Revisiting Past Cyber Security Recommendations: Lessons we Have Failed to Learn


  • Matthias Schulze IFSH
  • Jantje Silomon Institute for Peace Research and Security Policy (IFSH)



History of IT Security, Security Controls, lessons learned


Cyber-security is constantly evolving as new technologies introduce new vulnerabilities and threat actors constantly develop new techniques to penetrate systems. Much focus in scholarship is on the cyber-offense, while few analyse changes in the cyber-defence posture. Since its inception, defensive information security has evolved and introduced a plethora of new security controls to either prevent, detect, mitigate, or respond to new cyber-attacks. When studying cyber-incidents, a paradox becomes apparent: often, low-end security failures are responsible for most breaches, such as default system configurations and credentials or violations of the principle of least privilege. Even security-sensitive organisations such as the US DoD or IT companies suffer from this paradox, as a recent NSA/CISA report indicates: large sums are spent on high-end security programs only to be compromised by low-end attacks. This paradox becomes even more pronounced when introducing a longitudinal historical perspective: many of these issues have been known for decades, as reports from the 1970s show. These include inadequate hardware and software not designed with security in mind, the issue of managing resource access controls in a multi-user environment that includes remote terminals (aka a cloud infrastructure), malicious insider threats that bypass security controls, as well as the issue of applying timely software patches. In sum: while the IT security industry is rushing to introduce new high-level security controls and technologies, the main issues seem to be age-old problems and the failure to learn lessons from the past, warranting a historical approach. In this paper, the origin of security controls is examined, shedding light on relevant best practices, recommendations and why they emerged.
Starting in the 1960s, we analyse the emerging technologies of each subsequent decade, explore what changes in IT-security controls these new technologies necessitated, and how IT and later cyber-security changed over the years. Furthermore, the aftermath of selected cyber-attacks is analysed to explore potential shifts in security paradigms beyond those introduced by technology itself.