Cybersecurity governance: a prehistory and its implications

Date: 11 September 2017
Pages: 449-465
Published date: 11 September 2017
DOI: https://doi.org/10.1108/DPRG-05-2017-0026
Author: Bradley Fidler
Subject Matter: Information & knowledge management, Information management & governance, Information policy
Bradley Fidler is Assistant Professor of Science and Technology Studies,
Stevens Institute of Technology, Hoboken, New Jersey, USA.
Abstract
Purpose: The purpose of this paper is to understand the emerging challenges of cybersecurity
governance by analyzing the internet’s early history.
Design/methodology/approach: Tracing the design and management of early internet and network
security technologies in the USA in the 1970s and 1980s.
Findings: The US Department of Defense separated the research and management regimes for
networks and network security, with the latter restricted to military networks. As such, the absence
of cybersecurity technologies on the early internet was not an oversight, but a necessary
compromise. This ordering of networks and security had enduring technological, political and even
cultural consequences, which are breaking down today.
Social implications: Political, technological and metaphoric distinctions between networks and
security should be challenged; cybersecurity will transform internet governance.
Originality/value: New historical sources and analysis provide a novel perspective on contemporary
challenges of cybersecurity governance.
Keywords: Governance, History, Cybersecurity, Arpanet, Defense Data Network,
Transmission Control Protocol (TCP)/Internet Protocol (IP)
Paper type: Research paper
Introduction
This paper provides an analysis of early internet history, so as to better understand the
challenges faced in contemporary cybersecurity governance and its relationship to internet
governance. Its focus is on the design and management of the Arpanet, as well as the early
phase of the internet’s development, when the internet was centered on its Arpanet
backbone (c. 1979-1985). It argues that, during the 1970s, the US Department of Defense
separated major elements of the design and management of networks from the design and
management of network security. This separation of network from network security was a
consequence of the Department of Defense’s need to build and secure military networks:
not only did the networks require the security necessary to carry classified traffic, but many
of the technologies they used to provide this security were also classified. It impacted the
design and management of the internet in part because, through the mid-1980s, the
infrastructure and management of the civilian internet was a component of a larger military
internet, the Defense Data Network.

Received 22 May 2017; revised 1 July 2017; accepted 2 July 2017.
The author would like to thank Milton Mueller and two anonymous reviewers for their extremely insightful observations and criticisms – this paper is far stronger as a result of their contributions. The author would also like to thank Arpanet and early internet practitioners, many of whose interviews the author draws on here, for their time and insights. Any remaining errors are the author’s responsibility.
Digital Policy, Regulation and Governance, Vol. 19 No. 6, 2017, pp. 449-465, © Emerald Publishing Limited, ISSN 2398-5038, DOI 10.1108/DPRG-05-2017-0026

The split of networks from network security was extremely influential on the
development of the civilian internet. There are two major consequences of this split.
The first impact can be traced to the research and development strategy used by the
Information Processing Techniques Office (IPTO) of the Advanced Research Projects
Agency (ARPA; now DARPA). IPTO was the computing office within DARPA, the US
defense agency tasked with creating revolutionary technological advances for the
military. This strategy involved testing prospective computing technologies for the
Department of Defense in the unclassified, civilian world. If the technologies proved
successful, they could be transferred to the military or intelligence community for
(usually classified) use. In the case of computer networking, this meant unclassified
networking testbeds such as Arpanet, the general-purpose computer network funded
by DARPA that went online as an experiment in 1969. Through its funding of the
Arpanet, DARPA created a civilian networking community in the USA that designed,
built and managed unsecure networks. To put these networking technologies to use for
the military, DARPA funded research and development projects to add security
technologies in a modular fashion, modifying the existing networks for military use.
Thus, the modular structure of the security technologies that developed in this
arrangement mirrored the modular structure of the classified and unclassified research
worlds. The absence of network security on the early internet was not an oversight
(Timberg, 2015), but a byproduct of its institutional and political context. By the
mid-1980s, the protocols that structured the internet architecture were unsecure by
design. The internet technology, management and governance organizations of the early to
mid-1980s had little experience developing security technologies and even less in
governing their use. Computers attached to the internet could contain their own security
software, but the networking protocols themselves did not provide the security
technologies that we increasingly take for granted today. For example, while a
mainframe or personal computer might be protected against unauthorized entry, the
design of the internet did not provide for encrypted traffic, secure routing or a secure
namespace.
The second consequence lies in the historical origins, and present moment, of internet
governance. By the mid-1980s, the lack of network security, noted above, was
accompanied by emerging (civilian) internet governance practices that evolved around
managing networking – and not security – technologies. This history is significant because
the technologies and management structures of the Arpanet and early civilian internet
ultimately became the global internet, as the internet absorbed competing systems and as
others fell to the wayside.
This paper addresses only a limited portion of the breadth of technologies and
organizations that fall under the label of cybersecurity. Today, cybersecurity is a broad
topic that extends beyond what might come to be managed by internet governance
organizations like the Internet Corporation for Assigned Names and Numbers (ICANN). The
early history of security addressed in this paper is that of network security, which refers to
security technologies deployed as part of network architecture. (Today, technologies like
BGPsec and DNSsec fall under this category; the firewall on a personal computer would
not.) This paper is an effort to understand the technologies of network security and the path
dependency that they created for the portions of cybersecurity that deal with technologies
integral to networks. This focus is necessarily limited, as there were fewer security
technologies in existence decades ago, and not all of the security technologies in existence
were deployed on networks or in network-facing machines.
A similar caveat is necessary for the distinction between the history of computer networking
and the historical trajectory of the internet. The history of computer networks is far broader
than the history of the internet, and includes many more networks and technologies than
identified here. Some of these networks and technologies – such as those identified below –
were influential in the design of the internet. However, the present-day technologies and
governance model of the global internet emerged, in large part, in a subsection of the
history of computer networking. To only address the history of the internet is not to say that
the larger, global history of networking is any less important. Rather, this paper’s focus on
the history of the internet is more limited, meant only to better understand specific
characteristics of the technologies and governance models with which we live today.
Finally, the analysis that follows is agnostic regarding the quality, utility or any other