The History of Cybersecurity Until Morris Worm and Introduction of Computer Incidents Response Teams to Cybersecurity
The history of cybersecurity begins with mainframes in the 1960s. The first computers suitable for business use appeared during this period. Until then, the word “computer” referred to people who performed calculations, and the word “cyber” belonged to the world of science fiction. During this period, computers were secured with guards and doors. Physical security procedures allowed only authorized persons to have physical access to computers to operate them.
Computers were huge, occupying hundreds of square meters, and were guarded by private security personnel. Over time, this security function was combined with the role of the computer operator, called the job control technician. People who needed to use the computer delivered their data and programs to the operators as a deck of punched cards, and the operator fed the cards into a card reader that automatically converted the punched holes into bits and bytes.
Towards the end of the 1960s, card readers installed in offices made it possible to transfer the data on punched cards to the main computer via cables. This gave security personnel the additional task of ensuring the physical security of the emerging cable network. However, since confidentiality, integrity and availability, which are the basic components of information security, had not yet been accepted as industry standards, confidentiality was of no importance, with a few exceptions in military and intelligence units. In this period, the more important security concern was the loss of integrity of the processed data caused by continual system malfunctions and code that did not work.
In the 1970s, punched cards began to be replaced by data entry from keyboards and terminals. This changed the security model, which had been built around securing a data entry system based on punched cards. Physical measures for cable and building security continued, and customized logical interfaces for electronic data entry were added to them. These logical interfaces, designed separately according to the authority of each user, were accessed with user names and passwords; after logging in, users could access data according to their authorizations. With keyboard technology, the use of computers began to become widespread. This raised concerns about privacy, and cryptographic algorithms that prevent unauthorized access to data began to be developed, especially in military circles.
The storing and processing of personal data on computers without regard for confidentiality attracted the attention of US legal circles, and the 1974 Privacy Act was adopted to ensure the privacy of data stored in information technologies. This law includes data privacy sanctions for government agencies that process and store the data of US citizens.
Hub technology, which emerged in the late 1970s, enabled the creation of local area networks for computers. Anyone who owned a computer on the network could access the data in the local area network (LAN) created with this new technology. The MAC and DAC protocols were developed to close this emerging trust gap. MAC provided mandatory access control, while DAC (discretionary access control) provided the separation of publicly accessible data. However, these protocols determined who could gain access at the hardware level. With the first LAN technologies, it became more difficult to follow the actions of computer users. In addition, since there was no technology such as encryption of network traffic, it was possible to eavesdrop on network traffic and interfere with it.
In order to prevent possible security breaches in computer technologies, the “Trusted Computer System Evaluation Criteria”, which would later be called the Orange Book due to the color of its cover, was published by the US Department of Defense in 1983. This publication introduced a number of security firsts that are still valid today, such as the necessity of defining mandatory corporate policies for information systems security, what the content of such a policy should be, classifying user privileges according to access list logic, determining which data can be accessed, and processing sensitive data in encrypted form using cryptographic methods. It was later replaced by the “Common Criteria for Information Technology Security Evaluation” document, which has now become the industry standard considered when purchasing a cybersecurity device or defining the security requirements of IT projects.
At around 8:30 p.m. on November 2, 1988, a maliciously clever program was unleashed on the Internet from a computer at the Massachusetts Institute of Technology (MIT).
This cyber worm was soon propagating at remarkable speed and grinding computers to a halt. “We are currently under attack,” wrote a concerned student at the University of California, Berkeley in an email later that night. Within 24 hours, an estimated 6,000 of the approximately 60,000 computers that were then connected to the Internet had been hit. Computer worms, unlike viruses, do not need a software host but can exist and propagate on their own.
Berkeley was far from the only victim. The rogue program had infected systems at a number of the prestigious colleges and public and private research centers that made up the early national electronic network. This was a year before the invention of the World Wide Web. Among the many casualties were Harvard, Princeton, Stanford, Johns Hopkins, NASA, and the Lawrence Livermore National Laboratory.
The worm only targeted computers running a specific version of the Unix operating system, but it spread widely because it featured multiple vectors of attack. For example, it exploited a backdoor in the Internet’s electronic mail system and a bug in the “finger” program that identified network users. It was also designed to stay hidden.
The worm did not damage or destroy files, but it still packed a punch. Vital military and university functions slowed to a crawl. Emails were delayed for days. The network community labored to figure out how the worm worked and how to remove it. Some institutions wiped their systems; others disconnected their computers from the network for as long as a week. The exact damages were difficult to quantify, but estimates started at $100,000 and soared into the millions.
One morning in November 1988, Marion Harris called, saying there was something bad happening on the ARPANET. NPR confirmed this. I had a sinking feeling: would our firewall hold up to whatever was happening? That feeling has dominated my thoughts about security ever since. Besides, there would be no end to the complaints, ribbing, and whining if the attack got through. Working in the UNIX room toughened the skin. I rushed into work, and the whole place was abuzz. The short answer was yes, the firewall had held. Peter Weinberger was on the phone basically saying “neener neener” to a variety of sites, especially Bellcore. Those folks had completely rejected the idea of a firewall, and were completely bogged down with the Morris worm.
In the ARPANET project, which was the starting point of the Internet, computers interacted online over the network. The main service of this period was e-mail, which users used to send messages to each other. In 1988, Robert Morris, whose father was a researcher at AT&T Bell Laboratories and who had been introduced to computer technologies at a young age and questioned their security vulnerabilities, developed the first worm-type malware of the Internet and started spreading it over ARPANET. This software took advantage of the vulnerability of the email service and copied itself to computers using this service, preventing the computers’ basic services from running. Only AT&T Bell Labs was unaffected by this attack. This was not because they had taken security measures to make the email service more secure. It was because they were testing a “firewall” system, a new technology that analyzes inbound internet traffic.
This attack resulted in the creation of new policies on ARPANET security. Firewall technology was expanded and access policies began to be implemented through the firewall. This practice continues today in a similar way. A “Computer Incidents Response Team” was established within ARPANET, and specialized teams were set up to respond to such situations. An understanding of detection and recovery as a core cybersecurity function developed. Developers also began creating much-needed computer intrusion detection software.