Cybersecurity in 1989: Looking Back at Cliff Stoll's Classic The Cuckoo's Egg

It has been almost exactly twenty-six years since the publication of Cliff Stoll's The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. I'm not sure this was the first non-fiction cybersecurity book to make it big, but it certainly was a trailblazer for the genre. And it is still well-worth the read. The book is a fascinating snapshot of cybersecurity threats and responses circa the mid-1980s, as seen through the eyes of an jovial, quirky, creative, and persistent astronomer-turned-sysadmin who gradually comes to appreciate (i) the vulnerability woven into the trust-dependent architecture of various emerging (and converging) networks, (ii) the extent to which human error, laziness, bureaucracy, and cognitive bias combine to create and perpetuate entirely-unnecessary vulnerabilities (widespread failure to identify and change default passwords, for example), (iii) interagency frictions hampering government efforts to develop a coordinated response to cyberthreats, and (iv) lack of trust and information-sharing hampering private-public cooperation. Sound familiar?

I hope I've said enough to induce readers to order up a copy of the book. **Stop reading here to avoid spoilers** For those who have already read it or do not plan to, I'll conclude with a handful of excerpts that just struck me as interesting as signs-of-the-time in the 1980s:

On perceptions of NSA's surveillance capacity:

NSA is rumored to tape record every transatlantic telephone conversation. Maybe they'd recorded this session. But that's impossible. How much information crosses the Atlantic everyday? Oh, say there's ten satellites and a half-dozen transatlantic cables. Each handles ten thousand telephone calls. So the NSA would need several hundred thousand tape recorders running full time. And that's just to listen to the phone traffic--there are computer messages and television as well. (p.182-83)

On satellites vs undersea cables for transatlantic communications...and for privacy:

"...today the hacker is coming across the number six transatlantic cable."...

"Why isn't he on a satellite link?"

"Probably because it's a Sunday--the cable channels are less crowded."

"You mean that people prefer cable to satellite links?"

"Sure. Every time you connect through a satellite, there's a quarter second delay. The undersea cables don't slow down your messages so much."...

"So if the phone companies try to route over the cables, who wants the satellites?"

"Television networks, mostly. TV signals can't be squeezed into submarine cables, so they grab the satellites. But fiber optics will change everything."

I'd heard of fiber optics...But who was running fiber-optic cables under the ocean?

"Everyone wants to," Steve explained. "There's a limited number of satellite channels available.... And the satellite channels aren't private-anyone can listen in. Satellites may be fine for television, but cable's the way to go for data." (p. 187)

On the impact of computers and networks on the ability to discern secrets via public information:

Individually, public documents don't contain classified information. But once you gather many documents together, they may reveal secrets. ... In the past, to pull together information from diverse sources you'd spend weeks in a library. Now, with computers and networks, you can match up data sets inminutes.... By analyzing public data with the held of computers, people can uncover secrets without ever seeing a classified database. (p. 193)

On White Hat responses to vulnerabilities:

"Perhaps I should keep my mouth shut, and hope that nobody else figures it out. Fat chance. Or perhaps I should tell the world. Post a notice to lots of electronic bulletin boards.... Or should I create a virus, one that takes advantage of this security hole? If there were a trusted clearinghouse, I could report to them. They, in turn, could figure out a patch for the problem, and see that systems are fixed. (p. 236-37)

On disclosure of vulnerabilities known to the government:

Well, I'd at least told the NSA. Maybe they'd known these techniques for years, but now they officially knew that someone else was using them. Would they publicize it? Come to think of it, if NSA had known of this for ten years, why hadn't they publicized it already? Systems designers needed to know about this problem--to build stronger operating systems. Computer managers ought to know, too. (p. 252)

On foreign states stealing U.S. technology (and on the impact of export control laws):

Even more important to the KGB was obtaining research data about Western technology, including integrated circuit design, computer-aided manufacturing, and, especially, operating system software that was under U.S. export control. (p. 299)