The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.03 - July-Sept. (2012 vol.34)
pp: 4-21
Edward Hunt , College of William & Mary
ABSTRACT
The US Department of Defense was the driving force behind the development of sophisticated computer penetration methodologies. By analyzing the security of the nation's time-sharing computer systems, security analysts developed an expert understanding of computer penetration. Eventually, the US and its intelligence agencies utilized computer penetration techniques to wage offensive cyberattacks.
INDEX TERMS
US Department of Defense, Military communication, Cyberspace, Security, Computer security, Information protection, cyberwar, information assurance, history of computing, computer security, computer penetration
CITATION
Edward Hunt, "US Government Computer Penetration Programs and the Implications for Cyberwar", IEEE Annals of the History of Computing, vol.34, no. 3, pp. 4-21, July-Sept. 2012, doi:10.1109/MAHC.2011.82
REFERENCES
1. W.J. Broad, J. Markoff, and D.E. Sanger, "Israeli Test on Worm Called Crucial in Iran Nuclear Delay," New York Times,16 Jan. 2011; www.nytimes.com/2011/01/16/world/ middleeast 16stuxnet.html.
2. S. Weinberger, "Is This the Start of Cyberwarfare?" Nature, vol. 474, 2011, p. 143; www.nature.com/news/2011/110608/full474142a.html .
3. N. Falliere, L.O. Murchu, and E. Chien, "W32.Stuxnet Dossier, Version 1.4," white paper, Feb. 2011, p. 55; www.symantec.com/content/en/us/enterprise/ media/security_ response/whitepapersw32_stuxnet_dossier.pdf .
4. D.E. Sanger, "Obama Order Sped Up Wave of Cyberattacks Against Iran," New York Times,1 June 2012, www.nytimes.com/2012/06/01/world/middleeast obama-ordered-wave-of-cyberattacks-against-iran.html .
5. R.A. Clarke and R.K. Knake, Cyber War: The Next Threat to National Security and What to Do about It, HarperCollins Publishers, 2010, pp. 145, 259.
6. Clarke and Knake, Cyber War, p. 93.
7. W. Safire, "The Farewell Dossier," New York Times,2 Feb. 2004; www.nytimes.com/2004/02/02/opinionthe-farewell-dossier.html , and T.C. Reed, At the Abyss: An Insider's History of the Cold War, Random House, 2005, pp. 266–270.
8. W.J. Broad, "Computer Security Worries Military Experts," New York Times,25 Sept. 1983.
9. J. Walsh, "'Lack of Reciprocity' Prompts IIASA Cutoff," Science, vol. 216, no. 4541, 1982, p. 35.
10. P. Grant and R. Riche, "The Eagle's Own Plume," Proc. United States Naval Inst., vol. 109, no. 7, 1983, p. 34.
11. D.A. Fulghum, "Yugoslavia Successfully Attacked by Computers," Aviation Week & Space Technology,23 Aug. 1999.
12. J. Arquilla interviewed by Frontline,4 Mar. 2003; www.pbs.org/wgbh/pages/frontline/shows/cyberwar/ interviewsarquilla.html.
13. D.A. Fulghum, "Telecom Links Provide Cyber-Attack Route," Aviation Week & Space Technology,8 Nov. 1999.
14. C. Crew and J. Markoff, "Contractors Vie for Plum Work, Hacking for U.S.," New York Times,31 May 2009; www.nytimes.com/2009/05/31/us31cyber.html .
15. Corey Kilgannon and Noam Cohen, "Cadets Trade the Trenches for Firewalls," New York Times,11 May 2009; www.nytimes.com/2009/05/11/technology11cybergames.html .
16. Clarke and Knake, Cyber War, pp. 261–262.
17. P.A. Karger and R.R. Schell, MULTICS Security Evaluation: Vulnerability Analysis, ESD-TR-74-193, vol. II, L.G. Hanscom Air Force Base, Electronic Systems Division, June 1974, p. 6; http://csrc.nist.gov/publications/history karg74.pdf.
18. C. Weissman, "Security Penetration Testing Guideline," tech. memo 5540:082A, Handbook for the Computer Security Certification of Trusted Systems, Naval Research Laboratory, 1995, p. 23; www.dtic.mil/cgi-binGetTRDoc?AD=ADA390673.
