Flashback: Declassified 1970 DOD cybersecurity document still relevant
The National Security Archives at George Washington University has just added a classic text of computer security to its “Cyber Vault” project—the original version of what came to be known as the “Ware Report,” a document published by the predecessor to the Defense Advanced Research Projects Agency in February 1970. And as much as technology has changed in the 46 years that have passed, the Ware Report would still hold up pretty well today with a few notable edits.
The document, officially entitled “Security Controls for Computer Systems: Report of the Defense Science Board Task Force on Computer Security,” was the result of work undertaken in 1967 at the behest of the Advanced Research Projects Agency (ARPA, now DARPA) to deal with the risks associated with the rapid growth of “multi-access, resource-sharing computer systems”—the primordial network ooze from which the Internet would be born. Authored by a task force led by computer science and security pioneer Willis Ware, the report was a first attempt to take on some of the fundamental security problems facing a future networked world.
The Ware Report included a list of conclusions and recommendations that (based on recent data breaches and security failures) many have failed to take to heart. The first of these is one that recent ransomware attacks seem to show that organizations have forgotten. “Providing satisfactory security controls in a computer system is in itself a system design problem,” Ware wrote in the summary memo accompanying the report. “A combination of hardware, software, communication, physical, personnel and administrative-procedural safeguards is required for comprehensive security. In particular, software safeguards alone are not sufficient.”