Honoring the Fathers (and Mothers) of Cybersecurity on July 4th


The United States of America would never have existed (at least not in the way we know it) if not for the contributions of a small group of visionaries we know as the Founding Fathers. These men – John Adams, Benjamin Franklin, Alexander Hamilton, John Jay, Thomas Jefferson, James Madison, George Washington, and a host of others – built a framework of government that lasts to this day.

To mark July 4th, we decided to come up with a list of Founding Fathers (and Mothers) of Cybersecurity. This was no easy task. After all, there is no cybersecurity equivalent to the 1787 Constitutional Convention in Philadelphia, the Federalist Papers, or any of the other forums in which America’s Founding Fathers debated ideas back and forth. Cybersecurity was not invented in one place and time but has developed over time, with each expert building on the work of those who came before them.

For the purposes of this article, we focused not on founders of cybersecurity businesses or solutions but on visionaries who developed theories and standards still used in cybersecurity today. Hundreds of names could be rightly considered pioneers of cybersecurity. We felt that these seven people (or in one case, a group of people) stood out.

1. Auguste Kerckhoffs

Image: Auguste Kerckhoffs (unknown author; from Eugen Drezen, Historio de la Mondo Lingvo, Leipzig, 1931)

For our first Founding Father, we have to go way back to the late nineteenth century when Dutch linguist and cryptographer Auguste Kerckhoffs devised his six principles of practical cipher design. The second and best-known principle, known simply as Kerckhoffs’ principle, states that a cryptosystem “should not require secrecy, and it should not be a problem if it falls into enemy hands.” This principle was later reformulated by American mathematician Claude Shannon, who said, “one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.”

Kerckhoffs’ principle and Shannon’s maxim stand in contrast to the principle of “security by obscurity,” which argues that if the inner workings of a system are kept secret, it will be less vulnerable to hackers. Today, the Kerckhoffs-Shannon concept is favored in the cybersecurity and cryptography communities, where it is recognized that open discussion and analysis of algorithms leads to better and more secure systems. As an example, protocols like HTTPS, SSL, and TLS are all open source. The only thing actually hidden from the view of cybercriminals is the private key sent between your server and the connecting clients.

2. Ray Tomlinson

The modern history of cybersecurity can be traced back to the 1970s when a researcher named Bob Thomas created an experimental computer program named Creeper that was able to move between the mainframe computers running the TENEX operating system using the ARPANET (Advanced Research Projects Agency Network). Thomas’s program was not malicious; its only effect was to place a message on the teletype reading, “I’M THE CREEPER; CATCH ME IF YOU CAN.”

In response, Ray Tomlinson – yes, the man who implemented the first email program on that same ARPANET system – created Reaper, a similar program that moved across the ARPANET system and deleted Creeper. So, in addition to being a Founding Father of email, Tomlinson can be considered a Founding Father of anti-virus programs and cybersecurity.

3. F. Lynn McNulty

Lt. Col. Frederick “F.” Lynn McNulty was the first Director of Information Systems Security for the U.S. State Department. During his 30-year career, he was repeatedly asked to testify on cybersecurity matters by U.S. House and Senate sub-committees. He has been called the father of U.S. federal cybersecurity infrastructure for his influence on the deployment of key federal cybersecurity infrastructure.

According to SCMagazine.com’s Robert Bigman, McNulty’s contributions to cybersecurity are “woven into the DNA of almost every government information security policy and program.” Bigman credits McNulty’s security initiatives as the basis for The Computer Security Act of 1987, which charged the National Institute of Standards and Technology with responsibility for developing standards and guidance to improve the security and privacy of federal computer systems.

4. Dorothy Denning

The only “Founding Mother” on our list, Denning is credited with numerous cybersecurity innovations including lattice-based access control (LBAC) and intrusion detection systems (IDS). A veteran information security researcher, she is currently Emeritus Distinguished Professor of Defense Analysis at the Naval Postgraduate School.

While working at SRI International in the 1980s, Denning and Peter G. Neumann developed an IDS model using statistics for anomaly detection that is still the basis for intrusion detection systems today. The model combined a rule-based Expert System to detect known types of intrusions with a statistical anomaly detection component based on profiles of users, host systems, and target systems.

Other initiatives Denning is credited with include timestamps in key distribution protocols, cryptographic checksums for multilevel database security, and a method for improving the security of digital signatures with RSA and other public-key cryptosystems.

5. Frederick B. Cohen

A veteran computer scientist, Frederick B. Cohen is considered a pioneer in computer virus defense techniques and in fact invented the term “computer virus.” In 1983, while a student at the University of California’s School of Engineering, he wrote a paper calling attention to the importance of studying computer viruses. He later pioneered many computer protection techniques, including core technologies used in anti-virus software and trusted platform modules.

Today Cohen is seen as an expert in management, particularly as it relates to information technology and risk. He also leads and participates in government and privately sponsored academic research on topics related to IT.

6. Ron Rivest, Adi Shamir, and Leonard Adleman

If you look closely at these people’s surnames, you’ll notice they spell out the acronym RSA. That’s no coincidence, for Ron Rivest, Adi Shamir, and Leonard Adleman were the developers of RSA, a public-key cryptosystem still widely used for secure data transmission today. They publicly described their algorithm in a 1977 paper.

Another trio, Whitfield Diffie, Martin Hellman, and Ralph Merkle, also deserve mention here for their invention of the Diffie-Hellman key exchange, a method of securely exchanging cryptographic keys over a public channel and one of the first public-key protocols.

7. Carl Landwehr

Carl Landwehr’s incredible career has seen him lead cybersecurity research programs at the National Science Foundation (2001-2004, 2009-2011), IARPA (2005-2009), Mitretek Systems and the Naval Research Laboratory (1982-1999). From 2007 to 2010, he served as editor-in-chief of IEEE Security & Privacy Magazine and was associate editor of several IEEE journals. He is currently lead research scientist at the Cyber Security Policy and Research Institute at George Washington University.

Landwehr has published a number of influential papers covering topics such as the identification of software vulnerabilities toward high assurance software development, architectures for intrusion-tolerant and multilevel security systems, token-based authentication, and system evaluation and certification methods.

The sheer breadth of work earns Landwehr a place in our list of Founding Fathers of cybersecurity.

Cybersecurity – a never-ending project

Like the Constitution and other structures of American governance, the field of cybersecurity owes its existence to great thinkers of the past but is also capable of evolving to keep up with the times. We look forward to watching new generations of men and women make their impact on the world of cybersecurity.