19. Computer Security Division, Computer Security Resource Center, "Early Computer Security Papers, Part I," Nat'l Inst. Standard and Technology, http://csrc.nist.gov/publicationshistory .
20. For more insight into what organizations should be included in the "defense establishment," see K. Flamm, Targeting the Computer: Government Support and International Competition, The Brookings Institution, 1987, pp. 42–78, 93–124. For a specific example, see W.H. Ware, Security Controls for Computer Systems (U): Report of Defense Science Board Task Force on Computer Security, RAND, R-609-1, 11 Feb. 1970, pp. xi–xii; http://csrc.nist.gov/publications/history ware70.pdf. Organizations involved in the Ware report include RAND, SDC, Lockheed, DoD, Case Western Reserve, CIA, NSA, ARPA, DCA, Mitre, IBM, and MIT.
21. Clarke and Knake, Cyber War, p. 263.
22. I first reported on my research findings in my master's thesis, "Computer Penetration: The Pioneering Role of the United States Government and Its Alliance with Industry and Academia, 1965–1985," Univ. of Massachusetts, 2010.
23. D.B. Parker, Crime by Computer, Charles Scribner's Sons, 1976, p. 283.
24. T. Whiteside, Computer Capers: Tales of Electronic Thievery, Embezzlement, and Fraud, Thomas Y. Crowell Company, 1978, p. 115.
25. Whiteside, Computer Capers, p. 116.
26. Whiteside, Computer Capers, p. 155.
27. J. Murphy, P. Elmer-DeWitt, and M. Krance, "Computers: The 414 Gang Strikes Again," Time,29 Aug. 1983; www.time.com/time/printout0,8816,949797,00.html .
28. D.B. Parker, Fighting Computer Crime, Charles Scribner's Sons, 1983, p. 183.
29. Parker, Fighting Computer Crime, pp. 130, 183.
30. S. Levy, Hackers: Heroes of the Computer Revolution, Dell, 1984, p. 7.
31. D. Smith, "Who Is Calling Your Computer Next? Hacker!" Criminal Justice J., vol. 8, no. 1, 1985, p. 94.
32. Smith, "Who Is Calling Your Computer Next? Hacker!" p. 95. Smith's emphasis.
33. M. McCain, "Computer Users Fall Victim to a New Breed of Vandals," New York Times,19 May 1987; www.nytimes.com/1987/05/19/nyregioncomputer-users-fall-victim-to-a-new-breed-of-vandals.html .
34. S. Brand, "Keep Designing: How the Information Economy is Being Created and Shaped by the Hacker Ethic," Whole Earth Rev., May 1985, pp. 44–55.
35. R. Lehtinen, D. Russell, and G.T. Gangemi, Sr., Computer Security Basics, O'Reilly Media, 2006, p. 29.
36. Lehtinen, Russell, and Gangemi, Computer Security Basics, p. 30.
37. W. Madsen, "Intelligence Agency Threats to Computer Security," Int'l J. Intelligence and Counter-Intelligence, vol. 6, no. 4, 1993, p. 413.
38. Madsen, "Intelligence Agency Threats to Computer Security," p. 414.
39. S. Gorman and J.E. Barnes, "Cyber Combat Can Count as Act of War," Wall Street J.,31 May 2011; http://online.wsj.com/articleSB1000142405270230456310457635562313 5782718.html .
40. D. MacKenzie, Mechanizing Proof: Computing, Risk, and Trust, MIT Press, 2001, p. 160.
41. MacKenzie, Mechanizing Proof, p. 156. See also D. MacKenzie, and G. Pottinger, "Mathematics, Technology, and Trust: Formal Verification, Computer Security, and the U.S. Military," IEEE Annals of the History of Computing, vol. 19, no. 3, 1997, pp. 41–59.
42. J.R. Yost, "A History of Computer Security Standards," The History of Information Security: A Comprehensive Handbook, K. de Leeuw, and J. Bergstra eds., Elsevier, 2007, pp. 601–602.
