CSO Perspectives (Pro) 5.17.22
Ep 5559 | 5.17.22

Bonus: Cybersecurity Canon Hall of Fame interview with Ben Rothke on "A Vulnerable System: The History of Information Security in the Computer Age."



Rick Howard: You're listening to the theme song of the HBO long-running hit "Game of Thrones," the unofficial anthem for the Cybersecurity Canon Project, the project designed to find the must-read books for all cybersecurity professionals because one of the greatest characters of all time, Tyrion Lannister, had this to say about reading books. 


Kit Harrington: (As Jon Snow) Why do you read so much? 

Peter Dinklage: (As Tyrion Lannister) Well, my brother has a sword, and I have my mind. And a mind needs books like a sword needs a whetstone. That's why I read so much, Jon Snow. 

Rick Howard: Which means it's Cybersecurity Canon Week here at the CyberWire, where we are interviewing all the Canon Hall of Fame inductee authors for the 2022 season. I'm Rick Howard, the chief security officer, chief analyst and senior fellow here at the CyberWire. And today's book is called "A Vulnerable System: The History of Information Security in the Computer Age" by Andrew Stewart. Enjoy. 


Rick Howard: I'm joined by Ben Rothke, a very old friend of mine, one of the original members of the Cybersecurity Canon Committee, a senior information security manager at Tapad and - how do I say this, Ben? - a voracious reader. Thanks for coming on the show. 

Ben Rothke: Pleasure. 

Rick Howard: So, Ben, you and I have been involved in the Cybersecurity Canon Project since its inception. I remember going to dinner with you and Steve Winterfeld, another founding committee member, at the RSA Conference in 2013 to try to convince you to be part of the project. And you didn't hesitate for a second. So if I've never said it before, thanks for volunteering. You know, the canon project couldn't be what it is today without your efforts back then and which continues today. 

Ben Rothke: Yeah, my pleasure. You know, thanks for spearheading things and starting it. 

Rick Howard: So today, we're talking about the latest entry into the Cybersecurity Canon Hall of Fame, a book called "A Vulnerable System: The History of Information Security in the Computer Age" by Andrew J. Stewart and published by Cornell University Press in September 2021. And, Ben, you know Andrew, right? 

Ben Rothke: Yeah. I mean, it's one of those, you know, sort of internet friends. We've never met in person. But yeah, we go back, you know, a number of years. Actually, I was an advance reader of the book. So yeah, I enjoyed it from before it was publicly available. 

Rick Howard: So you wrote the original review for this for the canon project. So why is this a Cybersecurity Canon Hall of Fame inductee? 

Ben Rothke: For a lot of reasons. Those getting into technology or anything generally or information security specifically, it's often if you just jump in and, you know, start doing things. But, you know, Santayana said those who don't learn history are doomed to repeat it. So this is, in large part, a history of information security. As Isaac Newton said, if I've seen further, it's by standing on the shoulders of giants. I think this really shows the context of information security, its history and where it's coming from and, you know, how we got here today, how some of the issues that are, you know, inherent in the design of, you know, the first computers and some of the trajectories which were mistaken plague us today. 

Ben Rothke: So I think it really is a fundamental text because really, to - you can't just do information security. You have to, you know, understand its history. And, yeah, I mean, sure, you know, someone can be a firewall administrator. You could harden, you know, Linux boxes. So that's in a very limited sense. But if you're working at the enterprise level in the big picture and understand what this thing called security is, you know, having this understanding of, you know, how we got here today really can be a good linchpin to, you know, how are you going to go, you know, move forward? 

Rick Howard: I thought the section of the book about the early history was fascinating. He covers the period of mainframe computers from the beginning of the digital age - I mean, this is way back to the 1940s - and the incipient research of how to secure them. And he makes the case that earlier researchers tried to design a secure computing system but never really attained that goal. And so I love that little, you know, storytelling there. Did you have a favorite part of the history that you like? 

Ben Rothke: Security is all about trade-offs. And, you know, we could never build a perfect system, and you've got complex programs with hundreds of thousands or millions of lines of code. Bugs are, you know, inherent, and it's impossible to certify and prove security. And I think that's - from an academic perspective, it's almost impossible to build any system that's, you know, provably secure. But once again, you need to know that going in the real world is that, you know, everything really is a trade-off. 

Rick Howard: That's really a good point. Yeah. That's a very good point. 

Ben Rothke: And that's - once again, if you're in a, you know, small auto body shop, then security means one thing. If you're at, you know, a brokerage, and you're, you know, making billion-dollar trades, obviously, you need a lot more security there. I mean, you know, he talks about the economics of security, the psychology of security. You know, that drives everything. 

Rick Howard: One of the main theses of the book is that there are three stigmata that are causing us to fail as an infosec community. And I had to look up stigmata in the dictionary and find out what it meant, right? So from dictionary.com, a stigmata is a mark of disgrace, like a stain on one's reputation. And according to Stewart, the three stigmata are data breaches, nation-state activity and opportunity cost created by epistemic closure. Epistemic closure - another word I had to go look up, you know, and that means alternate reality. Like, you know, he was - he's really up against stunt hacking. So if I'm reading this right, Stewart is saying that because of data exfiltration, espionage activity and DEFCON stunts - made famous by the Cult of the Dead Cow, by the way, back in the early 2000s - there is a permanent stain on the infosec community. Is that how you're reading it? 

Ben Rothke: It's not like the mark of Cain. But from an economic perspective, you know, we're pouring more and more into security, but each year, you know, the biggest breach ever, you know, turns into the next biggest breach ever. 

Rick Howard: Well, you know, Stewart seems to be saying, and we just need to recognize that, you know, that it's not a completely solvable situation. The stain is that we poured all these resources into cybersecurity for the past 30 years, and it feels like it's getting worse. But like you said early on, it's a trade-off on what you're trying to do with all the security features and functions and vendor products that we have. Am I... 

Ben Rothke: Oh, yeah. I mean, it's easy to get depressed about things. I mean, there - the CDC has - they, you know, weekly, they come out with, I think it is death and morbidity weekly. If you would only read that, it would be, you know, quite depressing. But there are a lot of security issues. But with that, it is working well. You know, things are taken seriously. You know, security people are empowered. He praises Bill Gates some years ago when he shut things down at Microsoft and said, we have to, you know, start taking security more seriously. 

Ben Rothke: So, you know, there are a lot of breaches. There's a lot of nation-state attacks. Things are working. There's a lot of smart security people out there. There's companies that are taking it seriously. There are CIOs that will not push out a new version of an application if security doesn't sign off on that. So yeah, there are depressing things about it, but, you know, let's not focus exclusively on that. There is a lot of good stuff going on. 


Rick Howard: That's Ben Rothke, the senior manager at Tapad, and the book is called "A Vulnerable System: The History of Information Security in the Computer Age" by Andrew Stewart. And it's the latest addition into the Cybersecurity Canon Hall of Fame. For more information on the project, go to your favorite search engine and look up Cybersecurity Canon - that's canon with one N, as in canon of literature, not two Ns, where you blow stuff up - and Ohio State University, the project's official sponsor.