You may have seen some suggestions that cyber security started with the first antivirus, and a date given of 1987 as the first year of commercial antivirus.
Sorry to say that it’s wrong (at least I find it wrong). If we try again, then we could say 1971 when the first worm (Creeper) was released, along with arguably the first antivirus in the single-purpose Reaper in 1972. While Reaper was designed to remove copies of Creeper, it did move and replicate through the ARPANET, so arguably was another worm itself.
While I can see the argument for Creeper and Reaper as a start date, I can’t bring myself to agree. Either we point at arbitrary events to describe when cyber security started, which could take us back to 1966 (the time-sharing mainframe CTSS suffered a password breach as the welcome message got switched with the master password file), 1971 (the launch of the ARPANET), or even 2003 when the US government established the National Cyber Security Division.
The Beginning of Cybersecurity
Cyber security began between 1970 and 1972 with the publications of the Ware and Anderson reports. I will explain below how I came to this conclusion and the important historical points you need to be aware of for this answer to make sense.
To get to the start, we need to decide what cyber security really means. I go with the definition that it’s the discipline of security applied to the cyber domain.
The cyber domain is ‘a global domain within the information environment consisting of the interdependent networks of information, technology infrastructures and resident data, including the internet, telecommunications networks, computer systems, and embedded processors and controllers’. (
Security on the other hand is protection of assets from threats. Assets can be anything, including people, information, or physical systems. Threats (when we’re dealing with security) can ultimately always be traced back to a person.
If Cyber Security Didn’t Start in 1987, Then When?
I tend to stick to a few different dates. 1969 was when the first two nodes of the ARPANET came online, even if it wasn’t declared operational until 1971. Just because something exists, though, doesn’t mean that a formal security discipline exists around it. Really we need to look at when people started formally considering approaches to security in the cyber domain.
That leaves us with a couple of reports which were the first to formally consider the aspects of security.
The Ware Report
The first of these is the creatively named ‘
The Ware report set out a number of what it calls vulnerabilities, although nowadays we would refer to them as threats since they are external and uncontrolled rather than weaknesses within a system.
- Accidental Disclosure - what we now might call a negligence threat, the result of failure of some component or control whether hardware, software, or configuration by an operator
- Deliberate Penetration - a malicious threat, although the report then makes a distinction between a passive approach (such as wire tapping, covered under Passive Subversion) and an active approach referred to as Active Infiltration which includes compromise or elevation of privilege by a legitimate user
- Physical Attack - mentioned by the report, but specifically called out as outside the scope
What’s fascinating about the Ware report, and the next ones we’ll be talking about, is how modern many of the approaches taken in them are. As an example,
Image taken from the Ware Report, showing something anyone aware of threat modelling should find very familiar.
The diagram above should be recognisable to anyone as at least a basic threat model, showing different attacks and vulnerabilities of a system. Further in the report we have recommendations for controls, what we might now recognise as architectural principles for secure system development, consideration given to risk management and costs, and far more. Some terminology has changed over the years, and the report itself considers multi-use systems (i.e. what we’d now consider mainframes and terminals) rather than the true peer to peer networking that would come along shortly, but even a brief reading shows the foundational thinking that underlies even the most modern cyber security approaches.
The Anderson Report
So we’ve got an argument for 1970 as the date cyber security started. The only problem is that while there’s mention of networks, in 1970 the ARPANET wasn’t really in an operational state so the definition of network was more about a multi-user mainframe with remote terminals. Lets step a little further into the future-past, with the publication of the equally creatively named ‘Computer Security Technology Planning Study’
https://www.youtube.com/watch?v=4djue-tOaFY?embedable=true
James P. Anderson also worked on the Ware report previously, and his two-volume follow up drew heavily from and expanded upon it. Many of the recommendations he made for designing and implementing secure systems have, frankly, been ignored over the decades to the detriment of the cyber security ecosystem, and some are being rediscovered and renamed.
To take an example, if you’ve heard of zero-trust network architecture, you can find the core concepts that lead to the approach in volume 2 of the report. More importantly for those of us trying to define a conception date for cyber security, the Anderson Report talks a lot more about the ‘movement toward the establishment of large dispersed networks of related computer systems’. This gives us a more modern perspective of networks being key to cyber security.
So When Did Cyber Security Start?
We’ve got our answer. Admittedly, it might cover a range, but there’s a stronger argument for it than there is for saying it began with the first software tool of a particular type. Cyber security is about a methodical, considered approach to security within the cyber domain. Since the cyber domain didn’t exist (in any practical way) before the 1970s, we’re not going to need to look back further, but the pioneers of the field were very much active and thinking about the problems we still struggle with today back in that time.
My answer - cyber began in the years between 1970 and 1972 with the publications of the Ware and Anderson reports. And if you read those reports carefully, it’s changed surprisingly little since then.