43. E.A. Anderson, C.E. Irvine, and R.R. Schell, "Subversion as a Threat in Information Warfare," J. Information Warfare, vol. 3, no. 2, 2004, p. 52; http://citeseerx.ist.psu.edu/ viewdocdownload?doi=10.1.1.105.505&rep= rep1&type=pdf .
44. C. Baum, The System Builders: The Story of SDC, System Development Corp., 1981.
45. R.L. Dennis, Security in the Computer Environment, SP 2440/000/01, System Development Corp., 18 Aug. 1966, p. 11; http://handle. dtic.mil/100.2AD640648.
46. Dennis, Security in the Computer Environment, p. 7.
47. Dennis, Security in the Computer Environment, p. 30.
48. W.H. Ware, Security and Privacy in Computer Systems, P-3544, RAND, Apr. 1967, p. 1; www.rand.org/pubs/papers/2005P3544.pdf.
49. H.E. Petersen and R. Turn, System Implications of Information Privacy, P-3504, RAND, Apr. 1967, p. iii; www.rand.org/pubs/papers/2005P3504.pdf.
50. B. Peters, "Security Considerations in a Multi-programmed Computer System," Proc. AFIPS Spring Joint Computer Conf., ACM Press, 1967, p. 285.
51. J. Bamford, The Puzzle Palace: A Report on America's Most Secret Agency, Houghton Mifflin Company, 1982, pp. 339–340.
52. W.H. Ware, "Foreword," Security in Computing, 3rd ed., C.P. Pfleeger, and S. Lawrence Pfleeger Prentice Hall, 2003, p. xix.
53. Petersen, and Turn, System Implications, p. 3.
54. Ware, Security and Privacy, pp. 8, 10.
55. Ware, Security and Privacy, pp. 10–11.
56. Petersen and Turn, System Implications, p. 5.
57. Petersen and Turn, System Implications, pp. 4–5.
58. Ware, Security and Privacy, p. 6.
59. R. Turn, A Brief History of Computer Privacy/ Security Research at RAND, P-4798, RAND, Mar. 1972, p. 3.
60. R.M. Greene, Jr. ed., Business Intelligence and Espionage, Dow Jones-Irwin, 1966, p. 224.
61. "Industrial Spies to Turn to Laser Beam, Computer Snooping," Washington Post,16 Mar. 1967.
62. D.B. Parker, Threats to Computer Systems, Lawrence Livermore Laboratory, Mar. 1973, p. 111.
63. Parker, Threats to Computer Systems, p. 56.
64. D.B. Parker, Crime by Computer, Charles Scribner's Sons, 1976, p. 87; J. Millar Carroll, Computer Security, Butterworth-Heinemann, 1996, p. 53.
65. Parker, Crime by Computer, p. 94.
66. Parker, Crime by Computer, p. 102.
67. MacKenzie, Mechanizing Proof, p. 158.
68. W.H. Ware, RAND and the Information Evolution: A History in Essays and Vignettes, CP-537-RC, RAND, 2008, p. 153; www.rand.org/pubs/corporate_pubs/2008RAND_CP537.pdf .
69. W.H. Ware, Security Controls for Computer Systems (U): Report of Defense Science Board Task Force on Computer Security, R-609-1, RAND, 11 Feb. 1970, p. 10; http://csrc.nist.gov/ publications/history ware70.pdf.
70. Ware, Security Controls for Computer Systems, R-609-1, p. 7.
71. Ware, Security Controls for Computer Systems, R-609-1, p. 8.
72. P.S. Browne, "Computer Security: A Survey," SIGMIS Database, vol. 4, no. 3, 1972, p. 12; http://doi.acm.org/10.11451017536.1017537 .
73. J. Anderson et al., Computer Security Experiment, WN-7275-ARPA, RAND, Mar. 1971. I have not been able to obtain a copy of this paper.
74. Ware, RAND and the Information Revolution, pp. 153–154.
75. R. Turn, R. Fredrickson, and D. Hollingworth, Data Security Research at the RAND Corporation: Description and Commentary, P-4914, RAND, Mar. 1972, p. 2.
