michaeltanji
Contributor

Listening to the echoes of cybersecurity history

Opinion
Jan 17, 2018 | 5 mins
Cyberattacks, Data and Information Security, Technology Industry

Advancing the cause of security means letting the lessons of the past inform our actions today.

The start of every new year brings with it a promise to ourselves to follow a new path. This is an effort to avoid mistakes we know will lead to unsatisfactory outcomes. Sadly, cybersecurity suffers from the same problems we face in other aspects of our lives: the ease with which we adhere to poor decision-making or lapse into behaviors that we know are not good for us.

While it is true that the market for cybersecurity products and services has been growing, the problems are the same, the impacts are worse, and while we make progress in discrete areas, at a meta level we’ve effectively been standing still.

SANS publishes Top 25 Software Errors and the Open Web Application Security Project (OWASP) publishes its Top 10 vulnerabilities list; the nature of the problems noted in both lists has remained disturbingly consistent over time. The Common Vulnerabilities and Exposures (CVE) list cannot keep up with the demand for its alphanumeric designators. In other words: there are so many problems we cannot keep track of them.

How we got here

Allow me to dispel the notion that any problem we are dealing with in cybersecurity today is new:

  • In 1976 a book called Computer Capers documented this then-new and scary problem of computer crime. It addressed system vulnerabilities, theft of intellectual property and money, and insider threats.
  • In the mid-1980s The Cuckoo’s Egg was a detailed account of how a telephone billing discrepancy led to the discovery of Soviet intelligence using German hackers to exploit U.S. government and affiliated computer systems.
  • In 1998 a series of attacks on DOD computers was detected. The prevailing theory at the time was that it was a preemptive move on the part of the Iraqi government. Ultimately three teenagers with no political-military motivations were identified as the perpetrators.
  • In 2007 over 45 million credit and debit card details were lost in a data breach at TJX companies. At the time it was the largest loss of such data. The biggest breach before that? 40 million records in 2005 at CardSystems Solutions.

Documenting the total number of computer security incidents that have occurred in just the U.S. would fill several volumes. I have given you some prominent examples to show that the same problems go back decades. Yet in 2011 the then-Deputy Commander of U.S. Cyber Command complained about the “…real dearth of doctrine and policy in the world of cyberspace.” This came as a surprise to those of us who contributed to policy-making because it seemed to ignore things like:

  • 1998: Joint Doctrine for Information Operations
  • 2003: National Strategy to Secure Cyberspace
  • 2006: National Infrastructure Protection Plan

This is a very modest sample of just the unclassified governmental documents that address these issues. It does not include classified documents, or the dozens of other reports and studies from other governmental and non-governmental organizations. That is not a dearth but a deluge.

Groundhog Day

From the first PCCIP report to the National Strategy to Secure Cyberspace to the CNCI and everything in between, everyone who has studied these issues has come to the same conclusions about what is required to address them. Because security activities are neither coordinated nor mandatory, to paraphrase science fiction author William Gibson: the knowledge required to improve cybersecurity is known; it is just not evenly distributed.

  • Not a day goes by without yet another story in the media of how vulnerabilities in computer systems are exploited at the expense of the legitimate system owner; stories that are indistinguishable from those captured in Computer Capers, a book that is forty years old.
  • Thirty years ago, Dr. Stoll related in The Cuckoo’s Egg how he tried to get domestic and international law enforcement agencies, intelligence agencies, and private industry to work together to catch the Hanover Hackers. Anyone who works a computer crime case today finds themselves fighting those same battles.
  • Exploiting vulnerabilities in widely-used code was a new thing when the Morris Worm ran roughshod over the Internet in the 80s, yet things like Heartbleed and Shellshock are treated like something novel.

Pundits talk about the hack-of-the-month as a “wake up call” when in fact after every incident we push the snooze button and pull the covers over our heads. Any lessons we might have learned are quickly forgotten or ignored, and the process of wheel-reinvention begins anew.

Breaking the cycle

Forward progress requires action. Action that will have an impact at scale. What actions to take should be informed by hard-fought lessons learned, and by the recognition that how we’ve been doing things hasn’t been sufficient.

  • Study and appreciate our history. Security was being done before the Internet was a thing. If names like Parker and Neumann are unknown to you, you’ve not gone nearly far back enough.
  • Focus on gaining ground, not scoring points. Like football, this is a business of inches. Make enough small gains and you’ll be surprised where you end up; try to be Doug Flutie every day and you’re going to be sorely disappointed.
  • Aim for the center mass. Your solution for some edge-case may earn you nerd street cred, but it is not going to improve the situation for the 99%. The things that make a real difference are usually the most unglamorous and mundane.
  • Give some thought to design and usability. The people who need the most help when it comes to security will not use the command line. Elegant code that doesn’t get used is not a solution, it’s a hobby.

We can listen to and learn from the echoes of history, or we can keep doing what we’ve been doing and wonder why nothing changes. I don’t know that I’ll ever retire a security problem, but I’d like to retire knowing I contributed to forward progress.

Michael Tanji currently serves as Chief Operating Officer of Senrio, an IoT security start-up. He was co-founder and Chief Security Officer at Kyrus Tech, a computer security services company, one of the co-founders of the original Carbon Black, and the former CEO of Syndis.

Michael began his career as a member of the U.S. Army’s Military Intelligence Corps, working in a number of positions of increasing responsibility in signals intelligence, computer security and information security. He is a veteran of Operation Desert Storm and was stationed in various locations in the U.S. and overseas.

After leaving active duty Michael worked as a civilian for the U.S. Army’s Intelligence and Security Command, leading a team of analysts and programmers supporting intelligence missions in the Pacific theater. His service with INSCOM culminated as the Technical Director of the J6 in his command, responsible for evaluating, acquiring and deploying information technology in support of intelligence collection and analysis missions.

Michael left INSCOM to join the Defense Intelligence Agency, where he deployed in a counterintelligence/human intelligence role in support of Operation Allied Force. He later served as the lead of the Defense Indications and Warning System, Computer Network Operations, responsible for providing strategic warning of cyber threats to the DOD. He was one of the handful of intelligence officers selected by-name to provide intelligence support to the Joint Task Force – Computer Network Defense, the predecessor to what would eventually become U.S. Cyber Command. His expertise led to his selection as his agency’s representative to numerous joint-, inter-agency, and international efforts to deal with cyber security issues, including projects for the National Intelligence Council, National Security Council, and NATO. After September 11, 2001 Michael created the DOD’s first computer forensics and intelligence fusion team, which produced the first intelligence assessments based on computer-derived intelligence from the early days of the war on terror.

After leaving government service in 2005 Michael worked in various computer security and intelligence roles in private industry. He spent several years as an adjunct lecturer at the George Washington University and was a Claremont Institute Lincoln Fellow.

Michael is the editor of and a contributor to Threats in the Age of Obama, a compendium of articles on wide-ranging national and international security issues. He has been interviewed by radio and print media on his experiences and expertise on security and intelligence issues, and had articles, interviews, and op-eds published in Tablet Magazine, Weekly Standard, INFOSEC Institute, SC Magazine and others.

Michael was awarded a bachelor’s degree in computer science from Hawaii Pacific University, a master’s degree in computer fraud and forensics from George Washington University, and earned the CISSP credential in 1999.

The opinions expressed in this blog are those of Michael Tanji and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.