various attempts of
burgling embassies are mentioned. Some notes about a cryptographic
infrastructure can also be found in my contribution, but it doesn’t
affect computers as it is about the 18th century. One of the main
points of this book is to show, that current issues in information
security can already be found in the era of the electromechanical
machines or the era of parchment, ink and feather, albeit under
different conditions and different headings. The historian has to deal
with the fact that concepts and terms can change over time, as does
technology, whereas practices have still much in common.
Now about point three: the way in which the book is subdivided and the
misleading titles of its parts. The part about communications security
has an appropriate title, as it does not restrict itself to
cryptography, or to code breaking for that matter. The contributions
about Russian, American, Dutch and British SIGINT agencies, give
plenty of examples of the interception of letters or bribing of
officials. Nor is the book subdivided arbitrarily. The contributions
about privacy- and export regulations in part five are all about law
and compliance. They have also in common that they are dealing with
government policies, affecting the rights of citizens. The effort to
limit the export encryption software by the US government, is as
damaging to the privacy of the citizens of Europe, as is the
unprecedented and fully legal amassing of data by American enterprise,
which can only be curbed by a U.S. government more sensitive to
privacy issues than previous ones.
As for the presumed “incompleteness” of certain contributions: it may
well be true that ongoing research will reveal new facts or insights,
and this exactly how it should be. Science is cumulative. Many topics
have still to be investigated or have to be investigated more
thoroughly. Demanding that a handbook should only appear after
EVERYTHING has been investigated or known, is ridiculous. This is
tantamount to saying that handbooks should not be published at all.
That being said, I challenge Robert Slade to come up with a better, or
more comprehensive piece about the privacy debate in the U.S. and
Europe, than the one Jan Holvast has written for this book. The
tremendous advantage of his approach is, that it actually relates
forty years of history on both sides of the Atlantic in slightly more
than thirty pages.
Now about point five, the handbook being too much about people, and
not enough about technology. I can and will not deny that people play
an important role in the narrative of this book, but I hardly believe
that this constitutes a problem. For example, Diffie and Landau, point
out that the rise of open software community and the successful
evasion of U.S. export regulations by Philip Zimmermann through an
appeal on the Fifth Amendment, paved the way for the liberalization of
U.S. crypto policies around the turn of the millennium. Laura de
Nardis tells us that the whole concept of malware owes its break-
through to two people, Morris the father and Morris the son, working
at different sides of the law. Jack Copeland pointed to the decisive
role played by Thomas Flowers, an engineer at the British Post Office,
in the development of Colossus: a role impossible to plan or to
anticipate by any of his superiors or colleagues. To these examples
many more can be added of exceptionally gifted code breakers who were
able to force their way where nobody else could, more often than not
acting without the consent of their superiors . One of the strange
characteristics of the history of information security, is that so
many depend on what is done by so few. This does not mean, however,
that technical matters are ignored altogether: on the contrary. The
contributions about code breaking during the Second World War, for
instance, show which weaknesses of AXIS code traffic had to be
exploited in order to achieve success and explain how it was done.
Let me finish with Slade’s complaint about the lack of an overall view
of the history of information security. I can understand that such a
summary would come in handy for some one who doesn’t want to read
separate contributions. But I doubt whether a summary like that can be
written at this stage and the scope of the handbook does not demand
such a piece to be included. The history of information security is
treated from different angles which is exactly how it should be as the
approach followed in this handbook is multidisciplinary.