76. Turn, Fredrickson, and Hollingworth, Data Security Research at the RAND Corporation, p. 9.
77. Turn, A Brief History, pp. 4–5.
78. Turn, A Brief History, p. 5.
79. Turn, Fredrickson, and Hollingworth, Data Security Research, p. 2.
80. Turn, Fredrickson, and Hollingworth, Data Security Research, p. 10.
81. Turn, Fredrickson, and Hollingworth, Data Security Research, p. 20.
82. Turn, Fredrickson, and Hollingworth, Data Security Research, p. 11.
83. Ware, RAND and the Information Revolution, p. 154.
84. J.P. Anderson, AF/ACS Computer Security Controls Study, ESD-TR-71-395, L.G. Hanscom Field HQ Electronic Systems Division, Nov. 1971, p. 1.
85. E. Spafford, "James P. Anderson: An Information Security Pioneer," , IEEE Security and Privacy, vol. 6, no. 1, 2008, p. 9; http://dx.doi.org/10.1109MSP.2008.15. Anderson, who had participated in Ware's task force and RAND's penetration exercises, had organized his company in the late 1960s following stints at companies such as Univac, Burroughs, and Auerbach.
86. Anderson, AF/ACS Computer Security, p. 2.
87. Anderson, AF/ACS Computer Security, p. 17.
88. Anderson, AF/ACS Computer Security, p. 27.
89. J.P. Anderson, Computer Security Technology Planning Study, vol. II, ESD-TR-73-51, L.G. Hanscom Field HQ Electronic Systems Division, Oct. 1972, p. 59; http://seclab.cs.ucdavis. edu/projects/history/ papersande72.pdf.
90. Anderson, Computer Security, vol. II, p. 63.
91. Anderson, Computer Security, vol. II, pp. 62–63.
92. D.K. Branstad,, "Privacy and Protection," SIGOPS Operating Systems Rev., vol. 7, no. 1, 1973, p. 13.
93. J.P. Anderson, "Information Security in a Multi-User Computer Environment," Advances in Computers, vol. 12, M. Rubinoff ed., Academic Press, 1972, p. 4; Anderson, Computer Security, vol. II, p. 58.
94. Anderson, Computer Security, vol. II, p. 65.
95. J.P. Anderson, Computer Security Technology Planning Study, vol. I, ESD-TR-73-51, L.G. Hanscom Field HQ Electronic Systems Division, Oct. 1972, p. 4; http://seclab.cs.ucdavis. edu/projects/history/ papersande72a.pdf.
96. G.J. Popek, and C.S. Kline, "Verifiable Secure Operating System Software," Proc. FIPS Nat'l Computer Conf. and Exposition, ACM Press, 1974, p. 145; http://doi.acm.org/10.11451500175.1500204 .
97. D.K. Branstad and S.K. Reed eds., Controlled Accessibility Workshop Report,, tech. note 827, US Dept. of Commerce and Nat'l Bureau of Standards, May 1974, p. 1.
98. Branstad and Reed, Controlled Accessibility, p. 68; Petersen, and Turn, System Implications, p. 13.
99. Branstad and Reed, Controlled Accessibility, p. 68.
100. Branstad and Reed, Controlled Accessibility, p. 74.
101. ADP Security Manual: Techniques and Procedures for Implementing, Deactivating, Testing, and Evaluating Secure Resource-Sharing ADP Systems, DoD 5200.28-M, US Dept. of Defense, Jan. 1973, p. 13; http://handle.dtic.mil/ 100.2ADA268995.
102. P.S. Browne, "Computer Security: A Survey," Proc. AFIPS Nat'l Computer Conf. and Exposition, ACM Press, 1976, p. 58.
103. D.B. Parker, Threats to Computer Systems, Lawrence Livermore Laboratory, Mar. 1973, p. 14.
104. D.B. Parker and S. Nycum, "The New Criminal," Datamation, Jan. 1974, p. 58.
105. K. Flamm, Targeting the Computer: Government Support and International Competition, The Brookings Institution, 1987, p. 57.
106. Anderson, Computer Security, vol. I, p. 12.
107. D. Hollingworth, Enhancing Computer System Security, P-5064, RAND, Aug. 1973, p. 10; www.rand.org/pubs/papers/2006P5064.pdf.
