Revisiting Past Cyber Security Recommendations: Lessons We Have Failed to Learn

30.05.2024

Cybersecurity is constantly evolving as new technologies introduce new vulnerabilities and threat actors develop new techniques to penetrate systems. Much scholarship focuses on cyber-offence, while few studies analyse changes in the cyber-defence posture. Since its inception, defensive information security has introduced new security controls to prevent, detect, mitigate, or respond to new cyberattacks. More recent measures include implementing machine learning and behavioural analysis, DevSecOps as well as building Zero-Trust architectures, among others.

When studying cyber-incident defence, a paradox becomes apparent: in many cases, low-end security failures, such as default system configurations and credentials or violations of the principle of least privilege, are responsible for a majority of breaches. Even security-sensitive organisations such as the US Department of Defense or IT companies suffer from this paradox. A recent joint report from the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) indicates that such organisations spent large sums on high-end security programs just to be compromised by low-end attacks. The paradox becomes even more pronounced when introducing a longitudinal historical perspective. A US Air Force report from 1972 identifies similar security problems to those we still face today.

These include inadequate hardware and software not designed with security in mind, the issue of managing resource access controls in a multi-user environment that includes remote terminals (aka a cloud infrastructure), malicious insider threats that bypass security controls, as well as the issue of applying timely software patches. In sum: while the IT security industry is rushing to introduce new high-level security controls, the main problems in securing systems seem to be age-old problems. Thus, a historical approach to cyber-security is warranted.

In this talk, we will examine security controls of past decades, shedding light on relevant best practices and recommendations. Starting in the 1950s, we will analyse the emerging technologies of each subsequent decade and ask what changes in IT-security controls these new technologies necessitated and how cyber-security changed in general over the years. Furthermore, the aftermath of selected cyberattacks will be analysed to explore potential shifts in security paradigms beyond those introduced by technological development.

Matthias Schulze

Institute for Peace Research and Security Policy at the University of Hamburg

Dr. Matthias Schulze is the head of the research focus “International Cybersecurity” at the Institute for Peace Research and Security Policy at the University of Hamburg (IFSH). Before his work at IFSH, he was the deputy head of the Security Research Group at the German Institute for International and Security Affairs (SWP), as well as the Principal Investigator in the European Repository of Cyber Incidents project. 

He completed research stays at the Canadian Citizen Lab and researched and taught at the Chair of International Relations at the Friedrich-Schiller University in Jena, where he obtained his PhD in Political Science. In addition, he is the host of the Percepticon.de podcast on his main topics: cyber conflicts, cyber espionage, and disinformation.

Jantje Silomon

IFSH

Jantje Silomon joined IFSH as a researcher in April 2019 and became part of the “International Cybersecurity” (ICS) team in January 2021. Previously, Jantje was based at the University of Oxford, conducting her doctoral research on the topic of malware weaponisation. She completed her BSc in Computer Science, before spending some time in South East Asia, predominantly China.

Upon returning to the UK, she worked in academia and industry, while also gaining an MRes in International Security and Global Governance.