Introduction
Copyright(c), 1990, 1995 Fred Cohen - All Rights Reserved
In the mid-1980s, I visited the Software Engineering
Institute at Carnegie-Mellon University for a summer to write a
curriculum for information protection. The curriculum I developed there
was fairly rudimentary, but the reviewers at the time were even more so,
and they were unable to accept the stretch that information
protection should encompass such a wide range of issues as integrity,
management, legal and social issues, and so forth. Since most computer
scientists today still seem to think of information protection as a
simple issue and mostly an afterthought, I guess these reviewers were
ahead of their time.
Despite the negative reviews, I pressed on and wrote
this rudimentary book based on that curriculum. During the mid-1980s I
used the original edition of this book supplemented with many notes for
graduate classes in information protection at Lehigh University and the
University of Cincinnati, and eventually abandoned it by the end of the
decade because I wasn't teaching graduate university courses any more.
When I started the all.net Web site in the mid-1990s,
I decided that it would be a good idea to put lots of information about
information protection on the Web for the world to see. I began the
sometimes painful process of converting books and papers to html format
and that eventually became Infosec Heaven - and has now evolved into
The Security Database At All.Net.
Eventually, I converted this book, which has been
online for about 5 years. Over time, I changed the citations to Web
pointers into our annotated bibliography, made some other minor changes,
and so forth, but the book is essentially unchanged since the 1980s.
Introduction to the Previous Editions
I have often defined the "information age" in my talks as the time
when our society becomes truly dependent for its very survival on
information and the technologies that deal with it. That time is now.
To understand just how serious this dependency is, I'll list some of the
things we currently depend on computers for.
- In transportation, computers play a central role. Our airline
reservations systems would not work without computers, our air traffic
control system is entirely computer operated, and many of our airliners
cannot operate efficiently without computers. Similarly, most cargo on
trucks and trains is now routed and tracked by computers to assure prompt
delivery to the proper destination.
- Our food distribution system depends very heavily on the use of
computers to determine when we will run out of things so we can place
orders and have replacements delivered fresh and on time where we need
them. Without these systems, we would have poor quality, rotting food,
shortages, enormous amounts of waste, and would be unable to have the
large selection we currently have in our food stores.
- Our electrical power grid is controlled by computers, and they
play a large role in determining when to deliver power to where. Without
the computers, we would have far more blackouts and brownouts.
- The communications industry is dominated by computers. Most
phones are now actually small computers, and every telephone switching
system is computer operated. The FAX machines which business has become
increasingly dependent on are small computers, and electronic mail has
now replaced paper mail in most major corporations as the dominant form
of communications. Television and radio stations use computers to get
information around the world in seconds, to schedule and carry out their
broadcasts, and to generate the images we see.
- A typical major financial institution now transfers its entire
net worth in electronic funds transfers several times per week. Automatic
teller machines are a major source of cash transactions, and the stock
exchange operates almost exclusively with a computerized transaction
system.
- Most major manufacturing plants are now mechanized to a high
degree, with computers controlling which parts go together to form each
product that comes off the line. The very machines that put together
those parts are computer controlled, and the specification, ordering
and delivery process is usually operated by digital data interchange.
Many businesses completely exhaust their in-house stock in under a
week, using "just in time" delivery to optimize warehouse and cash flow
expenses.
- In medicine, virtually every modern method of chemical and
physiological analysis is computer operated. Most of the modern
techniques such as NMR, CAT scans, and many forms of chemical analysis
could not be performed without the computer.
Clearly, we are in the information age. Just as clearly, we
have a newly fostered dependency on information and information systems
that is unprecedented in its potential for good and for harm. It is
important for everyone to be aware of the nature of the problems we face
and the solutions we have or don't have to them. In the information
age, ignorance is not bliss, it is suicide.
The proliferation of information systems has caused widespread
concern about protection issues. Widening gaps have formed between the
need for protection, the state of the art in protection, and the ability
of practitioners to provide protection. We need only look at the last
few years to find startling examples of protection inadequacies.
- In 1984, independent reports stated that over 75% of businesses
surveyed sustained losses due to fraud involving computers [Tompkins84] and that from 2% to 5% of the
GNP of most industrialized nations is lost every year due to such fraud
[Prew84].
- In 1985, the U.S. Internal Revenue Service wrongfully put
thousands of citizens out of business because of corruptions in IRS
information systems.
- In 1986, corruptions in educational information systems caused
false generation of degrees and illicit changes of grades.
- The first global computer viruses began spreading in 1987. They
affected over 500,000 users in a 1-year period, and brought at least one
major global information network to a screeching halt for a period of
hours.
- In 1988, a virus brought over 6,000 computers to their knees for
two days, and almost 100 strains of known viruses had been found throughout
the world.
- A 1989 study by a major CPA firm found that over 80% of all
protection systems in use at that time throughout industry were not
properly administered. A study of the US military systems found that
over 90% of them had the same problem.
There is a clear and pressing need for widespread understanding
of information protection, for without this understanding, the degree of
harm is liable to increase beyond our capacity to compensate. That is
the reason for this book.