108. Hollingworth, Enhancing Computer System Security, pp. 10, 5.
109. T. Alexander, "Waiting for the Great Computer Rip-off," Fortune, July 1974, p. 143.
110. T. Whiteside, "Annals of Crime: Dead Souls in the Computer—II," New Yorker,29 Aug. 1977, p. 60.
111. Karger and Schell, MULTICS Security Evaluation, p. 17.
112. P.A. Karger and R.R. Schell, "Thirty Years Later: Lessons from the Multics Security Evaluation," Proc. 18th Ann. Computer Security Applications Conf. (ACSAC), IEEE CS Press, 2002, p. 119.
113. Karger and Schell, MULTICS Security Evaluation, p. 59.
114. Karger and Schell, MULTICS Security Evaluation, p. 53.
115. Karger and Schell, "Thirty Years Later," p. 121.
116. R.R. Schell, "Computer Security: The Achilles' Heel of the Electronic Air Force?" Air Univ. Rev., vol. 30, no. 2, 1979; www.au.af.mil/au/cadre/aspj/airchronicles/ aureview/1979/ jan-febschell.html.
117. Whiteside, "Annals of Crime," p. 61.
118. W.T. Porter, Jr., "'Computer Raped by Telephone' … and Other Futuristic Felonies by Electronic Con Men Who Leave No Footprints," New York Times Magazine,8 Sept. 1974.
119. Porter, "'Computer Raped by Telephone,'" p. 43.
120. Alexander, "Waiting for the Great Computer Rip-off," p. 146.
121. R. Turn and W.H. Ware, "Privacy and Security in Computer Systems," American Scientist, March/April 1975, p. 201.
122. B. Ginzburg, "Military Computers Easily Penetrable, AF Study Finds," Washington Post,8 Aug. 1976.
123. Whiteside, "Annals of Crime," pp. 59–60.
124. Whiteside, "Annals of Crime," p. 59.
125. Karger and Schell, "Thirty Years Later," p. 121.
126. J.H. Saltzer, "Ongoing Research and Development on Information Protection," SIGOPS Operating Systems Rev., vol. 8, no. 3, 1974, p. 9.
127. Saltzer, "Ongoing Research and Development on Information Protection," p. 8.
128. R.D. Lackey, "Penetration of Computer Systems: An Overview," Honeywell Computer J., vol. 8, no. 2, 1974, p. 81.
129. W.S. McPhee, "Operating System Integrity in OS/VS2," IBM Systems J., vol. 13, no. 3, 1974, p. 251.
130. Alexander, "Waiting for the Great Computer Rip-off," p. 146; D. Hollingworth, S. Glaseman, and M. Hopwood, Security Test and Evaluation Tools: An Approach to Operating System Security Analysis, P-5298, RAND, Sept. 1974, p. 13; www.rand.org/pubs/papers/2009P5298.pdf.
131. Parker, Threats to Computer Systems, p. viii.
132. Parker, Threats to Computer Systems, p. vii.
133. Saltzer, "Ongoing Research," pp. 11, 12.
134. Saltzer, "Ongoing Research," p. 12.
135. R. Bisbey II and D. Hollingworth, Protection Analysis: Final Report, ISI/SR-78-13, Information Sciences Inst., May 1978, p. 3; http://csrc.nist.gov/publications/history bisb78.pdf.
136. C. Weissman, System Security Analysis/Certification Methodology and Results, SDC SP-3728, System Development Corp., 8 Oct. 1973. I have not been able to obtain a copy of this paper.
137. C. Weissman, "Security Penetration Testing Guideline," NRL tech. memo 5540:082A, Handbook for the Computer Security Certification of Trusted Systems, Naval Research Laboratory, 1995, p. 6; http://chacs.nrl.navy.mil/publications/handbook PENET.pdf.
138. R.R. Linde, "Operating System Penetration," Proc. AFIPS Nat'l Computer Conf. and Exposition, ACM Press, 1975, pp. 361, 365.
139. Linde, "Operating System Penetration," p. 361.
140. Linde, "Operating System Penetration," p. 363.
141. Linde, "Operating System Penetration," p. 366.
142. Weissman, "Security Penetration," p. 34.
143. C.R. Attansio, P.W. Markstein, and R.J. Phillips, "Penetrating an Operating System: A Study of VM/370 Integrity," IBM Systems J., vol. 15, no. 1, 1976, pp. 103, 115.
144. Attansio, Markstein, and Phillips, "Penetrating an Operating System," p. 110.
145. Attansio, Markstein, and Phillips, "Penetrating an Operating System," p. 114.
146. Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, US Dept. of Defense, Dec. 1985, pp. 83, 84; http://csrc.nist.gov/publications/history dod85.pdf.
147. C. Stoll, The Cuckoo's Egg, Doubleday, 1989, p. 258.
148. J. Abbate, Inventing the Internet, MIT Press, 2000.
149. Senate Subcommittee on Constitutional Rights of the Committee on the Judiciary and the Senate Special Subcommittee on Science, Technology, and Commerce of the Committee on Commerce, Surveillance Technology, 94th Cong., 1st sess., 23 June, 9 Sept., and 10 Sept., 1975, p. 2.
150. MacKenzie, Mechanizing Proof, p. 175.
151. Senate Subcommittee, Surveillance Technology, p. 41.
152. Senate Subcommittee, Surveillance Technology, p. 43.
153. Senate Subcommittee, Surveillance Technology, p. 56.
154. Senate Subcommittee, Surveillance Technology, p. 57.
155. S.T. Walker, "The Advent of Trusted Computer Operating Systems," Proc. Nat'l Computer Conf., ACM Press, 1980, p. 655.
156. P.A. Myers, "Subversion: The Neglected Aspect of Computer Security," master's thesis, Naval Postgraduate School, 1980, p. 106; http://csrc.nist.gov/publications/history myer80.pdf.
157. Myers, "Subversion," p. 35.
158. Myers, "Subversion," p. 74.
159. Myers, "Subversion," p. 41.
160. Myers, "Subversion," pp. 40–41.
161. E.A. Anderson, C.E. Irvine, and R.R. Schell, "Subversion as a Threat in Information Warfare," J. Information Warfare, vol. 3, no. 2, 2004, p. 58.
162. S. Gorman, "U.S. Team and Israel Developed Worm," Wall Street J.,1 June 2012, http://online.wsj.com/articleSB1000142405270230 4821304577440703810436564.html .
163. Karger and Schell, "Thirty Years Later," p. 122.
164. Anderson, AF/ACS Computer Security, p. 27.
165. J. Markoff, "Robert Morris, Pioneer in Computer Security, Dies at 78," New York Times,30 June 2011; www.nytimes.com/2011/06/30/technology30morris.html . T.R. Shapiro, "Robert Morris, A Developer of Unix, Dies at 78," Washington Post,30 June 2011; www.washingtonpost.com/local/obituaries/ robert-morris-a-developer-of-unix-dies-at-78/ 2011/06/30AG5PwbsH_story.html.
166. House Subcommittee on Transportation, Aviation and Materials of the Committee on Science and Technology, Computer and Communications Security and Privacy, 98th Cong., 1st sess., 26 Sept., 17 Oct., and 24 Oct., 1983, p. 508.
167. House Subcommittee, Aviation and Materials, p. 524.
168. Stoll, Cuckoo's Egg, p. 255.
169. Stoll, Cuckoo's Egg, p. 252.
170. Markoff, "Robert Morris," New York Times.
171. Shapiro, "Robert Morris," Washington Post.
172. P. Richards, "NSA's Morris Gives Warnings on Information Encryption," MIT News,26 Nov. 1997; http://web.mit.edu/newsoffice/1997morris-1126.html .
173. Stoll, Cuckoo's Egg, p. 256.
174. House Subcommittee, Computer and Communications Security and Privacy, p. 456.
175. House Subcommittee, Computer and Communications Security and Privacy, p. 446.
176. House Subcommittee, Computer and Communications Security and Privacy, p. 461.
177. Clarke and Knake, Cyber War, p. 261.
178. D.E. Sanger, "Mutually Assured Cyberdestruction?" New York Times,3 June 2012; www.nytimes.com/2012/06/03/sunday-review mutually-assured-cyberdestruction.html .
39 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool